opendev/gerrit
Code Issues Proposed changes

Merge branch 'stable-2.15' into stable-2.16

Browse Source 
* stable-2.15:
  MergeOp: Fix swapped message and tag parameters for ChangeMessage
  Documentation: rewrite httpd.listenUrl

Change-Id: Ia11ddea20b9dd2150f8aad815a253ab61fccb97e
This commit is contained in:
David Pursehouse
2019-09-30 11:05:20 +09:00
parent 2edcdf23e1 6c95cb4495
commit d604d2cedb
2 changed files with 92 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
Documentation/config-gerrit.txt
View File

@@ -2502,57 +2502,122 @@ The httpd section configures the embedded servlet container.
[[httpd.listenUrl]]httpd.listenUrl:: [[httpd.listenUrl]]httpd.listenUrl::
+ +
Specifies the URLs the internal HTTP daemon should listen for Configuration for the listening sockets of the internal HTTP daemon.
connections on. The special hostname '*' may be used to listen Each entry of `listenUrl` combines the following options for a
on all local addresses. A context path may optionally be included, listening socket: protocol, network address, port and context path.
placing Gerrit Code Review's web address within a subdirectory of
the server.
+ +
Multiple protocol schemes are supported: _Protocol_ can be either `http://`, `https://`, `proxy-http://` or
`proxy-https://`. The latter two are special forms of `http://` with
awareness of a reverse proxy (see below). _Network address_ selects
the interface and/or scope of the listening socket. For notes
examples, see below. _Port_ is the TCP port number and is optional
(default value depends on the protocol). _Context path_ is the
optional "base URI" for the Gerrit Code Review as application to
serve on.
+ +
* `http://`'hostname'`:`'port' **Protocol** schemes:
+
* `http://`
+ +
Plain-text HTTP protocol. If port is not supplied, defaults to 80, Plain-text HTTP protocol. If port is not supplied, defaults to 80,
the standard HTTP port. the standard HTTP port.
+ +
* `https://`'hostname'`:`'port' * `https://`
+ +
SSL encrypted HTTP protocol. If port is not supplied, defaults to SSL encrypted HTTP protocol. If port is not supplied, defaults to
443, the standard HTTPS port. 443, the standard HTTPS port.
+ +
Externally facing production sites are encouraged to use a reverse For configuration of the certificate and private key, see
proxy configuration and `proxy-https://` (below), rather than using <<httpd.sslKeyStore,httpd.sslKeyStore>>.
the embedded servlet container to implement the SSL processing.
The proxy server with SSL support is probably easier to configure,
provides more configuration options to control cipher usage, and
is likely using natively compiled encryption algorithms, resulting
in higher throughput.
+ +
* `proxy-http://`'hostname'`:`'port' [NOTE]
SSL/TLS configuration capabilities of Gerrit internal HTTP daemon
are very limited. Externally facing production sites are strongly
encouraged to use a reverse proxy configuration to handle SSL/TLS
and use a `proxy-https://` scheme here (below) for security and
performance reasons.
+
* `proxy-http://`
+ +
Plain-text HTTP relayed from a reverse proxy. If port is not Plain-text HTTP relayed from a reverse proxy. If port is not
supplied, defaults to 8080. supplied, defaults to 8080.
+ +
Like http, but additional header parsing features are Like `http://`, but additional header parsing features are
enabled to honor X-Forwarded-For, X-Forwarded-Host and enabled to honor `X-Forwarded-For`, `X-Forwarded-Host` and
X-Forwarded-Server. These headers are typically set by Apache's `X-Forwarded-Server`. These headers are typically set by Apache's
link:http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers[mod_proxy]. link:https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers[mod_proxy].
+ +
* `proxy-https://`'hostname'`:`'port' [NOTE]
--
For secruity reasons, make sure to only allow connections from a
trusted reverse proxy in your network, as clients could otherwise
easily spoof these headers and thus spoof their originating IP
address effectively. If the reverse proxy is running on the same
machine as Gerrit daemon, the use of a _loopback_ network address
to bind to (see below) is strongly recommended to mitigate this.
If not using Apache's mod_proxy, validate that your reverse proxy
sets these headers on all requests. If not, either configure it to
sanitize them from the origin, or use the `http://` scheme instead.
--
+ +
Plain text HTTP relayed from a reverse proxy that has already * `proxy-https://`
+
Plain-text HTTP relayed from a reverse proxy that has already
handled the SSL encryption/decryption. If port is not supplied, handled the SSL encryption/decryption. If port is not supplied,
defaults to 8080. defaults to 8080.
+ +
Behaves exactly like proxy-http, but also sets the scheme to assume Behaves exactly like `proxy-http://`, but also sets the scheme to
'https://' is the proper URL back to the server. assume `https://` is the proper URL back to the server.
+ +
-- --
**Network address** forms:
* Loopback (localhost): `127.0.0.1` (IPv4) or `[::1]` (IPv6).
* All (unspecified): `0.0.0.0` (IPv4), `[::]` (IPv6) or `*`
(IPv4 and IPv6)
* Interface IP address, e.g. `1.2.3.4` (IPv4) or
`[2001:db8::a00:20ff:fea7:ccea]` (IPv6)
* Hostname, resolved at startup time to an address.
**Context path** is the local part of the URL to be used to access
Gerrit on ('base URL'). E.g. `/gerrit/` to serve Gerrit on that URI
as base. If set, consider to align this with the
<<gerrit.canonicalWebUrl,gerrit.canonicalWebUrl>> setting. Correct
settings may depend on the reverse proxy configuration as well. By
default, this is `/` so that Gerrit serves requests on the root.
If multiple values are supplied, the daemon will listen on all If multiple values are supplied, the daemon will listen on all
of them. of them.
By default, http://*:8080. Examples:
----
[httpd]
listenUrl = proxy-https://127.0.0.1:9999/gerrit/
[gerrit]
# Reverse proxy is configured to serve with SSL/TLS on
# example.com and to relay requests on /gerrit/ onto
# http://127.0.0.1:9999/gerrit/
canonicalWebUrl = https://example.com/gerrit/
----
----
[httpd]
# Listen on specific external interface with plaintext
# HTTP on IPv6.
listenUrl = http://[2001:db8::a00:20ff:fea7:ccea]
# Also listen on specific internal interface for use with
# reverse proxy run on another host.
listenUrl = proxy-https://192.168.100.123
----
See also the page on link:config-reverseproxy.html[reverse proxy]
configuration.
By default, `\http://*:8080`.
-- --
[[httpd.reuseAddress]]httpd.reuseAddress:: [[httpd.reuseAddress]]httpd.reuseAddress::

4
java/com/google/gerrit/server/submit/MergeOp.java
View File

@@ -922,8 +922,8 @@ public class MergeOp implements AutoCloseable {
change.currentPatchSetId(), change.currentPatchSetId(),
internalUserFactory.create(), internalUserFactory.create(),
change.getLastUpdatedOn(), change.getLastUpdatedOn(),
ChangeMessagesUtil.TAG_MERGED, "Project was deleted.",
"Project was deleted."); ChangeMessagesUtil.TAG_MERGED);
cmUtil.addChangeMessage( cmUtil.addChangeMessage(
ctx.getDb(), ctx.getUpdate(change.currentPatchSetId()), msg); ctx.getDb(), ctx.getUpdate(change.currentPatchSetId()), msg);