1cdebf467c
'nocanon' must be specified for the ProxyPass directive as described earlier in the same document, 'nodecode' is not even supported [1]. [1] http://httpd.apache.org/docs/current/mod/mod_proxy.html#ProxyPass Bug: Issue 3346 Change-Id: Id89c4c8bdc7f6f80c706278ff476852875cfe893 Signed-off-by: Edwin Kempin <edwin.kempin@sap.com>
152 lines
3.7 KiB
Plaintext
152 lines
3.7 KiB
Plaintext
= Gerrit Code Review - Reverse Proxy
|
|
|
|
== Description
|
|
|
|
Gerrit can be configured to run behind a third-party web server.
|
|
This allows the other web server to bind to the privileged port 80
|
|
(or 443 for SSL), as well as offloads the SSL processing overhead
|
|
from Java to optimized native C code.
|
|
|
|
|
|
== Gerrit Configuration
|
|
|
|
Ensure `'$site_path'/etc/gerrit.config` has the property
|
|
link:config-gerrit.html#httpd.listenUrl[httpd.listenUrl] configured
|
|
to use 'proxy-http://' or 'proxy-https://' and a free port number.
|
|
This may have already been configured if proxy support was enabled
|
|
during 'init'.
|
|
|
|
----
|
|
[httpd]
|
|
listenUrl = proxy-http://127.0.0.1:8081/r/
|
|
----
|
|
|
|
|
|
== Apache 2 Configuration
|
|
|
|
To run Gerrit behind an Apache server using 'mod_proxy', enable the
|
|
necessary Apache2 modules:
|
|
|
|
----
|
|
a2enmod proxy_http
|
|
a2enmod ssl ; # optional, needed for HTTPS / SSL
|
|
----
|
|
|
|
Configure an Apache VirtualHost to proxy to the Gerrit daemon,
|
|
setting the 'ProxyPass' line to use the 'http://' URL configured
|
|
above. Ensure the path of ProxyPass and httpd.listenUrl match,
|
|
or links will redirect to incorrect locations.
|
|
|
|
----
|
|
<VirtualHost *>
|
|
ServerName review.example.com
|
|
|
|
ProxyRequests Off
|
|
ProxyVia Off
|
|
ProxyPreserveHost On
|
|
|
|
<Proxy *>
|
|
Order deny,allow
|
|
Allow from all
|
|
</Proxy>
|
|
|
|
AllowEncodedSlashes On
|
|
ProxyPass /r/ http://127.0.0.1:8081/r/ nocanon
|
|
</VirtualHost>
|
|
----
|
|
|
|
The two options 'AllowEncodedSlashes On' and 'ProxyPass .. nocanon' are required
|
|
since Gerrit 2.6.
|
|
|
|
=== SSL
|
|
|
|
To enable Apache to perform the SSL processing, use 'proxy-https://'
|
|
in httpd.listenUrl within Gerrit's configuration file, and enable
|
|
the SSL engine in the Apache VirtualHost block:
|
|
|
|
----
|
|
<VirtualHost *:443>
|
|
SSLEngine on
|
|
SSLCertificateFile conf/server.crt
|
|
SSLCertificateKeyFile conf/server.key
|
|
|
|
... same as above ...
|
|
</VirtualHost>
|
|
----
|
|
|
|
See the Apache 'mod_ssl' documentation for more details on how to
|
|
configure SSL within the server, like controlling how strong of an
|
|
encryption algorithm is required.
|
|
|
|
=== Troubleshooting
|
|
|
|
If you are encountering 'Page Not Found' errors when opening the change
|
|
screen, your Apache proxy is very likely decoding the passed URL.
|
|
Make sure to either use 'AllowEncodedSlashes On' together with
|
|
'ProxyPass .. nocanon' or alternatively a 'mod_rewrite' configuration with
|
|
'AllowEncodedSlashes NoDecode' set.
|
|
|
|
|
|
== Nginx Configuration
|
|
|
|
To run Gerrit behind an Nginx server, use a server statement such
|
|
as this one:
|
|
|
|
----
|
|
server {
|
|
listen 80;
|
|
server_name review.example.com;
|
|
|
|
location /r/ {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header Host $host;
|
|
}
|
|
}
|
|
----
|
|
|
|
=== SSL
|
|
|
|
To enable Nginx to perform the SSL processing, use 'proxy-https://'
|
|
in httpd.listenUrl within Gerrit's configuration file, and enable
|
|
the SSL engine in the Nginx server statement:
|
|
|
|
----
|
|
server {
|
|
listen 443;
|
|
server_name review.example.com;
|
|
|
|
ssl on;
|
|
ssl_certificate conf/server.crt;
|
|
ssl_certificate_key conf/server.key;
|
|
|
|
... same as above ...
|
|
}
|
|
----
|
|
|
|
See the Nginx 'http ssl module' documentation for more details on
|
|
how to configure SSL within the server, like controlling how strong
|
|
of an encryption algorithm is required.
|
|
|
|
=== Troubleshooting
|
|
|
|
If you are encountering 'Page Not Found' errors when opening the change
|
|
screen, your Nginx proxy is very likely decoding the passed URL.
|
|
Make sure to use a 'proxy_pass' URL without any path (esp. no trailing
|
|
'/' after the 'host:port').
|
|
|
|
If you are using Apache httpd server with mod_jk and AJP connector, add
|
|
the following option to your httpd.conf directly or included from another
|
|
file:
|
|
|
|
----
|
|
JkOptions +ForwardURICompatUnparsed
|
|
----
|
|
|
|
GERRIT
|
|
------
|
|
Part of link:index.html[Gerrit Code Review]
|
|
|
|
SEARCHBOX
|
|
---------
|