diff options
5 files changed, 65 insertions, 28 deletions
diff --git a/Documentation/config-reverseproxy.txt b/Documentation/config-reverseproxy.txt index 0857442fa3..064fe2e548 100644 --- a/Documentation/config-reverseproxy.txt +++ b/Documentation/config-reverseproxy.txt @@ -28,37 +28,40 @@ during 'init'. Apache 2 Configuration ---------------------- -To run Gerrit behind an Apache server we cannot use 'mod_proxy' -directly, as Gerrit relies on getting unmodified escaped forward -slashes. Depending on the setting of 'AllowEncodedSlashes', -'mod_proxy' would either decode encoded slashes, or encode them once -again. Hence, we resort to using 'mod_rewrite'. To enable the +To run Gerrit behind an Apache server using 'mod_proxy', enable the necessary Apache2 modules: ---- - a2enmod rewrite + a2enmod proxy_http a2enmod ssl ; # optional, needed for HTTPS / SSL ---- -Configure an Apache VirtualHost to proxy to the Gerrit daemon, setting -the 'RewriteRule' line to use the 'http://' URL configured above. -Ensure the path of 'RewriteRule' (the part before '$1') and -httpd.listenUrl match, or links will redirect to incorrect locations. - -Note that this configuration allows to pass encoded characters to the -virtual host, which is potentially dangerous. Be sure to read up on -this topic and that you understand the risks. +Configure an Apache VirtualHost to proxy to the Gerrit daemon, +setting the 'ProxyPass' line to use the 'http://' URL configured +above. Ensure the path of ProxyPass and httpd.listenUrl match, +or links will redirect to incorrect locations. ---- <VirtualHost *> ServerName review.example.com - AllowEncodedSlashes NoDecode - RewriteEngine On - RewriteRule ^/r/(.*) http://localhost:8081/r/$1 [NE,P] + ProxyRequests Off + ProxyVia Off + ProxyPreserveHost On + + <Proxy *> + Order deny,allow + Allow from all + </Proxy> + + AllowEncodedSlashes On + ProxyPass /r/ http://127.0.0.1:8081/r/ nocanon </VirtualHost> ---- +The two options 'AllowEncodedSlashes On' and 'ProxyPass .. nocanon' are required +since Gerrit 2.6. + SSL ~~~ @@ -80,6 +83,15 @@ See the Apache 'mod_ssl' documentation for more details on how to configure SSL within the server, like controlling how strong of an encryption algorithm is required. +Troubleshooting +~~~~~~~~~~~~~~~ + +If you are encountering 'Page Not Found' errors when opening the change +screen, your Apache proxy is very likely decoding the passed URL. +Make sure to either use 'AllowEncodedSlashes On' together with +'ProxyPass .. nodecode' or alternatively a 'mod_rewrite' configuration with +'AllowEncodedSlashes NoDecode' set. + Nginx Configuration ------------------- @@ -124,6 +136,14 @@ See the Nginx 'http ssl module' documentation for more details on how to configure SSL within the server, like controlling how strong of an encryption algorithm is required. +Troubleshooting +~~~~~~~~~~~~~~~ + +If you are encountering 'Page Not Found' errors when opening the change +screen, your Nginx proxy is very likely decoding the passed URL. +Make sure to use a 'proxy_pass' URL without any path (esp. no trailing +'/' after the 'host:port'). + GERRIT ------ Part of link:index.html[Gerrit Code Review] diff --git a/ReleaseNotes/ReleaseNotes-2.6.txt b/ReleaseNotes/ReleaseNotes-2.6.txt index e166c4b0b1..12986f61c0 100644 --- a/ReleaseNotes/ReleaseNotes-2.6.txt +++ b/ReleaseNotes/ReleaseNotes-2.6.txt @@ -23,6 +23,17 @@ Schema Change a later 2.1.x version), and then to 2.6.x. If you are upgrading from 2.2.x.x or newer, you may ignore this warning and upgrade directly to 2.6.x. +Reverse Proxy Configuration Changes +----------------------------------- + +If you are running a reverse proxy in front of Gerrit (e.g. Apache or Nginx), +make sure to check your configuration, especially if you are encountering +'Page Not Found' errors when opening the change screen. +See the link:http://gerrit-documentation.googlecode.com/svn/Documentation/2.6/config-reverseproxy.html[ +Reverse Proxy Configuration] for details. + +Gerrit now requires passed URLs to be unchanged by the proxy. + Release Highlights ------------------ * 42x improvement on `git clone` and `git fetch` @@ -437,13 +448,6 @@ responses are protected from accidential sniffing and treatment as HTML thanks to Gson encoding HTML control characters using Unicode character escapes within JSON strings. -* Apache reverse proxies must switch to mod_rewrite -+ -When Apache is used as a reverse proxy the server must be reconfigured -to use mod_rewrite and AllowEncodedSlashes. For updated information -link:http://gerrit-documentation.googlecode.com/svn/Documentation/2.6/config-reverseproxy.html#_apache_2_configuration[ -review the Apache 2 Configuration documentation]. - Project Dashboards ~~~~~~~~~~~~~~~~~~ * link:http://gerrit-documentation.googlecode.com/svn/Documentation/2.6/user-dashboards.html#project-dashboards[ diff --git a/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/auth/container/ConfigurationError.html b/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/auth/container/ConfigurationError.html index 0bc3369211..a05e1ea90e 100644 --- a/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/auth/container/ConfigurationError.html +++ b/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/auth/container/ConfigurationError.html @@ -49,6 +49,15 @@ <VirtualHost <span class='ServerName'>review.example.com</span><span class='ServerPort'>:80</span>> ServerName <span class='ServerName'>review.example.com</span> + ProxyRequests Off + ProxyVia Off + ProxyPreserveHost On + + <Proxy *> + Order deny,allow + Allow from all + </Proxy> + <div class='apache_auth'> <Location <span class='ContextPath'>/r</span>/login/> AuthType Basic AuthName "Gerrit Code Review" @@ -56,9 +65,8 @@ ... </Location></div> - AllowEncodedSlashes NoDecode - RewriteEngine On - RewriteRule ^<span class='ContextPath'>/r</span>/(.*) http://...<span class='ContextPath'>/r</span>/$1 [NE,P] + AllowEncodedSlashes On + ProxyPass <span class='ContextPath'>/r</span>/ http://...<span class='ContextPath'>/r</span>/ nodecode </VirtualHost> </pre> </body> diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/changedetail/RebaseChange.java b/gerrit-server/src/main/java/com/google/gerrit/server/changedetail/RebaseChange.java index 9089710345..89c507bdee 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/changedetail/RebaseChange.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/changedetail/RebaseChange.java @@ -313,6 +313,9 @@ public class RebaseChange { OrmException, IOException, InvalidChangeOperationException, PathConflictException { Change change = chg; + if (!chg.currentPatchSetId().equals(patchSetId)) { + throw new InvalidChangeOperationException("patch set is not current"); + } final PatchSet originalPatchSet = db.patchSets().get(patchSetId); final RevCommit rebasedCommit; diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshScope.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshScope.java index 64a1a424b5..0ae40a5adf 100644 --- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshScope.java +++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshScope.java @@ -82,7 +82,9 @@ class SshScope { public CurrentUser getCurrentUser() { final CurrentUser user = session.getCurrentUser(); if (user instanceof IdentifiedUser) { - return userFactory.create(((IdentifiedUser) user).getAccountId()); + IdentifiedUser identifiedUser = userFactory.create(((IdentifiedUser) user).getAccountId()); + identifiedUser.setAccessPath(user.getAccessPath()); + return identifiedUser; } return user; } |