| Francois Marier | d550b46 | 2011-04-13 14:30:20 +1200 | [diff] [blame] | 1 | Gerrit Code Review - Reverse Proxy |
| 2 | ================================== |
| Shawn O. Pearce | 9ad8ba5 | 2009-12-11 19:06:21 -0800 | [diff] [blame] | 3 | |
| 4 | Description |
| 5 | ----------- |
| 6 | |
| Francois Marier | 624f447 | 2011-04-13 15:58:14 +1200 | [diff] [blame] | 7 | Gerrit can be configured to run behind a third-party web server. |
| David Pursehouse | 221d4f6 | 2012-06-08 17:38:08 +0900 | [diff] [blame^] | 8 | This allows the other web server to bind to the privileged port 80 |
| Shawn O. Pearce | 9ad8ba5 | 2009-12-11 19:06:21 -0800 | [diff] [blame] | 9 | (or 443 for SSL), as well as offloads the SSL processing overhead |
| 10 | from Java to optimized native C code. |
| 11 | |
| 12 | |
| Francois Marier | 624f447 | 2011-04-13 15:58:14 +1200 | [diff] [blame] | 13 | Gerrit Configuration |
| 14 | -------------------- |
| Shawn O. Pearce | 9ad8ba5 | 2009-12-11 19:06:21 -0800 | [diff] [blame] | 15 | |
| 16 | Ensure `'$site_path'/etc/gerrit.config` has the property |
| 17 | link:config-gerrit.html#httpd.listenUrl[httpd.listenUrl] configured |
| 18 | to use 'proxy-http://' or 'proxy-https://' and a free port number. |
| 19 | This may have already been configured if proxy support was enabled |
| 20 | during 'init'. |
| 21 | |
| 22 | ---- |
| 23 | [httpd] |
| 24 | listenUrl = proxy-http://127.0.0.1:8081/r/ |
| 25 | ---- |
| 26 | |
| Francois Marier | 624f447 | 2011-04-13 15:58:14 +1200 | [diff] [blame] | 27 | |
| 28 | Apache 2 Configuration |
| 29 | ---------------------- |
| 30 | |
| 31 | To run Gerrit behind an Apache server using 'mod_proxy', enable the |
| 32 | necessary Apache2 modules: |
| 33 | |
| 34 | ---- |
| 35 | a2enmod proxy_http |
| 36 | a2enmod ssl ; # optional, needed for HTTPS / SSL |
| 37 | ---- |
| 38 | |
| Shawn O. Pearce | e240de1 | 2010-02-13 12:07:53 -0800 | [diff] [blame] | 39 | Configure an Apache VirtualHost to proxy to the Gerrit daemon, |
| 40 | setting the 'ProxyPass' line to use the 'http://' URL configured |
| 41 | above. Ensure the path of ProxyPass and httpd.listenUrl match, |
| 42 | or links will redirect to incorrect locations. |
| Shawn O. Pearce | 9ad8ba5 | 2009-12-11 19:06:21 -0800 | [diff] [blame] | 43 | |
| 44 | ---- |
| 45 | <VirtualHost *> |
| 46 | ServerName review.example.com |
| 47 | |
| 48 | ProxyRequests Off |
| 49 | ProxyVia Off |
| 50 | ProxyPreserveHost On |
| 51 | |
| 52 | <Proxy *> |
| 53 | Order deny,allow |
| 54 | Allow from all |
| 55 | </Proxy> |
| 56 | |
| 57 | ProxyPass /r/ http://127.0.0.1:8081/r/ |
| 58 | </VirtualHost> |
| 59 | ---- |
| 60 | |
| 61 | SSL |
| 62 | ~~~ |
| 63 | |
| 64 | To enable Apache to perform the SSL processing, use 'proxy-https://' |
| 65 | in httpd.listenUrl within Gerrit's configuration file, and enable |
| 66 | the SSL engine in the Apache VirtualHost block: |
| 67 | |
| 68 | ---- |
| 69 | <VirtualHost *:443> |
| 70 | SSLEngine on |
| 71 | SSLCertificateFile conf/server.crt |
| 72 | SSLCertificateKeyFile conf/server.key |
| 73 | |
| 74 | ... same as above ... |
| 75 | </VirtualHost> |
| 76 | ---- |
| 77 | |
| 78 | See the Apache 'mod_ssl' documentation for more details on how to |
| 79 | configure SSL within the server, like controlling how strong of an |
| 80 | encryption algorithm is required. |
| 81 | |
| Francois Marier | 624f447 | 2011-04-13 15:58:14 +1200 | [diff] [blame] | 82 | |
| 83 | Nginx Configuration |
| 84 | ------------------- |
| 85 | |
| 86 | To run Gerrit behind an Nginx server, use a server statement such |
| 87 | as this one: |
| 88 | |
| 89 | ---- |
| 90 | server { |
| 91 | listen 80; |
| Piotr Sikora | 2e6a4ae | 2011-04-13 17:11:18 +0000 | [diff] [blame] | 92 | server_name review.example.com; |
| Francois Marier | 624f447 | 2011-04-13 15:58:14 +1200 | [diff] [blame] | 93 | |
| 94 | location /r/ { |
| Piotr Sikora | 2e6a4ae | 2011-04-13 17:11:18 +0000 | [diff] [blame] | 95 | proxy_pass http://127.0.0.1:8081; |
| 96 | proxy_set_header X-Forwarded-For $remote_addr; |
| 97 | proxy_set_header Host $host; |
| Francois Marier | 624f447 | 2011-04-13 15:58:14 +1200 | [diff] [blame] | 98 | } |
| 99 | } |
| 100 | ---- |
| 101 | |
| 102 | SSL |
| 103 | ~~~ |
| 104 | |
| 105 | To enable Nginx to perform the SSL processing, use 'proxy-https://' |
| 106 | in httpd.listenUrl within Gerrit's configuration file, and enable |
| 107 | the SSL engine in the Nginx server statement: |
| 108 | |
| 109 | ---- |
| 110 | server { |
| 111 | listen 443; |
| Piotr Sikora | 2e6a4ae | 2011-04-13 17:11:18 +0000 | [diff] [blame] | 112 | server_name review.example.com; |
| Francois Marier | 624f447 | 2011-04-13 15:58:14 +1200 | [diff] [blame] | 113 | |
| 114 | ssl on; |
| 115 | ssl_certificate conf/server.crt; |
| 116 | ssl_certificate_key conf/server.key; |
| 117 | |
| 118 | ... same as above ... |
| 119 | } |
| 120 | ---- |
| 121 | |
| 122 | See the Nginx 'http ssl module' documentation for more details on |
| 123 | how to configure SSL within the server, like controlling how strong |
| 124 | of an encryption algorithm is required. |
| 125 | |
| Shawn O. Pearce | 9ad8ba5 | 2009-12-11 19:06:21 -0800 | [diff] [blame] | 126 | GERRIT |
| 127 | ------ |
| 128 | Part of link:index.html[Gerrit Code Review] |
