Documentation/config-reverseproxy.txt

= Gerrit Code Review - Reverse Proxy

== Description

Gerrit can be configured to run behind a third-party web server.
This allows the other web server to bind to the privileged port 80
(or 443 for SSL), as well as offloads the SSL processing overhead
from Java to optimized native C code.


== Gerrit Configuration

Ensure `'$site_path'/etc/gerrit.config` has the property
link:config-gerrit.html#httpd.listenUrl[httpd.listenUrl] configured
to use 'proxy-http://' or 'proxy-https://' and a free port number.
This may have already been configured if proxy support was enabled
during 'init'.

----
  [httpd]
  	listenUrl = proxy-http://127.0.0.1:8081/r/
----

== Reverse proxy and client IPs

When behind a reverse proxy the http_log will log the IP of the reverse proxy
as client.ip. To log the correct client IP you must provide the
'X-Forwarded-For' header from the reverse proxy.
See the nginx configuration example below.


== Apache 2 Configuration

To run Gerrit behind an Apache server using 'mod_proxy', enable the
necessary Apache2 modules:

----
  a2enmod proxy_http
  a2enmod ssl          ; # optional, needed for HTTPS / SSL
----

Configure an Apache VirtualHost to proxy to the Gerrit daemon,
setting the 'ProxyPass' line to use the 'http://' URL configured
above.  Ensure the path of ProxyPass and httpd.listenUrl match,
or links will redirect to incorrect locations.

----
	<VirtualHost *>
	  ServerName review.example.com

	  ProxyRequests Off
	  ProxyVia Off
	  ProxyPreserveHost On

	  <Proxy *>
	    Order deny,allow
	    Allow from all
	    # Use following line instead of the previous two on Apache >= 2.4
	    # Require all granted
	  </Proxy>

	  AllowEncodedSlashes On
	  ProxyPass /r/ http://127.0.0.1:8081/r/ nocanon
	</VirtualHost>
----

The two options 'AllowEncodedSlashes On' and 'ProxyPass .. nocanon' are required
since Gerrit 2.6.

=== SSL

To enable Apache to perform the SSL processing, use 'proxy-https://'
in httpd.listenUrl within Gerrit's configuration file, and enable
the SSL engine in the Apache VirtualHost block:

----
	<VirtualHost *:443>
	  SSLEngine on
	  SSLCertificateFile    conf/server.crt
	  SSLCertificateKeyFile conf/server.key

	  ... same as above ...
	</VirtualHost>
----

See the Apache 'mod_ssl' documentation for more details on how to
configure SSL within the server, like controlling how strong of an
encryption algorithm is required.

=== Troubleshooting

If you are encountering 'Page Not Found' errors when opening the change
screen, your Apache proxy is very likely decoding the passed URL.
Make sure to either use 'AllowEncodedSlashes On' together with
'ProxyPass .. nocanon' or alternatively a 'mod_rewrite' configuration with
'AllowEncodedSlashes NoDecode' set.


== Nginx Configuration

To run Gerrit behind an Nginx server, use a server statement such
as this one:

----
	server {
	  listen 80;
	  server_name review.example.com;

	  location ^~ /r/ {
	    proxy_pass        http://127.0.0.1:8081;
	    proxy_set_header  X-Forwarded-For $remote_addr;
	    proxy_set_header  Host $host;
	  }
	}
----

=== SSL

To enable Nginx to perform the SSL processing, use 'proxy-https://'
in httpd.listenUrl within Gerrit's configuration file, and enable
the SSL engine in the Nginx server statement:

----
	server {
	  listen 443;
	  server_name review.example.com;

	  ssl  on;
	  ssl_certificate      conf/server.crt;
	  ssl_certificate_key  conf/server.key;

	  ... same as above ...
	}
----

See the Nginx 'http ssl module' documentation for more details on
how to configure SSL within the server, like controlling how strong
of an encryption algorithm is required.

=== Troubleshooting

If you are encountering 'Page Not Found' errors when opening the change
screen, your Nginx proxy is very likely decoding the passed URL.
Make sure to use a 'proxy_pass' URL without any path (esp. no trailing
'/' after the 'host:port').

If you are using Apache httpd server with mod_jk and AJP connector, add
the following option to your httpd.conf directly or included from another
file:

----
JkOptions +ForwardURICompatUnparsed
----

GERRIT
------
Part of link:index.html[Gerrit Code Review]

SEARCHBOX
---------