HTTPS using haproxy with SSL termination Add the ability to clone projects via https to the local multi-site environment. Feature: Issue 10561 Change-Id: I471ba89b5fdb3ad1b17119c01e2923579c88e0df

commit: 2efc429c9adc1e16b7a7e2faadab487875fc8729 [log] [tgz]
author: Tiago Palma <tiago.f.palma@gmail.com> Mon Mar 04 16:34:02 2019 +0100
committer: Tiago Palma <tiago.f.palma@gmail.com> Wed Mar 06 09:55:23 2019 +0100
tree: d0817f127f8eac52901044aa6f47d2e226d9816c
parent: 3c42f37a38575c5fe158695d63270f94339a7efb [diff]
diff --git a/setup_local_env/README.md b/setup_local_env/README.md
index 41fbee3..2df0c2b 100644
--- a/setup_local_env/README.md
+++ b/setup_local_env/README.md

@@ -47,6 +47,8 @@
 [--replication-type]            Options [file,ssh]; default ssh
 [--replication-ssh-user]        SSH user for the replication plugin; default $(whoami)
 [--just-cleanup-env]            Cleans up previous deployment; default false
+
+[--enabled-https]               Enabled https; default true
 ```
 
 ## Limitations

diff --git a/setup_local_env/configs/gerrit.config b/setup_local_env/configs/gerrit.config
index 4dcbb41..8666abe 100644
--- a/setup_local_env/configs/gerrit.config
+++ b/setup_local_env/configs/gerrit.config

@@ -1,7 +1,7 @@
 [gerrit]
     basePath = git
     serverId = 69ec38f0-350e-4d9c-96d4-bc956f2faaac
-    canonicalWebUrl = http://$GERRIT_CANONICAL_HOSTNAME:$GERRIT_CANONICAL_PORT/
+    canonicalWebUrl = $GERRIT_CANONICAL_WEB_URL
 [database]
     type = h2
     database = $LOCATION_TEST_SITE/db/ReviewDB
@@ -27,7 +27,7 @@
     listenAddress = *:$GERRIT_SSHD_PORT
     advertisedAddress = *:$SSH_ADVERTISED_PORT
 [httpd]
-    listenUrl = proxy-http://*:$GERRIT_HTTPD_PORT/
+    listenUrl = proxy-$HTTP_PROTOCOL://*:$GERRIT_HTTPD_PORT/
 [cache]
     directory = cache
 [plugins]

diff --git a/setup_local_env/haproxy-config/haproxy.cfg b/setup_local_env/haproxy-config/haproxy.cfg
index 40bbda6..8afce07 100644
--- a/setup_local_env/haproxy-config/haproxy.cfg
+++ b/setup_local_env/haproxy-config/haproxy.cfg

@@ -1,6 +1,7 @@
 global
     log 127.0.0.1   local0
     log 127.0.0.1   local1 debug
+    tune.ssl.default-dh-param 2048
     maxconn 4096
 
 defaults
@@ -17,6 +18,7 @@
 
 frontend haproxynode
     bind *:$HA_GERRIT_CANONICAL_PORT
+    $HA_HTTPS_BIND
     mode http
     acl redirect_reads url_reg -i git-upload-pack
     acl redirect_reads url_reg -i clone.bundle

diff --git a/setup_local_env/setup.sh b/setup_local_env/setup.sh
index 9cd69bc..a7195ed 100755
--- a/setup_local_env/setup.sh
+++ b/setup_local_env/setup.sh

@@ -24,6 +24,7 @@
 	type docker-compose >/dev/null 2>&1 || { echo >&2 "Require docker-compose but it's not installed. Aborting."; exit 1; }
 	type wget >/dev/null 2>&1 || { echo >&2 "Require wget but it's not installed. Aborting."; exit 1; }
 	type envsubst >/dev/null 2>&1 || { echo >&2 "Require envsubst but it's not installed. Aborting."; exit 1; }
+	type openssl >/dev/null 2>&1 || { echo >&2 "Require openssl but it's not installed. Aborting."; exit 1; }
 }
 
 function get_replication_url {
@@ -38,6 +39,15 @@
 	fi
 }
 
+function deploy_tls_certificates {
+	echo "Deplying certificates in $HA_PROXY_CERTIFICATES_DIR..."
+	openssl req -new -newkey rsa:2048 -x509 -sha256 -days 365 -nodes \
+	-out $HA_PROXY_CERTIFICATES_DIR/MyCertificate.crt \
+	-keyout $HA_PROXY_CERTIFICATES_DIR/GerritLocalKey.key \
+	-subj "/C=GB/ST=London/L=London/O=Gerrit Org/OU=IT Department/CN=localhost"
+	cat $HA_PROXY_CERTIFICATES_DIR/MyCertificate.crt $HA_PROXY_CERTIFICATES_DIR/GerritLocalKey.key | tee $HA_PROXY_CERTIFICATES_DIR/GerritLocalKey.pem
+}
+
 function copy_config_files {
 	for file in `ls $SCRIPT_DIR/configs/*.config`
 	do
@@ -63,6 +73,8 @@
 	export HA_GERRIT_CANONICAL_HOSTNAME=$GERRIT_CANONICAL_HOSTNAME
 	export HA_GERRIT_CANONICAL_PORT=$GERRIT_CANONICAL_PORT
 
+	export HA_HTTPS_BIND=$HTTPS_BIND
+
 	export HA_GERRIT_SITE1_HOSTNAME=$GERRIT_1_HOSTNAME
 	export HA_GERRIT_SITE2_HOSTNAME=$GERRIT_2_HOSTNAME
 	export HA_GERRIT_SITE1_HTTPD_PORT=$GERRIT_1_HTTPD_PORT
@@ -74,6 +86,8 @@
 	cat $SCRIPT_DIR/haproxy-config/haproxy.cfg | envsubst > $HA_PROXY_CONFIG_DIR/haproxy.cfg
 
 	echo "Starting HA-PROXY..."
+	echo "THE SCRIPT LOCATION $SCRIPT_DIR"
+	echo "THE HA SCRIPT_LOCATION $HA_SCRIPT_DIR"
 	haproxy -f $HA_PROXY_CONFIG_DIR/haproxy.cfg &
 }
 
@@ -147,6 +161,8 @@
 		echo "[--replication-ssh-user]			SSH user for the replication plugin; default $(whoami)"
 		echo "[--just-cleanup-env]				Cleans up previous deployment; default false"
 		echo
+		echo "[--enabled-https]					Enabled https; default true"
+		echo
 		exit 0
   ;;
   "--new-deployment")
@@ -224,6 +240,11 @@
 		shift
 		shift
   ;;
+  "--enabled-https" )
+		HTTPS_ENABLED=$2
+		shift
+		shift
+  ;;
   *	   )
 		echo "Unknown option argument: $1"
 		shift
@@ -250,11 +271,13 @@
 REPLICATION_TYPE=${REPLICATION_TYPE:-"ssh"}
 REPLICATION_SSH_USER=${REPLICATION_SSH_USER:-$(whoami)}
 export SSH_ADVERTISED_PORT=${SSH_ADVERTISED_PORT:-"29418"}
+HTTPS_ENABLED=${HTTPS_ENABLED:-"true"}
 
 COMMON_LOCATION=$DEPLOYMENT_LOCATION/gerrit_setup
 LOCATION_TEST_SITE_1=$COMMON_LOCATION/instance-1
 LOCATION_TEST_SITE_2=$COMMON_LOCATION/instance-2
 HA_PROXY_CONFIG_DIR=$COMMON_LOCATION/ha-proxy-config
+HA_PROXY_CERTIFICATES_DIR="$HA_PROXY_CONFIG_DIR/certificates"
 
 RELEASE_WAR_FILE_LOCATION=${RELEASE_WAR_FILE_LOCATION:-bazel-bin/release.war}
 MULTISITE_PLUGIN_LOCATION=${MULTISITE_PLUGIN_LOCATION:-bazel-genfiles/plugins/multi-site/multi-site.jar}
@@ -294,15 +317,28 @@
 	echo "Make sure ~/.ssh/authorized_keys and ~/.ssh/known_hosts are configured correctly"
 fi
 
+if [ "$HTTPS_ENABLED" = "true" ];then
+	export HTTP_PROTOCOL="https"
+	export GERRIT_CANONICAL_WEB_URL="$HTTP_PROTOCOL://$GERRIT_CANONICAL_HOSTNAME/"
+	export HTTPS_BIND="bind *:443 ssl crt $HA_PROXY_CONFIG_DIR/certificates/GerritLocalKey.pem"
+	HTTPS_CLONE_MSG="Using self-signed certificates, to clone via https - 'git config --global http.sslVerify false'"
+else
+	export HTTP_PROTOCOL="http"
+	export GERRIT_CANONICAL_WEB_URL="$HTTP_PROTOCOL://$GERRIT_CANONICAL_HOSTNAME:$GERRIT_CANONICAL_PORT/"
+fi
+
 # New installation
 if [ $NEW_INSTALLATION = "true" ]; then
 
 	cleanup_environment $LOCATION_TEST_SITE_1 $LOCATION_TEST_SITE_2 $COMMON_LOCATION
 
 	echo "Setting up directories"
-	mkdir -p $LOCATION_TEST_SITE_1 $LOCATION_TEST_SITE_2 $HA_PROXY_CONFIG_DIR $FAKE_NFS
+	mkdir -p $LOCATION_TEST_SITE_1 $LOCATION_TEST_SITE_2 $HA_PROXY_CERTIFICATES_DIR $FAKE_NFS
 	java -jar $DEPLOYMENT_LOCATION/gerrit.war init --batch --no-auto-start --install-all-plugins --dev -d $LOCATION_TEST_SITE_1
 
+	# Deploying TLS certificates
+	if [ "$HTTPS_ENABLED" = "true" ];then deploy_tls_certificates;fi
+
 	echo "Copy multi-site plugin"
 	cp -f $DEPLOYMENT_LOCATION/multi-site.jar $LOCATION_TEST_SITE_1/plugins/multi-site.jar
 
@@ -345,15 +381,20 @@
 echo "==============================="
 echo "Current gerrit multi-site setup"
 echo "==============================="
+echo "The admin password is 'secret'"
 echo "deployment-location=$DEPLOYMENT_LOCATION"
 echo "replication-type=$REPLICATION_TYPE"
 echo "replication-ssh-user=$REPLICATION_SSH_USER"
+echo "enable-https=$HTTPS_ENABLED"
 echo
-echo "GERRIT HA-PROXY: http://$GERRIT_CANONICAL_HOSTNAME:$GERRIT_CANONICAL_PORT"
+echo "GERRIT HA-PROXY: $GERRIT_CANONICAL_WEB_URL"
 echo "GERRIT-1: http://$GERRIT_1_HOSTNAME:$GERRIT_1_HTTPD_PORT"
 echo "GERRIT-2: http://$GERRIT_2_HOSTNAME:$GERRIT_2_HTTPD_PORT"
 echo
 echo "Site-1: $LOCATION_TEST_SITE_1"
 echo "Site-2: $LOCATION_TEST_SITE_2"
+echo
+echo "$HTTPS_CLONE_MSG"
+echo
 
 exit $?
\ No newline at end of file
commit	2efc429c9adc1e16b7a7e2faadab487875fc8729	[log] [tgz]
author	Tiago Palma <tiago.f.palma@gmail.com>	Mon Mar 04 16:34:02 2019 +0100
committer	Tiago Palma <tiago.f.palma@gmail.com>	Wed Mar 06 09:55:23 2019 +0100
tree	d0817f127f8eac52901044aa6f47d2e226d9816c
parent	3c42f37a38575c5fe158695d63270f94339a7efb [diff]