Set up Gerrit with HTTP authentication

Okay. Actually, I was creating a virtual host on port 8081, and my Jetty (which comes along with Gerrit) was also listening on the same port. My configuration remained almost the same, but these are the additional steps:

  • Add a new port to your SELinux (which has some basic ports defined initially), or you can disable it if security is not an issue.
  • Tell httpd to listen on this port (in my case I added 8082), so add the line Listen <port-no> in your http conf file.
  • Change the virtual host to your port number; now your virtual host is set on port 8082.

    <VirtualHost *:8082>
        ServerName localhost
    
        ProxyRequests Off
        ProxyVia Off
        ProxyPreserveHost On
    
        <Proxy *>
              Order deny,allow
              Allow from all
        </Proxy>
        <Location "/login/">
              AuthType Basic
              AuthName "Gerrit Code Review"
              AuthBasicProvider file
              AuthUserFile /usr/local/apache/passwd/passwords
              Require valid-user
        </Location>
    
        ProxyPass / http://localhost:8081/
    </VirtualHost>
    
  • Change the canonical URL to port 8082 (so that it redirects to the same port).

  • Finally, restart Apache and Gerrit (access your-host:8082).

Gerrit is expecting the authentication to be provided. It does not allow anonymous access when you use HTTP authentication.

For this to work you need to authenticate at the root and your Location block should look like this:

    <Location "/">
        AuthType Basic
        AuthName "Gerrit Code Review"
        AuthBasicProvider file
        AuthUserFile /usr/local/apache/passwd/passwords
        Require valid-user
    </Location>

There are a few issues with your configuration:

  1. Apache and Gerrit try to listen on the same port 8081; this is not possible
  2. Your ProxyPass is not the best; it will create some small issues. These issues are:
    1. Unable to create project names with a slash in them, like: main/sub
    2. When reviewing files, the check mark will not appear next to the file to show it as reviewed; again, this is related to the forward slash not being properly processed
  3. It is most common to use a subfolder and not the root; I guess that works better with the reverse proxy

This is my recommended configuration for you:

    <VirtualHost *:80>
        ServerName localhost

        ProxyRequests Off
        ProxyVia Off
        ProxyPreserveHost On

        <Proxy *>
              Order deny,allow
              Allow from all
        </Proxy>

        <Location "/">
            AuthType Basic
            AuthName "Gerrit Code Review"
            AuthBasicProvider file
            AuthUserFile /usr/local/apache/passwd/passwords
            Require valid-user
        </Location>

        AllowEncodedSlashes On
        ProxyPass /r http://localhost:8081/r nocanon
    </VirtualHost>

Of course, don't forget to amend gerrit.config; the canonicalWebUrl is what you type in the address bar, not what Apache uses to find Gerrit.

    [gerrit]
        basePath = git
        canonicalWebUrl = http://localhost:8082/r

To prevent the Apache default page from showing, add an index.php in your root folder that will redirect your browser to the sub path:

    <?php
        header('Location: http://localhost:8082/r/');
    ?>
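
A small checker for the points raised in the answers above (port collision, authentication that does not cover the proxied path, encoded slashes, canonicalWebUrl), added here as an example; it is not part of either answer or of Gerrit. The function names, finding codes and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlparse

def covers(location: str, path: str) -> bool:
    """True if an Apache <Location> prefix applies to the given URL path."""
    base = location.rstrip("/")
    return path == base or path.startswith(base + "/")

def lint(vhost: str, gerrit_cfg: str) -> list:
    """Return finding codes for an Apache vhost that fronts Gerrit with HTTP auth."""
    vport = re.search(r"<VirtualHost\s+[^:>]*:(\d+)\s*>", vhost, re.I)
    proxy = re.search(r"^\s*ProxyPass\s+(\S+)\s+(\S+)(.*)$", vhost, re.I | re.M)
    if not vport or not proxy:
        return ["unparsed"]
    front_port, path = int(vport.group(1)), proxy.group(1)
    backend, flags = urlparse(proxy.group(2)), proxy.group(3).split()
    findings = []
    # Apache and Gerrit's Jetty cannot both bind the same local port.
    if backend.hostname in ("localhost", "127.0.0.1") and backend.port == front_port:
        findings.append("port-collision")
    # Every proxied path must sit under a <Location> that requires a valid user.
    protected = [m.group(1) for m in re.finditer(
        r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', vhost, re.I | re.S)
        if re.search(r"^\s*Require\s+valid-user\b", m.group(2), re.I | re.M)]
    if not any(covers(loc, path) for loc in protected):
        findings.append("proxied-path-unauthenticated")
    # Encoded slashes (a project named main/sub) survive only with both settings.
    slashes = re.search(r"^\s*AllowEncodedSlashes\s+(On|NoDecode)\b", vhost, re.I | re.M)
    if "nocanon" not in flags or not slashes:
        findings.append("encoded-slashes-lost")
    # canonicalWebUrl is the browser-facing URL: front port, under the proxied path.
    canon = re.search(r"^\s*canonicalWebUrl\s*=\s*(\S+)", gerrit_cfg, re.M)
    if canon:
        url = urlparse(canon.group(1))
        port = url.port or (443 if url.scheme == "https" else 80)
        if port != front_port or not covers(path, url.path or "/"):
            findings.append("canonical-url-mismatch")
    return findings

# Constructed sample inputs modelled on the configurations discussed above.
BEFORE = "\n".join([
    '<VirtualHost *:8081>', '<Location "/login/">', 'Require valid-user', '</Location>',
    'ProxyPass / http://localhost:8081/', '</VirtualHost>'])
AFTER = "\n".join([
    '<VirtualHost *:8082>', '<Location "/">', 'Require valid-user', '</Location>',
    'AllowEncodedSlashes On', 'ProxyPass /r http://localhost:8081/r nocanon', '</VirtualHost>'])
CFG = "[gerrit]\n    basePath = git\n    canonicalWebUrl = http://localhost:8082/r\n"
if __name__ == "__main__":
    print(lint(BEFORE, CFG), lint(AFTER, CFG))
```

With the vhost port changed to 80 and the same gerrit.config, the checker reports canonical-url-mismatch, since the browser-facing port and canonicalWebUrl must agree.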