2

I'm having a super weird issue. I'm trying to use nginx to wrap gerrit in SSL/HTTPS, and it's only working if I let dev.company.com/ point to gerrit (I'd prefer dev.company.com/gerrit/ as the web server should also host other services.)

This is the only working solution I've been able to find.

gerrit's etc/gerrit.config:

[gerrit]
    canonicalWebUrl = https://dev.company.com/
[httpd]
    listenUrl = proxy-https://127.0.0.1:8081/
(snip)

nginx's configuration in sites-available:

server {
  listen 443 ssl;
  server_name dev.company.com;

  ssl on;
  (ssl certificates blah blah)

  location / {
    proxy_pass        http://127.0.0.1:8081;
    proxy_set_header  X-Forwarded-For $remote_addr;
    proxy_set_header  Host $host;
  }
}

If I change to the following:

gerrit.config:

[gerrit]
    canonicalWebUrl = https://dev.company.com/gerrit/
[httpd]
    listenUrl = proxy-https://127.0.0.1:8081/
(snip)

nginx config:

server {
  listen 443 ssl;
  server_name dev.company.com;

  ssl on;
  (ssl certificates blah blah)

  location /gerrit/ {
    proxy_pass        http://127.0.0.1:8081/;
    proxy_set_header  X-Forwarded-For $remote_addr;
    proxy_set_header  Host $host;
  }
}

(Note the trailing slash on the proxy_pass.)

Things work except requests with escaped characters (such as %2F, which gerrit has a lot of.) So, gerrit, as a site, will halfway work.

I feel that this answer should lead in the right direction, but I simply couldn't get things to work.

Edit: I think this discussion hits the same bug.

bolind

2 Answers

1

It is only about configuring the correct context path (/gerrit in your case).

Please try:

gerrit.config:

[gerrit]
    canonicalWebUrl = https://dev.company.com/gerrit/
[httpd]
    listenUrl = proxy-https://127.0.0.1:8081/gerrit/

listenUrl also allows configuring the context path - https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#httpd.listenUrl

nginx config:

server {
  listen 443 ssl;
  server_name dev.company.com;

  ssl on;
  (ssl certificates blah blah)

  location /gerrit/ {
    proxy_pass        http://127.0.0.1:8081/gerrit/;
    proxy_set_header  X-Forwarded-For $remote_addr;
    proxy_set_header  Host $host;
  }
}

Edit:

Try this proxy_pass to avoid decoding:

proxy_pass    http://127.0.0.1:8081/gerrit$request_uri;
Jan Garaj
  • Thanks for your answer, Jan Garaj. With your setup, everything works fine, except URLs with escaped characters in them (which are quite a few in Gerrit.) This leads to lots of 404 on the site, similar to what's being experienced in my link to the Google Groups discussion in the question. The only way to make it work is to ensure nothing after the port number in the proxy_pass directive in the nginx configuration. – bolind Jul 12 '19 at 10:19
  • Thanks again, Jan Garaj, I tried some variation of the $request_uri trick but couldn't make it work, that's not to say that it doesn't. – bolind Jul 15 '19 at 08:03
1

The last discussion you link, https://groups.google.com/forum/#!topic/repo-discuss/iSHHa4krRLo, actually does contain a resolution:

"However, for the record, I give a try to nginx with a proxy_pass directive without /gerrit and it worked."

This is because you should not be using a trailing slash, or any other path specification within proxy_pass, as per https://stackoverflow.com/a/49702013, that you and they both reference, in order to prevent the path from being normalised and decoded.


gerrit.config:

[gerrit]
    canonicalWebUrl = https://dev.example.com/gerrit/
[httpd]
    listenUrl = proxy-https://127.0.0.1:8081/gerrit/

nginx.conf:

server {
  listen 443;
  server_name dev.example.com;

  ssl  on;
  ssl_certificate      conf/server.crt;
  ssl_certificate_key  conf/server.key;

  location ^~ /gerrit/ {
    proxy_pass        http://127.0.0.1:8081;
    proxy_set_header  X-Forwarded-For $remote_addr;
    proxy_set_header  Host $host;
  }
}

This whole thing is really straight out of https://gerrit-review.googlesource.com/Documentation/config-reverseproxy.html, TBH.

It would seem that a trailing /gerrit/ in httpd.listenUrl, and a lack of trailing / in proxy_pass, are the changes you need to make to your config for things to work properly.

The issue you're having with escaped characters being decoded is, indeed, described over at https://stackoverflow.com/a/49702013, and is precisely due to the trailing slash in proxy_pass that you were using without a good reason.

cnst
  • It works! I think I had tried your settings previously, but something was cached in Chrome which led to a redirect loop and a really weird 404 with "Not found" being the only text sent. (Never did figure out whether that was sent by nginx or Gerrit.) The site worked in incognito, so clearing the cache (and maybe cookies) seemed to do the trick. Thanks again! – bolind Jul 15 '19 at 08:02
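
The difference between the three proxy_pass variants in this thread, as an added example (not code from the posts, nginx or Gerrit): a simplified Python model of how nginx forms the upstream URI for a prefix location, with or without a path part in proxy_pass. The function names and the sample URL are constructed for illustration; the model covers decoding, slash merging, dot segments and re-escaping only.

```python
import re
from urllib.parse import unquote_to_bytes

def normalize(path):
    """Simplified model of nginx's normalized $uri: percent-decode,
    merge repeated slashes, resolve "." and ".." segments."""
    decoded = unquote_to_bytes(path).decode("latin-1")
    out = []
    for seg in re.sub(r"/{2,}", "/", decoded).split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)

def reescape(path):
    """Re-encode only what nginx escapes in a rewritten URI (space, '#', '%',
    '?', control and non-ASCII bytes). '/' is not among them."""
    return "".join(
        "%%%02X" % ord(c) if ord(c) <= 0x20 or ord(c) >= 0x7F or c in "#%?" else c
        for c in path
    )

def upstream_uri(request_uri, location, pass_uri=None):
    """URI sent to the backend for a request matched by a prefix location.
    pass_uri is the path part of proxy_pass, or None when there is none."""
    if pass_uri is None:
        return request_uri  # forwarded exactly as the client sent it
    path, sep, args = request_uri.partition("?")
    uri = normalize(path)
    if not uri.startswith(location):
        raise ValueError("request does not match location " + location)
    return pass_uri + reescape(uri[len(location):]) + sep + args

# Constructed sample: a Gerrit REST URL whose project name contains an encoded slash.
SAMPLE = "/gerrit/projects/plugins%2Freplication/branches?n=5"

if __name__ == "__main__":
    for label, pass_uri in [("proxy_pass http://127.0.0.1:8081/;", "/"),
                            ("proxy_pass http://127.0.0.1:8081/gerrit/;", "/gerrit/"),
                            ("proxy_pass http://127.0.0.1:8081;", None)]:
        print(f"{label:45} -> {upstream_uri(SAMPLE, '/gerrit/', pass_uri)}")
```

Only the last variant keeps %2F intact. Because nginx selects the location on the normalized URI, a backend that applies its own path rules to the raw URI can see a different path than the one nginx matched.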