kubitron / redmine_git_hosting

A ChiliProject/Redmine plugin which makes configuring your own git hosting easy.

Git Smart HTTP only working if "HTTPS and HTTP" is selected #18

Closed gituser closed 12 years ago

gituser commented 12 years ago

https://github.com/ericpaulbishop/redmine_git_hosting/issues/103

it also happens on your plugin

kubitron commented 12 years ago

This is odd, because I use the "https only" option all the time (I think it is the default)...

Did you have to do any special configuration to get the passwords working at all originally? What is your server configuration? Are you using apache? Are you using fcgi or passenger?

gituser commented 12 years ago

I'm using nginx + unicorn_rails setup and yes it's not working if I choose https only. It gives me exactly the same error as the topicstarter said in the linked thread:

fatal: https://rnuno@bugs.mysite.com/ta.git/info/refs not found: did you run git update-server-info on the server?

I partially solved this by rewriting all http requests to redmine to https in nginx.conf.

kubitron commented 12 years ago

Question for you: does your redmine installation support https? (i.e. did you set up a server with an ssl key, etc)? Note that under a standard apache configuration, there is actually a separate ssl.conf file for setting up repos handled by ssl.

What happens in plugin code is that it actually checks to see if the connection is an ssl connection. If it isn't, it returns a "not found" error.

My hypothesis is that you are not actually setting up ssl connections for some reason (or you are doing it in a way that fails this test in the plugin code):

def is_ssl?
    return request.ssl? || (request.env['HTTPS']).to_s == 'on' || (request.env['HTTP_X_FORWARDED_PROTO']).to_s == 'https' || (request.env['HTTP_X_FORWARDED_SSL']).to_s == 'on'
end

I suppose it is possible that your hacked configuration is doing ssl but doesn't put in the right headers?

kubitron commented 12 years ago

(p.s. with respect to your original query -- when you turn off the "https only" option, there is no check of the above type. Thus, if your https query was redirected silently to be an http query somehow, then it would go through and you would think you were using https...)

gituser commented 12 years ago

I did set up SSL with a self-signed certificate.

It works just fine with nginx. HTTP requests are being rewritten to HTTPS automatically in nginx.

If I set up 'HTTPS ONLY' it doesn't work, gives me the error I did show before.

If I set up 'HTTPS AND HTTP' it just works.

Note: I'm cloning ofc via git clone https://username@git.site/project.git

gituser commented 12 years ago

ok, I think I got you now.

it happens because nginx is configured to pass queries to ruby via http:// socket instead of https:// with unicorn_rails.

sorry for misunderstanding.

but, still, bit confusing settings in the redmine don't you think?

on passenger it just works with HTTPS_ONLY setting, because passenger is integrated into nginx, thus no redirects to ruby workers.

my nginx.conf looks like this for ssl part:

upstream unicorn_cluster {
        server unix:/var/www/redmine/tmp/sockets/unicorn.sock fail_timeout=0;
}

server {
    listen       443;
    server_name  server;

    access_log  /var/log/nginx/redmine-ssl.access.log;
    error_log   /var/log/nginx/redmine-ssl.error.log;

    ssl on;

    ssl_certificate /etc/ssl/certs/redmine.crt;
    ssl_certificate_key /etc/ssl/private/redmine.key;
    ssl_session_timeout  5m;

    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers   on;

    include proxy.include;
    proxy_redirect off;
    location ~ /\.(ht|svn|git) {
        deny  all;
    }

    root /var/www/redmine/public;
    location / {
        try_files $uri/index.html $uri.html $uri @unicorn;
    }

    location @unicorn {
        proxy_pass http://unicorn_cluster;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /var/www/redmine/public;
    }
}

gituser commented 12 years ago

btw, cloning under http also fails (I guess it's because of the 301 redirect):

~ $ git clone http://username@redmine/project.git
Cloning into site...
Password: 
fatal: invalid server response; got '# service=git-upload-pack?service=upload-pack'

is there any way to display URL https:// instead of http:// in the Git Repository (in redmine) for users for HTTP/HTTPS mode ?

kubitron commented 12 years ago

Note that it works fine with Apache+fcgi as well.

As far as I can tell, this should work, if nginx properly sets the HTTP_X_FORWARDED_PROTO to "https". I don't use nginx, but brief googling seems to indicate that this should happen properly. Is it possible that this header is turned off somehow?

gituser commented 12 years ago

ok, to solve this you need to use this config for unicorn in nginx:

    location @unicorn {
        proxy_pass http://unicorn_cluster;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https; # tells unicorn request comes from https
        proxy_redirect off;
    }

kubitron commented 12 years ago

Can you look at the headers being forwarded to Redmine? I wonder if HTTP_X_FORWARDED_PROTO is set to 'HTTPS' (in caps or something like that)... If so, the plugin code would fail to recognize the https connection.

kubitron commented 12 years ago

Does this set the X-Forwarded-Proto to https only when the incoming protocol is https? You probably don't want to do that unless it is true...
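
Added example, not part of the thread or the plugin's code: the `is_ssl?` test quoted earlier, re-stated over a plain Rack-style env hash and run against constructed envs for the cases discussed here (header missing, header set from `$scheme`, header upper-cased, and a literal `https` applied to a cleartext request). Assumptions: `request.ssl?` is approximated by `env['rack.url_scheme']`, and `tolerant_is_ssl?` is a hypothetical case-insensitive variant, not something the plugin ships.

```ruby
# The plugin's check, re-stated without Rails. request.ssl? is approximated
# by env['rack.url_scheme'] (assumption made for this sketch).
def plugin_is_ssl?(env)
  env['rack.url_scheme'] == 'https' ||
    env['HTTPS'].to_s == 'on' ||
    env['HTTP_X_FORWARDED_PROTO'].to_s == 'https' ||
    env['HTTP_X_FORWARDED_SSL'].to_s == 'on'
end

# Hypothetical tolerant variant: ignores case and surrounding whitespace and
# uses only the first entry of a comma-separated X-Forwarded-Proto chain.
def tolerant_is_ssl?(env)
  proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.downcase
  env['rack.url_scheme'] == 'https' ||
    env['HTTPS'].to_s.downcase == 'on' ||
    proto == 'https' ||
    env['HTTP_X_FORWARDED_SSL'].to_s.strip.downcase == 'on'
end

# Constructed envs, as unicorn sees them behind nginx (proxy_pass http://...).
SAMPLE_ENVS = {
  # TLS terminated at nginx, no X-Forwarded-Proto: the failing setup.
  no_header:     { 'rack.url_scheme' => 'http' },
  # proxy_set_header X-Forwarded-Proto $scheme; on the 443 server.
  scheme_header: { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https' },
  # Header present but upper-cased, the case raised in the thread.
  caps_header:   { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'HTTPS' },
  # The same $scheme directive on a port-80 server reports plain http.
  plain_http:    { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'http' },
  # Literal "https" in a location that also serves port 80: the request was
  # cleartext, but the env is indistinguishable from scheme_header.
  forced_on_80:  { 'rack.url_scheme' => 'http', 'HTTP_X_FORWARDED_PROTO' => 'https' }
}.freeze

# Returns { name => [plugin_result, tolerant_result] } for each sample env.
def evaluate(envs = SAMPLE_ENVS)
  envs.map { |name, env| [name, [plugin_is_ssl?(env), tolerant_is_ssl?(env)]] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  evaluate.each do |name, (strict, tolerant)|
    puts format('%-14s plugin=%-5s tolerant=%s', name, strict, tolerant)
  end
end
```

Because the application only sees the header, the "https only" setting is as trustworthy as the proxy that writes it: the header should be set by nginx from the real connection scheme and the backend socket should not be reachable by clients directly.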

gituser commented 12 years ago

> Does this set the X-Forwarded-Proto to https only when the incoming protocol is https? You probably don't want to do that unless it is true...

yes, I set this header for https section only.

> Can you look at the headers being forwarded to Redmine?

How can I do this? I think it's solved anyways, so no need to look into headers, nginx is sending correct header right now.

Heh, I just saw your message about HTTPS header.. Right after I found a recipe on google and fixed it.

I think it was a mis-configuration, I did change this to:

     location @unicorn {
                include proxy.include;
                proxy_pass http://unicorn_cluster;
                proxy_redirect off;
     }

proxy.include already has relevant entries:

    proxy_set_header   Host $http_host;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;

    client_max_body_size       10m;
    client_body_buffer_size    128k;

    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;

    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;

gituser commented 12 years ago

also, regarding git - should it redirect to https automagically if used for example: git http://username@server/project.git ?

currently, http:// scheme does not work for me.

debug shows

~ $ env GIT_CURL_VERBOSE=1 git clone http://username@server/project.git
Cloning into site...
Password:

< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sat, 25 Feb 2012 01:35:19 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://server/project.git/info/refs?service=git-upload-pack?service=git-upload-pack
<

< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Sat, 25 Feb 2012 01:35:20 GMT
< Content-Type: text/html; charset=utf-8
< Connection: keep-alive
< Status: 401 Unauthorized
< WWW-Authenticate: Basic realm="Application"
< X-Runtime: 7
< Content-Length: 27
< Cache-Control: no-cache
<

< HTTP/1.1 200 OK
< Server: nginx
< Date: Sat, 25 Feb 2012 01:35:20 GMT
< Content-Type: application/x-git-upload-pack?service=upload-pack-advertisement; charset=utf-8
< Connection: keep-alive
< Status: 200 OK
< ETag: "9130dcaa495493fcb721b510da17593e"
< X-Runtime: 51
< Content-Length: 54
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
<

tried to enclose into pre tags, but github failed to output everything :)

kubitron commented 12 years ago

Um... Not sure that git ever handles redirection...

Is there some reason that you need this to work? I believe that the notion is that you need to have the correct URL (including the 'https') during the cloning process...

gituser commented 12 years ago

> Um... Not sure that git ever handles redirection...
>
> Is there some reason that you need this to work? I believe that the notion is that you need to have the correct URL (including the 'https') during the cloning process...

just interesting.

Not really, it works just fine right now and displaying correct git url in the redmine.