Affected Version:
2.9.x
What steps will reproduce the problem?
1. Minimum Gerrit Version 2.9.
2. Create a Juniper Web resource pointed at the reverse-proxy canonical url of Gerrit, or directly to Gerrit if not using reverse-proxy.
3. Connect to the Juniper VPN and access the web resource.
What is the expected output?
In version 2.8.6, Gerrit was fully functional as a web resource in a Juniper VPN. I am able to sign in as an LDAP user and navigate Gerrit as expected.
What do you see instead?
Navigating to the resource produces an endless loop of Code Review - Session Expired pop-up windows. This produces the following Apache logs:
<client-ip> - - [23/Oct/2014:09:31:47 -0400] "GET /gerrit HTTP/1.0" 302 -
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/ HTTP/1.0" 200 2549
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/gerrit_ui/gerrit_ui.nocache.js?content=a19c961d361daec9673182c048d03006 HTTP/1.0" 200 7373
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/favicon.ico HTTP/1.0" 304 -
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css HTTP/1.0" 200 27207
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/gerrit_ui/E582C6B99F6990412E3FDE3FC4EDDE00.cache.js HTTP/1.0" 200 660655
....Code Review - Session Expired window pops here, then click sign in and get the following invalid URL:
<client-ip> - - [23/Oct/2014:09:32:58 -0400] "GET /gerrit//login/ HTTP/1.0" 404 9
...which of course results in a "not found"
Please provide any additional information below.
Gerrit and the sign in process, of course, work properly outside of the SSL VPN wrapper. The sign-in related httpd log is as such on the inside:
<client-ip> - - [23/Oct/2014:10:54:51 -0400] "GET /gerrit/login/q/status:open HTTP/1.1" 401 1937 "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
I have AllowEncodedSlashes and nocanon in my proxy server. I tried removing both of these directives and receive the same behavior, so I don't necessarily think a selective enabling of AllowEncodedSlashes will help me here (but could be wrong). I can investigate using a rewrite rule if you think it would be worthwhile. Also, I reconfigured Gerrit to run non-SSL and took the reverse proxy out of the loop. I receive the same behavior with a Juniper web resource pointed directly to the Gerrit app:
<client-ip> - - [23/Oct/2014:10:43:01 -0400] "GET /gerrit HTTP/1.0" 302 - - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:01 -0400] "GET /gerrit/ HTTP/1.0" 200 2549 - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:01 -0400] "GET /gerrit/gerrit_ui/gerrit_ui.nocache.js?content=a19c961d361daec9673182c048d03006 HTTP/1.0" 200 - "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:02 -0400] "GET /gerrit/favicon.ico HTTP/1.0" 200 - - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:02 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css HTTP/1.0" 200 - "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:02 -0400] "GET /gerrit/gerrit_ui/E582C6B99F6990412E3FDE3FC4EDDE00.cache.js HTTP/1.0" 200 - "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:03 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/images/vborder.png HTTP/1.0" 200 - "http://servername:8086/gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:03 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/images/hborder.png HTTP/1.0" 304 - "http://servername:8086/gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:03 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/images/corner.png HTTP/1.0" 304 - "http://servername:8086/gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
....Code Review - Session Expired window here, then click sign in and get the following invalid URL:
<client-ip> - - [23/Oct/2014:10:39:20 -0400] "GET /gerrit//login/ HTTP/1.0" 404 9 "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
I certainly don't expect Gerrit to be compatible with every SSL VPN under the sun. I only submit because this behavior changed from 2.8 to 2.9 and I'm hoping that these httpd logs might expose a simple bug fix that would help me tremendously. So I'm starting with Gerrit, but this could be a Juniper problem. In any case, I appreciate your help.
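A triage helper for access logs like the ones in this report, added here as an example (it is not part of the original report or of Gerrit): it pulls out every 404 whose path contains an empty segment, such as `/gerrit//login/`, and lists the HTTP versions seen. The function names are hypothetical, and the sample entries are copied from the report.

```python
import re

# Parses an Apache access-log entry up to the response size, so the same pattern
# covers both layouts in the report (with and without referer/user-agent fields).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Entries copied from the report above; <client-ip> is the report's own placeholder.
SAMPLE = [
    r'<client-ip> - - [23/Oct/2014:09:31:47 -0400] "GET /gerrit HTTP/1.0" 302 -',
    r'<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/gerrit_ui/gerrit_ui.nocache.js?content=a19c961d361daec9673182c048d03006 HTTP/1.0" 200 7373',
    r'....Code Review - Session Expired window pops here',
    r'<client-ip> - - [23/Oct/2014:09:32:58 -0400] "GET /gerrit//login/ HTTP/1.0" 404 9',
    r'<client-ip> - - [23/Oct/2014:10:54:51 -0400] "GET /gerrit/login/q/status:open HTTP/1.1" 401 1937 "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"',
    r'<client-ip> - - [23/Oct/2014:10:39:20 -0400] "GET /gerrit//login/ HTTP/1.0" 404 9 "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"',
]

def parse(line):
    """Return the parsed fields of one entry, or None if the line is not an entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["target"].split("?", 1)[0]  # ignore the query string
    return entry

def doubled_slash_404s(lines):
    """List (timestamp, requested path, path with slash runs collapsed) for each 404
    whose path has an empty segment. The collapsed path is a lead to test by hand,
    not a claim about which URL the application expects."""
    hits = []
    for line in lines:
        entry = parse(line)
        if entry and entry["status"] == 404 and "//" in entry["path"]:
            hits.append((entry["ts"], entry["path"], re.sub(r"/{2,}", "/", entry["path"])))
    return hits

def protocols(lines):
    """Set of HTTP versions seen, to compare traffic through the VPN with direct traffic."""
    return {e["proto"] for e in map(parse, lines) if e}

if __name__ == "__main__":
    for ts, path, collapsed in doubled_slash_404s(SAMPLE):
        print(f"{ts}  404 {path}  (collapsed: {collapsed})")
    print("HTTP versions:", sorted(protocols(SAMPLE)))
```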