Issue 1028: Cannot create new branch if using listenUrl = proxy-http:...
Status:  New
Owner: ----
Reported by stefan.f...@genua.de, Jun 29, 2011
Affected Version: 2.1.8

What steps will reproduce the problem?
1. Configure gerrit with listenUrl = proxy-http://*:8080/gerrit/
2. try to create a new branch in a project via the web UI


What is the expected output? What do you see instead?

Web UI gives 'internal error' and error log has:

[2011-06-29 16:33:56,033] WARN  /gerrit : Error in addBranch
com.google.inject.ProvisionException: Guice provision errors:

1) Cannot get @RemotePeer
  while locating com.google.gerrit.httpd.HttpRemotePeerProvider
  while locating java.net.SocketAddress annotated with interface com.google.gerrit.server.RemotePeer

1 error
	at com.google.inject.InjectorImpl$4.get(InjectorImpl.java:767)
	at com.google.gerrit.server.IdentifiedUser.newRefLogIdent(IdentifiedUser.java:315)
	at com.google.gerrit.server.IdentifiedUser.newRefLogIdent(IdentifiedUser.java:293)
	at com.google.gerrit.httpd.rpc.project.AddBranch.call(AddBranch.java:140)
	at com.google.gerrit.httpd.rpc.project.AddBranch.call(AddBranch.java:49)
	at com.google.gerrit.httpd.rpc.Handler.to(Handler.java:65)
	at com.google.gerrit.httpd.rpc.project.ProjectAdminServiceImpl.addBranch(ProjectAdminServiceImpl.java:108)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:616)
	at com.google.gwtjsonrpc.server.MethodHandle.invoke(MethodHandle.java:91)
	at com.google.gwtjsonrpc.server.JsonServlet.doService(JsonServlet.java:382)
	at com.google.gwtjsonrpc.server.JsonServlet.service(JsonServlet.java:268)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:216)
	at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:141)
	at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:63)
	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:134)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
	at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:76)
	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:129)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
	at com.google.gerrit.httpd.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:54)
	at com.google.inject.servlet.FilterDefinition.doFilter(FilterDefinition.java:129)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:59)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:122)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:110)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1322)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:473)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:921)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:403)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:856)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:114)
	at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:59)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:114)
	at org.eclipse.jetty.server.Server.handle(Server.java:352)
	at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:596)
	at org.eclipse.jetty.server.HttpConnection$RequestHandler.content(HttpConnection.java:1069)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:805)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:218)
	at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:426)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:510)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.access$000(SelectChannelEndPoint.java:34)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:40)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:450)
	at java.lang.Thread.run(Thread.java:636)
Caused by: java.net.UnknownHostException: unknown
	at java.net.InetAddress.getAllByName0(InetAddress.java:1201)
	at java.net.InetAddress.getAllByName(InetAddress.java:1128)
	at java.net.InetAddress.getAllByName(InetAddress.java:1064)
	at java.net.InetAddress.getByName(InetAddress.java:1014)
	at com.google.gerrit.httpd.HttpRemotePeerProvider.get(HttpRemotePeerProvider.java:43)
	at com.google.gerrit.httpd.HttpRemotePeerProvider.get(HttpRemotePeerProvider.java:29)
	at com.google.inject.BoundProviderFactory.get(BoundProviderFactory.java:58)
	at com.google.inject.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:45)
	at com.google.inject.InjectorImpl.callInContext(InjectorImpl.java:811)
	at com.google.inject.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:42)
	at com.google.inject.servlet.ServletScopes$1$1.get(ServletScopes.java:53)
	at com.google.inject.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:48)
	at com.google.inject.InjectorImpl$4$1.call(InjectorImpl.java:758)
	at com.google.inject.InjectorImpl.callInContext(InjectorImpl.java:804)
	at com.google.inject.InjectorImpl$4.get(InjectorImpl.java:754)
	... 52 more

If I switch requestLog on, I see that all requests are logged with 'unknown' peer address in httpd_log.

If I change to listenUrl = http:... (without proxy-), it works (and httpd_log has the correct peer address).

Jun 29, 2011
#1 sop@google.com
What is your reverse proxy server, and how is it configured?

When listenUrl is proxy-http Gerrit Code Review expects certain HTTP headers to be injected by the reverse proxy to let Gerrit know who the remote client is. If those headers are not injected, then the remote peer is "unknown" leading to this error.
Status: AwaitingInformation
Jun 30, 2011
#2 stefan.f...@genua.de
My reverse proxy is Apache httpd 2.2.9 with this configuration:

    ProxyPass         /gerrit/ http://backend:8080/gerrit/
    ProxyPassReverse  /gerrit/ http://backend:8080/gerrit/

It seems the problem is that the reverse proxy is accessed via another squid proxy, which adds

    X-Forwarded-For: unknown

(see http://www.squid-cache.org/Doc/config/forwarded_for/). Apache HTTPD then merges this to

    X-Forwarded-For: unknown, 192.168.3.4

So the bug in gerrit is that it uses the first value in the X-Forwarded-For header while it should be using the last. All values in X-Forwarded-For except for the last value (which is added by the reverse proxy) are not trustworthy and may be faked by any client. The current behaviour seems like a security problem.

Jan 31, 2012
#3 stefan.f...@genua.de
The status is still "AwaitingInformation". I think I have provided the information you requested. Please change the status.
Aug 10, 2015
#4 stefan.f...@genua.de
Ping. Please remove the "AwaitingInformation" status.
Aug 10, 2015
Project Member #5 edwin.ke...@gmail.com
(No comment was entered for this change.)
Status: New
Aug 10, 2015
#6 stefan.f...@genua.de
Thanks.

This still happens with gerrit 2.11.2