Issue 2987: SSLVPN Login Loop, Code Review - Session Expired
Status:  New
Owner: ----
Reported by plama...@gmail.com, Oct 23, 2014

Affected Version:

2.9.x

What steps will reproduce the problem?
1. Minimum Gerrit Version 2.9.
2. Create a Juniper Web resource pointed at the reverse-proxy canonical URL of Gerrit, or directly to Gerrit if not using reverse-proxy.
3. Connect to the Juniper VPN and access the web resource.

What is the expected output?
In version 2.8.6, Gerrit was fully functional as a web resource in a Juniper VPN.  I am able to sign in as an LDAP user and navigate Gerrit as expected.


What do you see instead?
Navigating to the resource produces an endless loop of Code Review - Session Expired pop-up windows. This produces the following Apache logs:
<client-ip> - - [23/Oct/2014:09:31:47 -0400] "GET /gerrit HTTP/1.0" 302 -
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/ HTTP/1.0" 200 2549
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/gerrit_ui/gerrit_ui.nocache.js?content=a19c961d361daec9673182c048d03006 HTTP/1.0" 200 7373
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/favicon.ico HTTP/1.0" 304 -
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css HTTP/1.0" 200 27207
<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/gerrit_ui/E582C6B99F6990412E3FDE3FC4EDDE00.cache.js HTTP/1.0" 200 660655

....Code Review - Session Expired window pops here, then click sign in and get the following invalid url:

<client-ip> - - [23/Oct/2014:09:32:58 -0400] "GET /gerrit//login/ HTTP/1.0" 404 9

...which of course results in a "not found"

Please provide any additional information below.
Gerrit and the sign in process, of course, work properly outside of the SSL VPN wrapper.  The sign-in related httpd log is as such on the inside:

<client-ip> - - [23/Oct/2014:10:54:51 -0400] "GET /gerrit/login/q/status:open HTTP/1.1" 401 1937 "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

I have AllowEncodedSlashes and nocanon in my proxy server.  I tried removing both of these directives and receive the same behavior, so I don't necessarily think a selective enabling of AllowEncodedSlashes will help me here (but could be wrong).  I can investigate using a rewrite rule if you think it would be worthwhile.  Also, I reconfigured Gerrit to run non-SSL and took the reverse proxy out of the loop.  I receive the same behavior with a Juniper web resource pointed directly to the Gerrit app:

<client-ip> - - [23/Oct/2014:10:43:01 -0400] "GET /gerrit HTTP/1.0" 302 - - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:01 -0400] "GET /gerrit/ HTTP/1.0" 200 2549 - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:01 -0400] "GET /gerrit/gerrit_ui/gerrit_ui.nocache.js?content=a19c961d361daec9673182c048d03006 HTTP/1.0" 200 - "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:02 -0400] "GET /gerrit/favicon.ico HTTP/1.0" 200 - - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:02 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css HTTP/1.0" 200 - "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:02 -0400] "GET /gerrit/gerrit_ui/E582C6B99F6990412E3FDE3FC4EDDE00.cache.js HTTP/1.0" 200 - "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:03 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/images/vborder.png HTTP/1.0" 200 - "http://servername:8086/gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:03 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/images/hborder.png HTTP/1.0" 304 - "http://servername:8086/gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"
<client-ip> - - [23/Oct/2014:10:43:03 -0400] "GET /gerrit/gerrit_ui/gwt/chrome/images/corner.png HTTP/1.0" 304 - "http://servername:8086/gerrit/gerrit_ui/gwt/chrome/D0373A752B87FEB5C8DD3B45567F633E.cache.css "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"

....Code Review - Session Expired window here, then click sign in and get the following invalid url:

<client-ip> - - [23/Oct/2014:10:39:20 -0400] "GET /gerrit//login/ HTTP/1.0" 404 9 "http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0"

I certainly don't expect Gerrit to be compatible with every SSL VPN under the sun.  I only submit because this behavior changed from 2.8 to 2.9 and I'm hoping that these httpd logs might expose a simple bug fix that would help me tremendously.  So I'm starting with Gerrit, but this could be a Juniper problem.  In any case, I appreciate your help.
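
Added example, not part of the original report and not Gerrit or Juniper code: a small Python triage check that scans access-log lines like those above for request paths containing an empty segment (`//`), such as the `/gerrit//login/` request that returned 404. The function names are hypothetical; the sample lines are copied from the report, and only the request line and status are parsed because the referer field in these logs is missing its closing quote.

```python
import re
from urllib.parse import urlsplit

# Request line and status of an Apache common/combined log entry.
# Later fields (size, referer, user agent) are ignored on purpose:
# the referer in the reported logs is malformed and would break a strict parser.
LINE_RE = re.compile(
    r'\[(?P<time>[^\]]+)\]\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)'
    r'\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

def request_path(target):
    """Return the path part of a request target, without the query string."""
    if target.startswith("/"):
        return target.split("?", 1)[0]
    return urlsplit(target).path  # absolute-form target, e.g. via a proxy

def find_empty_segment_requests(lines):
    """Return (time, path, status) for requests whose path contains '//'."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an access-log entry (e.g. the reporter's notes)
        path = request_path(m.group("target"))
        if "//" in path:
            hits.append((m.group("time"), path, int(m.group("status"))))
    return hits

def collapse_slashes(path):
    """Collapse repeated slashes, for comparison with the expected path only."""
    return re.sub(r"/{2,}", "/", path)

# Lines copied from the report above.
SAMPLE = [
    '<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/ HTTP/1.0" 200 2549',
    '<client-ip> - - [23/Oct/2014:09:31:48 -0400] "GET /gerrit/gerrit_ui/'
    'gerrit_ui.nocache.js?content=a19c961d361daec9673182c048d03006 HTTP/1.0" 200 7373',
    '....Code Review - Session Expired window pops here',
    '<client-ip> - - [23/Oct/2014:09:32:58 -0400] "GET /gerrit//login/ HTTP/1.0" 404 9',
    '<client-ip> - - [23/Oct/2014:10:39:20 -0400] "GET /gerrit//login/ HTTP/1.0" 404 9 '
    '"http://servername:8086/gerrit/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) '
    'Gecko/20100101 Firefox/32.0"',
]

if __name__ == "__main__":
    for when, path, status in find_empty_segment_requests(SAMPLE):
        print(f"{when}  {status}  {path}  (collapsed: {collapse_slashes(path)})")
```

Run against the proxy's and Gerrit's httpd logs, this separates the malformed sign-in requests from normal traffic, so the two sides of the VPN can be compared.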