authorJames Moger <james.moger@gitblit.com>2013-10-27 11:05:11 -0400
committerJames Moger <james.moger@gitblit.com>2013-10-27 11:05:11 -0400
commit9c7bb3d377a0637ff034be407cb9c03c606647a9 (patch)
tree544a3924183b75d62c5b852736008a79600d0b49 /src/main
parentaae137d5da475ec72f271811a848d426f05c1b8e (diff)
Add setting to automatically redirect http requests to the https port
Change-Id: I33966b8292434c10ffd623838d09527aaebaca5f
Diffstat (limited to 'src/main')
-rw-r--r--src/main/distrib/data/gitblit.properties14
-rw-r--r--src/main/java/com/gitblit/GitBlitServer.java29
2 files changed, 41 insertions, 2 deletions
diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties
index 7c62c5ad..41aa5a33 100644
--- a/src/main/distrib/data/gitblit.properties
+++ b/src/main/distrib/data/gitblit.properties
@@ -1545,6 +1545,16 @@ server.httpsPort = 8443
# RESTART REQUIRED
server.ajpPort = 0
+# Automatically redirect http requests to the secure https connector.
+#
+# This setting requires that you have configured server.httpPort and server.httpsPort.
+# Unless you are on a private LAN where you trust all client connections, it is
+# recommended to use https for all communications.
+#
+# SINCE 1.4.0
+# RESTART REQUIRED
+server.redirectToHttpsPort = true
+
# Specify the interface for Jetty to bind the standard connector.
# You may specify an ip or an empty value to bind to all interfaces.
# Specifying localhost will result in Gitblit ONLY listening to requests to
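Review bot: The comment for `server.redirectToHttpsPort` does not say that the redirect is only issued after a plain-http request has already been received. Whatever a client places in that first request (cookies, or credentials if it sends them pre-emptively) still travels unencrypted. Because the default is `true`, an existing install with both ports configured starts redirecting on upgrade without opting in. I would add a line such as `# The redirect does not protect the initial http request; set server.httpPort = 0 to refuse plain http entirely.` and mention the default in the upgrade notes.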
@@ -1552,7 +1562,7 @@ server.ajpPort = 0
#
# SINCE 0.5.0
# RESTART REQUIRED
-server.httpBindInterface = localhost
+server.httpBindInterface =
# Specify the interface for Jetty to bind the secure connector.
# You may specify an ip or an empty value to bind to all interfaces.
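Review bot: The shipped default for `server.httpBindInterface` changes from `localhost` to empty here, and the next hunk does the same for `server.httpsBindInterface`. According to the surrounding comments an empty value binds to all interfaces, so a fresh install now listens on every network interface rather than loopback only. The commit message only describes the redirect setting, so this wider exposure should be called out in the release notes or split into its own commit. If the new default is intended, I would add a line such as `# An empty value exposes this connector on every interface; use localhost to restrict it to the local machine.` above each setting.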
@@ -1561,7 +1571,7 @@ server.httpBindInterface = localhost
#
# SINCE 0.5.0
# RESTART REQUIRED
-server.httpsBindInterface = localhost
+server.httpsBindInterface =
# Specify the interface for Jetty to bind the AJP connector.
# You may specify an ip or an empty value to bind to all interfaces.
diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java
index ca2f7ebb..0c5000cf 100644
--- a/src/main/java/com/gitblit/GitBlitServer.java
+++ b/src/main/java/com/gitblit/GitBlitServer.java
@@ -36,6 +36,8 @@ import java.util.List;
import java.util.Scanner;
import org.eclipse.jetty.ajp.Ajp13SocketConnector;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.bio.SocketConnector;
@@ -44,6 +46,7 @@ import org.eclipse.jetty.server.session.HashSessionManager;
import org.eclipse.jetty.server.ssl.SslConnector;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.server.ssl.SslSocketConnector;
+import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.eclipse.jetty.webapp.WebAppContext;
import org.eclipse.jgit.storage.file.FileBasedConfig;
@@ -213,6 +216,14 @@ public class GitBlitServer {
if (params.port < 1024 && !isWindows()) {
logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
}
+ if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+ // redirect HTTP requests to HTTPS
+ if (httpConnector instanceof SelectChannelConnector) {
+ ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort);
+ } else {
+ ((SocketConnector) httpConnector).setConfidentialPort(params.securePort);
+ }
+ }
connectors.add(httpConnector);
}
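Review bot: The `else` branch casts `httpConnector` to `SocketConnector` without checking its type, so any other connector implementation would fail with a `ClassCastException` at startup. Both classes inherit `setConfidentialPort` from Jetty's `AbstractConnector`, so a single `((AbstractConnector) httpConnector).setConfidentialPort(params.securePort);` would likely replace the whole `instanceof` branch, provided that class is imported. The condition `params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)` is repeated verbatim in the later hunk that installs the security handler. Computing it once into a local such as `boolean redirectToHttps` would keep the two sites from drifting apart. The enclosing method starts and ends outside this hunk.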
@@ -380,6 +391,24 @@ public class GitBlitServer {
// Set the server's contexts
server.setHandler(rootContext);
+ // redirect HTTP requests to HTTPS
+ if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+ logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort));
+ // Create the internal mechanisms to handle secure connections and redirects
+ Constraint constraint = new Constraint();
+ constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
+
+ ConstraintMapping cm = new ConstraintMapping();
+ cm.setConstraint(constraint);
+ cm.setPathSpec("/*");
+
+ ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
+ sh.setConstraintMappings(new ConstraintMapping[] { cm });
+
+ // Configure this context to use the Security Handler defined before
+ rootContext.setHandler(sh);
+ }
+
// Setup the GitBlit context
GitBlit gitblit = getGitBlitInstance();
gitblit.configureContext(settings, baseFolder, true);
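Review bot: The `DC_CONFIDENTIAL` constraint on `/*` is installed purely from the configured port numbers, with no check in this hunk that an https connector was actually added to the server. If the secure connector can be skipped elsewhere in the method (not visible here, for example when no keystore is available), every http request would be redirected to a port nothing listens on. I would gate this block on the secure connector having been created, or at least add `// assumes the https connector on params.securePort was started; otherwise all http requests redirect to a closed port`. Separately, if `rootContext` is a `WebAppContext`, `rootContext.setSecurityHandler(sh)` states the intent more directly than `rootContext.setHandler(sh)`; confirm that the handler chain stays the same before switching.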