From 9ef027a8c7502b622f566460d2864ec7bcd0613a Mon Sep 17 00:00:00 2001 From: James Moger Date: Fri, 11 Apr 2014 13:38:46 -0400 Subject: Update to Jetty 9, drop AJP --- .classpath | 5 +- build.moxie | 7 +- gitblit.iml | 23 +-- releases.moxie | 6 +- src/main/java/com/gitblit/GitBlitServer.java | 210 ++++++--------------- .../java/com/gitblit/GitblitSslContextFactory.java | 22 +-- src/site/features.mkd | 1 - src/site/setup_go.mkd | 4 +- src/site/setup_proxy.mkd | 9 +- 9 files changed, 78 insertions(+), 209 deletions(-) diff --git a/.classpath b/.classpath index 7939536b..6b0d864e 100644 --- a/.classpath +++ b/.classpath @@ -14,9 +14,8 @@ - - - + + diff --git a/build.moxie b/build.moxie index 4e567b47..0f7ac81f 100644 --- a/build.moxie +++ b/build.moxie @@ -101,7 +101,7 @@ repositories: central, eclipse-snapshots, eclipse # Convenience properties for dependencies properties: { - jetty.version : 8.1.13.v20130916 + jetty.version : 9.1.4.v20140401 wicket.version : 1.4.21 lucene.version : 4.6.0 jgit.version : 3.3.1.201403241930-r @@ -134,9 +134,8 @@ dependencies: - compile 'org.slf4j:slf4j-api:1.6.6' :war :fedclient :authority - compile 'org.slf4j:slf4j-log4j12:1.6.6' :war :fedclient :authority - compile 'javax.mail:mail:1.4.3' :war :authority -- compile 'javax.servlet:javax.servlet-api:3.0.1' :fedclient -- compile 'org.eclipse.jetty.aggregate:jetty-webapp:${jetty.version}' @jar -- compile 'org.eclipse.jetty:jetty-ajp:${jetty.version}' @jar +- compile 'javax.servlet:javax.servlet-api:3.1.0' :fedclient +- compile 'org.eclipse.jetty.aggregate:jetty-all:${jetty.version}' @jar - compile 'org.apache.wicket:wicket:${wicket.version}' :war !org.mockito - compile 'org.apache.wicket:wicket-auth-roles:${wicket.version}' :war !org.mockito - compile 'org.apache.wicket:wicket-extensions:${wicket.version}' :war !org.mockito diff --git a/gitblit.iml b/gitblit.iml index bd5df9b7..69bd8e46 100644 --- a/gitblit.iml +++ b/gitblit.iml @@ -113,35 +113,24 @@ - + - + - + - + - + - - - - - - - - - - - - + diff --git a/releases.moxie b/releases.moxie index 1d260905..2a69c985 100644 --- a/releases.moxie +++ b/releases.moxie @@ -24,7 +24,10 @@ r22: { - Option to allow LDAP users to directly authenticate without performing LDAP searches (pr-162) - Replace JCommander with args4j to be consistent with other tools (ticket-28) - Sort repository urls by descending permissions and by transport security within equal permissions - - Move to Java 7 + - Move to Java 7 & updated to Jetty 9.1.4 + - dropped AJP support because it has been removed from upstream Jetty + - dropped settings: server.useNio, server.ajpPort, server.ajpBindInterface + - dropped GO parameters: --ajpPort, --useNio additions: - Added an SSH daemon with public key authentication (issue-369, ticket-6) - Added beginnings of a plugin framework for extending Gitblit (issue-381, ticket-23) @@ -32,6 +35,7 @@ r22: { - Added a setting to control what transports may be used for pushes dependencyChanges: - Java 7 + - Jetty 9.1.4 - args4j 2.0.26 - JGit 3.3.1 - Mina SSHD 0.10.1 diff --git a/src/main/java/com/gitblit/GitBlitServer.java b/src/main/java/com/gitblit/GitBlitServer.java index c37bc3a1..4191e9b4 100644 --- a/src/main/java/com/gitblit/GitBlitServer.java +++ b/src/main/java/com/gitblit/GitBlitServer.java @@ -38,17 +38,13 @@ import java.util.Properties; import java.util.Scanner; import org.apache.log4j.PropertyConfigurator; -import org.eclipse.jetty.ajp.Ajp13SocketConnector; import org.eclipse.jetty.security.ConstraintMapping; import org.eclipse.jetty.security.ConstraintSecurityHandler; -import org.eclipse.jetty.server.Connector; +import org.eclipse.jetty.server.HttpConfiguration; +import org.eclipse.jetty.server.HttpConnectionFactory; import org.eclipse.jetty.server.Server; -import org.eclipse.jetty.server.bio.SocketConnector; -import org.eclipse.jetty.server.nio.SelectChannelConnector; +import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.session.HashSessionManager; -import org.eclipse.jetty.server.ssl.SslConnector; -import org.eclipse.jetty.server.ssl.SslSelectChannelConnector; -import org.eclipse.jetty.server.ssl.SslSocketConnector; import org.eclipse.jetty.util.security.Constraint; import org.eclipse.jetty.util.thread.QueuedThreadPool; import org.eclipse.jetty.webapp.WebAppContext; @@ -233,31 +229,15 @@ public class GitBlitServer { String osversion = System.getProperty("os.version"); logger.info("Running on " + osname + " (" + osversion + ")"); - List connectors = new ArrayList(); - - // conditionally configure the http connector - if (params.port > 0) { - Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50)); - String bindInterface = settings.getString(Keys.server.httpBindInterface, null); - if (!StringUtils.isEmpty(bindInterface)) { - logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", - params.port, bindInterface)); - httpConnector.setHost(bindInterface); - } - if (params.port < 1024 && !isWindows()) { - logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); - } - if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { - // redirect HTTP requests to HTTPS - if (httpConnector instanceof SelectChannelConnector) { - ((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort); - } else { - ((SocketConnector) httpConnector).setConfidentialPort(params.securePort); - } - } - connectors.add(httpConnector); + QueuedThreadPool threadPool = new QueuedThreadPool(); + int maxThreads = settings.getInteger(Keys.server.threadPoolSize, 50); + if (maxThreads > 0) { + threadPool.setMaxThreads(maxThreads); } + Server server = new Server(threadPool); + server.setStopAtShutdown(true); + // conditionally configure the https connector if (params.securePort > 0) { File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG); @@ -303,38 +283,70 @@ public class GitBlitServer { }); if (serverKeyStore.exists()) { - Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword, - caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates); + /* + * HTTPS + */ + logger.info("Setting up HTTPS transport on port " + params.securePort); + GitblitSslContextFactory factory = new GitblitSslContextFactory(params.alias, + serverKeyStore, serverTrustStore, params.storePassword, caRevocationList); + if (params.requireClientCertificates) { + factory.setNeedClientAuth(true); + } else { + factory.setWantClientAuth(true); + } + + ServerConnector connector = new ServerConnector(server, factory); + connector.setSoLingerTime(-1); + connector.setIdleTimeout(30000); + connector.setPort(params.securePort); String bindInterface = settings.getString(Keys.server.httpsBindInterface, null); if (!StringUtils.isEmpty(bindInterface)) { logger.warn(MessageFormat.format( - "Binding ssl connector on port {0,number,0} to {1}", params.securePort, + "Binding HTTPS transport on port {0,number,0} to {1}", params.securePort, bindInterface)); - secureConnector.setHost(bindInterface); + connector.setHost(bindInterface); } if (params.securePort < 1024 && !isWindows()) { logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); } - connectors.add(secureConnector); + + server.addConnector(connector); } else { logger.warn("Failed to find or load Keystore?"); - logger.warn("SSL connector DISABLED."); + logger.warn("HTTPS transport DISABLED."); } } - // conditionally configure the ajp connector - if (params.ajpPort > 0) { - Connector ajpConnector = createAJPConnector(params.ajpPort); - String bindInterface = settings.getString(Keys.server.ajpBindInterface, null); + // conditionally configure the http transport + if (params.port > 0) { + /* + * HTTP + */ + logger.info("Setting up HTTP transport on port " + params.port); + + HttpConfiguration httpConfig = new HttpConfiguration(); + if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { + httpConfig.setSecureScheme("https"); + httpConfig.setSecurePort(params.securePort); + } + httpConfig.setSendServerVersion(false); + httpConfig.setSendDateHeader(false); + + ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig)); + connector.setSoLingerTime(-1); + connector.setIdleTimeout(30000); + connector.setPort(params.port); + String bindInterface = settings.getString(Keys.server.httpBindInterface, null); if (!StringUtils.isEmpty(bindInterface)) { - logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", - params.ajpPort, bindInterface)); - ajpConnector.setHost(bindInterface); + logger.warn(MessageFormat.format("Binding HTTP transport on port {0,number,0} to {1}", + params.port, bindInterface)); + connector.setHost(bindInterface); } - if (params.ajpPort < 1024 && !isWindows()) { + if (params.port < 1024 && !isWindows()) { logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); } - connectors.add(ajpConnector); + + server.addConnector(connector); } // tempDir is where the embedded Gitblit web application is expanded and @@ -351,10 +363,6 @@ public class GitBlitServer { logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath()); } - Server server = new Server(); - server.setStopAtShutdown(true); - server.setConnectors(connectors.toArray(new Connector[connectors.size()])); - // Get the execution path of this class // We use this to set the WAR path. ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain(); @@ -465,104 +473,6 @@ public class GitBlitServer { return new GitblitContext(settings, baseFolder); } - /** - * Creates an http connector. - * - * @param useNIO - * @param port - * @param threadPoolSize - * @return an http connector - */ - private Connector createConnector(boolean useNIO, int port, int threadPoolSize) { - Connector connector; - if (useNIO) { - logger.info("Setting up NIO SelectChannelConnector on port " + port); - SelectChannelConnector nioconn = new SelectChannelConnector(); - nioconn.setSoLingerTime(-1); - if (threadPoolSize > 0) { - nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); - } - connector = nioconn; - } else { - logger.info("Setting up SocketConnector on port " + port); - SocketConnector sockconn = new SocketConnector(); - if (threadPoolSize > 0) { - sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); - } - connector = sockconn; - } - - connector.setPort(port); - connector.setMaxIdleTime(30000); - return connector; - } - - /** - * Creates an https connector. - * - * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later. - * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html - * - * @param certAlias - * @param keyStore - * @param clientTrustStore - * @param storePassword - * @param caRevocationList - * @param useNIO - * @param port - * @param threadPoolSize - * @param requireClientCertificates - * @return an https connector - */ - private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore, - String storePassword, File caRevocationList, boolean useNIO, int port, int threadPoolSize, - boolean requireClientCertificates) { - GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias, - keyStore, clientTrustStore, storePassword, caRevocationList); - SslConnector connector; - if (useNIO) { - logger.info("Setting up NIO SslSelectChannelConnector on port " + port); - SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory); - ssl.setSoLingerTime(-1); - if (requireClientCertificates) { - factory.setNeedClientAuth(true); - } else { - factory.setWantClientAuth(true); - } - if (threadPoolSize > 0) { - ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); - } - connector = ssl; - } else { - logger.info("Setting up NIO SslSocketConnector on port " + port); - SslSocketConnector ssl = new SslSocketConnector(factory); - if (threadPoolSize > 0) { - ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); - } - connector = ssl; - } - connector.setPort(port); - connector.setMaxIdleTime(30000); - - return connector; - } - - /** - * Creates an ajp connector. - * - * @param port - * @return an ajp connector - */ - private Connector createAJPConnector(int port) { - logger.info("Setting up AJP Connector on port " + port); - Ajp13SocketConnector ajp = new Ajp13SocketConnector(); - ajp.setPort(port); - if (port < 1024 && !isWindows()) { - logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); - } - return ajp; - } - /** * Tests to see if the operating system is Windows. * @@ -664,18 +574,12 @@ public class GitBlitServer { /* * JETTY Parameters */ - @Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.") - public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true); - @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT") public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0); @Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT") public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443); - @Option(name = "--ajpPort", usage = "AJP port to serve. (port <= 0 will disable this connector)", metaVar="PORT") - public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0); - @Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT") public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418); diff --git a/src/main/java/com/gitblit/GitblitSslContextFactory.java b/src/main/java/com/gitblit/GitblitSslContextFactory.java index 2a4735e6..9dd89b61 100644 --- a/src/main/java/com/gitblit/GitblitSslContextFactory.java +++ b/src/main/java/com/gitblit/GitblitSslContextFactory.java @@ -47,32 +47,12 @@ public class GitblitSslContextFactory extends SslContextFactory { this.caRevocationList = caRevocationList; - // disable renegotiation unless this is a patched JVM - boolean allowRenegotiation = false; - String v = System.getProperty("java.version"); - if (v.startsWith("1.7")) { - allowRenegotiation = true; - } else if (v.startsWith("1.6")) { - // 1.6.0_22 was first release with RFC-5746 implemented fix. - if (v.indexOf('_') > -1) { - String b = v.substring(v.indexOf('_') + 1); - if (Integer.parseInt(b) >= 22) { - allowRenegotiation = true; - } - } - } - if (allowRenegotiation) { - logger.info(" allowing SSL renegotiation on Java " + v); - setAllowRenegotiate(allowRenegotiation); - } - - if (!StringUtils.isEmpty(certAlias)) { logger.info(" certificate alias = " + certAlias); setCertAlias(certAlias); } setKeyStorePassword(storePassword); - setTrustStore(clientTrustStore.getAbsolutePath()); + setTrustStorePath(clientTrustStore.getAbsolutePath()); setTrustStorePassword(storePassword); logger.info(" keyStorePath = " + keyStore.getAbsolutePath()); diff --git a/src/site/features.mkd b/src/site/features.mkd index dc048804..5981f834 100644 --- a/src/site/features.mkd +++ b/src/site/features.mkd @@ -76,7 +76,6 @@ - Integrated GUI tool to facilitate x509 PKI including ssl and client certificate generation, client certificate revocation, and client certificate distribution - Single text file for configuring server and gitblit - A Windows service installation script and configuration tool -- Built-in AJP connector for Apache httpd ## Limitations - Built-in access controls are not branch-based, they are repository-based. diff --git a/src/site/setup_go.mkd b/src/site/setup_go.mkd index 2e8f864a..51ca295d 100644 --- a/src/site/setup_go.mkd +++ b/src/site/setup_go.mkd @@ -117,10 +117,10 @@ Command-Line parameters override the values in `gitblit.properties` at runtime. --baseFolder The default base folder for all relative file reference settings --repositoriesFolder Git Repositories Folder --userService Authentication and Authorization Service (filename or fully qualified classname) - --useNio Use NIO Connector else use Socket Connector. --httpPort HTTP port for to serve. (port <= 0 will disable this connector) --httpsPort HTTPS port to serve. (port <= 0 will disable this connector) - --ajpPort AJP port to serve. (port <= 0 will disable this connector) + --sshPort SSH Daemon port to serve. (port <= 0 will disable this daemon) + --gitPort Git Daemon port to serve. (port <= 0 will disable this daemon) --alias Alias in keystore of SSL cert to use for https serving --storePassword Password for SSL (https) keystore. --shutdownPort Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor) diff --git a/src/site/setup_proxy.mkd b/src/site/setup_proxy.mkd index f1435f12..4ae89875 100644 --- a/src/site/setup_proxy.mkd +++ b/src/site/setup_proxy.mkd @@ -1,6 +1,6 @@ ## Running Gitblit behind Apache -Gitblit runs fine behind Apache. You may use either *mod_proxy* (GO or WAR) or *mod_proxy_ajp* (GO). +Gitblit runs fine behind Apache. Each Linux distribution may vary on the exact configuration of Apache 2.2. Here is a sample configuration that works on Debian 7.0 (Wheezy), your distribution may be different. @@ -13,7 +13,6 @@ cd /etc/apache2/mods-enabled ln -s ../mods-available/proxy.load proxy.load ln -s ../mods-available/proxy_balancer.load proxy_balancer.load ln -s ../mods-available/proxy_http.load proxy_http.load -ln -s ../mods-available/proxy_ajp.load proxy_ajp.load ``` ### Configuring Apache to use the proxy modules @@ -57,16 +56,12 @@ ProxyPreserveHost On # context path for your repository url. # If you are not using subdomain proxying, then ignore this setting. #RequestHeader set X-Forwarded-Context / - -#ProxyPass /gitblit ajp://localhost:8009/gitblit ``` **Please** make sure to: 1. Review the security of these settings as appropriate for your deployment - 2. Uncomment the *ProxyPass* setting for whichever connection you prefer (http/ajp) + 2. Uncomment the *ProxyPass* setting 3. Correctly set the ports and context paths both in the *ProxyPass* definition and your Gitblit installation - If you are using Gitblit GO you can easily configure the AJP connector by specifying a non-zero AJP port. - Please remember that on Linux/UNIX, ports < 1024 require root permissions to open. 4. Set *web.mountParameters=false* in `gitblit.properties` or `web.xml` this will use parameterized URLs. Alternatively, you can respecify *web.forwardSlashCharacter*. -- cgit v1.2.3