Change-Id: I33966b8292434c10ffd623838d09527aaebaca5ftags/v1.4.0
@@ -26,6 +26,7 @@ r20: { | |||
- Removed "show readme" setting in favor of automatic detection | |||
- Support plain text "readme" files | |||
- Determine best commit id (e.g. "master") for the tree and docs pages and use that in links | |||
- By default GO will now bind to all interfaces for both http and https connectors. This simplifies setup for first-time users. | |||
additions: | |||
- Added branch graph image servlet based on EGit's branch graph renderer (issue-194) | |||
- Added option to render Markdown commit messages (issue-203) | |||
@@ -35,6 +36,7 @@ r20: { | |||
- Support intradocument linking in Markdown content using [[WikiLinks]] syntax (issue-324) | |||
- Added setting to globally disable anonymous pushes in the receive pack | |||
- Added a normalized diffstat display to the commit, commitdiff, and compare pages | |||
- Added GO setting to automatically redirect all http requests to the secure https connector | |||
dependencyChanges: | |||
- updated to Jetty 7.6.13 | |||
- updated to JGit 3.1.0 | |||
@@ -45,6 +47,7 @@ r20: { | |||
- { name: 'git.defaultAccessRestriction', defaultValue: 'PUSH' } | |||
- { name: 'web.commitMessageRenderer', defaultValue: 'plain' } | |||
- { name: 'web.showBranchGraph', defaultValue: 'true' } | |||
- { name: 'server.redirectToHttpsPort', defaultValue: 'true' } | |||
contributors: | |||
- James Moger | |||
- Robin Rosenberg |
@@ -1545,6 +1545,16 @@ server.httpsPort = 8443 | |||
# RESTART REQUIRED | |||
server.ajpPort = 0 | |||
# Automatically redirect http requests to the secure https connector. | |||
# | |||
# This setting requires that you have configured server.httpPort and server.httpsPort. | |||
# Unless you are on a private LAN where you trust all client connections, it is | |||
# recommended to use https for all communications. | |||
# | |||
# SINCE 1.4.0 | |||
# RESTART REQUIRED | |||
server.redirectToHttpsPort = true | |||
# Specify the interface for Jetty to bind the standard connector. | |||
# You may specify an ip or an empty value to bind to all interfaces. | |||
# Specifying localhost will result in Gitblit ONLY listening to requests to | |||
@@ -1552,7 +1562,7 @@ server.ajpPort = 0 | |||
# | |||
# SINCE 0.5.0 | |||
# RESTART REQUIRED | |||
server.httpBindInterface = localhost | |||
server.httpBindInterface = | |||
# Specify the interface for Jetty to bind the secure connector. | |||
# You may specify an ip or an empty value to bind to all interfaces. | |||
@@ -1561,7 +1571,7 @@ server.httpBindInterface = localhost | |||
# | |||
# SINCE 0.5.0 | |||
# RESTART REQUIRED | |||
server.httpsBindInterface = localhost | |||
server.httpsBindInterface = | |||
# Specify the interface for Jetty to bind the AJP connector. | |||
# You may specify an ip or an empty value to bind to all interfaces. |
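Review bot: The comment blocks for `server.httpBindInterface` and `server.httpsBindInterface` explain what an empty value does, but nothing says that empty is now the shipped default, so an unedited install listens on every network interface. I would state that next to each value, e.g. `# An empty value (the default) exposes this connector on all interfaces; set localhost to accept local clients only.` The new `server.redirectToHttpsPort` text should also say that the redirect is issued only after the first request has already arrived over plain http, e.g. `# The initial request is still sent unencrypted; disable the http connector where that is not acceptable.` The bind-interface comment blocks are only partly visible in these hunks.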
@@ -36,6 +36,8 @@ import java.util.List; | |||
import java.util.Scanner; | |||
import org.eclipse.jetty.ajp.Ajp13SocketConnector; | |||
import org.eclipse.jetty.security.ConstraintMapping; | |||
import org.eclipse.jetty.security.ConstraintSecurityHandler; | |||
import org.eclipse.jetty.server.Connector; | |||
import org.eclipse.jetty.server.Server; | |||
import org.eclipse.jetty.server.bio.SocketConnector; | |||
@@ -44,6 +46,7 @@ import org.eclipse.jetty.server.session.HashSessionManager; | |||
import org.eclipse.jetty.server.ssl.SslConnector; | |||
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector; | |||
import org.eclipse.jetty.server.ssl.SslSocketConnector; | |||
import org.eclipse.jetty.util.security.Constraint; | |||
import org.eclipse.jetty.util.thread.QueuedThreadPool; | |||
import org.eclipse.jetty.webapp.WebAppContext; | |||
import org.eclipse.jgit.storage.file.FileBasedConfig; | |||
@@ -213,6 +216,14 @@ public class GitBlitServer { | |||
if (params.port < 1024 && !isWindows()) { | |||
logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); | |||
} | |||
if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { | |||
// redirect HTTP requests to HTTPS | |||
if (httpConnector instanceof SelectChannelConnector) { | |||
((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort); | |||
} else { | |||
((SocketConnector) httpConnector).setConfidentialPort(params.securePort); | |||
} | |||
} | |||
connectors.add(httpConnector); | |||
} | |||
@@ -380,6 +391,24 @@ public class GitBlitServer { | |||
// Set the server's contexts | |||
server.setHandler(rootContext); | |||
// redirect HTTP requests to HTTPS | |||
if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { | |||
logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort)); | |||
// Create the internal mechanisms to handle secure connections and redirects | |||
Constraint constraint = new Constraint(); | |||
constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL); | |||
ConstraintMapping cm = new ConstraintMapping(); | |||
cm.setConstraint(constraint); | |||
cm.setPathSpec("/*"); | |||
ConstraintSecurityHandler sh = new ConstraintSecurityHandler(); | |||
sh.setConstraintMappings(new ConstraintMapping[] { cm }); | |||
// Configure this context to use the Security Handler defined before | |||
rootContext.setHandler(sh); | |||
} | |||
// Setup the GitBlit context | |||
GitBlit gitblit = getGitBlitInstance(); | |||
gitblit.configureContext(settings, baseFolder, true); |
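Review bot: The else branch around `setConfidentialPort` casts `httpConnector` to `SocketConnector` without checking its type, so any other connector implementation would fail with a ClassCastException during startup. If both connector classes share a base that declares `setConfidentialPort` (in Jetty 7 that appears to be `AbstractConnector`, which would need an import), one guarded cast replaces the branch: `if (httpConnector instanceof AbstractConnector) { ((AbstractConnector) httpConnector).setConfidentialPort(params.securePort); }`. The same three-part condition is repeated where the `ConstraintSecurityHandler` is installed; evaluating it in one place (a local or a small private helper) keeps the connector's confidential port and the `DC_CONFIDENTIAL` constraint from drifting apart, since a constraint without a confidential port would presumably reject requests rather than redirect them. The enclosing methods start and end outside the visible hunks.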
@@ -5,8 +5,7 @@ | |||
2. The server itself is configured through a simple text file. | |||
Open `data/gitblit.properties` in your favorite text editor and make sure to review and set: | |||
- *server.httpPort* and *server.httpsPort* | |||
- *server.httpBindInterface* and *server.httpsBindInterface* | |||
- *server.storePassword* | |||
- *server.storePassword* | |||
**https** is strongly recommended because passwords are insecurely transmitted form your browser/git client using Basic authentication! | |||
- *git.packedGitLimit* (set larger than the size of your largest repository) | |||
- *git.streamFileThreshold* (set larger than the size of your largest committed file) |