<classpathentry kind="lib" path="ext/slf4j-api-1.6.6.jar" sourcepath="ext/src/slf4j-api-1.6.6.jar" /> | <classpathentry kind="lib" path="ext/slf4j-api-1.6.6.jar" sourcepath="ext/src/slf4j-api-1.6.6.jar" /> | ||||
<classpathentry kind="lib" path="ext/slf4j-log4j12-1.6.6.jar" sourcepath="ext/src/slf4j-log4j12-1.6.6.jar" /> | <classpathentry kind="lib" path="ext/slf4j-log4j12-1.6.6.jar" sourcepath="ext/src/slf4j-log4j12-1.6.6.jar" /> | ||||
<classpathentry kind="lib" path="ext/mail-1.4.3.jar" sourcepath="ext/src/mail-1.4.3.jar" /> | <classpathentry kind="lib" path="ext/mail-1.4.3.jar" sourcepath="ext/src/mail-1.4.3.jar" /> | ||||
<classpathentry kind="lib" path="ext/javax.servlet-api-3.0.1.jar" sourcepath="ext/src/javax.servlet-api-3.0.1.jar" /> | |||||
<classpathentry kind="lib" path="ext/jetty-webapp-8.1.13.v20130916.jar" sourcepath="ext/src/jetty-webapp-8.1.13.v20130916.jar" /> | |||||
<classpathentry kind="lib" path="ext/jetty-ajp-8.1.13.v20130916.jar" sourcepath="ext/src/jetty-ajp-8.1.13.v20130916.jar" /> | |||||
<classpathentry kind="lib" path="ext/javax.servlet-api-3.1.0.jar" sourcepath="ext/src/javax.servlet-api-3.1.0.jar" /> | |||||
<classpathentry kind="lib" path="ext/jetty-all-9.1.4.v20140401.jar" sourcepath="ext/src/jetty-all-9.1.4.v20140401.jar" /> | |||||
<classpathentry kind="lib" path="ext/wicket-1.4.21.jar" sourcepath="ext/src/wicket-1.4.21.jar" /> | <classpathentry kind="lib" path="ext/wicket-1.4.21.jar" sourcepath="ext/src/wicket-1.4.21.jar" /> | ||||
<classpathentry kind="lib" path="ext/wicket-auth-roles-1.4.21.jar" sourcepath="ext/src/wicket-auth-roles-1.4.21.jar" /> | <classpathentry kind="lib" path="ext/wicket-auth-roles-1.4.21.jar" sourcepath="ext/src/wicket-auth-roles-1.4.21.jar" /> | ||||
<classpathentry kind="lib" path="ext/wicket-extensions-1.4.21.jar" sourcepath="ext/src/wicket-extensions-1.4.21.jar" /> | <classpathentry kind="lib" path="ext/wicket-extensions-1.4.21.jar" sourcepath="ext/src/wicket-extensions-1.4.21.jar" /> |
# Convenience properties for dependencies | # Convenience properties for dependencies | ||||
properties: { | properties: { | ||||
jetty.version : 8.1.13.v20130916 | |||||
jetty.version : 9.1.4.v20140401 | |||||
wicket.version : 1.4.21 | wicket.version : 1.4.21 | ||||
lucene.version : 4.6.0 | lucene.version : 4.6.0 | ||||
jgit.version : 3.3.1.201403241930-r | jgit.version : 3.3.1.201403241930-r | ||||
- compile 'org.slf4j:slf4j-api:1.6.6' :war :fedclient :authority | - compile 'org.slf4j:slf4j-api:1.6.6' :war :fedclient :authority | ||||
- compile 'org.slf4j:slf4j-log4j12:1.6.6' :war :fedclient :authority | - compile 'org.slf4j:slf4j-log4j12:1.6.6' :war :fedclient :authority | ||||
- compile 'javax.mail:mail:1.4.3' :war :authority | - compile 'javax.mail:mail:1.4.3' :war :authority | ||||
- compile 'javax.servlet:javax.servlet-api:3.0.1' :fedclient | |||||
- compile 'org.eclipse.jetty.aggregate:jetty-webapp:${jetty.version}' @jar | |||||
- compile 'org.eclipse.jetty:jetty-ajp:${jetty.version}' @jar | |||||
- compile 'javax.servlet:javax.servlet-api:3.1.0' :fedclient | |||||
- compile 'org.eclipse.jetty.aggregate:jetty-all:${jetty.version}' @jar | |||||
- compile 'org.apache.wicket:wicket:${wicket.version}' :war !org.mockito | - compile 'org.apache.wicket:wicket:${wicket.version}' :war !org.mockito | ||||
- compile 'org.apache.wicket:wicket-auth-roles:${wicket.version}' :war !org.mockito | - compile 'org.apache.wicket:wicket-auth-roles:${wicket.version}' :war !org.mockito | ||||
- compile 'org.apache.wicket:wicket-extensions:${wicket.version}' :war !org.mockito | - compile 'org.apache.wicket:wicket-extensions:${wicket.version}' :war !org.mockito |
</library> | </library> | ||||
</orderEntry> | </orderEntry> | ||||
<orderEntry type="module-library"> | <orderEntry type="module-library"> | ||||
<library name="javax.servlet-api-3.0.1.jar"> | |||||
<library name="javax.servlet-api-3.1.0.jar"> | |||||
<CLASSES> | <CLASSES> | ||||
<root url="jar://$MODULE_DIR$/ext/javax.servlet-api-3.0.1.jar!/" /> | |||||
<root url="jar://$MODULE_DIR$/ext/javax.servlet-api-3.1.0.jar!/" /> | |||||
</CLASSES> | </CLASSES> | ||||
<JAVADOC /> | <JAVADOC /> | ||||
<SOURCES> | <SOURCES> | ||||
<root url="jar://$MODULE_DIR$/ext/src/javax.servlet-api-3.0.1.jar!/" /> | |||||
<root url="jar://$MODULE_DIR$/ext/src/javax.servlet-api-3.1.0.jar!/" /> | |||||
</SOURCES> | </SOURCES> | ||||
</library> | </library> | ||||
</orderEntry> | </orderEntry> | ||||
<orderEntry type="module-library"> | <orderEntry type="module-library"> | ||||
<library name="jetty-webapp-8.1.13.v20130916.jar"> | |||||
<library name="jetty-all-9.1.4.v20140401.jar"> | |||||
<CLASSES> | <CLASSES> | ||||
<root url="jar://$MODULE_DIR$/ext/jetty-webapp-8.1.13.v20130916.jar!/" /> | |||||
<root url="jar://$MODULE_DIR$/ext/jetty-all-9.1.4.v20140401.jar!/" /> | |||||
</CLASSES> | </CLASSES> | ||||
<JAVADOC /> | <JAVADOC /> | ||||
<SOURCES> | <SOURCES> | ||||
<root url="jar://$MODULE_DIR$/ext/src/jetty-webapp-8.1.13.v20130916.jar!/" /> | |||||
</SOURCES> | |||||
</library> | |||||
</orderEntry> | |||||
<orderEntry type="module-library"> | |||||
<library name="jetty-ajp-8.1.13.v20130916.jar"> | |||||
<CLASSES> | |||||
<root url="jar://$MODULE_DIR$/ext/jetty-ajp-8.1.13.v20130916.jar!/" /> | |||||
</CLASSES> | |||||
<JAVADOC /> | |||||
<SOURCES> | |||||
<root url="jar://$MODULE_DIR$/ext/src/jetty-ajp-8.1.13.v20130916.jar!/" /> | |||||
<root url="jar://$MODULE_DIR$/ext/src/jetty-all-9.1.4.v20140401.jar!/" /> | |||||
</SOURCES> | </SOURCES> | ||||
</library> | </library> | ||||
</orderEntry> | </orderEntry> |
- Option to allow LDAP users to directly authenticate without performing LDAP searches (pr-162) | - Option to allow LDAP users to directly authenticate without performing LDAP searches (pr-162) | ||||
- Replace JCommander with args4j to be consistent with other tools (ticket-28) | - Replace JCommander with args4j to be consistent with other tools (ticket-28) | ||||
- Sort repository urls by descending permissions and by transport security within equal permissions | - Sort repository urls by descending permissions and by transport security within equal permissions | ||||
- Move to Java 7 | |||||
- Move to Java 7 & updated to Jetty 9.1.4 | |||||
- dropped AJP support because it has been removed from upstream Jetty | |||||
- dropped settings: server.useNio, server.ajpPort, server.ajpBindInterface | |||||
- dropped GO parameters: --ajpPort, --useNio | |||||
additions: | additions: | ||||
- Added an SSH daemon with public key authentication (issue-369, ticket-6) | - Added an SSH daemon with public key authentication (issue-369, ticket-6) | ||||
- Added beginnings of a plugin framework for extending Gitblit (issue-381, ticket-23) | - Added beginnings of a plugin framework for extending Gitblit (issue-381, ticket-23) | ||||
- Added a setting to control what transports may be used for pushes | - Added a setting to control what transports may be used for pushes | ||||
dependencyChanges: | dependencyChanges: | ||||
- Java 7 | - Java 7 | ||||
- Jetty 9.1.4 | |||||
- args4j 2.0.26 | - args4j 2.0.26 | ||||
- JGit 3.3.1 | - JGit 3.3.1 | ||||
- Mina SSHD 0.10.1 | - Mina SSHD 0.10.1 |
import java.util.Scanner; | import java.util.Scanner; | ||||
import org.apache.log4j.PropertyConfigurator; | import org.apache.log4j.PropertyConfigurator; | ||||
import org.eclipse.jetty.ajp.Ajp13SocketConnector; | |||||
import org.eclipse.jetty.security.ConstraintMapping; | import org.eclipse.jetty.security.ConstraintMapping; | ||||
import org.eclipse.jetty.security.ConstraintSecurityHandler; | import org.eclipse.jetty.security.ConstraintSecurityHandler; | ||||
import org.eclipse.jetty.server.Connector; | |||||
import org.eclipse.jetty.server.HttpConfiguration; | |||||
import org.eclipse.jetty.server.HttpConnectionFactory; | |||||
import org.eclipse.jetty.server.Server; | import org.eclipse.jetty.server.Server; | ||||
import org.eclipse.jetty.server.bio.SocketConnector; | |||||
import org.eclipse.jetty.server.nio.SelectChannelConnector; | |||||
import org.eclipse.jetty.server.ServerConnector; | |||||
import org.eclipse.jetty.server.session.HashSessionManager; | import org.eclipse.jetty.server.session.HashSessionManager; | ||||
import org.eclipse.jetty.server.ssl.SslConnector; | |||||
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector; | |||||
import org.eclipse.jetty.server.ssl.SslSocketConnector; | |||||
import org.eclipse.jetty.util.security.Constraint; | import org.eclipse.jetty.util.security.Constraint; | ||||
import org.eclipse.jetty.util.thread.QueuedThreadPool; | import org.eclipse.jetty.util.thread.QueuedThreadPool; | ||||
import org.eclipse.jetty.webapp.WebAppContext; | import org.eclipse.jetty.webapp.WebAppContext; | ||||
String osversion = System.getProperty("os.version"); | String osversion = System.getProperty("os.version"); | ||||
logger.info("Running on " + osname + " (" + osversion + ")"); | logger.info("Running on " + osname + " (" + osversion + ")"); | ||||
List<Connector> connectors = new ArrayList<Connector>(); | |||||
// conditionally configure the http connector | |||||
if (params.port > 0) { | |||||
Connector httpConnector = createConnector(params.useNIO, params.port, settings.getInteger(Keys.server.threadPoolSize, 50)); | |||||
String bindInterface = settings.getString(Keys.server.httpBindInterface, null); | |||||
if (!StringUtils.isEmpty(bindInterface)) { | |||||
logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", | |||||
params.port, bindInterface)); | |||||
httpConnector.setHost(bindInterface); | |||||
} | |||||
if (params.port < 1024 && !isWindows()) { | |||||
logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); | |||||
} | |||||
if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { | |||||
// redirect HTTP requests to HTTPS | |||||
if (httpConnector instanceof SelectChannelConnector) { | |||||
((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort); | |||||
} else { | |||||
((SocketConnector) httpConnector).setConfidentialPort(params.securePort); | |||||
} | |||||
} | |||||
connectors.add(httpConnector); | |||||
QueuedThreadPool threadPool = new QueuedThreadPool(); | |||||
int maxThreads = settings.getInteger(Keys.server.threadPoolSize, 50); | |||||
if (maxThreads > 0) { | |||||
threadPool.setMaxThreads(maxThreads); | |||||
} | } | ||||
Server server = new Server(threadPool); | |||||
server.setStopAtShutdown(true); | |||||
// conditionally configure the https connector | // conditionally configure the https connector | ||||
if (params.securePort > 0) { | if (params.securePort > 0) { | ||||
File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG); | File certificatesConf = new File(baseFolder, X509Utils.CA_CONFIG); | ||||
}); | }); | ||||
if (serverKeyStore.exists()) { | if (serverKeyStore.exists()) { | ||||
Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword, | |||||
caRevocationList, params.useNIO, params.securePort, settings.getInteger(Keys.server.threadPoolSize, 50), params.requireClientCertificates); | |||||
/* | |||||
* HTTPS | |||||
*/ | |||||
logger.info("Setting up HTTPS transport on port " + params.securePort); | |||||
GitblitSslContextFactory factory = new GitblitSslContextFactory(params.alias, | |||||
serverKeyStore, serverTrustStore, params.storePassword, caRevocationList); | |||||
if (params.requireClientCertificates) { | |||||
factory.setNeedClientAuth(true); | |||||
} else { | |||||
factory.setWantClientAuth(true); | |||||
} | |||||
ServerConnector connector = new ServerConnector(server, factory); | |||||
connector.setSoLingerTime(-1); | |||||
connector.setIdleTimeout(30000); | |||||
connector.setPort(params.securePort); | |||||
String bindInterface = settings.getString(Keys.server.httpsBindInterface, null); | String bindInterface = settings.getString(Keys.server.httpsBindInterface, null); | ||||
if (!StringUtils.isEmpty(bindInterface)) { | if (!StringUtils.isEmpty(bindInterface)) { | ||||
logger.warn(MessageFormat.format( | logger.warn(MessageFormat.format( | ||||
"Binding ssl connector on port {0,number,0} to {1}", params.securePort, | |||||
"Binding HTTPS transport on port {0,number,0} to {1}", params.securePort, | |||||
bindInterface)); | bindInterface)); | ||||
secureConnector.setHost(bindInterface); | |||||
connector.setHost(bindInterface); | |||||
} | } | ||||
if (params.securePort < 1024 && !isWindows()) { | if (params.securePort < 1024 && !isWindows()) { | ||||
logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); | logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); | ||||
} | } | ||||
connectors.add(secureConnector); | |||||
server.addConnector(connector); | |||||
} else { | } else { | ||||
logger.warn("Failed to find or load Keystore?"); | logger.warn("Failed to find or load Keystore?"); | ||||
logger.warn("SSL connector DISABLED."); | |||||
logger.warn("HTTPS transport DISABLED."); | |||||
} | } | ||||
} | } | ||||
// conditionally configure the ajp connector | |||||
if (params.ajpPort > 0) { | |||||
Connector ajpConnector = createAJPConnector(params.ajpPort); | |||||
String bindInterface = settings.getString(Keys.server.ajpBindInterface, null); | |||||
// conditionally configure the http transport | |||||
if (params.port > 0) { | |||||
/* | |||||
* HTTP | |||||
*/ | |||||
logger.info("Setting up HTTP transport on port " + params.port); | |||||
HttpConfiguration httpConfig = new HttpConfiguration(); | |||||
if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) { | |||||
httpConfig.setSecureScheme("https"); | |||||
httpConfig.setSecurePort(params.securePort); | |||||
} | |||||
httpConfig.setSendServerVersion(false); | |||||
httpConfig.setSendDateHeader(false); | |||||
ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig)); | |||||
connector.setSoLingerTime(-1); | |||||
connector.setIdleTimeout(30000); | |||||
connector.setPort(params.port); | |||||
String bindInterface = settings.getString(Keys.server.httpBindInterface, null); | |||||
if (!StringUtils.isEmpty(bindInterface)) { | if (!StringUtils.isEmpty(bindInterface)) { | ||||
logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}", | |||||
params.ajpPort, bindInterface)); | |||||
ajpConnector.setHost(bindInterface); | |||||
logger.warn(MessageFormat.format("Binding HTTP transport on port {0,number,0} to {1}", | |||||
params.port, bindInterface)); | |||||
connector.setHost(bindInterface); | |||||
} | } | ||||
if (params.ajpPort < 1024 && !isWindows()) { | |||||
if (params.port < 1024 && !isWindows()) { | |||||
logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); | logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); | ||||
} | } | ||||
connectors.add(ajpConnector); | |||||
server.addConnector(connector); | |||||
} | } | ||||
// tempDir is where the embedded Gitblit web application is expanded and | // tempDir is where the embedded Gitblit web application is expanded and | ||||
logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath()); | logger.warn("Failed to create temp dir " + tempDir.getAbsolutePath()); | ||||
} | } | ||||
Server server = new Server(); | |||||
server.setStopAtShutdown(true); | |||||
server.setConnectors(connectors.toArray(new Connector[connectors.size()])); | |||||
// Get the execution path of this class | // Get the execution path of this class | ||||
// We use this to set the WAR path. | // We use this to set the WAR path. | ||||
ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain(); | ProtectionDomain protectionDomain = GitBlitServer.class.getProtectionDomain(); | ||||
return new GitblitContext(settings, baseFolder); | return new GitblitContext(settings, baseFolder); | ||||
} | } | ||||
/** | |||||
* Creates an http connector. | |||||
* | |||||
* @param useNIO | |||||
* @param port | |||||
* @param threadPoolSize | |||||
* @return an http connector | |||||
*/ | |||||
private Connector createConnector(boolean useNIO, int port, int threadPoolSize) { | |||||
Connector connector; | |||||
if (useNIO) { | |||||
logger.info("Setting up NIO SelectChannelConnector on port " + port); | |||||
SelectChannelConnector nioconn = new SelectChannelConnector(); | |||||
nioconn.setSoLingerTime(-1); | |||||
if (threadPoolSize > 0) { | |||||
nioconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); | |||||
} | |||||
connector = nioconn; | |||||
} else { | |||||
logger.info("Setting up SocketConnector on port " + port); | |||||
SocketConnector sockconn = new SocketConnector(); | |||||
if (threadPoolSize > 0) { | |||||
sockconn.setThreadPool(new QueuedThreadPool(threadPoolSize)); | |||||
} | |||||
connector = sockconn; | |||||
} | |||||
connector.setPort(port); | |||||
connector.setMaxIdleTime(30000); | |||||
return connector; | |||||
} | |||||
/** | |||||
* Creates an https connector. | |||||
* | |||||
* SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later. | |||||
* oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html | |||||
* | |||||
* @param certAlias | |||||
* @param keyStore | |||||
* @param clientTrustStore | |||||
* @param storePassword | |||||
* @param caRevocationList | |||||
* @param useNIO | |||||
* @param port | |||||
* @param threadPoolSize | |||||
* @param requireClientCertificates | |||||
* @return an https connector | |||||
*/ | |||||
private Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore, | |||||
String storePassword, File caRevocationList, boolean useNIO, int port, int threadPoolSize, | |||||
boolean requireClientCertificates) { | |||||
GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias, | |||||
keyStore, clientTrustStore, storePassword, caRevocationList); | |||||
SslConnector connector; | |||||
if (useNIO) { | |||||
logger.info("Setting up NIO SslSelectChannelConnector on port " + port); | |||||
SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory); | |||||
ssl.setSoLingerTime(-1); | |||||
if (requireClientCertificates) { | |||||
factory.setNeedClientAuth(true); | |||||
} else { | |||||
factory.setWantClientAuth(true); | |||||
} | |||||
if (threadPoolSize > 0) { | |||||
ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); | |||||
} | |||||
connector = ssl; | |||||
} else { | |||||
logger.info("Setting up NIO SslSocketConnector on port " + port); | |||||
SslSocketConnector ssl = new SslSocketConnector(factory); | |||||
if (threadPoolSize > 0) { | |||||
ssl.setThreadPool(new QueuedThreadPool(threadPoolSize)); | |||||
} | |||||
connector = ssl; | |||||
} | |||||
connector.setPort(port); | |||||
connector.setMaxIdleTime(30000); | |||||
return connector; | |||||
} | |||||
/** | |||||
* Creates an ajp connector. | |||||
* | |||||
* @param port | |||||
* @return an ajp connector | |||||
*/ | |||||
private Connector createAJPConnector(int port) { | |||||
logger.info("Setting up AJP Connector on port " + port); | |||||
Ajp13SocketConnector ajp = new Ajp13SocketConnector(); | |||||
ajp.setPort(port); | |||||
if (port < 1024 && !isWindows()) { | |||||
logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!"); | |||||
} | |||||
return ajp; | |||||
} | |||||
/** | /** | ||||
* Tests to see if the operating system is Windows. | * Tests to see if the operating system is Windows. | ||||
* | * | ||||
/* | /* | ||||
* JETTY Parameters | * JETTY Parameters | ||||
*/ | */ | ||||
@Option(name = "--useNio", usage = "Use NIO Connector else use Socket Connector.") | |||||
public Boolean useNIO = FILESETTINGS.getBoolean(Keys.server.useNio, true); | |||||
@Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT") | @Option(name = "--httpPort", usage = "HTTP port for to serve. (port <= 0 will disable this connector)", metaVar="PORT") | ||||
public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0); | public Integer port = FILESETTINGS.getInteger(Keys.server.httpPort, 0); | ||||
@Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT") | @Option(name = "--httpsPort", usage = "HTTPS port to serve. (port <= 0 will disable this connector)", metaVar="PORT") | ||||
public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443); | public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 8443); | ||||
@Option(name = "--ajpPort", usage = "AJP port to serve. (port <= 0 will disable this connector)", metaVar="PORT") | |||||
public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0); | |||||
@Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT") | @Option(name = "--gitPort", usage = "Git Daemon port to serve. (port <= 0 will disable this connector)", metaVar="PORT") | ||||
public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418); | public Integer gitPort = FILESETTINGS.getInteger(Keys.git.daemonPort, 9418); | ||||
this.caRevocationList = caRevocationList; | this.caRevocationList = caRevocationList; | ||||
// disable renegotiation unless this is a patched JVM | |||||
boolean allowRenegotiation = false; | |||||
String v = System.getProperty("java.version"); | |||||
if (v.startsWith("1.7")) { | |||||
allowRenegotiation = true; | |||||
} else if (v.startsWith("1.6")) { | |||||
// 1.6.0_22 was first release with RFC-5746 implemented fix. | |||||
if (v.indexOf('_') > -1) { | |||||
String b = v.substring(v.indexOf('_') + 1); | |||||
if (Integer.parseInt(b) >= 22) { | |||||
allowRenegotiation = true; | |||||
} | |||||
} | |||||
} | |||||
if (allowRenegotiation) { | |||||
logger.info(" allowing SSL renegotiation on Java " + v); | |||||
setAllowRenegotiate(allowRenegotiation); | |||||
} | |||||
if (!StringUtils.isEmpty(certAlias)) { | if (!StringUtils.isEmpty(certAlias)) { | ||||
logger.info(" certificate alias = " + certAlias); | logger.info(" certificate alias = " + certAlias); | ||||
setCertAlias(certAlias); | setCertAlias(certAlias); | ||||
} | } | ||||
setKeyStorePassword(storePassword); | setKeyStorePassword(storePassword); | ||||
setTrustStore(clientTrustStore.getAbsolutePath()); | |||||
setTrustStorePath(clientTrustStore.getAbsolutePath()); | |||||
setTrustStorePassword(storePassword); | setTrustStorePassword(storePassword); | ||||
logger.info(" keyStorePath = " + keyStore.getAbsolutePath()); | logger.info(" keyStorePath = " + keyStore.getAbsolutePath()); |
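Review bot: The HTTPS transport builds its ServerConnector from the SslContextFactory alone (`new ServerConnector(server, factory)`), so it runs on Jetty's default HttpConfiguration and does not get the `setSendServerVersion(false)` / `setSendDateHeader(false)` hardening that the HTTP transport applies a few lines later; the result is that the Server header is suppressed on port `params.port` but still emitted on `params.securePort`. The default configuration also carries no SecureRequestCustomizer, and as far as I recall Jetty 9 relies on that customizer for `request.isSecure()` and `getScheme()` to report https, which the web layer's secure-cookie and URL handling may depend on — worth confirming against the Jetty 9.1 API before relying on the current form. A dedicated HttpConfiguration for HTTPS, wired through an explicit SslConnectionFactory plus HttpConnectionFactory (both in org.eclipse.jetty.server, with HttpVersion from org.eclipse.jetty.http), closes both gaps; the sketch below replaces only the connector construction in the HTTPS branch. Separately, the inner `params.port > 0` test in the HTTP branch is already guaranteed by the enclosing `if (params.port > 0)` and can be dropped. The enclosing configuration method starts outside this hunk.
```java
GitblitSslContextFactory factory = new GitblitSslContextFactory(params.alias,
        serverKeyStore, serverTrustStore, params.storePassword, caRevocationList);
// … unchanged: need/want client auth selection …
HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.setSecureScheme("https");
httpsConfig.setSecurePort(params.securePort);
httpsConfig.setSendServerVersion(false);
httpsConfig.setSendDateHeader(false);
// marks the request as secure/https for the web layer
httpsConfig.addCustomizer(new SecureRequestCustomizer());
ServerConnector connector = new ServerConnector(server,
        new SslConnectionFactory(factory, HttpVersion.HTTP_1_1.asString()),
        new HttpConnectionFactory(httpsConfig));
connector.setSoLingerTime(-1);
connector.setIdleTimeout(30000);
connector.setPort(params.securePort);
// … unchanged: bind interface, port warning, server.addConnector …
```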
- Integrated GUI tool to facilitate x509 PKI including ssl and client certificate generation, client certificate revocation, and client certificate distribution | - Integrated GUI tool to facilitate x509 PKI including ssl and client certificate generation, client certificate revocation, and client certificate distribution | ||||
- Single text file for configuring server and gitblit | - Single text file for configuring server and gitblit | ||||
- A Windows service installation script and configuration tool | - A Windows service installation script and configuration tool | ||||
- Built-in AJP connector for Apache httpd | |||||
## Limitations | ## Limitations | ||||
- Built-in access controls are not branch-based, they are repository-based. | - Built-in access controls are not branch-based, they are repository-based. |
--baseFolder The default base folder for all relative file reference settings | --baseFolder The default base folder for all relative file reference settings | ||||
--repositoriesFolder Git Repositories Folder | --repositoriesFolder Git Repositories Folder | ||||
--userService Authentication and Authorization Service (filename or fully qualified classname) | --userService Authentication and Authorization Service (filename or fully qualified classname) | ||||
--useNio Use NIO Connector else use Socket Connector. | |||||
--httpPort HTTP port for to serve. (port <= 0 will disable this connector) | --httpPort HTTP port for to serve. (port <= 0 will disable this connector) | ||||
--httpsPort HTTPS port to serve. (port <= 0 will disable this connector) | --httpsPort HTTPS port to serve. (port <= 0 will disable this connector) | ||||
--ajpPort AJP port to serve. (port <= 0 will disable this connector) | |||||
--sshPort SSH Daemon port to serve. (port <= 0 will disable this daemon) | |||||
--gitPort Git Daemon port to serve. (port <= 0 will disable this daemon) | |||||
--alias Alias in keystore of SSL cert to use for https serving | --alias Alias in keystore of SSL cert to use for https serving | ||||
--storePassword Password for SSL (https) keystore. | --storePassword Password for SSL (https) keystore. | ||||
--shutdownPort Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor) | --shutdownPort Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor) |
## Running Gitblit behind Apache | ## Running Gitblit behind Apache | ||||
Gitblit runs fine behind Apache. You may use either *mod_proxy* (GO or WAR) or *mod_proxy_ajp* (GO). | |||||
Gitblit runs fine behind Apache. | |||||
Each Linux distribution may vary on the exact configuration of Apache 2.2. | Each Linux distribution may vary on the exact configuration of Apache 2.2. | ||||
Here is a sample configuration that works on Debian 7.0 (Wheezy), your distribution may be different. | Here is a sample configuration that works on Debian 7.0 (Wheezy), your distribution may be different. | ||||
ln -s ../mods-available/proxy.load proxy.load | ln -s ../mods-available/proxy.load proxy.load | ||||
ln -s ../mods-available/proxy_balancer.load proxy_balancer.load | ln -s ../mods-available/proxy_balancer.load proxy_balancer.load | ||||
ln -s ../mods-available/proxy_http.load proxy_http.load | ln -s ../mods-available/proxy_http.load proxy_http.load | ||||
ln -s ../mods-available/proxy_ajp.load proxy_ajp.load | |||||
``` | ``` | ||||
### Configuring Apache to use the proxy modules | ### Configuring Apache to use the proxy modules | ||||
# context path for your repository url. | # context path for your repository url. | ||||
# If you are not using subdomain proxying, then ignore this setting. | # If you are not using subdomain proxying, then ignore this setting. | ||||
#RequestHeader set X-Forwarded-Context / | #RequestHeader set X-Forwarded-Context / | ||||
#ProxyPass /gitblit ajp://localhost:8009/gitblit | |||||
``` | ``` | ||||
**Please** make sure to: | **Please** make sure to: | ||||
1. Review the security of these settings as appropriate for your deployment | 1. Review the security of these settings as appropriate for your deployment | ||||
2. Uncomment the *ProxyPass* setting for whichever connection you prefer (http/ajp) | |||||
2. Uncomment the *ProxyPass* setting | |||||
3. Correctly set the ports and context paths both in the *ProxyPass* definition and your Gitblit installation | 3. Correctly set the ports and context paths both in the *ProxyPass* definition and your Gitblit installation | ||||
If you are using Gitblit GO you can easily configure the AJP connector by specifying a non-zero AJP port. | |||||
Please remember that on Linux/UNIX, ports < 1024 require root permissions to open. | |||||
4. Set *web.mountParameters=false* in `gitblit.properties` or `web.xml` this will use parameterized URLs. | 4. Set *web.mountParameters=false* in `gitblit.properties` or `web.xml` this will use parameterized URLs. | ||||
Alternatively, you can respecify *web.forwardSlashCharacter*. | Alternatively, you can respecify *web.forwardSlashCharacter*. | ||||