Gerrit provides git-based code hosting and code review services. It can be configured to accept the Remote User Token from oauthsub. There are a few relevant sections of gerrit.config. First, with gerrit sitting behind a reverse proxy you must tell gerrit what it’s URL is so that it can properly contruct links. For our testing configuration we’ll use the following:

  canonicalWebUrl =

Secondly, we need to tell gerrit which port to listen on for http connections. We’ll setup gerrit to listen on 8082:

  listenUrl = http://*:8082/gerrit/


For a production server, consider using proxy- instead of http://

Lastly, we need to tell gerrit to enable HTTP header authentication, and which header to look in. For our example setup, that gives us:

  type = HTTP
  httpHeader = X-Gsuite-User
  emailFormat = {0}

And now that gerrit is configured, we need to update the nginx configuration to proxy it. Add the following to your nginx site configuration:

location = /gerrit {
  return 302 /gerrit/;

location /gerrit/ {
  auth_request /auth/query_auth;
  auth_request_set $user $upstream_http_x_gsuite_user;
  proxy_set_header X-Gsuite-User $user;

  proxy_pass http://localhost:8082;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;

Note that nginx behaves differently depending on whether or not the proxy_pass URL ends in a slash. Without the trailing slash, as we have done here, will forward the whole URI down to the proxied service. In this case that means that all requests that gerrit sees will be prefixed by the gerrit/ path. As alternative configuration, we could configure nginx to forward only the relative URI (i.e. strip the gerrit/ prefix) and then we would change the gerrit config to listenUrl = http://*:8082/.