Anonymous access gets redirected from https to http with external https proxy
Summary
After upgrading to 10.8.1 on a self-hosted gitlab-ce instance, anonymous access got a "too many redirects" error.
We have an external https proxy in front of gitlab nginx; it redirects http access to https. When an anonymous user accesses https://git.example.com/, the gitlab rails app mistakenly redirects the user back to the http url, causing a redirect loop.
Steps to reproduce
$ curl -L http://git.example.com/
curl: (47) Maximum (50) redirects followed
$ curl -I https://git.example.com/
HTTP/1.1 200 Connection established
HTTP/1.1 302 Found
Server: nginx/1.12.2
Date: Sat, 26 May 2018 07:44:51 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Cache-Control: no-cache
Location: http://git.example.com/
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: 1b77f957-d0af-41c4-9e6f-beb4bd9a932f
X-Runtime: 0.043006
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
$ curl -I http://git.example.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.2
Date: Sat, 26 May 2018 07:45:28 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://git.example.com/
What is the expected correct behavior?
An anonymous user should be redirected to https://git.example.com/users/sign_in
Results of GitLab environment info
Related configs in gitlab.rb:
external_url 'https://git.example.com'
nginx['listen_addresses'] = ['127.0.0.1']
nginx['hsts_max_age'] = 0
nginx['hsts_include_subdomains'] = false
nginx['listen_port'] = 8090
nginx['listen_https'] = false
System information
System: CentOS 7.5.1804
Current User: git
Using RVM: no
Ruby Version: 2.3.7p456
Gem Version: 2.6.14
Bundler Version: 1.13.7
Rake Version: 12.3.1
Redis Version: 3.2.11
Git Version: 2.16.3
Sidekiq Version: 5.0.5
Go Version: unknown

GitLab information
Version: 10.8.1
Revision: 21a8d61
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://git.example.com
HTTP Clone URL: https://git.example.com/some-group/some-project.git
SSH Clone URL: git@git.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: no

GitLab Shell
Version: 7.1.2
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
all ok
Possible fixes
null
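
A redirect-chain check for the behaviour reported above, as an added example that is not part of the original issue or of GitLab's code. It replays the status and Location pairs from the curl output (constructed sample data; `trace`, `RESPONSES` and the `EXPECTED` table for the behaviour the reporter wants are hypothetical names) and flags an https-to-http downgrade and a loop.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: (status, Location) per URL, taken from the curl -I output above.
RESPONSES = {
    "https://git.example.com/": (302, "http://git.example.com/"),
    "http://git.example.com/": (301, "https://git.example.com/"),
}

# Hypothetical table for the expected behaviour: anonymous users reach the sign-in page.
EXPECTED = {
    "http://git.example.com/": (301, "https://git.example.com/"),
    "https://git.example.com/": (302, "https://git.example.com/users/sign_in"),
    "https://git.example.com/users/sign_in": (200, None),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def trace(start, responses, max_hops=50):
    """Follow Location headers offline; return (chain, findings)."""
    chain, findings, seen = [start], [], {start}
    url = start
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_CODES or not location:
            return chain, findings  # chain ended on a non-redirect response
        nxt = urljoin(url, location)  # Location may be relative
        # A redirect that leaves https for http drops transport protection.
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(f"downgrade: {url} -> {nxt}")
        chain.append(nxt)
        if nxt in seen:
            findings.append(f"loop: {nxt} revisited after {len(chain) - 1} hops")
            return chain, findings
        seen.add(nxt)
        url = nxt
    findings.append(f"gave up after {max_hops} hops")
    return chain, findings


if __name__ == "__main__":
    for name, table in (("reported", RESPONSES), ("expected", EXPECTED)):
        chain, findings = trace("http://git.example.com/", table)
        print(name, " -> ".join(chain), findings or "ok")
```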