"Mixed Context" errors in browser console when HTTP external_url behind HTTPS reverse proxy

Summary

I cannot use external_url "https://..." because gitlab fails to start up (In my configuration, I am not running gitlab via HTTPS).

I cannot use external_url "http://..." because (only some) images and assets fail to load.

Steps to reproduce

I have gitlab-ce running in a docker image on an internal host, e.g. 192.168.1.10, with

external_url "http://gitlab.mydomain.org"

This machine is not accessible from the outside world (so I cannot put a letsencrypt certificate on it, for example). Therefore, I am running gitlab on HTTP, and I have a separate reverse proxy server (shared with other services) on an externally-accessible IP address that has its own external SSL certificate.

gitlab.mydomain.org points to this Apache reverse proxy, serving out pages for gitlab.mydomain.org using

ProxyPass / http://192.168.1.10/

What is the current bug behavior?

Everything else in gitlab appears to work OK so far - checkins work, opening issues, commenting etc. all works fine.

I noticed this bug when trying to award an emoji to an issue. An icon appears in Chrome on the right of the URL bar (as if a pop-up was blocked), and the messages pasted in below appeared in the developer console.

I can't see any emoji listed against my test issue. I have no idea if they failed to register, or if when I clicked on the button it did register, but just can't display due to this issue.

What is the expected correct behavior?

  • No errors in Chrome developer console
  • Icons, images etc. should load

Relevant logs and/or screenshots

With external_url "https://gitlab.mydomain.org"

gitlab fails to start up, after running gitlab-ctl reconfigure

==> /var/log/gitlab/nginx/current <==
2017-05-19_14:18:39.78803 nginx: [emerg] BIO_new_file("/etc/gitlab/ssl/gitlab.mydomain.org.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/gitlab.mydomain.org.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

(This is pretty much expected - I am not running gitlab in HTTPS mode)

With external_url "http://gitlab.mydomain.org"

Chrome developer console - sanitised:

Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure image 'http://gitlab.mydomain.org/uploads/user/avatar/2/avatar.png'. This content should also be served over HTTPS.
903e0d60cd6d06cead324c37edf7015e2cd63ad0:356 

Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure image 'http://www.gravatar.com/avatar/d4cd164f2b0052cd24a866ed47b8896d?s=48&d=identicon'. This content should also be served over HTTPS.
903e0d60cd6d06cead324c37edf7015e2cd63ad0:2472 

Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure image 'http://gitlab.mydomain.org/uploads/user/avatar/2/avatar.png'. This content should also be served over HTTPS.
common.e8bc527fe263a99fd779.bundle.js:14 

Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure image 'http://gitlab.mydomain.org/uploads/user/avatar/2/avatar.png'. This content should also be served over HTTPS.
common.e8bc527fe263a99fd779.bundle.js:14
common.e8bc527fe263a99fd779.bundle.js:24 

Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://gitlab.mydomain.org/myuser/myproject/notes/54/toggle_award_emoji'. This request has been blocked; the content must be served over HTTPS.
common.e8bc527fe263a99fd779.bundle.js:24

Output of checks

Not tried on gitlab.com

Results of GitLab environment info

docker exec -it mygitlab gitlab-rake gitlab:env:info
System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.3.3p222
Gem Version:    2.6.6
Bundler Version:1.13.7
Rake Version:   10.5.0
Redis Version:  3.2.5
Git Version:    2.11.1
Sidekiq Version:4.2.7

GitLab information
Version:        9.1.4
Revision:       fed799a
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            http://gitlab.mydomain.org
HTTP Clone URL: http://gitlab.mydomain.org/some-group/some-project.git
SSH Clone URL:  git@gitlab.mydomain.org:some-group/some-project.git
Using LDAP:     yes
Using Omniauth: no

GitLab Shell
Version:        5.0.2
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

docker exec -it mygitlab gitlab-rake gitlab:check SANITIZE=true (results omitted, as amongst other things it includes my entire LDAP directory - not sure how sanitized that is!? - but also I don't think this would be relevant at all for this issue. gitlab-shell seemed to have some permission issues; I'm not sure if that is an artefact of the fact I am running in docker, or something else unrelated. Everything else seemed to check out fine.)

Possible fixes

Could be as simple as just using relative paths? i.e. /myuser/myproject/notes/54/toggle_award_emoji instead of ${external_url}/myuser/myproject/notes/54/toggle_award_emoji ?

If not, then need to somehow support this scenario whereby gitlab publishes itself via HTTP, but an external reverse proxy is used to serve this out via HTTPS. In which case, I expect gitlab needs to have a separate concept of "I am visible to the outside world as https://xyz", compared to "I am running myself in a HTTPS web server" - the two are fundamentally different (although I accept that in the majority of cases they will be the same)

Edited by Jonathan Hunter
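The split the reporter asks for at the end (advertised as https://, served internally over plain HTTP) is exactly the "SSL terminated at the proxy" setup: keep external_url on https://, tell the bundled nginx not to listen for TLS (so reconfigure no longer looks for /etc/gitlab/ssl/*.crt), and make the proxy forward X-Forwarded-Proto so that every absolute URL GitLab generates (avatars, the toggle_award_emoji XHR endpoint) uses the scheme the browser actually loaded the page over. The script below is an added example written for this page, not the reporter's configuration or GitLab's own code: it writes the two config fragments and then runs a small offline audit that lists the absolute http:// references in a saved HTML page, the same links Chrome flags as mixed content (images are only warned about, XHR to an http:// endpoint is blocked outright). The host 192.168.1.10 and the name gitlab.mydomain.org are taken from the report; the file paths under WORKDIR and the sample HTML are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the GitLab issue): proxied-SSL configuration for
# Omnibus GitLab behind Apache, plus an offline mixed-content audit.
# Assumptions: paths under $WORKDIR are arbitrary; host/name are from the report.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. /etc/gitlab/gitlab.rb fragment: advertise https:// to users, but keep the
#    bundled nginx on port 80 with no TLS, and tell the Rails app (via the
#    headers nginx passes on) that the original request was HTTPS.
write_gitlab_rb() {
  cat > "$1" <<'EOF'
external_url "https://gitlab.mydomain.org"
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}
EOF
}

# 2. Apache vhost fragment (mod_ssl, mod_proxy_http, mod_headers): terminate TLS
#    here, keep the original Host header, and mark the upstream request as
#    having arrived over HTTPS. Certificate paths are left as placeholders.
write_apache_vhost() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
  ServerName gitlab.mydomain.org
  SSLEngine on
  SSLCertificateFile    /path/to/fullchain.pem
  SSLCertificateKeyFile /path/to/privkey.pem

  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Ssl on
  ProxyPass        / http://192.168.1.10/
  ProxyPassReverse / http://192.168.1.10/
</VirtualHost>
EOF
}

# 3. Offline audit: given the saved HTML of a page that was served over https://,
#    print each distinct absolute http:// URL found in src/href/action attributes.
#    A non-empty result means the browser will warn (images) or block (XHR,
#    scripts) exactly as in the console log above. Usage on a live page:
#    curl -s https://gitlab.mydomain.org/some/page > page.html && find_mixed_content page.html
find_mixed_content() {
  grep -oE '(src|href|action)="http://[^"]*"' "$1" \
    | sed -E 's/^[^=]*="//; s/"$//' \
    | sort -u
}

# Constructed sample page for the demo: two insecure references, one secure,
# one relative (relative paths never trigger mixed content).
write_sample_html() {
  cat > "$1" <<'EOF'
<html><body>
<img src="http://gitlab.mydomain.org/uploads/user/avatar/2/avatar.png">
<img src="https://gitlab.mydomain.org/assets/logo.png">
<a href="http://www.gravatar.com/avatar/x?s=48&d=identicon">gravatar</a>
<form action="/myuser/myproject/notes/54/toggle_award_emoji"></form>
</body></html>
EOF
}

# Run stand-alone: write the fragments and audit the sample page.
write_gitlab_rb "$WORKDIR/gitlab.rb"
write_apache_vhost "$WORKDIR/gitlab.conf"
write_sample_html "$WORKDIR/sample.html"
echo "Config fragments written to $WORKDIR"
echo "Mixed-content references in sample.html:"
find_mixed_content "$WORKDIR/sample.html"
```

After applying the gitlab.rb change run gitlab-ctl reconfigure; the nginx BIO_new_file error disappears because nginx no longer listens for TLS, and gitlab-rake gitlab:env:info should then report URL: https://gitlab.mydomain.org. Re-run the audit against a real page afterwards: the expected output is empty.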