Anonymous access gets redirected from https to http with external https proxy

Summary

After upgrading to 10.8.1 on a self-hosted gitlab-ce instance, anonymous access got a "too many redirects" error.

We have an external https proxy in front of gitlab nginx; it redirects http access to https. When an anonymous user accesses https://git.example.com/, the gitlab rails app mistakenly redirects the user back to the http url, causing a redirect loop.

Steps to reproduce

$ curl -L http://git.example.com/
curl: (47) Maximum (50) redirects followed
$ curl -I https://git.example.com/
HTTP/1.1 200 Connection established

HTTP/1.1 302 Found
Server: nginx/1.12.2
Date: Sat, 26 May 2018 07:44:51 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Cache-Control: no-cache
Location: http://git.example.com/
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: 1b77f957-d0af-41c4-9e6f-beb4bd9a932f
X-Runtime: 0.043006
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
$ curl -I http://git.example.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.12.2
Date: Sat, 26 May 2018 07:45:28 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://git.example.com/

What is the expected correct behavior?

An anonymous user should be redirected to https://git.example.com/users/sign_in

Results of GitLab environment info

Related configs in gitlab.rb:

external_url 'https://git.example.com'

nginx['listen_addresses'] = ['127.0.0.1']
nginx['hsts_max_age'] = 0
nginx['hsts_include_subdomains'] = false
nginx['listen_port'] = 8090
nginx['listen_https'] = false

System information
System: CentOS 7.5.1804
Current User: git
Using RVM: no
Ruby Version: 2.3.7p456
Gem Version: 2.6.14
Bundler Version:1.13.7
Rake Version: 12.3.1
Redis Version: 3.2.11
Git Version: 2.16.3
Sidekiq Version:5.0.5
Go Version: unknown

GitLab information
Version: 10.8.1
Revision: 21a8d61
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://git.example.com
HTTP Clone URL: https://git.example.com/some-group/some-project.git
SSH Clone URL: git@git.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: no

GitLab Shell
Version: 7.1.2
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

all ok

Possible fixes

null

Edited May 26, 2018 by George
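
A check for the symptom shown under "Steps to reproduce", as an added example that is not part of the original report or of GitLab: it parses `curl -I` output, skips the proxy's CONNECT reply, and flags https-to-http redirects and redirect loops. The function names and the trimmed captures are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample: trimmed copies of the two `curl -I` outputs in the report.
CAPTURES = {
    "https://git.example.com/": (
        "HTTP/1.1 200 Connection established\n\n"
        "HTTP/1.1 302 Found\nServer: nginx/1.12.2\n"
        "Location: http://git.example.com/\n"
    ),
    "http://git.example.com/": (
        "HTTP/1.1 301 Moved Permanently\nServer: nginx/1.12.2\n"
        "Location: https://git.example.com/\n"
    ),
}

def parse_head(raw):
    """Return (status, location) from the last header block of `curl -I` output.

    A CONNECT reply from a forward proxy is printed first as its own block,
    so only the final block describes the origin's answer."""
    blocks = [b for b in raw.replace("\r\n", "\n").split("\n\n") if b.strip()]
    lines = blocks[-1].strip().split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers.get("location")

def trace(start, captures, max_hops=50):
    """Follow redirects through the captures; report downgrades and loops."""
    url, seen, downgrades = start, [], []
    while url in captures and len(seen) < max_hops:
        if url in seen:  # same URL visited twice: the chain never terminates
            return {"chain": seen, "loop": True, "downgrades": downgrades}
        seen.append(url)
        status, location = parse_head(captures[url])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        target = urljoin(url, location)  # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((url, target))
        url = target
    return {"chain": seen, "loop": False, "downgrades": downgrades}

if __name__ == "__main__":
    print(trace("http://git.example.com/", CAPTURES))
```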