Wrong Redirections with Mattermost Gitlab SSO / oauth
Summary
When setting up Mattermost with Gitlab SSO behind a reverse proxy, incorrect browser redirects (302 codes) are generated after both authentication steps and thus SSO fails.
Steps to reproduce
- Normal installation of Omnibus-Gitlab (latest version 10.4.0) with bundled mattermost enabled on the same server and two separate hostnames (git.company.com, mattermost.company.com)
- The virtual server that hosts omnibus-gitlab including mattermost is running behind a reverse proxy (IIS in my case) that uses SNI for the different domains. The reverse proxy terminates SSL, everything afterwards is done in HTTP. The virtual server and reverse proxy communicate through a private subnet (10.10.10.X), using port 80 for gitlab and port 81 (with nginx) or port 8065 (without nginx) for mattermost.
- Open the mattermost site (https://mattermost.company.com), click the "Sign in Through Gitlab" button
Expected behavior
- After clicking the "sign in through gitlab" button on the start page (https://mattermost.company.com/login), I want to be redirected to https://git.company.com/oauth/authorize?response_type=code&... where the authorization happens
- Afterwards, back to https://mattermost.company.com/signup/gitlab/complete?code=... and then be logged in.
Observed behavior
- After clicking the "sign in through gitlab" button on the start page (https://mattermost.company.com/login), I am instead redirected to https://mattermost.company.com/oauth/authorize?response_type=code&... which does not exist and therefore I get an error.
- If I manually correct the URL to https://git.company.com/oauth/authorize?response_type=code&... in the address bar of the browser, the SSO authorization works and continues.
- After successful authorization, I am redirected back to https://git.company.com/signup/gitlab/complete?code=..., which - again - does not exist.
- Again, if I manually correct this URL to https://mattermost.company.com/signup/gitlab/complete?code=..., I am finally successfully logged in to mattermost and can use the site normally; everything works fine. Also, gitlab itself works fully fine.
Possible fixes
I have read a lot of posts on similar problems. Most of the time, the headers of the request through the various proxies were a problem, specifically the X-Forwarded-Proto. I have enabled the mattermost_nginx service (see below) and set this header explicitly.
Also, in my case it does not look like an HTTP / HTTPS problem; it is just entirely the wrong hostname in the redirect. If I disable mattermost_nginx and point the reverse proxy directly to the mattermost service on port 8065, I get the same behavior overall.
My IIS Reverse proxy also sets several headers:
```xml
<set name="HTTP_X_FORWARDED_PROTO" value="https" />
<set name="HTTP_X_FORWARDED_SCHEMA" value="https" />
<set name="HTTP_X_FORWARDED_SSL" value="On" />
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
```
Furthermore, the oauth settings in Gitlab ("Applications" pane) are also correct, i.e. the checkbox for "api" under scope is enabled and the redirect / callback URIs are set as follows:
https://mattermost.company.com/login/gitlab/complete
https://mattermost.company.com/signup/gitlab/complete
and, as I said, once I am logged in, both gitlab and mattermost fully work behind the reverse proxy.
One more thing: the address that is generated after the first login step (clicking the "login through gitlab" button) contains the correct redirect_uri (mattermost.company.com/signup/gitlab/complete); however, gitlab does not seem to respect it and redirects to the wrong hostname:
https://mattermost.company.com/oauth/authorize?response_type=code&client_id=845de7XXXXXXXXXXXXXXXXXXXb592f3&redirect_uri=https%3A%2F%2Fmattermost.company.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsbXXXXXXXXXXXXXXXzN5MzRzcyJ9
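As an added diagnostic that is not part of the original report, the small Python checker below validates each 302 Location header of the SSO chain against the endpoints configured in this setup: the authorize step must land on git.company.com (gitlab_auth_endpoint), the completion step on mattermost.company.com (mattermost_external_url), and redirect_uri must be one of the two callbacks registered in the GitLab application. The sample Location values are constructed from the observed behaviour above; CLIENTID, CODE and STATE are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Hostnames taken from the gitlab.rb in this report.
GITLAB_HOST = "git.company.com"              # external_url / gitlab_auth_endpoint
MATTERMOST_HOST = "mattermost.company.com"   # mattermost_external_url
REGISTERED_REDIRECTS = {                     # callback URIs registered in GitLab
    "https://mattermost.company.com/login/gitlab/complete",
    "https://mattermost.company.com/signup/gitlab/complete",
}
# Which host each step of the GitLab/Mattermost OAuth flow must land on.
EXPECTED_HOST_BY_PATH = {
    "/oauth/authorize": GITLAB_HOST,
    "/signup/gitlab/complete": MATTERMOST_HOST,
    "/login/gitlab/complete": MATTERMOST_HOST,
}

def check_hop(location):
    """Return a list of problems found in one 302 Location value (empty list = ok)."""
    problems = []
    u = urlsplit(location)
    if u.scheme != "https":
        problems.append(f"scheme {u.scheme!r} instead of https (X-Forwarded-Proto not honoured?)")
    expected = EXPECTED_HOST_BY_PATH.get(u.path)
    if expected is None:
        problems.append(f"unexpected path {u.path!r}")
    elif u.hostname != expected:
        problems.append(f"host {u.hostname!r} but {u.path} belongs to {expected!r}")
    if u.path == "/oauth/authorize":
        q = parse_qs(u.query)                # decodes the percent-encoded redirect_uri
        redirect_uri = q.get("redirect_uri", [None])[0]
        if redirect_uri not in REGISTERED_REDIRECTS:
            problems.append(f"redirect_uri {redirect_uri!r} is not a registered callback")
        if not q.get("state"):
            problems.append("missing state parameter")
    return problems

def check_chain(locations):
    """Map every Location header of a redirect chain to its list of problems."""
    return {loc: check_hop(loc) for loc in locations}

# Constructed sample: the two Location headers seen in "Observed behavior".
OBSERVED = [
    "https://mattermost.company.com/oauth/authorize?response_type=code&client_id=CLIENTID"
    "&redirect_uri=https%3A%2F%2Fmattermost.company.com%2Fsignup%2Fgitlab%2Fcomplete&state=STATE",
    "https://git.company.com/signup/gitlab/complete?code=CODE",
]

if __name__ == "__main__":
    for loc, probs in check_chain(OBSERVED).items():
        print(loc, "->", probs or "ok")
```

Capture the real Location values with a client that does not follow redirects (for example `curl -I` or the browser's network tab) and feed them to check_chain; a hop flagged here shows which component rewrote the host.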
Finally, my complete (anonymized) config file:
```ruby
external_url 'https://git.company.com/'
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'notifications@company.com'
gitlab_rails['gitlab_email_display_name'] = 'Company git'
gitlab_rails['gitlab_email_reply_to'] = 'notifications@company.com'
gitlab_rails['webhook_timeout'] = 20
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP Company'
    host: 'Company-SRV-01.Company.local'
    port: 389
    uid: 'sAMAccountName'
    encryption: 'start_tls' #method: 'tls' # "tls" or "ssl" or "plain"
    bind_dn: 'CN=ldapadmin,OU=Admins,OU=Users,OU=Company,DC=Company,DC=local'
    password: 'XXXXXXXXXXXXX'
    active_directory: true
    verify_certificates: true
    ca_file: '/etc/gitlab/trusted-certs/Company-Company-SRV-01-CA.pem'
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'OU=Users,OU=Company,DC=Company,DC=local'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
EOS
gitlab_rails['backup_path'] = '/mnt/Company-stor-01-gitlab/application'
gitlab_rails['backup_keep_time'] = 2419200
gitlab_rails['git_timeout'] = 120
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "mail.company.com"
gitlab_rails['smtp_port'] = 587
gitlab_rails['smtp_user_name'] = "notifications@company.com"
gitlab_rails['smtp_password'] = "XXXXXXXXXXXXXXXXX"
gitlab_rails['smtp_company'] = "company.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_openssl_verify_mode'] = 'none'
unicorn['worker_timeout'] = 120
unicorn['worker_processes'] = 8
nginx['listen_addresses'] = ['10.10.10.13']
nginx['listen_port'] = 80 # override only if you use a reverse proxy: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
nginx['listen_https'] = false # override only if your reverse proxy internally communicates over HTTP: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
}
nginx['keepalive_timeout'] = 120
mattermost_external_url 'https://mattermost.company.com'
mattermost['service_use_ssl'] = false
mattermost['service_address'] = "10.10.10.13"
mattermost['service_port'] = "8065"
mattermost['env'] = {
  'MM_EMAILSETTINGS_ENABLESIGNUPWITHEMAIL' => 'false',
  'MM_EMAILSETTINGS_ENABLESIGNINWITHEMAIL' => 'false',
  'MM_EMAILSETTINGS_SENDEMAILNOTIFICATIONS' => 'true',
  'MM_EMAILSETTINGS_SMTPUSERNAME' => 'notifications@company.com',
  'MM_EMAILSETTINGS_SMTPPASSWORD' => 'XXXXXXXXXXXXXXXXXX',
  'MM_EMAILSETTINGS_SMTPSERVER' => 'mail.company.com',
  'MM_EMAILSETTINGS_SMTPPORT' => '587',
  'MM_EMAILSETTINGS_CONNECTIONSECURITY' => 'STARTTLS',
  'MM_EMAILSETTINGS_ENABLEBATCHING' => 'true',
  'MM_EMAILSETTINGS_BATCHINGBUFFERSIZE' => '256',
  'MM_EMAILSETTINGS_BATCHINGINTERVAL' => '30',
  'MM_EMAILSETTINGS_FEEDBACKNAME' => 'Company Mattermost',
  'MM_EMAILSETTINGS_FEEDBACKEMAIL' => 'notifications@company.com',
  'MM_EMAILSETTINGS_FEEDBACKORGANIZATION' => 'Company'
}
mattermost['service_site_url'] = 'https://mattermost.company.com'
mattermost['gitlab_enable'] = true
mattermost['gitlab_id'] = "xxxxxxxxxxxx"
mattermost['gitlab_secret'] = "xxxxxxxxxxxxxxxxxxx"
mattermost['gitlab_scope'] = ""
mattermost['gitlab_auth_endpoint'] = "https://git.company.com/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "https://git.company.com/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "https://git.company.com/api/v4/user"
mattermost_nginx['enable'] = true
mattermost_nginx['listen_addresses'] = ['10.10.10.13']
mattermost_nginx['listen_port'] = 81 # override only if you use a reverse proxy: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port
mattermost_nginx['listen_https'] = false # override only if your reverse proxy internally communicates over HTTP: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl
mattermost_nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
}
```