Document GitLab's "force https" setting is incompatible with Cloudflare's "flexible" setting
Problem to Solve
The problem was:
- the `flexible` setting in Cloudflare was trying to access GitLab Pages via HTTP
- GitLab's "force https" setting was causing redirects to HTTPS
- Cloudflare didn't follow this redirect
So this issue is: GitLab's "force https" setting is incompatible with Cloudflare's "flexible" setting.
Proposal
And there are two ways to resolve this:
- uncheck "force https" in GitLab
- or use the "full" SSL connection setting in Cloudflare (this option is preferable)
cc @sselhorn
We can just add a warning in https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/#force-https-for-gitlab-pages-websites:
If you use the Cloudflare CDN in front of GitLab Pages, make sure to set the SSL connection setting to `full` instead of `flexible`.
Additional Details
Cloudflare requests seem to be getting rate limited when the zone is set to an Orange cloud, which activates the Cloudflare proxy. Based on this, the proxy listener only restores the real host from the X-Forwarded-Host header; however, Cloudflare does not send this, instead sending X-Forwarded-For and Cf-Connecting-Ip.
The fix would be checking one of the two above headers for proxy hosts, as well as making sure Cloudflare IP addresses are set as proxy hosts when deployed in production.
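A sketch of the check proposed under Additional Details, as an added example that is not GitLab's code: the client address used for rate limiting is taken from Cf-Connecting-Ip or X-Forwarded-For only when the TCP peer is a configured proxy host. The function names and the 198.51.100.0/24 proxy range are assumptions made for illustration (a documentation range, not a Cloudflare range).

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// trustedProxies is a constructed placeholder (RFC 5737 TEST-NET-2).
// In production this would hold the proxy provider's published ranges.
var trustedProxies = []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")}

func isTrusted(a netip.Addr) bool {
	for _, p := range trustedProxies {
		if p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}

// ClientIP returns the address a rate limiter should key on.
func ClientIP(remoteAddr string, h http.Header) string {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	peer := ap.Addr().Unmap()
	if !isTrusted(peer) {
		return peer.String() // direct connection: headers are client-controlled
	}
	if ip, err := netip.ParseAddr(strings.TrimSpace(h.Get("Cf-Connecting-Ip"))); err == nil {
		return ip.Unmap().String()
	}
	// Fall back to X-Forwarded-For, read right to left past trusted hops.
	hops := strings.Split(h.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed entry: stop trusting the chain
		}
		if !isTrusted(ip) {
			return ip.Unmap().String()
		}
	}
	return peer.String() // no usable header: limit the proxy address itself
}

func main() {
	h := http.Header{}
	h.Set("Cf-Connecting-Ip", "203.0.113.7") // constructed sample value
	fmt.Println(ClientIP("198.51.100.10:443", h), ClientIP("192.0.2.50:51000", h))
}
```

Without the peer check, any client connecting directly could set either header and pick the address it is rate limited under.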