gitlab-omnibus-ssl-apache24.conf - ProxyPass vs RewriteRule

Hey everyone,

I am using the following config at the moment: https://gitlab.com/gitlab-org/gitlab-recipes/blob/master/web-server/apache/gitlab-omnibus-ssl-apache24.conf

I read in omnibus-gitlab#1244 (closed) that the uploads are now served by gitlab-workhorse. For this reason I asked myself why we need these rules:

<Location />
    # New authorization commands for apache 2.4 and up
    # http://httpd.apache.org/docs/2.4/upgrading.html#access
    Require all granted

    # Allow forwarding to gitlab-workhorse
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://YOUR_SERVER_FQDN/
</Location>

#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.* 
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

RewriteCond %{REQUEST_URI} ^/uploads/.* ---> Why this rule, despite the fact that workhorse is responsible for uploads and the next RewriteRule covers it?

ProxyPassReverse http://YOUR_SERVER_FQDN/ ---> Why this rule, if the previous one (ProxyPassReverse http://127.0.0.1:8181) is enough?

Furthermore, Apache says here https://httpd.apache.org/docs/2.4/rewrite/proxy.html:

Consider using either ProxyPass or ProxyPassMatch whenever possible in preference to mod_rewrite.

Can you please check this solution:

### set in gitlab.rb
# nginx
#external_url 'https://gitlab.example.com'
#nginx['enable'] = false
#
# workhorse
#gitlab_workhorse['listen_network'] = "tcp"
#gitlab_workhorse['listen_addr'] = "127.0.0.1:8181"
#web_server['external_users'] = ['www-data']
#
# rails app
#gitlab_rails['internal_api_url'] = 'https://gitlab.example.com'
#gitlab_rails['time_zone'] = 'Europe/Berlin'

<VirtualHost *:80>
    ServerName gitlab.example.com

    Redirect permanent "/" "https://gitlab.example.com/"
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName gitlab.example.com

    ProxyRequests Off
    SSLProxyEngine On
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode

    ProxyPass / http://127.0.0.1:8181/ keepalive=On connectiontimeout=10 retry=0
    ProxyPassReverse / http://127.0.0.1:8181/

    RequestHeader set X_FORWARDED_PROTO 'https'
    RequestHeader set X-Forwarded-Ssl on

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/gitlab.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/gitlab.example.com.key

    ErrorLog  ${APACHE_LOG_DIR}/gitlab.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/gitlab.example.com-access.log combined
</VirtualHost>
</IfModule>
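An added example, not part of the original post or of the gitlab-recipes project: a simplified Python model of how ProxyPassReverse rewrites a backend's Location header, comparing the single rule in the proposed vhost with the recipe's additional FQDN rule. It assumes a backend that builds some absolute redirects from the Host header kept by ProxyPreserveHost On; the function names and sample headers are constructed for illustration.

```python
# Simplified model of ProxyPassReverse applied to a redirect header
# (Location / Content-Location / URI). Illustration only, not Apache's code.

FRONTEND = "https://gitlab.example.com"  # public scheme://host of the vhost


def reverse_map(location, rules, frontend=FRONTEND):
    """Return the Location value the client would receive.

    rules: (path, backend_url) pairs, one per ProxyPassReverse line, checked
    in order; the first backend_url that prefixes the header value wins.
    """
    for path, backend_url in rules:
        if location.lower().startswith(backend_url.lower()):
            rest = location[len(backend_url):]
            return frontend + path + rest
    return location  # no rule matched: the header passes through untouched


def plaintext_redirects(locations, rules):
    """Redirect targets that still point the client at http:// after mapping."""
    mapped = (reverse_map(loc, rules) for loc in locations)
    return [m for m in mapped if m.lower().startswith("http://")]


# Constructed sample Location headers a backend might emit.
SAMPLE_LOCATIONS = [
    "http://127.0.0.1:8181/users/sign_in",      # built from the backend address
    "http://gitlab.example.com/users/sign_in",  # built from the preserved Host
    "/dashboard",                               # relative, never rewritten
    "https://gitlab.example.com/explore",       # already correct
]

# ProxyPassReverse / http://127.0.0.1:8181/   (proposed vhost)
PROPOSED = [("/", "http://127.0.0.1:8181/")]
# Plus ProxyPassReverse http://YOUR_SERVER_FQDN/ inside <Location />
# (recipe, with the FQDN placeholder set to the example hostname)
RECIPE_STYLE = PROPOSED + [("/", "http://gitlab.example.com/")]

if __name__ == "__main__":
    for name, rules in (("proposed", PROPOSED), ("recipe-style", RECIPE_STYLE)):
        left = plaintext_redirects(SAMPLE_LOCATIONS, rules)
        print(f"{name}: plaintext redirects left = {left}")
```

In the proposed vhost an unmapped http:// redirect would still reach HTTPS through the port 80 `Redirect permanent`, but only after one cleartext request.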