Gitlab pages https redirect to Gitlab Login page

Summary

I'm trying to use HTTPS on my GitLab Pages. The current behavior is:

  • Pages are exposed via http and https (redirect option is set to false)
  • Pages are exposed in a custom domain
  • When going to any of the pages via HTTP, e.g. http://docs.win/performance, everything works fine (I get my static content)
  • When going to any of the pages via HTTPS, e.g. https://docs.win/performance, I always land on the GitLab login screen, e.g. at the URL https://docs.win/users/sign_in

Steps to reproduce

Try to access the site via HTTPS (where the HTTP link works fine)

Gitlab config

Gitlab version 11.1.2 (gitlab-ce@35936b0b6282db026128d21abe8f3490c1d376f2)

Related options (overridden or set by me); the rest of the settings are defaults

external_url  'https://git.dionglobal.eu'

nginx['enable'] = true
nginx['client_max_body_size'] = '0'
nginx['redirect_http_to_https'] = false
nginx['ssl_certificate'] = "/etc/gitlab/ssl/******************"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/******************"

pages_external_url "http://win/"

gitlab_pages['enable'] = true
gitlab_pages['redirect_http'] = false
gitlab_pages['use_http2'] = true
gitlab_pages['dir'] = "/opt/dionglobal/******************"
gitlab_pages['log_directory'] = "/opt/dionglobal/******************"


pages_nginx['redirect_http_to_https'] = false
pages_nginx['ssl_certificate'] = "/etc/gitlab/ssl/******************"
pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/******************"

What is the current bug behavior?

The user is kicked to the GitLab login page when accessing via HTTPS

What is the expected correct behavior?

Pages will be accessible via HTTPS without login

Relevant logs and/or screenshots

Curl with HTTP (my page)

╭─dariuszn@innocence ~  
╰─$ curl -Lkv http://docs.win/performance 
*   Trying 10.44.13.212...
* TCP_NODELAY set
* Connected to docs.win (10.44.13.212) port 80 (#0)
> GET /performance HTTP/1.1
> Host: docs.win
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Mon, 06 Aug 2018 13:22:14 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 46
< Connection: keep-alive
< Location: //docs.win/performance/
< Vary: Origin
< 
* Ignoring the response-body
* Connection #0 to host docs.win left intact
* Issue another request to this URL: 'http://docs.win/performance/'
* Found bundle for host docs.win: 0x559c62c6b680 [can pipeline]
* Re-using existing connection! (#0) with host docs.win
* Connected to docs.win (10.44.13.212) port 80 (#0)
> GET /performance/ HTTP/1.1
> Host: docs.win
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 06 Aug 2018 13:22:14 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 9940
< Connection: keep-alive
< Accept-Ranges: bytes
< Cache-Control: max-age=600
< Expires: Mon, 06 Aug 2018 13:32:14 UTC
< Last-Modified: Fri, 03 Aug 2018 15:34:16 GMT
< Vary: Origin
< 


<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  <title>Performance &mdash; Performance Handbook 0.1 documentation</title>

Curl with HTTPS (getting gitlab login page)

╰─$ curl -Lkv https://docs.win/performance                                                                                        130 ↵
*   Trying 10.44.13.212...
* TCP_NODELAY set
* Connected to docs.win (10.44.13.212) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=GB; postalCode=LE1 7DD; ST=Leicestershire; L=Leicester; street=86-92 Regent Road; O=Dion Global Solutions(UK) Ltd; OU=PremiumSSL Wildcard; CN=*.dionglobal.eu
*  start date: Apr 30 00:00:00 2018 GMT
*  expire date: Jul 16 23:59:59 2019 GMT
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5609534c18e0)
> GET /performance HTTP/2
> Host: docs.win
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 302 
< server: nginx
< date: Mon, 06 Aug 2018 13:23:54 GMT
< content-type: text/html; charset=utf-8
< content-length: 96
< location: https://docs.win/users/sign_in
< cache-control: no-cache
< set-cookie: _gitlab_session=*******************; path=/; secure; HttpOnly
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-request-id: 87fc61a8-49fe-40fd-8e78-**********
< x-runtime: 0.017306
< x-xss-protection: 1; mode=block
< strict-transport-security: max-age=31536000
< 
* Ignoring the response-body
* Connection #0 to host docs.win left intact
* Issue another request to this URL: 'https://docs.win/users/sign_in'
* Found bundle for host docs.win: 0x5609534c1680 [can multiplex]
* Re-using existing connection! (#0) with host docs.win
* Connected to docs.win (10.44.13.212) port 443 (#0)
* Using Stream ID: 3 (easy handle 0x5609534c18e0)
> GET /users/sign_in HTTP/2
> Host: docs.win
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/2 200 
< server: nginx
< date: Mon, 06 Aug 2018 13:23:54 GMT
< content-type: text/html; charset=utf-8
< vary: Accept-Encoding
< cache-control: max-age=0, private, must-revalidate
< etag: W/"*****************"
< set-cookie: _gitlab_session=****************; path=/; secure; HttpOnly
< x-content-type-options: nosniff
< x-frame-options: DENY
< x-request-id: e7cb8989-ab85-4dd3-bd56-***********
< x-runtime: 0.019065
< x-ua-compatible: IE=edge
< x-xss-protection: 1; mode=block
< strict-transport-security: max-age=31536000
< 
<!DOCTYPE html>
<html class="devise-layout-html">
<head prefix="og: http://ogp.me/ns#">
<meta charset="utf-8">
<meta content="IE=edge" http-equiv="X-UA-Compatible">

Results of GitLab environment info

System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.4.4p296
Gem Version:    2.7.6
Bundler Version:1.16.2
Rake Version:   12.3.1
Redis Version:  3.2.11
Git Version:    2.17.1
Sidekiq Version:5.1.3
Go Version:     unknown

GitLab information
Version:        11.1.2
Revision:       35936b0
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            https://git.dionglobal.eu
HTTP Clone URL: https://git.dionglobal.eu/some-group/some-project.git
SSH Clone URL:  git@git.dionglobal.eu:some-group/some-project.git
Using LDAP:     yes
Using Omniauth: no

GitLab Shell
Version:        7.1.4
Repository storage paths:
- default:      /opt/dionglobal/gitlab/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

All passing green

Possible fixes (what I've tried)

Tried to enable HTTPS redirect on both gitlab & pages (same behaviour, getting redirected to https then to login page) + tried to disable HTTP2 (also no change in behaviour)

Edited Jun 24, 2025 by 🤖 GitLab Bot 🤖
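
A triage aid for traces like the two in the report, added here as an example and not part of the original issue or of GitLab's own code: it parses `curl -v` output and flags every response that sets a `_gitlab_session` cookie or redirects to `/users/sign_in`, the two markers that distinguish the HTTPS trace from the HTTP one. The function names and the abridged sample traces are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

STATUS_RE = re.compile(r"^HTTP/[\d.]+\s+(\d{3})")
# Constructed samples, abridged from the two traces in the report; cookie value is a placeholder.
HTTP_TRACE = """\
< HTTP/1.1 302 Found
< Location: //docs.win/performance/
<
< HTTP/1.1 200 OK
< Cache-Control: max-age=600
<
"""
HTTPS_TRACE = """\
< HTTP/2 302
< location: https://docs.win/users/sign_in
<
< HTTP/2 200
< set-cookie: _gitlab_session=PLACEHOLDER; path=/; secure; HttpOnly
<
<head prefix="og: http://ogp.me/ns#">
"""

def parse_responses(trace):
    """Return one {'status', 'headers'} dict per response found in `curl -v` output."""
    responses, current = [], None
    for line in trace.splitlines():
        if line.rstrip() == "<":          # bare "<": headers end, body (if any) follows
            current = None
        elif line.startswith("< "):       # curl prefixes response header lines with "< "
            m = STATUS_RE.match(line[2:])
            if m:                         # a status line opens a new response
                responses.append(current := {"status": int(m.group(1)), "headers": {}})
            elif current is not None and ":" in line:
                name, value = line[2:].split(":", 1)
                current["headers"].setdefault(name.strip().lower(), []).append(value.strip())
    return responses

def answered_by_gitlab_app(resp):
    """True if the response sets a GitLab session cookie or redirects to the sign-in path."""
    location = resp["headers"].get("location", [""])[0]
    has_session = any(c.startswith("_gitlab_session=") for c in resp["headers"].get("set-cookie", []))
    return has_session or urlsplit(location).path == "/users/sign_in"

def summarize(trace):  # (status, Location or None, answered_by_gitlab_app) per response
    return [(r["status"], r["headers"].get("location", [None])[0], answered_by_gitlab_app(r))
            for r in parse_responses(trace)]

if __name__ == "__main__":
    print(summarize(HTTP_TRACE), summarize(HTTPS_TRACE))
```

Feeding it the full output of `curl -Lkv` for each scheme shows, hop by hop, which responses carry those markers; HTML body lines such as `<head ...>` are ignored because they lack curl's `< ` prefix.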