Git clone/pull doesn't work through HTTP(s)

Enabling maintenance mode doesn't allow HTTP(s) clones to go through:

╰─>$ env GIT_CURL_VERBOSE=1 git clone https://domain/root/ci-test.git
Cloning into 'ci-test'...
[..]
Username for 'https://domain': root
Password for 'https://root@domain':
[..]
19:03:35.617674 http.c:715              => Send header: POST /root/ci-test.git/git-upload-pack HTTP/2
19:03:35.617677 http.c:715              => Send header: Host: domain
19:03:35.617680 http.c:715              => Send header: authorization: Basic ****
19:03:35.617682 http.c:715              => Send header: user-agent: git/2.31.0
19:03:35.617685 http.c:715              => Send header: accept-encoding: deflate, gzip, zstd
19:03:35.617687 http.c:715              => Send header: content-type: application/x-git-upload-pack-request
19:03:35.617689 http.c:715              => Send header: accept: application/x-git-upload-pack-result
19:03:35.617691 http.c:715              => Send header: git-protocol: version=2
19:03:35.617693 http.c:715              => Send header: content-length: 175
[..]
error: RPC failed; HTTP 301 curl 22 The requested URL returned error: 301
fatal: expected flush after ref listing

Adding:

modified   lib/gitlab/middleware/read_only/controller.rb
@@ -99,6 +99,7 @@ def allowlisted_routes
         # https://gitlab.com/gitlab-org/gitlab-workhorse/-/merge_requests/12
         def workhorse_passthrough_route?
           # Calling route_hash may be expensive. Only do it if we think there's a possible match
+          Rails.logger.error [request.path, request.post?, request.path.end_with?('.git/git-upload-pack'), route_hash[:controller], route_hash[:action]]
           return false unless request.post? &&
             request.path.end_with?('.git/git-upload-pack')

Shows:

Started POST "/root/ci-test.git/git-upload-pack/" for ** at 2021-05-12 18:07:28 +0000
["/root/ci-test.git/git-upload-pack/", true, false, nil, nil]

This seems to prevent Geo clones as well since the read_only? method will return true in here.