After changing the external_url, login page redirects to old external_url

Summary

A few weeks ago, while running GitLab CE 13.12.12 (Omnibus Install) we changed the external_url property in /etc/gitlab/gitlab.rb from hostname.internal.domain.net to gitlab.internal.domain.net, and used a CNAME DNS Record to point the latter at the former. I completed a gitlab-ctl reconfigure to complete the change, and tested access. All seemed to be OK.

Since then, I started to notice that sometimes when I used a browser to access https://gitlab.internal.domain.net/, I would end up at after a redirect https://hostname.internal.domain.net/users/sign_in. Initially I thought it was just me.

I have since completed a migration from the old host to a new host using backup and restore instructions, and can confirm that everything is behaving OK, with the exception of this same issue. I first noticed during a test restore that I was being redirected from the pre-production test host to the existing production host. I have also since upgraded to GitLab 14.4.2 on this new host as this was part of the reason for migrating.

If I manually complete the full URL to the login page as https://gitlab.internal.domain.net/users/sign_in, and complete the sign-in process via LDAP, the URL continues to reference the gitlab.internal.domain.net as expected. This only seems to affect users when not already logged in, and not directly navigating to the sign-in page.

The TLS/SSL Certificate in the nginx configuration has SAN DNS entries for both old and new hosts as well as gitlab.internal.domain.net.

Steps to reproduce

Note that I have not attempted to re-produce this directly to validate.

  1. Configure a new instance of GitLab CE, setting the external_url to one value.
  2. Do some things in GitLab
  3. Change the external_url to a new value in /etc/gitlab/gitlab.rb
  4. Execute gitlab-ctl reconfigure to effect the change
  5. Navigate to https://newname.internal.domain.net/
  6. Observe a redirect to the login page on the original external_url

Example Project

An example project is not suitable for this issue.

What is the current bug behavior?

When navigating to the newly configured external_url to log into GitLab, a redirect is issued for the login page on the original external_url

What is the expected correct behavior?

When navigating to any page on GitLab using the current external_url, when not already authenticated, redirect should send browser to the sign-in page under the currently configured external_url.

Relevant logs and/or screenshots

Developer Tools : Network screen shot of redirects (parts of hostname obfuscated).

Screen_Shot_2021-11-23_at_3.33.16_pm

I have checked the contents of /etc/gitlab/gitlab.rb and find no reference to the old value of external_url. Since this persisted after migrating to another host, I can only surmise that there is a value saved in the database that is created if not present, but is not updated when the external_url is changed.

Output of checks

Results of GitLab environment info

Original installation was on Ubuntu 16.04 prior to changing external_url. Post migration, GitLab was upgraded to 14.4.2 via 14.0.12. Issue persists after upgrading.

Expand for output related to GitLab environment info 

sudo gitlab-rake gitlab:env:info

System information
System:         Ubuntu 20.04
Current User:   git
Using RVM:      no
Ruby Version:   2.7.4p191
Gem Version:    3.1.4
Bundler Version:2.1.4
Rake Version:   13.0.6
Redis Version:  6.0.16
Git Version:    2.33.0.
Sidekiq Version:6.2.2
Go Version:     unknown

GitLab information
Version:        14.4.2
Revision:       1ce86e92f81
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.7
URL:            https://gitlab.internal.domain.net
HTTP Clone URL: https://gitlab.internal.domain.net/some-group/some-project.git
SSH Clone URL:  git@gitlab.internal.domain.net:some-group/some-project.git
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.21.1
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
sudo gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...


Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 13.21.1 ? ... OK (13.21.1)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... Server: ldapmain
not verifying SSL hostname of LDAPS server 'dc01.internal.domain.net:636'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 17 users of 100 limit.


Checking LDAP ... Finished


Checking GitLab App ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
4/1 ... yes
5/2 ... yes
5/3 ... yes
5/4 ... yes
7/5 ... yes
5/6 ... yes
8/7 ... yes
8/8 ... yes
9/9 ... yes
5/10 ... yes
7/11 ... yes
7/12 ... yes
7/13 ... yes
5/14 ... yes
4/15 ... yes
5/16 ... yes
5/17 ... yes
22/18 ... yes
12/19 ... yes
12/20 ... yes
83/21 ... yes
15/22 ... yes
44/23 ... yes
15/24 ... yes
18/25 ... yes
18/26 ... yes
5/27 ... yes
44/28 ... yes
21/29 ... yes
23/30 ... yes
56/31 ... yes
21/32 ... yes
24/33 ... yes
15/34 ... yes
15/35 ... yes
44/36 ... yes
27/37 ... yes
27/38 ... yes
7/39 ... yes
28/40 ... yes
30/41 ... yes
28/42 ... yes
31/43 ... yes
15/44 ... yes
36/54 ... yes
61/55 ... yes
36/56 ... yes
36/57 ... yes
36/58 ... yes
36/59 ... yes
36/60 ... yes
36/61 ... yes
38/62 ... yes
36/63 ... yes
24/64 ... yes
34/65 ... yes
39/67 ... yes
42/68 ... yes
43/69 ... yes
45/70 ... yes
24/71 ... yes
29/72 ... yes
24/73 ... yes
42/74 ... yes
56/81 ... yes
42/82 ... yes
48/83 ... yes
49/84 ... yes
50/85 ... yes
27/86 ... yes
42/87 ... yes
39/88 ... yes
58/89 ... yes
47/90 ... yes
52/91 ... yes
2/92 ... yes
54/93 ... yes
54/94 ... yes
54/95 ... yes
54/96 ... yes
39/97 ... yes
56/98 ... yes
60/99 ... yes
54/100 ... yes
54/101 ... yes
54/102 ... yes
54/103 ... yes
54/104 ... yes
54/105 ... yes
11/106 ... yes
54/107 ... yes
63/108 ... yes
54/109 ... yes
54/110 ... yes
54/111 ... yes
61/112 ... yes
54/113 ... yes
54/114 ... yes
63/115 ... yes
55/116 ... yes
60/117 ... yes
54/118 ... yes
60/119 ... yes
60/120 ... yes
54/121 ... yes
54/122 ... yes
60/123 ... yes
60/124 ... yes
60/125 ... yes
60/126 ... yes
60/127 ... yes
60/128 ... yes
60/129 ... yes
60/130 ... yes
60/131 ... yes
60/132 ... yes
60/133 ... yes
60/134 ... yes
60/135 ... yes
60/136 ... yes
60/137 ... yes
60/138 ... yes
60/139 ... yes
60/140 ... yes
60/141 ... yes
60/142 ... yes
56/143 ... yes
60/144 ... yes
27/145 ... yes
42/146 ... yes
44/147 ... yes
42/148 ... yes
54/149 ... yes
18/150 ... yes
66/151 ... yes
67/152 ... yes
42/153 ... yes
45/154 ... yes
60/155 ... yes
42/156 ... yes
42/157 ... yes
23/158 ... yes
42/159 ... yes
71/160 ... yes
69/161 ... yes
42/162 ... yes
67/163 ... yes
60/164 ... yes
27/165 ... yes
56/166 ... yes
42/168 ... yes
11/169 ... yes
75/170 ... yes
76/171 ... yes
27/172 ... yes
27/173 ... yes
42/174 ... yes
69/175 ... yes
79/176 ... yes
79/177 ... yes
83/178 ... yes
82/179 ... yes
81/180 ... yes
80/181 ... yes
27/182 ... yes
27/183 ... yes
67/184 ... yes
84/185 ... yes
69/186 ... yes
18/187 ... yes
69/188 ... yes
42/189 ... yes
42/190 ... yes
56/191 ... yes
27/192 ... yes
27/193 ... yes
11/194 ... yes
42/195 ... yes
42/196 ... yes
27/197 ... yes
42/199 ... yes
42/200 ... yes
87/201 ... yes
69/202 ... yes
69/203 ... yes
69/204 ... yes
69/205 ... yes
83/206 ... yes
60/207 ... yes
60/208 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.4)
Git version >= 2.33.0 ? ... yes (2.33.0)
Git user has default SSH configuration? ... yes
Active users: ... 19
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

Possible fixes