`namespace_in_path` breaks auth
Summary
Auth for private pages fails for setups with an external reverse proxy: https://pages.foo.bar/radtke/pagestest/ responds with a `location` header pointing towards https://projects.pages.foo.bar/auth?domain=https://pages.foo.bar/radtke&state=rcQJ4NmekRY_uf15J_1j7w== which is an unregistered domain.
This sounds very much like #452459 (closed), but we don't set a custom `auth_redirect_uri`.
Steps to reproduce
Use a dockerized setup like this with an external reverse proxy that handles TLS:
```ruby
# Gitlab Pages
pages_external_url 'https://pages.foo.bar'
gitlab_pages['access_control'] = true
gitlab_pages['enable'] = true
gitlab_pages['auth_scope'] = 'read_api'
gitlab_pages["namespace_in_path"] = true
gitlab_pages['internal_gitlab_server'] = "http://127.0.0.1:9000"
pages_nginx['redirect_http_to_https'] = false
pages_nginx['listen_https'] = false
pages_nginx['listen_port'] = 9001
```
What is the current bug behavior?
https://pages.foo.bar/radtke/pagestest/ redirects my user agent to https://projects.pages.foo.bar/auth?domain=https://pages.foo.bar/radtke&state=rcQJ4NmekRY_uf15J_1j7w== (which is unexpected and unregistered).
What is the expected correct behavior?
Redirect to login works.
Output of checks
Results of GitLab environment info
```
root@f0a7d3132b59:/# gitlab-rake gitlab:env:info

System information
System:
Current User: git
Using RVM: no
Ruby Version: 3.1.4p223
Gem Version: 3.5.7
Bundler Version:2.5.8
Rake Version: 13.0.6
Redis Version: 7.0.15
Sidekiq Version:7.1.6
Go Version: unknown

GitLab information
Version: 16.11.1
Revision: 3ad2f8c9e62
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 14.11
URL: https://gitlab.foo.bar
HTTP Clone URL: https://gitlab.foo.bar/some-group/some-project.git
SSH Clone URL: ssh://git@gitlab.foo.bar:2222/some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 14.35.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 16.11.1
- default Git Version: 2.43.2
```
Results of GitLab application Check
```
root@f0a7d3132b59:/# gitlab-rake gitlab:check SANITIZE=true
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.35.0 ? ... OK (14.35.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... Server: ldapmain
not verifying SSL hostname of LDAPS server 'food2.foo.de:636'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes
Tables are truncated? ... skipped
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
Redis version >= 6.2.14? ... yes
Ruby version >= 3.0.6 ? ... yes (3.1.4)
Git user has default SSH configuration? ... yes
Active users: ... 361
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished
```