Geo region URL is blocked when using outbound filtering
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Summary
Configuring outbound filtering on Gitlab Dedicated causes issues with Geo region setup. The documentation explicitly states that Geo region will not be blocked, but it creates issues regardless. Adding the Geo region to outbound list fixes it. So Geo should be already added to outbound filtering, as the documentation states.
Steps to reproduce
- Setup Gitlab with Geo (Dedicated uses Cloud Native Hybrid deployment)
- Configure outbound filtering
- Create rails console and follow these steps to reproduce
The actual issue is happening in one of the Ansible steps during upgrades, but the above provides a simpler reproducer
Example Project
What is the current bug behavior?
Geo region URL is absent from ApplicationSetting.current.outbound_local_requests_whitelist when outbound filtering is used in Geo setup
What is the expected correct behavior?
Geo region URL should already be present in the ApplicationSetting.current.outbound_local_requests_whitelist when outbound filtering is enabled in Geo setup
Relevant logs and/or screenshots
2025-05-20 02:21:54.177: stderr: |-
2025-05-20 02:21:54.177: WARNING: Active Record does not support composite primary key.
2025-05-20 02:21:54.177:
2025-05-20 02:21:54.177: security_findings has composite primary key. Composite primary key is ignored.
2025-05-20 02:21:54.177: /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/validations.rb:80:in `raise_validation_error': Validation failed: Url is blocked: Requests to hosts and IP addresses not on the Allow List are denied, Internal url is blocked: Requests to hosts and IP addresses not on the Allow List are denied (ActiveRecord::RecordInvalid)
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/validations.rb:53:in `save!'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/transactions.rb:302:in `block in save!'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/transactions.rb:354:in `block in with_transaction_returning_status'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/connection_adapters/abstract/transaction.rb:319:in `block in within_new_transaction'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.8.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `handle_interrupt'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.8.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `block in synchronize'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.8.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `handle_interrupt'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.8.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `synchronize'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/connection_adapters/abstract/transaction.rb:317:in `within_new_transaction'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/connection_adapters/abstract/database_statements.rb:316:in `transaction'
2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/connection_proxy.rb:127:in `public_send'
2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/connection_proxy.rb:127:in `block in write_using_load_balancer'
2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/load_balancer.rb:141:in `block in read_write'
2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/load_balancer.rb:228:in `retry_with_backoff'
2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/load_balancer.rb:130:in `read_write'
2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/connection_proxy.rb:126:in `write_using_load_balancer'
2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/connection_proxy.rb:78:in `transaction'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/transactions.rb:350:in `with_transaction_returning_status'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/transactions.rb:302:in `save!'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/suppressor.rb:54:in `save!'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/commands/runner/runner_command.rb:46:in `<main>'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/commands/runner/runner_command.rb:46:in `eval'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/commands/runner/runner_command.rb:46:in `perform'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/thor-1.3.1/lib/thor/command.rb:28:in `run'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/thor-1.3.1/lib/thor/invocation.rb:127:in `invoke_command'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/thor-1.3.1/lib/thor.rb:527:in `dispatch'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/command/base.rb:87:in `perform'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/command.rb:48:in `invoke'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/commands.rb:18:in `<main>'
2025-05-20 02:21:54.177: from <internal:/usr/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:37:in `require'
2025-05-20 02:21:54.177: from <internal:/usr/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:37:in `require'
2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/bootsnap-1.18.4/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:30:in `require'
2025-05-20 02:21:54.177: from bin/rails:4:in `<main>'Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: \\\`sudo gitlab-rake gitlab:env:info\\\`) (For installations from source run and paste the output of: \\\`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production\\\`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of: \`sudo gitlab-rake gitlab:check SANITIZE=true\`) (For installations from source run and paste the output of: \`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true\`) (we will only investigate if the tests are passing)
Possible fixes
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.
Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.
Edited by 🤖 GitLab Bot 🤖