Fix trusted proxies regression when hostname is specified
What does this MR do and why?
This backports !202653 (merged) to 18-3-stable-ee
.
In GitLab Omnibus, specifying a trusted address in NGINX with a hostname is allowed, but was passed along to the Rails trusted proxies config. For example, a user could set:
nginx['real_ip_trusted_addresses'] = ['localhost']
This change would not only populate the NGINX config, but also update
the GitLab Rails gitlab.yml
.
Prior to !196981 (merged),
hostnames were just ignored. In GitLab 18.3.0, however, this causes all
requests to fail because IPAddr.new('localhost')
raises an error,
which is rescued but causes the trusted_proxies
array to include a
nil
entry. With each incoming request, Puma then reports:
<NoMethodError: undefined method `include?' for nil:NilClass>
Error reached top of thread-pool: stack level too deep (SystemStackError)
This commit restores the behavior of filtering nil
values.
The correct behavior may be for GitLab to resolve the IP addresses for these hostnames, but should likely be done periodically rather than at boot time given that IP addresses may change.
Relates to #565044 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch. -
The MR that fixed the bug on the default branch has been deployed to GitLab.com (not applicable for documentation or spec changes). -
The MR title is descriptive (e.g. "Backport of 'title of default branch MR'"). This is important, since the title will be copied to the patch blog post. -
Required labels have been applied to this merge request -
severity label and bug subtype labels (if applicable) -
If this MR fixes a bug that affects customers, the customer label has been applied.
-
-
Set the milestone of the merge request to match the target backport branch version. -
This MR has been approved by a maintainer (only one approval is required). -
Ensure the e2e:test-on-omnibus-ee
job has either succeeded or been approved by a Software Engineer in Test.
Note to the merge request author and maintainer
If you have questions about the patch release process, please:
- Refer to the patch release runbook for engineers and maintainers for guidance.
- Ask questions on the
#releases
Slack channel (internal only). - Once the backport has been merged, the commit changes will be automatically deployed to a release environment that can be used for manual validation. See after merging runbook for details.