Skip to content

Fix trusted proxies regression when hostname is specified

What does this MR do and why?

This backports !202653 (merged) to 18-3-stable-ee.

In GitLab Omnibus, specifying a trusted address in NGINX with a hostname is allowed, but was passed along to the Rails trusted proxies config. For example, a user could set:

nginx['real_ip_trusted_addresses'] = ['localhost']

This change would not only populate the NGINX config, but also update the GitLab Rails gitlab.yml.

Prior to !196981 (merged), hostnames were just ignored. In GitLab 18.3.0, however, this causes all requests to fail because IPAddr.new('localhost') raises an error, which is rescued but causes the trusted_proxies array to include a nil entry. With each incoming request, Puma then reports:

<NoMethodError: undefined method `include?' for nil:NilClass>
Error reached top of thread-pool: stack level too deep (SystemStackError)

This commit restores the behavior of filtering nil values.

The correct behavior may be for GitLab to resolve the IP addresses for these hostnames, but should likely be done periodically rather than at boot time given that IP addresses may change.

Relates to #565044 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
  • The MR that fixed the bug on the default branch has been deployed to GitLab.com (not applicable for documentation or spec changes).
  • The MR title is descriptive (e.g. "Backport of 'title of default branch MR'"). This is important, since the title will be copied to the patch blog post.
  • Required labels have been applied to this merge request
  • Set the milestone of the merge request to match the target backport branch version.
  • This MR has been approved by a maintainer (only one approval is required).
  • Ensure the e2e:test-on-omnibus-ee job has either succeeded or been approved by a Software Engineer in Test.

Note to the merge request author and maintainer

If you have questions about the patch release process, please:

Edited by Stan Hu

Merge request reports

Loading