Send allowed endpoints to Workhorse for diagram proxy

What does this MR do and why?

Send the allowed endpoints to Workhorse for the diagram proxy. Without them, Workhorse's SSRF filter rejects requests to internal (private-IP) Kroki endpoints, and reaching such endpoints is the whole point of using the diagram proxy.

Closes "Kroki diagram proxy fails with private IP Kroki..." (#597921, closed); see that work item for details.

Screenshots

Before and After screenshots (images not included in this extract).

Relevant Workhorse logs before the MR:

```
2026-05-01_02:41:10.37001 gitlab-workhorse        : {"correlation_id":"01KQGPJNNXMASM6JEF9K873P55","level":"info","msg":"SendURL: sending","path":"/-/diagram-proxy/120e0132-1a71-496d-be37-20ff484be0fc","time":"2026-05-01T12:41:10+10:00","url":"http://172.16.123.1:8080/graphviz/svg/eNpLyUwvSizIUKhWSFTQtVNIUqgFADrsBaY="}
2026-05-01_02:41:10.37024 gitlab-workhorse        : {"correlation_id":"01KQGPJNNXMASM6JEF9K873P55","error":"SendURL: Do request: Get \"http://172.16.123.1:8080/graphviz/svg/eNpLyUwvSizIUKhWSFTQtVNIUqgFADrsBaY=\": dial tcp 172.16.123.1:8080: IP 172.16.123.1 is not allowed: private IPs are not allowed","level":"error","method":"GET","msg":"","time":"2026-05-01T12:41:10+10:00","uri":"/-/diagram-proxy/120e0132-1a71-496d-be37-20ff484be0fc"}
```

Relevant Workhorse logs with the MR:

```
2026-05-01_02:38:56.16719 gitlab-workhorse        : {"correlation_id":"01KQGPEJM0KQERYT7R7400ZKWF","level":"info","msg":"SendURL: sending","path":"/-/diagram-proxy/7fe36764-739e-48c6-8098-f6e72a2eade6","time":"2026-05-01T12:38:56+10:00","url":"http://172.16.123.1:8080/graphviz/svg/eNpLyUwvSizIUKhWSFTQtVNIUqgFADrsBaY="}
2026-05-01_02:38:56.26996 gitlab-workhorse        : {"backend_id":"rails","body_limit":104857600,"content_type":"image/svg+xml","correlation_id":"01KQGPEJM0KQERYT7R7400ZKWF","duration_ms":141,"host":"gdk.test:3000","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","read_bytes":953,"referrer":"http://gdk.test:3000/root/comrak/-/work_items/35","remote_addr":"172.16.123.1:60289","remote_ip":"172.16.123.1","route":"^/-/","route_id":"dash","status":200,"system":"http","time":"2026-05-01T12:38:56+10:00","ttfb_ms":141,"uri":"/-/diagram-proxy/7fe36764-739e-48c6-8098-f6e72a2eade6","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36","written_bytes":1265}
```
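To make the "private IPs are not allowed" decision in the logs above concrete, here is an added, self-contained Go example (not Workhorse's code) of an SSRF filter with an application-supplied allowlist: a private or loopback destination is only dialled when the request carried its exact scheme://host:port as an allowed endpoint. The `CheckDial` and `origin` names, the IP-literal-only handling, and the sample URLs are assumptions of this example, not taken from the project.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// origin normalises a URL to scheme://host:port so that
// "http://172.16.123.1:8080" and "http://172.16.123.1:8080/" compare equal.
func origin(u *url.URL) string {
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	return u.Scheme + "://" + u.Hostname() + ":" + port
}

// CheckDial applies the SSRF rule: public destinations pass; a private or
// loopback IP passes only when the request carried that exact
// scheme://host:port in allowedEndpoints. Only IP-literal hosts are
// handled (constructed example, no DNS resolution).
func CheckDial(target string, allowedEndpoints []string) error {
	u, err := url.Parse(target)
	if err != nil {
		return err
	}
	ip := net.ParseIP(u.Hostname())
	if ip == nil {
		return fmt.Errorf("host %q is not an IP literal; DNS is out of scope here", u.Hostname())
	}
	if !ip.IsPrivate() && !ip.IsLoopback() {
		return nil
	}
	for _, a := range allowedEndpoints {
		if au, err := url.Parse(a); err == nil && origin(au) == origin(u) {
			return nil
		}
	}
	return fmt.Errorf("dial tcp %s: IP %s is not allowed: private IPs are not allowed", u.Host, ip)
}

func main() {
	kroki := "http://172.16.123.1:8080/graphviz/svg/eNpLyUwvSizIUKhWSFTQtVNIUqgFADrsBaY="
	fmt.Println("without allowed endpoints:", CheckDial(kroki, nil))
	fmt.Println("with allowed endpoints:   ", CheckDial(kroki, []string{"http://172.16.123.1:8080"}))
}
```

Note that the allowlist match is on the exact scheme, host and port: an entry for port 8000 does not unlock port 8080, which matters because the setup steps in this MR use different ports for podman and Docker.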

How to set up and validate locally

Copied from #597921 (closed):

  1. Run Kroki locally: `podman run -d --name kroki -p 8000:8000 docker.io/yuzutech/kroki`

  2. Get the container IP: `podman inspect kroki --format '{{.NetworkSettings.IPAddress}}'` (e.g. `10.88.0.3`)

  3. In Admin > Settings > General > Kroki, enable Kroki and set the URL to `http://10.88.0.3:8000`

  4. Enable the Kroki diagram proxy

  5. Add a diagram to an issue or wiki page:

     ```graphviz
     digraph { a -> b }
     ```

  6. Observe the broken image icon

  7. Check the Workhorse log with `sudo gitlab-ctl tail gitlab-workhorse/current` and look for the `private IPs are not allowed` error

If, like me, you're using GDK, Docker and a loopback alias at 172.16.123.1, you can make the following substitutions:

  • `docker run --rm --name kroki -p 8080:8000 yuzutech/kroki` (this will bind it to port 8080 on all interfaces)
  • Enable the 172.16.0.0/16 network for outbound requests at http://gdk.test:3000/admin/application_settings/network#js-outbound-settings. Mine looks like this: (screenshot not included in this extract)
  • Set the Kroki endpoint at http://gdk.test:3000/admin/application_settings/general#js-kroki-settings to `http://172.16.123.1:8080` and ensure you check "Proxy Kroki diagrams through GitLab". Mine looks like this: (screenshot not included in this extract)
  • `gdk tail gitlab-workhorse` shows you the Workhorse logs. There's a lot, so you gotta use your sniffer to find the right ones.
  • After changing application settings, if things aren't working right, I suggest a hearty `gdk restart rails-web`, just to check.
  • Note that you can't open or reload the diagram proxy image URLs individually to test (by design), so you need to reload the containing page each time.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Asherah Connor
