<!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "type::bug" label: - https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=regression - https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=type::bug and verify the issue you're about to submit isn't a duplicate. ---> ### Summary Configuring outbound filtering on Gitlab Dedicated causes issues with Geo region setup. [The documentation explicitly states](https://docs.gitlab.com/security/webhooks/#filter-requests) that Geo region will not be blocked, but it creates issues regardless. Adding the Geo region to outbound list fixes it. So Geo should be already added to outbound filtering, as the documentation states. ### Steps to reproduce * Setup Gitlab with Geo (Dedicated uses Cloud Native Hybrid deployment) * Configure outbound filtering * Create rails console and follow [these steps to reproduce](https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/incident-management/-/issues/1013#note_2513518711) _The actual issue is happening in one of the Ansible steps during upgrades, but the above provides a simpler reproducer_ ### Example Project <!--If possible, please create an example project here on GitLab.com that exhibits the problematic behavior, and link to it here in the bug report. If you are using an older version of GitLab, this will also determine whether the bug is fixed in a more recent version.--> ### What is the current _bug_ behavior? Geo region URL is absent from `ApplicationSetting.current.outbound_local_requests_whitelist` when outbound filtering is used in Geo setup ### What is the expected _correct_ behavior? Geo region URL should already be present in the `ApplicationSetting.current.outbound_local_requests_whitelist` when outbound filtering is enabled in Geo setup ### Relevant logs and/or screenshots ``` 2025-05-20 02:21:54.177: stderr: |- 2025-05-20 02:21:54.177: WARNING: Active Record does not support composite primary key. 2025-05-20 02:21:54.177: 2025-05-20 02:21:54.177: security_findings has composite primary key. Composite primary key is ignored. 2025-05-20 02:21:54.177: /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/validations.rb:80:in `raise_validation_error': Validation failed: Url is blocked: Requests to hosts and IP addresses not on the Allow List are denied, Internal url is blocked: Requests to hosts and IP addresses not on the Allow List are denied (ActiveRecord::RecordInvalid) 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/validations.rb:53:in `save!' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/transactions.rb:302:in `block in save!' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/transactions.rb:354:in `block in with_transaction_returning_status' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/connection_adapters/abstract/transaction.rb:319:in `block in within_new_transaction' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.8.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `handle_interrupt' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.8.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `block in synchronize' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.8.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `handle_interrupt' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activesupport-7.0.8.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `synchronize' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/connection_adapters/abstract/transaction.rb:317:in `within_new_transaction' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/connection_adapters/abstract/database_statements.rb:316:in `transaction' 2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/connection_proxy.rb:127:in `public_send' 2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/connection_proxy.rb:127:in `block in write_using_load_balancer' 2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/load_balancer.rb:141:in `block in read_write' 2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/load_balancer.rb:228:in `retry_with_backoff' 2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/load_balancer.rb:130:in `read_write' 2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/connection_proxy.rb:126:in `write_using_load_balancer' 2025-05-20 02:21:54.177: from /srv/gitlab/lib/gitlab/database/load_balancing/connection_proxy.rb:78:in `transaction' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/transactions.rb:350:in `with_transaction_returning_status' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/transactions.rb:302:in `save!' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/activerecord-7.0.8.7/lib/active_record/suppressor.rb:54:in `save!' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/commands/runner/runner_command.rb:46:in `<main>' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/commands/runner/runner_command.rb:46:in `eval' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/commands/runner/runner_command.rb:46:in `perform' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/thor-1.3.1/lib/thor/command.rb:28:in `run' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/thor-1.3.1/lib/thor/invocation.rb:127:in `invoke_command' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/thor-1.3.1/lib/thor.rb:527:in `dispatch' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/command/base.rb:87:in `perform' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/command.rb:48:in `invoke' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/railties-7.0.8.7/lib/rails/commands.rb:18:in `<main>' 2025-05-20 02:21:54.177: from <internal:/usr/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:37:in `require' 2025-05-20 02:21:54.177: from <internal:/usr/lib/ruby/site_ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:37:in `require' 2025-05-20 02:21:54.177: from /srv/gitlab/vendor/bundle/ruby/3.2.0/gems/bootsnap-1.18.4/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:30:in `require' 2025-05-20 02:21:54.177: from bin/rails:4:in `<main>' ``` ### Output of checks <!--If you are reporting a bug on GitLab.com, uncomment below--> <!--This bug happens on GitLab.com--> <!--and uncomment below if you have /label privileges--> <!--/label ~"reproduced on GitLab.com"--> <!--or follow up with an issue comment of `@gitlab-bot label ~"reproduced on GitLab.com"` if you do not--> #### Results of GitLab environment info <!--Input any relevant GitLab environment information if needed.--> <details> <summary>Expand for output related to GitLab environment info</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: \\\\\\\`sudo gitlab-rake gitlab:env:info\\\\\\\`) (For installations from source run and paste the output of: \\\\\\\`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production\\\\\\\`) </pre> </details> #### Results of GitLab application Check <!--Input any relevant GitLab application check information if needed.--> <details> <summary>Expand for output related to the GitLab application check</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: \\\`sudo gitlab-rake gitlab:check SANITIZE=true\\\`) (For installations from source run and paste the output of: \\\`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true\\\`) (we will only investigate if the tests are passing) </pre> </details> ### Possible fixes <!--If you can, link to the line of code that might be responsible for the problem.--> ### Patch release information for backports If the bug fix needs to be backported in a [patch release](https://handbook.gitlab.com/handbook/engineering/releases/patch-releases) to a version under [the maintenance policy](https://docs.gitlab.com/policy/maintenance/), please follow the steps on the [patch release runbook for GitLab engineers](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/engineers.md). Refer to the [internal "Release Information" dashboard](https://dashboards.gitlab.net/d/delivery-release_info/delivery3a-release-information?orgId=1) for information about the next patch release, including the targeted versions, expected release date, and current status. #### High-severity bug remediation To remediate high-severity issues requiring an [internal release](https://handbook.gitlab.com/handbook/engineering/releases/internal-releases/) for single-tenant SaaS instances, refer to the [internal release process for engineers](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/internal-releases/engineers.md?ref_type=heads). <!--If you don't have /label privileges, follow up with an issue comment of `@gitlab-bot label ~"type::bug"`-->