Connection Refused - 503 / 502 with Apache as proxy
Summary
I'm using the gitlab-ce Docker image, running it with the following command:
docker run --name gitlab --detach --publish 8181:8181 --publish 5000:5000 --volume /opt/gitlab-docker/data:/var/opt/gitlab --volume /opt/gitlab-docker/config:/etc/gitlab gitlab/gitlab-ce:latest
Nginx is disabled and I use Apache with SSL enabled as a proxy, running on a remote server. GitLab is served under a subfolder (/gitlab). Here is the relevant part of the config file:
#GITLAB
<Location /gitlab>
ProxyPass http://192.168.123.122:8181/gitlab connectiontimeout=10 ttl=300 keepalive=on retry=0
ProxyPassReverse http://192.168.123.122:8181/gitlab
Order deny,allow
Allow from all
ErrorDocument 404 /gitlab/404.html
ErrorDocument 422 /gitlab/422.html
ErrorDocument 500 /gitlab/500.html
ErrorDocument 502 /gitlab/502.html
ErrorDocument 503 /gitlab/503.html
</Location>
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
Additionally I tried almost every possible combination of ProxyPass and ProxyPassReverse including the official recipe and a proposed PR: gitlab-recipes#63
What is the current bug behavior?
If I try to access it through the browser I receive a 503, sometimes a 502, and on the next attempt it just loads and works normally. If I leave it for some minutes of "cooling down", it throws the same error.
Similar behavior was reported in issue #1033 (closed)
I've done a test with curl, directly accessing the host where the Docker container runs:
curl -vvv http://192.168.123.122:8181/gitlab/users/sign_in
* Trying 192.168.123.122...
* TCP_NODELAY set
* Connected to 192.168.123.122 (192.168.123.122) port 8181 (#0)
> GET /gitlab/users/sign_in HTTP/1.1
> Host: 192.168.123.122:8181
> User-Agent: curl/7.58.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* stopped the pause stream!
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
curl -vvv http://192.168.123.122:8181/gitlab/users/sign_in
* Trying 192.168.123.122...
* TCP_NODELAY set
* Connected to 192.168.123.122 (192.168.123.122) port 8181 (#0)
> GET /gitlab/users/sign_in HTTP/1.1
> Host: 192.168.123.122:8181
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate
< Content-Type: text/html; charset=utf-8
< Date: Mon, 26 Feb 2018 17:39:13 GMT
< Etag: W/"f9d90b8c9470b49a67fab0cb41a3fc67"
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: 9a369ba6-f969-4e64-80d9-c76913c503d9
< X-Runtime: 6.742975
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Transfer-Encoding: chunked
<
<!DOCTYPE html>
<html class="devise-layout-html">
<head prefix="og: http://ogp.me/ns#">
<meta charset="utf-8">
<meta content="IE=edge" http-equiv="X-UA-Compatible">
<meta content="object" property="og:type">
<meta content="GitLab" property="og:site_name">
...
Same behavior as through Apache, so I'm guessing Apache is not the culprit in this case. On the first attempt gitlab-ctl tail shows no signs of life; on the second call it writes the expected logs:
==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/gitlab/users/sign_in" for 127.0.0.1 at 2018-02-26 17:39:06 +0000
Processing by SessionsController#new as */*
Completed 200 OK in 397ms (Views: 297.3ms | ActiveRecord: 7.5ms)
==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/gitlab/users/sign_in","format":"*/*","controller":"SessionsController","action":"new","status":200,"duration":398.91,"view":297.31,"db":7.46,"time":"2018-02-26T17:39:12.837Z","params":{},"remote_ip":"127.0.0.1","user_id":null,"username":null}
==> /var/log/gitlab/gitlab-workhorse/current <==
2018-02-26_17:39:13.23821 192.168.123.122:8181 192.168.123.174:34976 - - [2018-02-26 17:39:06.458799926 +0000 UTC m=+136.793798831] "GET /gitlab/users/sign_in HTTP/1.1" 200 11639 "" "curl/7.58.0" 6.779233
Details of package version
GitLab version is 10.5.1 21c2ffe
Docker version 17.03.0-ce, build 3a232c8
If you require some additional info, just ask.
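An added example, not part of the original report or of GitLab's own tooling: it correlates the gitlab-workhorse access-log line with the Rails JSON log line quoted above, to show how much of the successful request's time was spent outside the Rails controller. The function name is hypothetical, and reading the `m=+…` value (Go's monotonic clock reading) as approximate seconds since the workhorse process started is an assumption.

```python
import json
import re

# Log lines copied verbatim from the report above.
WORKHORSE_LINE = (
    '2018-02-26_17:39:13.23821 192.168.123.122:8181 192.168.123.174:34976 - - '
    '[2018-02-26 17:39:06.458799926 +0000 UTC m=+136.793798831] '
    '"GET /gitlab/users/sign_in HTTP/1.1" 200 11639 "" "curl/7.58.0" 6.779233'
)
RAILS_JSON_LINE = (
    '{"method":"GET","path":"/gitlab/users/sign_in","format":"*/*",'
    '"controller":"SessionsController","action":"new","status":200,'
    '"duration":398.91,"view":297.31,"db":7.46,'
    '"time":"2018-02-26T17:39:12.837Z","params":{},"remote_ip":"127.0.0.1",'
    '"user_id":null,"username":null}'
)

# [start time, optional monotonic reading] "METHOD path proto" status size
# "referer" "user-agent" duration-in-seconds
WORKHORSE_RE = re.compile(
    r'\[(?P<start>[^\]]*?)(?: m=\+(?P<uptime>[\d.]+))?\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"[^"]*" "[^"]*" (?P<seconds>[\d.]+)$'
)


def correlate(workhorse_line, rails_json_line):
    """Split one request's wall time into controller time and everything else."""
    m = WORKHORSE_RE.search(workhorse_line.strip())
    if m is None:
        raise ValueError("not a workhorse access-log line")
    rails = json.loads(rails_json_line)
    if rails["path"] != m["path"] or rails["status"] != int(m["status"]):
        raise ValueError("the two lines describe different requests")
    total_s = float(m["seconds"])              # workhorse logs seconds
    controller_s = rails["duration"] / 1000.0  # Rails logs milliseconds
    return {
        "path": m["path"],
        "total_s": total_s,
        "controller_s": round(controller_s, 5),
        "outside_controller_s": round(total_s - controller_s, 3),
        # Assumption: m=+N is roughly the seconds since workhorse started.
        "workhorse_uptime_s": float(m["uptime"]) if m["uptime"] else None,
    }


if __name__ == "__main__":
    print(correlate(WORKHORSE_LINE, RAILS_JSON_LINE))
```

For the lines in this report, about 6.4 of the 6.8 seconds fall outside the controller action, and the monotonic reading is under 140 seconds.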