Mattermost and GitLab behind SSL-terminating reverse proxy: token request fails because of local IP and HTTPS port usage
I am trying to set up the integrated Mattermost server using the GitLab 9.0.0-ce.0 alpine Docker image (I am pulling the latest-tag, which as of now should be 9.0.0-ce.0). I am also using https://github.com/jwilder/nginx-proxy as an SSL-terminating reverse proxy.
My GitLab and Mattermost configuration is based on https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl:
external_url 'https://gitlab.example.de';
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
  "Upgrade" => "$http_upgrade",
  "Connection" => "$connection_upgrade"
}
mattermost_external_url 'https://chat.gitlab.example.de'
mattermost['service_site_url'] = "https://chat.gitlab.example.de"
mattermost_nginx['listen_port'] = 80
mattermost_nginx['listen_https'] = false
mattermost_nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Frame-Options" => "SAMEORIGIN",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on",
  "Upgrade" => "$http_upgrade",
  "Connection" => "$connection_upgrade"
}
GitLab works without any problems with this configuration. When I now open Mattermost I can see the login screen and the GitLab-login option. Hitting the GitLab-login redirects me to GitLab where I have to authorise it to use the API. When I hit authorise I am sent back to Mattermost with the exception that the token could not be requested. The Mattermost log then shows the following error:
[EROR] /signup/gitlab/complete:AuthorizeOAuthUser code=500 rid=xxx uid= ip=xxx Token request failed [details: Post https://gitlab.example.de/oauth/token: dial tcp 172.xx.0.x:443: getsockopt: connection refused]
For some reason it is trying to connect to port 443 inside of the Docker image itself instead of going through the reverse proxy. Because the GitLab and Mattermost services are running on HTTP and port 80, no one can answer on port 443.
Can someone help me, or is this a bug in the GitLab package?
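
A way to confirm the condition described in the question from the log alone, as an added example that is not part of the original post and not GitLab or Mattermost code: it parses the `dial tcp` target out of the error and reports whether the token request went to an RFC 1918 address (bypassing the TLS-terminating proxy) and whether anything listens on the dialed port. The function name `diagnose`, its `listen_ports` parameter and the address 172.18.0.5 are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Go's net/http error as it appears inside the Mattermost log line:
#   Post <url>: dial tcp <ipv4>:<port>: <reason>]
DIAL_RE = re.compile(
    r"Post (?P<url>https?://\S+?): dial tcp "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): (?P<reason>[^\]]+)"
)
# RFC 1918 ranges; Docker's default bridge networks are allocated from these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def diagnose(log_line, listen_ports=(80,)):
    """Describe where a failed token request was sent, or return None.

    listen_ports: ports the in-container nginx listens on (hypothetical
    parameter); 80 matches nginx['listen_port'] in the question's config.
    """
    m = DIAL_RE.search(log_line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # an octet out of range, so not a usable address
        return None
    port = int(m.group("port"))
    return {
        "host": urlsplit(m.group("url")).hostname,
        "dialed": f"{ip}:{port}",
        "reason": m.group("reason").strip(),
        # Internal target: the name resolved to the container network, so
        # the request never passed through the TLS-terminating proxy.
        "bypasses_proxy": any(ip in net for net in RFC1918),
        # False when the dialed port is not one the container serves.
        "port_served": port in listen_ports,
    }


# Constructed sample: the question's log line with the redacted address
# replaced by a made-up Docker bridge address.
SAMPLE = ("[EROR] /signup/gitlab/complete:AuthorizeOAuthUser code=500 rid=xxx "
          "uid= ip=xxx Token request failed [details: Post "
          "https://gitlab.example.de/oauth/token: dial tcp 172.18.0.5:443: "
          "getsockopt: connection refused]")

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result with `bypasses_proxy` true and `port_served` false matches the situation the question describes: an HTTPS URL resolved to a container-internal address where only port 80 is open.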