Add support for redirect to HTTPS behind proxied SSL
Summary
Without HTTPS enabled, requests are not redirected to HTTPS, even with redirect_http_to_https enabled.
For example, if the load balancer is terminating SSL and still passing port 80 to the GitLab instance, these HTTP/80 requests will not be automatically redirected. This is a problem in an environment behind AWS ELB Classic, where redirect rules are not possible from the load balancer.
Another example of a problem caused by this is proxied SSL for pages. The pages are accessible via HTTP/80 and HTTPS/443, and requests to HTTP/80 are not redirected.
Links/URLs are still served with HTTPS, so the entrypoint is a redirect to an HTTPS sign-in page, but any direct requests respond directly.
Per the configuration templates, there aren't any redirect fields unless HTTPS and redirect are both enabled:
<% if @https && @redirect_http_to_https %>
Proposal
Add support for redirecting all http requests to https with proxied SSL.
There need to be rules within the primary server block to look for and redirect as needed.
The workaround for now is to add custom config via gitlab.rb.
Note: Testing/Experimental. Additional overrides may be needed. For example, review the healthchecks (only liveness is allowed here).
registry_nginx['custom_gitlab_server_config'] = <<-CONF
  # Redirect unless the load balancer reports that the client used HTTPS
  if ($http_x_forwarded_proto != "https") {
    rewrite ^/(.*)$ https://$host/$1 permanent;
  }
CONF
pages_nginx['custom_gitlab_server_config'] = <<-CONF
  if ($http_x_forwarded_proto != "https") {
    rewrite ^/(.*)$ https://$host/$1 permanent;
  }
CONF
nginx['custom_gitlab_server_config'] = <<-CONF
  set $is_redirect "0";
  if ($http_x_forwarded_proto != "https") {
    set $is_redirect "1";
  }
  # Exempt the liveness health check from the redirect
  if ($request_uri = "/-/liveness") {
    set $is_redirect "0";
  }
  # NGINX treats "0" as false, so this only fires when the flag is "1"
  if ($is_redirect) {
    rewrite ^/(.*)$ https://$host/$1 permanent;
  }
CONF
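
A way to verify the workaround after `gitlab-ctl reconfigure`, as an added example that is not part of the original issue or of GitLab's code: it sends plain-HTTP requests straight to the instance's port 80 with and without `X-Forwarded-Proto` and checks the response against what the main `nginx[...]` block above should do. The address, port, host name and the `/users/sign_in` and `?probe=1` targets are assumptions. The last case covers an edge of the liveness exemption: `$request_uri` includes the query string, so only the bare `/-/liveness` path is exempt.

```ruby
require "net/http"

# Constructed expectations for plain-HTTP requests reaching the main GitLab
# NGINX server block: [request target, X-Forwarded-Proto or nil, redirect?]
CASES = [
  ["/users/sign_in",      nil,     true],   # header absent, so != "https" holds
  ["/users/sign_in",      "http",  true],
  ["/users/sign_in",      "https", false],  # TLS was terminated upstream
  ["/-/liveness",         nil,     false],  # health check exemption
  ["/-/liveness?probe=1", nil,     true],   # exact match on $request_uri fails
].freeze

# Location the `rewrite ... permanent` rule should produce. $host carries no
# port, and rewrite re-appends the original query string.
def expected_location(host, target)
  "https://#{host.downcase.sub(/:\d+\z/, '')}#{target}"
end

# Compare one observed response with the expectation for that case.
def verdict(status, location, host, target, want_redirect)
  if want_redirect
    status == 301 && location == expected_location(host, target) ? :ok : :missing_redirect
  else
    status == 301 ? :unexpected_redirect : :ok
  end
end

# Send one request directly to the instance's HTTP listener.
def probe(addr, port, host, target, proto)
  req = Net::HTTP::Get.new(target)
  req["Host"] = host
  req["X-Forwarded-Proto"] = proto if proto
  res = Net::HTTP.start(addr, port, open_timeout: 5, read_timeout: 5) { |h| h.request(req) }
  [res.code.to_i, res["Location"]]
end

def run(addr, port, host)
  CASES.map do |target, proto, want|
    status, location = probe(addr, port, host, target, proto)
    [target, proto, verdict(status, location, host, target, want)]
  end
end

# Touches the network only when given arguments (placeholder values):
#   ruby check_redirect.rb 10.0.0.5 80 gitlab.example.com
if __FILE__ == $PROGRAM_NAME && ARGV.size == 3
  run(ARGV[0], ARGV[1].to_i, ARGV[2]).each { |row| puts row.inspect }
end
```

The `https` case passes for any client that can reach port 80 directly and sets the header itself, so the check is only meaningful when that port is reachable solely from the load balancer.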