NGINX - Wrong HSTS redirect sequence
We are using GitLab Omnibus 12.5, have HSTS enabled and are using external_url in our /etc/gitlab/gitlab.rb:
external_url 'https://gitlab.example.com'
However, we can reach GitLab by both external_url and the server's hostname. This is problematic for HSTS as the redirect sequence is wrong (we need to redirect HTTP to HTTPS on the same host first, cf. https://hstspreload.org/ and https://serverfault.com/questions/930368/hsts-and-double-redirect/):
http://servername.example.com/ -> https://gitlab.example.com:443/ -> https://gitlab.example.com/users/sign_in
This should be:
http://servername.example.com/ -> https://servername.example.com/ -> https://gitlab.example.com:443/ -> https://gitlab.example.com/users/sign_in
To get this fixed, we updated /var/opt/gitlab/nginx/conf/gitlab-http.conf
from
location / {
return 301 https://gitlab.example.com:443$request_uri;
}
to
location / {
return 301 https://$host$request_uri;
}
However, it looks like we cannot make this persistent as the template is always inserting @fqdn:
location / {
return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
}
Three questions:
- Is there a way to prevent GitLab from being accessed by URIs that do not use external_url?
- If not, can we fully disable HTTP traffic?
- Shouldn't this be fixed in the template?
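As an added example (not part of the original post or of GitLab Omnibus), here is a small Python check for the redirect ordering described above: it walks a redirect chain one Location header at a time instead of auto-following, and flags a first hop from http:// that changes host before upgrading to HTTPS on the same host. The hostnames are the post's placeholders, and the two sample chains are constructed from the post's description so the check runs offline.

```python
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow_redirects(url, max_hops=5):
    """Return the chain [url, hop1, hop2, ...] by reading Location headers (needs network)."""
    chain = [url]
    opener = build_opener(_NoRedirect)
    for _ in range(max_hops):
        try:
            opener.open(Request(chain[-1], method="GET"))
            break                                   # 2xx: end of the chain
        except HTTPError as err:
            location = err.headers.get("Location")
            if err.code not in (301, 302, 303, 307, 308) or not location:
                break
            chain.append(urljoin(chain[-1], location))
    return chain


def check_redirect_chain(chain):
    """Return the HSTS-preload ordering problems found in a redirect chain."""
    problems = []
    if len(chain) < 2:
        return problems
    first, second = urlsplit(chain[0]), urlsplit(chain[1])
    if first.scheme == "http":
        if second.scheme != "https":
            problems.append("first hop must upgrade to https://")
        if second.hostname != first.hostname:
            problems.append(f"first hop changes host {first.hostname} -> "
                            f"{second.hostname} before upgrading to HTTPS")
    problems += [f"insecure hop {hop}" for hop in chain[1:]
                 if urlsplit(hop).scheme != "https"]
    return problems


# Constructed chains taken from the post's description (no network needed).
WRONG = ["http://servername.example.com/", "https://gitlab.example.com:443/",
         "https://gitlab.example.com/users/sign_in"]
RIGHT = ["http://servername.example.com/", "https://servername.example.com/",
         "https://gitlab.example.com:443/", "https://gitlab.example.com/users/sign_in"]

if __name__ == "__main__":
    for chain in (WRONG, RIGHT):
        print(chain[0], "->", check_redirect_chain(chain) or "OK")
```

To test a live server, pass its HTTP URL to follow_redirects() and feed the result to check_redirect_chain().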