Action-Cable Error: Request origin not allowed


on my self-hosted GitLab 15.7 instance I get an error using action cable websockets. At first, it seemed to e a tunnelling issue (as stated here), but I finally got the tunnell working. Now GitLab’s log shows the following error message:

Started GET "/-/cable" for $REMOTE_IP at 2022-12-23 16:02:43 +0100
Started GET "/-/cable/" [WebSocket] for $REMOTE_IP at 2022-12-23 16:02:43 +0100
Request origin not allowed:
Failed to upgrade to WebSocket (REQUEST_METHOD: GET, HTTP_CONNECTION: Upgrade, HTTP_UPGRADE: websocket)
Finished "/-/cable/" [WebSocket] for $REMOTE_IP at 2022-12-23 16:02:43 +0100

The request origin is the address of my instance, so I think, this should be perfectly fine. The origin most likely comes from the HTTP ORIGIN header; the instance is configured to this hostname, and HTTPS:

production: &base
  # 1. GitLab app settings
  # ==========================
  ## GitLab settings
    ## Web server settings (note: host is the FQDN, do not include http://)
    port: 443 # Set to 443 if using HTTPS, see for additional HTTPS configuration details
    https: true # Set to true if using HTTPS, see for additional HTTPS configuration details

GitLab’s documentation does not state anything regarding origins to allow; I found some rails related stuff regardng the error, but there is no configuration available to my knowlege on how to set origins for GitLab’s action cable implementation.

I’m not sure, what I’m missing.


  config.action_cable.allowed_request_origins = ['']

to config/initializers/action_cable.rb resolves the problem; so I think this is a bug in GitLab itself. I’ll file a report.

Issue created.

This turned out to be a layer 8 error. The proxy configuration still was wrong, I missed the ProxyPreserveHost directive, on Apache the minimum required for GitLab is:

ProxyPreserveHost on
RequestHeader add X-Forwarded-Ssl on
RequestHeader set X-Forwarded-Proto "https"

<Proxy *>
    Require all granted

<Location />
    ProxyPass unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|
    ProxyPassReverse unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|

<Location /-/cable>
    ProxyPass unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|ws://
    ProxyPassReverse unix:///opt/gitlab/gitlab/tmp/sockets/gitlab-workhorse.socket|ws://