Broken pipe in gitlab-workhorse while cloning repository via reverse proxy (Citrix Netscaler)

Hi all,

we are using the latest version of omnibus-gitlab (GitLab Community Edition 10.2.4) with RHEL 7.

We activated SSL locally with a self-signed certificate and talk to Gitlab via SSL.

So the traffic looks like this:

Client --> 443 --> Citrix Netscaler --> 443 --> Gitlab Server

We have proxied the connection through our Citrix Netscaler with an official certificate, also via SSL, and get the following messages in the gitlab-workhorse logs while cloning a repo of 20k files:

2017-12-19_15:32:19.08200 @ - - [2017-12-19 16:32:19.011054609 +0100 CET] “GET /project/repo.git/info/refs?service=git-upload-pack HTTP/1.1” 401 26 “” “git/” 0.070872
2017-12-19_15:32:19.10580 @ - - [2017-12-19 16:32:19.083900961 +0100 CET] “GET /project/repo.git/info/refs?service=git-upload-pack HTTP/1.1” 401 26 “” “git/” 0.021824
2017-12-19_15:32:21.96913 @ - - [2017-12-19 16:32:21.297379962 +0100 CET] “GET /project/repo.git/info/refs?service=git-upload-pack HTTP/1.1” 200 351 “” “git/” 0.671654

2017-12-19_15:33:25.66083 2017/12/19 16:33:25 error: POST “/project/repo.git/git-upload-pack”: handleUploadPack: smarthttp.UploadPack: write unix /var/opt/gitlab/gitlab-workhorse/socket->@: write: broken pipe

2017-12-19_15:33:25.66087 @ - - [2017-12-19 16:32:22.009642139 +0100 CET] “POST /project/repo.git/git-upload-pack HTTP/1.1” 200 13164672 “” “git/” 63.651190

The cloning on the client side hangs forever and doesn’t show an error message.

Here is our gitlab.rb-Config:

external_url '

unicorn['worker_timeout'] = 300

Has anybody seen this error before, or can anybody point us to a solution?

When we connect directly to the Gitlab server it works; via SSH through Netscaler it also works.



Found the problem myself.

It seems there is an incompatibility between the SSL implementation of Citrix Netscaler and Nginx. I had to change the following settings in gitlab.rb:

nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"

After that I disabled TLSv1.1 and TLSv1.2 on the Netscaler for this connection:

Netscaler --> 443 --> Gitlab

So it only uses TLSv1 and now it works!

It's not a pretty solution, I know. We had the same problem with IIS in the backend; maybe an update of Netscaler will help.

Maybe this will help someone out there.

Thanks anyway!
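
Added example, not part of the original posts or of GitLab's code: a Python script that pairs each "broken pipe" error in a gitlab-workhorse log with the access entry that finished at the same moment, run over sample lines constructed after the excerpt in the question. The function name aborted_transfers and the one-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modeled on the gitlab-workhorse excerpt in the question.
SAMPLE = '''\
2017-12-19_15:32:21.96913 @ - - [2017-12-19 16:32:21.297379962 +0100 CET] "GET /project/repo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 351 "" "git/" 0.671654
2017-12-19_15:33:25.66083 2017/12/19 16:33:25 error: POST "/project/repo.git/git-upload-pack": handleUploadPack: smarthttp.UploadPack: write unix /var/opt/gitlab/gitlab-workhorse/socket->@: write: broken pipe
2017-12-19_15:33:25.66087 @ - - [2017-12-19 16:32:22.009642139 +0100 CET] "POST /project/repo.git/git-upload-pack HTTP/1.1" 200 13164672 "" "git/" 63.651190
'''

Q = '["\u201c\u201d]'  # straight or typographic quotes (forum software rewrites them)
ACCESS = re.compile(r'\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(\.\d+) [^\]]*\] ' + Q +
                    r'(\w+) (\S+) HTTP/[\d.]+' + Q + r' (\d{3}) (\d+) .* ([\d.]+)\s*$')
ERROR = re.compile(r'(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) error: (\w+) ' + Q +
                   r'(\S+?)' + Q + r': .*broken pipe')


def aborted_transfers(text, slack=1.0):
    """Pair each 'broken pipe' error with the access entry that ended at that moment.

    Access entries carry the request start time and duration; the error line is
    written when the write fails, with one-second resolution and no zone, so both
    are treated as the same local time and matched within `slack` seconds.
    """
    ended, errors = [], []
    for line in text.splitlines():
        if m := ACCESS.search(line):
            start = datetime.strptime(m[1], '%Y-%m-%d %H:%M:%S') + timedelta(seconds=float(m[2]))
            ended.append((start + timedelta(seconds=float(m[7])), m[3], m[4],
                          int(m[5]), int(m[6]), float(m[7])))
        elif m := ERROR.search(line):
            errors.append((datetime.strptime(m[1], '%Y/%m/%d %H:%M:%S'), m[2], m[3]))
    hits = []
    for when, method, path in errors:
        for end, a_method, a_path, status, sent, secs in ended:
            if (a_method, a_path) == (method, path) and abs((end - when).total_seconds()) <= slack:
                hits.append({'request': f'{method} {path}', 'status': status,
                             'bytes_sent': sent, 'seconds': secs})
    return hits


if __name__ == '__main__':
    for hit in aborted_transfers(SAMPLE):
        print(hit)
```

A paired entry with status 200 is still a failed clone: the status line is sent before the pack data streams, so the access log alone does not show the abort.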