Clone urls and oauth2 redirect url are always in http instead of https


Problem to solve

I’m deploying gitlab on docker swarm behind traefik.

My endless number of attempts started like this:

[1] client → https → traefik → http → gitlab

then without traefik, like this:

[2] client → https → gitlab (with ports exposed in mode:host and letsencrypt enabled)

and then with traefik again like this:

[3] client → https → traefik → https → gitlab (https with a self signed cert)

nothing worked: with [1] and [3] I can access gitlab on https via traefik, but all the “Clone with HTTP” urls are in http, and our oauth2-microsoft integration fails miserably because gitlab sends a redirect url to microsoft in HTTP.
with [2] I cannot reach gitlab with https, only with http. and that is very sad.

What I want to do is to make gitlab use https urls.

I have another old instance running with docker run directly, with no front proxy and with letsencrypt enabled, and it does not have those issues.

I want to run the new instance on docker swarm, possibly behind traefik.

Configuration

this is my latest-attempt docker stack file extract (I was attempting [3]):

 gitlab:
    image: gitlab/gitlab-ee:16.9.2-ee.0
    volumes:
      - devops_gitlab_conf:/etc/gitlab
      - devops_gitlab_data:/var/opt/gitlab
      - type: tmpfs
        target: /dev/shm
        tmpfs:
          size: 268435456 # 256MB
    secrets:
        - gitlab.selfsigned.crt.pem
        - gitlab.selfsigned.key.pem
    networks:
      - gitlab
      - traefik_public
    environment:
      GITLAB_ROOT_PASSWORD: "mypass"
      GITLAB_OMNIBUS_CONFIG: |
        external_url='https://gitlab.mydomain.com'
    hostname: 'gitlab.mydomain.com'

as you can see I pruned all other configurations and I also nuked the volumes, so that the instance could start from scratch.
Buuut:

# gitlab-rake gitlab:env:info

System information
System:
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.1.4p223
Gem Version:    3.5.5
Bundler Version:2.5.5
Rake Version:   13.0.6
Redis Version:  7.0.15
Sidekiq Version:7.1.6
Go Version:     unknown

GitLab information
Version:        16.9.2-ee
Revision:       0d71d32d321
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     14.10
URL:            http://gitlab.mydomain.com  # <-- wtf?
HTTP Clone URL: http://gitlab.mydomain.com/some-group/some-project.git  # <-- wtf?
SSH Clone URL:  git@gitlab.mydomain.com:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        14.33.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address:      unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version:      16.9.2
- default Git Version:  2.43.0

Versions

  • Self-managed

Versions

  • the image used is in the yaml above

This is head-scratching as all documentation I could find does not mention this kind of behaviour at all.

ok, kind of embarrassing:

the fact that the urls were http was caused by the different-from-all-the-other-variables external_url:

this is wrong: external_url='https://something.com'

this is correct: external_url 'https://something.com'

same thing for the registry_external_url: drop the ‘=’.

Once the external url is correctly defined the clone urls are ok and the oauth2 redirect url is ok!
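
Why the `=` form fails silently, as an added example that is not part of the original post and is not GitLab's own code: the configuration text is evaluated as Ruby, where `external_url='...'` assigns an unused local variable while `external_url '...'` calls the setting method. `ConfigSketch`, `lint_external_url` and the sample configs are hypothetical names and constructed input.

```ruby
# Hypothetical stand-in for the object a gitlab.rb-style config is evaluated
# against; not GitLab's real implementation.
class ConfigSketch
  attr_reader :settings

  def initialize
    @settings = { 'nginx' => {} }
  end

  # Method-call style setting: external_url 'https://...'
  def external_url(value = nil)
    @settings['external_url'] = value if value
    @settings['external_url']
  end

  # Hash style setting: nginx['listen_port'] = 80
  def nginx
    @settings['nginx']
  end

  # Evaluate config text as Ruby with this object as self.
  def self.load(source)
    cfg = new
    cfg.instance_eval(source)
    cfg.settings
  end
end

# Report [line_number, text] for every *external_url name that is assigned
# to (creating an unused local variable) instead of being called.
def lint_external_url(source)
  hits = []
  source.each_line.with_index(1) do |line, n|
    hits << [n, line.strip] if line.match?(/^\s*\w*external_url\s*=(?![=~])/)
  end
  hits
end

# Constructed sample configs (the hostname is a placeholder).
BROKEN = "external_url='https://gitlab.example.com'\nnginx['listen_port'] = 80\n"
FIXED  = "external_url 'https://gitlab.example.com'\nnginx['listen_port'] = 80\n"

if __FILE__ == $PROGRAM_NAME
  puts "broken: #{ConfigSketch.load(BROKEN)['external_url'].inspect}"
  puts "fixed:  #{ConfigSketch.load(FIXED)['external_url'].inspect}"
  lint_external_url(BROKEN).each { |n, text| puts "line #{n}: use a space, not '=': #{text}" }
end
```

The hash-style setting still takes effect in the broken config, which is why only the URL settings were affected and no error was raised.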