Gitlab behind a captive portal and proxy doesn't seem to use http[s]_proxy set /etc/gitlab/gitlab.rb

I have Gitlab CE installed and working fine on Ubuntu 14.04:

# apt-cache policy gitlab-ce | head
gitlab-ce:
  Installed: 8.4.1-ce.0
  Candidate: 8.4.1-ce.0
  Version table:
 *** 8.4.1-ce.0 0
        500 https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
     8.4.0-ce.0 0
        500 https://packages.gitlab.com/gitlab/gitlab-ce/ubuntu/ trusty/main amd64 Packages
     8.3.4-ce.0 0

There’s a captive portal/transparent proxy that restricts internet access (not controlled by us), as well as a normal proxy server (using the other as a parent proxy, controlled by us). The normal proxy server has been configured to allow unauthenticated access from the Gitlab server’s IP. In /etc/gitlab/gitlab.rb, I have:

gitlab_rails['env'] = {
        "http_proxy" => "http://proxy.fqdn:80",
        "https_proxy" => "http://proxy.fqdn:80",
        "HTTP_PROXY" => "http://proxy.fqdn:80",
        "HTTPS_PROXY" => "http://proxy.fqdn:80"
}

(Yes, the proxy server listens on port 80, and I have run gitlab-ctl reconfigure several times.)

Yet, when I try to enable Github OAuth, it fails with a 500 internal Server Error. /var/log/gitlab/gitlab-rails/production.log at the time showed:

Started GET "/import/github/callback?code=[FILTERED]" for 127.0.0.1 at 2016-01-27 01:21:04 +0530
Processing by Import::GithubController#callback as HTML
  Parameters: {"code"=>"[FILTERED]"}
Completed 500 Internal Server Error in 104ms (ActiveRecord: 3.7ms)

Faraday::SSLError (SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol):
  lib/gitlab/github_import/client.rb:27:in `get_token'
  app/controllers/import/github_controller.rb:8:in `callback'

I strongly suspect Gitlab ignored the proxy and went for a direct connection, and the attempt by the captive portal to intercept the HTTPS connection caused this.

Did I configure it wrong? How do I debug this?


apt-get, using the same proxy in /etc/apt/apt.conf, works fine.