Gitlab-CE 403 Forbidden when accessed via IPv6 behind Apache2 Reverse Proxy

progmem · September 8, 2016, 9:00pm

Hi!

I’ve encountered a problem trying to access Gitlab-CE (Omnibus) via IPv6 behind an Apache2 Reverse Proxy.
If a client tries to access the page via IPv6 it receives a 403 forbidden page, via IPv4 everything works as expected.
As a quick workaround I disabled IPv6 on my server.

I can’t say if it’s an issue with my Apache config or with Gitlab.
My Apache config is based on a recipe to put Gitlab behind an Apache2 Reverse Proxy with SSL (for Omnibus package)

Nginx is disabled, workhorse is operating on port 8181
Apache config:

ServerName gitlab.example.com
ServerAlias www.gitlab.example.com
DocumentRoot /somewhere
ErrorLog /var/log/gitlab.example.com_error_log
CustomLog /var/log/gitlab.example.com_access_log combined
...
unimportant stuff
...
SSLEngine on
SSLCertificateFile /ssl.cert
SSLCertificateKeyFile /ssl.key
SSLCACertificateFile /ssl.ca

#strong encryption ciphers only
#see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off

# proxy settings
ProxyPreserveHost On
SSLProxyEngine On
SSLProxyCheckPeerCN On
SSLProxyCheckPeerExpire On
ProxyRequests Off
RemoteIPHeader X-Forwarded-For

# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode

<Location />
  # New authorization commands for apache 2.4 and up
  # http://httpd.apache.org/docs/2.4/upgrading.html#access
  Require all granted

  #Allow forwarding to gitlab-workhorse
  ProxyPassReverse http://127.0.0.1:8181
  ProxyPassReverse http://gitlab.example.com/
</Location>

# Apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on

#Don't escape encoded characters in api requests
RewriteCond %{REQUEST_URI} ^/api/v3/.*
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]

#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]

RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on

#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 503 /503.html

Topic		Replies	Views
Gitlab CE LetsEncrypt behind Apache Proxy unable to create certificates How to Use GitLab apache , letsencrypt	2	3322	June 4, 2019
Omnibus gitlab-ce behind nginx reverse proxy -- settings for Pages How to Use GitLab nginx , omnibus , gitlab-pages	3	12953	June 16, 2021
How to access GitLab on subdomain accessed thru Apache 2.4 reverse proxy server How to Use GitLab	0	442	January 9, 2019
Having trouble with gitlab-ce web interface How to Use GitLab	1	2148	February 14, 2016
Gitlab Behind a Apache Revers proxy with SSL How to Use GitLab	17	27395	June 11, 2023

Gitlab-CE 403 Forbidden when accessed via IPv6 behind Apache2 Reverse Proxy

Related topics