Hi! I have a self-hosted GitLab instance running in Docker, and I wanted to add GitLab Pages to it. All of this runs behind traefik2 (a reverse proxy). I was able to make GitLab Pages work normally, but when I enabled access_control, it stopped working. If the repository is public, the pages work normally, but when it is not, I receive this error: The redirect URI included is not valid.
By the way, the GitLab Pages website is also reported as insecure. I thought traefik2 would handle this, but it doesn't.
Here is my docker-compose file:
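services:
  ###### GitLab
  gitlab:
    container_name: gitlab
    # Pinned image tag: upgrades are manual, so track GitLab security releases.
    image: gitlab/gitlab-ce:14.7.6-ce.0
    volumes:
      - /media/disk1/gitlab:/var/opt/gitlab
      - $DOCKERDIR/gitlab/config:/etc/gitlab
      - $DOCKERDIR/gitlab/logs:/var/log/gitlab
    environment:
      TZ: $TZ
      # Omnibus settings passed as a literal block; "$$" is Compose's escape for
      # a literal "$", while "${TZ}" is interpolated by Compose.
      # NOTE(review): the two external URLs below use the literal text DOMAIN,
      # while the Traefik rules use $DOMAINNAME. Presumably this was redacted
      # for posting; in the real file both must resolve to the same hosts,
      # because the OAuth redirect URI is checked against the registered value.
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://git.DOMAIN'
        # TLS terminates at Traefik; the bundled nginx listens on plain HTTP.
        # The hop from Traefik to this container is therefore cleartext on the
        # Docker network, so keep that network limited to the proxy and the
        # services it fronts.
        nginx['redirect_http_to_https'] = false
        nginx['listen_port'] = 7990
        nginx['listen_https'] = false
        # nginx['proxy_set_headers'] = {
        #   'X-Forwarded-Proto' => 'https',
        #   'X-Forwarded-Ssl' => 'on'
        # }
        gitlab_rails['time_zone'] = "${TZ}"
        gitlab_rails['gitlab_shell_ssh_port'] = 2222
        # PAGES
        gitlab_pages['enable'] = true
        pages_external_url 'https://pages.DOMAIN'
        # NOTE(review): Traefik forwards Pages traffic to port 8091 (the
        # external_http listener below), not to pages_nginx on 8081, so the
        # forwarded-proto headers set here are not applied on that path.
        # Confirm which listener is meant to receive proxied requests.
        pages_nginx['listen_port'] = 8081
        pages_nginx['listen_https'] = false
        pages_nginx['proxy_set_headers'] = {
          "Host" => "$$http_host",
          "X-Real-IP" => "$$remote_addr",
          "X-Forwarded-For" => "$$proxy_add_x_forwarded_for",
          "X-Forwarded-Proto" => "https",
          "X-Forwarded-Ssl" => "on"
        }
        gitlab_pages['internal_gitlab_server'] = 'https://git.DOMAIN'
        gitlab_pages['inplace_chroot'] = true
        gitlab_pages['external_http'] = ['gitlab:8091']
        # With access control on, private sites send the visitor through
        # GitLab's OAuth flow. GitLab answers "The redirect URI included is not
        # valid" when the redirect_uri it receives differs from the one
        # registered for the Pages OAuth application.
        # NOTE(review): check that the registered URI uses https and the pages
        # host above. Presumably it is derived from pages_external_url, or from
        # gitlab_pages['auth_redirect_uri'] when that is set; confirm for this
        # GitLab version.
        gitlab_pages['access_control'] = true
        gitlab_pages['auth_scope'] = 'read_api'
        mattermost['enable'] = false
    restart: unless-stopped
    networks:
      - t2_proxy
    labels:
      - "traefik.enable=true"
      ## HTTPS Routers
      - "traefik.http.routers.gitlab-rtr.entrypoints=https"
      - "traefik.http.routers.gitlab-rtr.rule=HostHeader(`git.$DOMAINNAME`)"
      - "traefik.http.routers.gitlab-rtr.tls=true"
      ## HTTPS Services
      - "traefik.http.routers.gitlab-rtr.service=gitlab-svc"
      - "traefik.http.services.gitlab-svc.loadbalancer.server.port=7990"
      # GITLAB PAGES
      # NOTE(review): this router serves Pages on the plain-HTTP entrypoint.
      # With access_control enabled, the OAuth callback and the Pages session
      # cookie would cross this path unencrypted. Prefer redirecting http to
      # https at Traefik over serving content here.
      # NOTE(review): this pattern is [a-z]+ while the https router uses
      # [a-zA-Z0-9]+, and neither matches a hyphen. Traefik v2 documents
      # HostRegexp placeholders as {name:pattern}; confirm that this unnamed
      # form matches as intended.
      - "traefik.http.routers.gitlab-pages-http.rule=HostHeader(`pages.$DOMAINNAME`) || HostRegexp(`{[a-z]+}.pages.$DOMAINNAME`)"
      - "traefik.http.routers.gitlab-pages-http.entrypoints=http"
      - "traefik.http.routers.gitlab-pages-http.service=gitlab-pages"
      - "traefik.http.services.gitlab-pages.loadbalancer.server.port=8091"
      - "traefik.http.routers.gitlab-pages-https.rule=HostHeader(`pages.$DOMAINNAME`) || HostRegexp(`{[a-zA-Z0-9]+}.pages.$DOMAINNAME`)"
      - "traefik.http.routers.gitlab-pages-https.entrypoints=https"
      # NOTE(review): tls=true is set without a certificate resolver or domain
      # list on this router, so the certificate comes from whatever Traefik has
      # configured elsewhere (not shown). Project sites live on subdomains of
      # the pages host, so the certificate must cover that wildcard. A browser
      # "insecure" warning would be consistent with it being absent; confirm
      # in the Traefik configuration.
      - "traefik.http.routers.gitlab-pages-https.tls=true"
      - "traefik.http.routers.gitlab-pages-https.service=gitlab-pages"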
Any idea where this is coming from?