GitLab redirecting to HTTPS although it is disabled

Hey,

I am currently facing a weird issue. It seems that GitLab is redirecting http to the https port although I disabled it in the gitlab.rb.
My goal is the following:
I want to run GitLab behind a reverse proxy. Both sides are maintained via docker-compose.
But I cannot reach GitLab with any config. The reverse proxy shows me a “503 Service Temporarily Unavailable”.

First of all, even if I am running “curl -v -L 127.0.0.1” inside the GitLab docker, it redirects me to port 443, which gives me a “Connection refused”:

* Rebuilt URL to: 127.0.0.1/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.59.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Thu, 30 Aug 2018 19:45:48 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 97
< Connection: keep-alive
< Cache-Control: no-cache
< Location: https://127.0.0.1/users/sign_in
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: e7f151d3-2090-4ce7-9118-8b0285596075
< X-Runtime: 0.009960
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< 
* Ignoring the response-body
* Connection #0 to host 127.0.0.1 left intact
* Issue another request to this URL: 'https://127.0.0.1/users/sign_in'
*   Trying 127.0.0.1...
* TCP_NODELAY set
* connect to 127.0.0.1 port 443 failed: Connection refused
* Failed to connect to 127.0.0.1 port 443: Connection refused
* Closing connection 1
curl: (7) Failed to connect to 127.0.0.1 port 443: Connection refused

I get the same result if I run a curl to the GitLab container inside the reverse proxy container.

I changed the following lines in the gitlab.rb:

external_url 'https://gitlab.<domain>'
gitlab_rails['trusted_proxies'] = ['172.19.0.2']  #the proxyip in the docker network
nginx['redirect_http_to_https'] = false #normally it is nil; even put it to false -> no result
nginx['listen_addresses'] = ['0.0.0.0', '[::]'] #so gitlab will listen to everything -> enabled this for testing reasons
nginx['listen_port'] = 80 #reverseproxy handles https but communicates over http with gitlab
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

Note that the reverse proxy (jwilder) and GitLab should communicate over http and not over https! https is handled via the reverse proxy. And this would work if GitLab didn’t redirect itself to https again (see curl above).

I would really appreciate your help regarding this topic!

If you are using a reverse proxy, you would normally terminate the SSL at the proxy so your external_url for GitLab should be http.

GitLab is trying to be smart and doing the redirect itself when you have https in its URL.

Hey @deltamotion
Thank you for your answer.
I tried your suggestion but it sadly doesn’t work (yes, I reconfigured and restarted). It still wants to redirect me to https.

Ok!

Looking at your configuration a little closer, it looks like these should not be there if you are trying to have your reverse proxy communicate over HTTP:

nginx['proxy_set_headers'] = {
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}

From the docs (this is what I was pointing to earlier):

By default, when you specify an external_url starting with 'https', Nginx will no longer listen for unencrypted HTTP traffic on port 80. If you want to redirect all HTTP traffic to HTTPS you can use the redirect_http_to_https setting.

https://docs.gitlab.com/omnibus/settings/nginx.html

I would step back the GitLab install to the very basics and make sure it is running the way you want it before adding the reverse proxy. Adding the reverse proxy should not involve many changes to gitlab.rb.

Good luck!

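Added example, not part of the thread or of GitLab's code: a small Python check that reads a `curl -v` transcript like the one in the question and tells a pure HTTP-to-HTTPS upgrade (same path, only the scheme changes) apart from a redirect that also changes the path and carries an https absolute URL. The function names and finding labels are hypothetical, the sample is trimmed from the transcript posted above, and the code assumes the transcript was captured over plain HTTP.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: trimmed from the curl -v transcript in the question.
TRANSCRIPT = """\
> GET / HTTP/1.1
> Host: 127.0.0.1
>
< HTTP/1.1 302 Found
< Location: https://127.0.0.1/users/sign_in
< Strict-Transport-Security: max-age=31536000
<
"""

def parse_exchange(text):
    """Return (request_path, status, headers) for the first exchange."""
    path, status, headers = None, None, {}
    for line in text.splitlines():
        if line.startswith("> ") and path is None:
            m = re.match(r"> [A-Z]+ (\S+) HTTP/", line)
            path = m.group(1) if m else None
        elif line.startswith("< HTTP/") and status is None:
            status = int(line.split()[2])
        elif line.startswith("< ") and ":" in line:
            name, value = line[2:].split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return path, status, headers

def classify(path, status, headers):
    """Label what kind of HTTPS redirect a plain-HTTP response carries."""
    findings = []
    target = urlsplit(headers.get("location", ""))
    if status in (301, 302, 303, 307, 308) and target.scheme == "https":
        if target.path == urlsplit(path or "/").path:
            # Same path, only the scheme changed: an HTTP-to-HTTPS upgrade.
            findings.append("scheme-upgrade")
        else:
            # Path changed too: the application redirected elsewhere and
            # built the absolute URL with https.
            findings.append("app-redirect-with-https-url")
    if "strict-transport-security" in headers:
        # User agents ignore this header on insecure transport (RFC 6797).
        findings.append("hsts-on-plain-http")
    return findings

if __name__ == "__main__":
    print(classify(*parse_exchange(TRANSCRIPT)))
```
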