I’ve got this weird problem. After an update to version 8.8.5, my GitLab installation, which has TLS set up, stopped working properly. I could no longer log in from Chrome (Linux). My production.log says: “Can’t verify CSRF token authenticity”. This was also the case from Firefox at first, but after poking around, changing settings in my gitlab-http.conf back and forth, it started working. The current setting is now:
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
During my search around the web, the above section seems to be in focus regarding this type of error.
My gitlab.rb file (which is small) is as follows:
external_url "https://git.my-domain/"
nginx['redirect_http_to_https'] = true
nginx['ssl_certificate'] = "/etc/gitlab/ssl/my-domain.crt"
nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/my-domain.key"
I also noticed that not all content was going over HTTPS (warning sign in the HTTPS padlock). Turning off Gravatar fixed it. Perhaps it’s not a security issue, but it lowers end-user confidence when the padlock is no longer fully green and you cannot, from an end-user perspective, tell what information goes in clear text and what does not.
I hope someone can help me with this and point me in the right direction. I’m pretty new to GitLab, so I cannot really figure it out.