Self hosted gitlab - page marked insecure by firefox

I installed a gitlab server yesterday. You can check it at git.ehtec.co. The login page is marked as partly insecure by firefox, because some graphics or scripts are included using http. How do I fix that? Thanks for help.

image
image

You sure is? Redirect http to https

Yes… in my virtualhost config I have a forward of Port 80 to 443, which is the same I have for my other websites (Gitlab is running behind an apache proxy). The redirect works, The problem is that there are http resources included in the html page (using a http:// link). Gitlab must include these using a https:// link. I don’t know how to fix that, seems like an issue of Gitlab to me actually.

Hi,

There is nothing wrong with the http page. If you load a http page, then all associated objects/images are also loading with http - this is normal. Just like the page works perfectly fine, when loading https, then all objects/images are loaded in https.

Your best bet is configure your Apache proxy to redirect http to https using the appropriate Apache config to do that. For example:

<VirtualHost *:80>
	ServerName git.ehtec.co
	Redirect 301 / https://git.ehtec.co/
</VirtualHost>

or you can use mod_rewrite to do it as well. For example:

<VirtualHost *:80>
	ServerName git.ehtech.co
	RewriteEngine On
	RewriteCond %{HTTPS} !=on
	RewriteRule ^/?(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</VirtualHost>
1 Like

Hello, thanks for your reply. I am using exactly the upper virtual host config you mention (permanent redirect). But your upper statement is not true. When loading a website with https That includes third party images, js scripts or stylesheets via a http:// URL, they are not included via https. This is the reason for the Firefox error I mentioned.

It looks like I simply forgot to restart Apache / gitlab-ctl another time hahaha - now it works.

thanks and regards, Elias

If you have mixed content, eg: loading a https url, and getting http image links etc, this means the proxy configuration is incorrect. Since without a proxy, gitlab loads perfectly fine otherwise. But glad you got it working now.

With a proxy, you have to pay attention to it, especially if attempting something known as SSL offload. So, in essence:

Browser → https → Proxy → http → origin server

When doing SSL offload, the proxy has to rewrite the URL’s for content returned, since the origin server accepting a http connection will return with http urls, etc. It’s the job of the proxy to rewrite this based on the X-Forwarded-Proto and X-Forwarded-Port fields. That way, it’s able to determine correctly when running in SSL offload mode to rewrite before sending the data back to the browser.

1 Like

@iwalker It’s the best! I agree. Make sure look http to https using
config. Search web server documentation / this topic about redirrect to
https using …