Stop https to http redirect

zvyezdan · December 30, 2018, 6:47pm

Hi all, quick question for gitlab config experts…

In a nuthsell…
Is there an easy way to stop gitlab from redirecting https -> http ? Config property in .yaml or .rb maybe?

Long explanation…
Running gitlab under openshift on port 80. Proxying that with an external nginx handling ssl. However, as soon as nginx forwards the https request to gitlab:80, gitlab responds with a redirect to http.

https://git.domain.net : handled by nginx, which forwards the request to
http://git.domain.local : which then redirects to
http://git.domain.net : … and this being the problem

I can/have created a server on nginx:80 as well to handle that last redirect and it works… but defeats the purpose of course.

I’ve looked through the .rb and .yml files and there could be something to set there… usually the problem is the other way around … forward http -> https … which has its own property in the .rb config file. But I experience the opposite.

Thanks for the help… Cheers!
Z.

zvyezdan · December 30, 2018, 6:52pm

Here’s the relevant log extract

Started GET "/" for 10.130.0.1 at 2018-12-30 17:49:14 +0000
Processing by RootController#index as HTML
Redirected to http://git.domain.net/users/sign_in
Filter chain halted as :redirect_unlogged_user rendered or redirected
Completed 302 Found in 4ms (ActiveRecord: 0.0ms)
==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/","format":"html","controller":"RootController","action":"index","status":302,"duration":5.77,"view":0.0,"db":0.0,"location":"http://git.domain.net/users/sign_in","time":"2018-12-30T17:49:14.977Z","params":[],"remote_ip":"10.130.0.1","user_id":null,"username":null }
==> /var/log/gitlab/gitlab-workhorse/current <==
2018-12-30_17:49:14.98409 git.domain.net @ - - [2018/12/30:17:49:14 +0000] "GET / HTTP/1.1" 302 100 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" 0.019
==> /var/log/gitlab/nginx/gitlab_access.log <==
10.130.0.1 - - [30/Dec/2018:17:49:14 +0000] "GET / HTTP/1.0" 302 100 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

As you can see the line

Redirected to http://git.domain.net/users/sign_in

is that last redirect that breaks things.

myersg86 · December 30, 2018, 9:06pm

Hi vyezdan,

Here are some troubleshooting tips that might help:

In your /etc/gitlab/gitlab.rb file, check the line:
external_url "http://git.domain.net"
make sure the external URL is set to https:// and not http://
So it should look like:
external_url "https://git.domain.net"

Also, find the
nginx['redirect_http_to_https'] line and check that it is set to “true”
So it should look like:
nginx['redirect_http_to_https'] = true

If you make any changes to the gitlab.rb file, make sure to run
gitlab-ctl reconfigure
afterward to ensure that any updates or changes you’ve made are recognized and applied.

You may find this link helpful as well:
https://docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https

Please let me know if this helps!

Best Regards,
Greg M

zvyezdan · December 31, 2018, 4:06am

Thanks for the reply. I tried that and it failed … access to :80 was no more… So I was thinking the kubernetes ingress router would likely need to be reconfig-ed , as well as a service to work off of https. Which is a bit more work than I had hoped for… But ok… would give it a shot.

Then, just to have the thing functional again, I had reverted the external-url, commented it out and reconfigured again. Went on to test that the original redirects back and forth are still functional … just to find out that now https reverse proxying actually worked !!!

Color me confused !

Started GET "/" for 10.130.0.1 at 2018-12-31 03:46:16 +0000
Processing by RootController#index as HTML
Redirected to https://git.domain.net/users/sign_in 
Filter chain halted as :redirect_unlogged_user rendered or redirected
Completed 302 Found in 5ms (ActiveRecord: 0.0ms)
==> /var/log/gitlab/gitlab-rails/production_json.log <==
{"method":"GET","path":"/","format":"html","controller":"RootController","action":"index","status":302,"duration":6.18,"view":0.0,"db":0.0,"location":"https://git.domain.net/users/sign_in","time":"2018-12-31T03:46:16.883Z","params":[],"remote_ip":"10.130.0.1","user_id":null,"username":null }

Now you can see the line

Redirected to https://git.domain.net/users/sign_in

working in https mode.

Double checked the gitlab.rb,

## GitLab URL
##! URL on which GitLab will be reachable.
##! For more details on configuring external_url see:
##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
#external_url 'GENERATED_EXTERNAL_URL'
#external_url 'https://git.domain.net'

then checked the generated gitlab.yml (/var/opt/gitlab…/gitlab.yml)

  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: gitlab.os.domain.local
    port: 80
    https: false

looks ok.

Then I disabled the git.domain.net:80 reverse proxy (external nginx) and it’s still fine… no more double redirects. I have no idea what has changed.

So in the end, your suggestion DID work, somehow. Awesome! Thx.

myersg86 · January 2, 2019, 6:17pm

@zvyezdan Glad to hear you fixed the redirect problem and everything worked out!