Unbundled nginx in redirect loop for non authenticated users

(had to replace http with hxxp because “new forum users are only allowed 2 links”)

I’ve installed gitlab_7.7.1-omnibus.5.4.1.ci-1_amd64.deb, which worked well. I then went on and configured it to use a non-bundled nginx server. The problem I get is that if I go to hxxps://git.mydomain.com I get into a redirect loop. Interestingly, if I go directly to hxxps://git.mydomain.com/ and then log in, once authenticated even hxxps://git.mydomain.com works fine until I log out again.

Below is my nginx host file, can anyone tell me the solution please.

upstream gitlab {
  server unix:/var/opt/gitlab/gitlab-rails/sockets/gitlab.socket fail_timeout=0;
}

server {
  listen *:80;
  server_name git.mydomain.com;
  server_tokens off;
  root /nowhere;
  rewrite ^ https://$server_name$request_uri permanent;
}

server {
  listen 443 ssl;
  server_name git.mydomain.com;
  server_tokens off;
  root /opt/gitlab/embedded/service/gitlab-ci/public;

  client_max_body_size 20m;

  ssl on;
  ssl_certificate /etc/nginx/ssl/gitlab.crt;
  ssl_certificate_key /etc/nginx/ssl/gitlab.key;

  ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;

  add_header Strict-Transport-Security max-age=63072000;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;

  location / {
    try_files $uri $uri/index.html $uri.html @gitlab;
  }

  location @gitlab {

    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_set_header    X-Forwared-Proto $scheme;
    proxy_set_header    X-Real-IP         $remote_addr;
    proxy_set_header    X-Forwarded-For   $remote_addr;
    proxy_set_header    Host                     git.mydomain.com:443;
    proxy_set_header    X-Forwarded-Ssl   on;
    proxy_set_header    X-Forwarded-Proto $scheme;
    proxy_set_header    X-Frame-Options   SAMEORIGIN;

    proxy_pass http://gitlab;
  }

  location ~ ^/(assets)/ {
    root /opt/gitlab/embedded/service/gitlab-rails/public;
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  error_page 502 /502.html;
}

In

root /opt/gitlab/embedded/service/gitlab-ci/public;

you have gitlab-ci instead of gitlab-rails.

Hi Axil

Thanks for your idea, however there is no such directory as you suggest, i.e. “ls /opt/gitlab/embedded/service/”
gem gitlab-ci gitlab-rails gitlab-shell omnibus-ctl

Also if I had the wrong directory completely I don’t think it would work once logged in would it?

You’re right. Replace gitlab-ci with gitlab-rails and it should work after you restart nginx.

Thanks again. I should have mentioned I already tried gitlab-rails since I saw it had a public directory also, but this hasn’t worked even after an nginx restart. Same issue remains. If I recall correctly, I think I copied this host file from the bundled nginx install, so it’s surprising it doesn’t work. Once this is figured out it would be great to update the non-bundled wiki entry for others too.

Hey,

Just wondering if you found a solution for this? We’re seeing the same issue.

Thanks!

FYI, I resolved this by unsetting the value I had @ Admin > Settings > Home page url

I had previously set it to git.domain.com
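For anyone debugging a loop like the one in this thread, the sketch below is an added example (not code from any poster or from GitLab) that follows `Location` headers one hop at a time and reports where the chain revisits a URL. The host `git.example.test` and both response tables are constructed, and modelling the looping case as the root redirecting anonymous users back to itself is an assumption made only for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
DEFAULT_PORT = {"http": 80, "https": 443}

def normalize(url):
    """Canonical form so 'https://host' and 'https://host:443/' compare equal."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and p.port != DEFAULT_PORT.get(p.scheme):
        host += f":{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{host}{p.path or '/'}{query}"

def trace_redirects(start, fetch, max_hops=10):
    """Follow Location headers hop by hop; return (chain, verdict)."""
    seen, chain, url = set(), [], start
    for _ in range(max_hops):
        key = normalize(url)
        if key in seen:                      # same URL requested twice: a loop
            return chain, "loop"
        seen.add(key)
        status, location = fetch(url)
        chain.append((status, key))
        if status not in REDIRECTS or not location:
            return chain, "final"
        url = urljoin(url, location)         # Location may be relative
    return chain, "too many hops"

# Constructed responses as seen by an anonymous client (assumption, see lead-in).
HTTP_TO_HTTPS = {"http://git.example.test/": (301, "https://git.example.test/")}
LOOPING = {**HTTP_TO_HTTPS,
           "https://git.example.test/": (302, "https://git.example.test")}
HEALTHY = {**HTTP_TO_HTTPS,
           "https://git.example.test/": (302, "/users/sign_in"),
           "https://git.example.test/users/sign_in": (200, None)}

def table_fetch(table):
    """Stand-in for a real HTTP request: look the URL up in a response table."""
    return lambda url: table[normalize(url)]

if __name__ == "__main__":
    for name, table in (("looping", LOOPING), ("healthy", HEALTHY)):
        chain, verdict = trace_redirects("http://git.example.test", table_fetch(table))
        print(name, verdict)
        for status, url in chain:
            print("  ", status, url)
```

To run it against a live server, pass a `fetch` function that issues a request without following redirects and returns the status code and `Location` header.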