Use pages with namespace_in_path and access_control

Problem to solve

I am trying to set up GitLab Pages in my GitLab instance, which is based on the Docker image. Additionally, I have an external proxy (Traefik) for handling certificates for different services.

To debug GitLab Pages, I have disabled Traefik on my pages subdomain (pages.DOMAIN). But Traefik is active for the GitLab domain (gitlab.DOMAIN).

The features namespace_in_path and access_control are active in my configuration (see the full docker-compose.yaml below).

When I try to access a *.html page that is a build artifact via HTTP (for debugging), I get a 502 "Whoops, something went wrong on our end." error. The Pages log shows the following sequence:

{"Namespace in path":"my_username","Request host":"my_username.pages.DOMAIN:5050","Session host":null,"correlation_id":"01JCFYTQGZKP3K8GSADPDAZ3SM","host":"my_username.pages.DOMAIN:5050","level":"info","msg":"Resetting session values","path":"/-/test/-/jobs/36/artifacts/build/hello.html","state":"","time":"2024-11-12T10:31:10Z"}
{"Namespace in path":"my_username","Request host":"my_username.pages.DOMAIN:5050","Session host":null,"correlation_id":"01JCFYTQGZKP3K8GSADPDAZ3SM","host":"my_username.pages.DOMAIN:5050","level":"info","msg":"Resetting session values","path":"/-/test/-/jobs/36/artifacts/build/hello.html","state":"","time":"2024-11-12T10:31:10Z"}
{"correlation_id":"01JCFYTQGZKP3K8GSADPDAZ3SM","error":"Get \"https://gitlab.DOMAIN/api/v4/projects/my_username%2Ftest/jobs/36/artifacts/build/hello.html\": dial tcp 37.114.48.46:443: connect: connection refused","host":"my_username.pages.DOMAIN:5050","level":"error","msg":"failed to request the artifact","path":"/-/test/-/jobs/36/artifacts/build/hello.html","time":"2024-11-12T10:31:10Z"}
{"content_type":"text/html; charset=utf-8","correlation_id":"01JCFYTQGZKP3K8GSADPDAZ3SM","duration_ms":9,"host":"my_username.pages.DOMAIN:5050","level":"info","method":"GET","msg":"access","pages_https":false,"proto":"HTTP/1.1","referrer":"","remote_addr":"IP:43468","remote_ip":"IP","status":502,"system":"http","time":"2024-11-12T10:31:10Z","ttfb_ms":8,"uri":"/-/test/-/jobs/36/artifacts/build/hello.html","user_agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0","written_bytes":2905}
{"Namespace in path":"favicon.ico","Request host":"favicon.ico.pages.DOMAIN:5050","Session host":null,"correlation_id":"01JCFYTQJCNPZ7E7EHGBP3RC90","host":"favicon.ico.pages.DOMAIN:5050","level":"info","msg":"Resetting session values","path":"","state":"","time":"2024-11-12T10:31:10Z"}
{"Namespace in path":"favicon.ico","Request host":"favicon.ico.pages.DOMAIN:5050","Session host":null,"correlation_id":"01JCFYTQJCNPZ7E7EHGBP3RC90","host":"favicon.ico.pages.DOMAIN:5050","level":"info","msg":"Resetting session values","path":"","state":"","time":"2024-11-12T10:31:10Z"}
{"Namespace in path":"favicon.ico","Request host":"favicon.ico.pages.DOMAIN:5050","Session host":null,"correlation_id":"01JCFYTQJCNPZ7E7EHGBP3RC90","host":"favicon.ico.pages.DOMAIN:5050","level":"info","msg":"Resetting session values","path":"","state":"","time":"2024-11-12T10:31:10Z"}
{"content_type":"text/html; charset=utf-8","correlation_id":"01JCFYTQJCNPZ7E7EHGBP3RC90","duration_ms":0,"host":"favicon.ico.pages.DOMAIN:5050","level":"info","method":"GET","msg":"access","pages_https":false,"proto":"HTTP/1.1","referrer":"http://pages.DOMAIN:5050/my_username/-/test/-/jobs/36/artifacts/build/hello.html","remote_addr":"IP:43468","remote_ip":"IP","status":302,"system":"http","time":"2024-11-12T10:31:10Z","ttfb_ms":0,"uri":"","user_agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0","written_bytes":154}
{"correlation_id":"01JCFYTQJYE9AHGQH16PX85NB6","host":"projects.pages.DOMAIN:5050","level":"info","msg":"Receive OAuth authentication callback","path":"/auth","state":"_kXR9Dw6TnpH44yl3mYVvA==","time":"2024-11-12T10:31:10Z"}
{"correlation_id":"01JCFYTQJYE9AHGQH16PX85NB6","domain_query":"http://pages.DOMAIN:5050/favicon.ico","host":"projects.pages.DOMAIN:5050","level":"info","msg":"User is authenticating via domain","path":"/auth","state":"_kXR9Dw6TnpH44yl3mYVvA==","time":"2024-11-12T10:31:10Z"}
{"correlation_id":"01JCFYTQJYE9AHGQH16PX85NB6","domain_query":"http://pages.DOMAIN:5050/favicon.ico","host":"projects.pages.DOMAIN:5050","level":"info","msg":"Redirecting user to gitlab for oauth","path":"/auth","public_gitlab_server":"https://gitlab.DOMAIN","state":"_kXR9Dw6TnpH44yl3mYVvA==","time":"2024-11-12T10:31:10Z"}
{"error":"can't extract namespace from host","level":"error","msg":"while writing location header, couldn't convert URL","orig_host":"gitlab.DOMAIN","orig_path":"/oauth/authorize","pages_domain":"pages.DOMAIN","time":"2024-11-12T10:31:10Z"}
{"content_type":"text/html; charset=utf-8","correlation_id":"01JCFYTQJYE9AHGQH16PX85NB6","duration_ms":0,"host":"projects.pages.DOMAIN:5050","level":"info","method":"GET","msg":"access","pages_https":false,"proto":"HTTP/1.1","referrer":"http://pages.DOMAIN:5050/my_username/-/test/-/jobs/36/artifacts/build/hello.html","remote_addr":"IP:43468","remote_ip":"IP","status":302,"system":"http","time":"2024-11-12T10:31:10Z","ttfb_ms":0,"uri":"/auth?domain=http://pages.DOMAIN:5050/favicon.ico\u0026state=_kXR9Dw6TnpH44yl3mYVvA==","user_agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0","written_bytes":256}

I think there is an issue with the authentication? But I'm not sure what the right configuration is or how to debug it…

Or maybe it is a bug in the namespace_in_path configuration? Does anyone have experience with it?

Configuration

This is the docker-compose.yaml:

services:
  gitlab:
    image: 'gitlab/gitlab-ce:17.5.1-ce.0'
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    deploy:
      resources:
        limits:
          memory: 6144M
    restart: always
    hostname: gitlab
    container_name: gitlab
    networks:
      - traefik
      - default
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'https://gitlab.DOMAIN'
        nginx['listen_https'] = false
        nginx['listen_port'] = 80
        pages_external_url 'http://pages.DOMAIN:5050'
        gitlab_pages['enable'] = true
        gitlab_pages['access_control'] = true
        gitlab_pages['namespace_in_path'] = true
        gitlab_pages['internal_gitlab_server'] = 'http://localhost:8080'
        pages_nginx['enable'] = false
        gitlab_pages['external_http'] = ['0.0.0.0:5050']
        #pages_nginx['listen_port'] = 5050
        #pages_nginx['listen_https'] = false
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitlab.entrypoints=http"
      - "traefik.http.routers.gitlab.rule=Host(`gitlab.DOMAIN`)"
      - "traefik.http.middlewares.gitlab-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.gitlab.middlewares=gitlab-https-redirect"
      - "traefik.http.routers.gitlab.service=gitlab"
      - "traefik.http.services.gitlab.loadbalancer.server.port=80"
      - "traefik.http.routers.gitlab-secure.entrypoints=https"
      - "traefik.http.routers.gitlab-secure.rule=Host(`gitlab.DOMAIN`)"
      - "traefik.http.routers.gitlab-secure.tls=true"
      - "traefik.http.routers.gitlab-secure.tls.certresolver=http"
      - "traefik.http.routers.gitlab-secure.service=gitlab"
      - "traefik.docker.network=traefik"
    ports:
      - '22:22'
      - '5050:5050'
    volumes:
      - '/opt/gitlab-test/config:/etc/gitlab'
      - '/opt/gitlab-test/logs:/var/log/gitlab'
      - '/opt/gitlab-test/data:/var/opt/gitlab'
    shm_size: '256m'

networks:
  traefik:
    external: true

Versions

  • Self-managed (docker image)

  • GitLab gitlab-ce:17.5.1-ce.0
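
Added example, not part of the original post: a Python triage script that groups the Pages daemon's JSON log lines by correlation_id and extracts, for each error, the upstream host and dialed address it names. The sample input is constructed by trimming the log lines quoted above to the fields the script reads; the function name and the summary keys are this example's own.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the post's log lines, trimmed to the fields used below.
SAMPLE_LOG = r'''
{"Namespace in path":"my_username","correlation_id":"01JCFYTQGZKP3K8GSADPDAZ3SM","level":"info","msg":"Resetting session values","path":"/-/test/-/jobs/36/artifacts/build/hello.html"}
{"correlation_id":"01JCFYTQGZKP3K8GSADPDAZ3SM","error":"Get \"https://gitlab.DOMAIN/api/v4/projects/my_username%2Ftest/jobs/36/artifacts/build/hello.html\": dial tcp 37.114.48.46:443: connect: connection refused","level":"error","msg":"failed to request the artifact"}
{"correlation_id":"01JCFYTQGZKP3K8GSADPDAZ3SM","level":"info","msg":"access","status":502,"uri":"/-/test/-/jobs/36/artifacts/build/hello.html"}
{"Namespace in path":"favicon.ico","correlation_id":"01JCFYTQJCNPZ7E7EHGBP3RC90","level":"info","msg":"Resetting session values","path":""}
{"correlation_id":"01JCFYTQJCNPZ7E7EHGBP3RC90","level":"info","msg":"access","status":302,"uri":""}
{"error":"can't extract namespace from host","level":"error","msg":"while writing location header, couldn't convert URL","orig_host":"gitlab.DOMAIN","pages_domain":"pages.DOMAIN"}
'''

GET_URL = re.compile(r'Get "([^"]+)"')       # URL inside a Go HTTP client error
DIAL = re.compile(r'dial tcp (\S+?): ')      # address the daemon tried to reach

def triage(text):
    """Group Pages JSON log lines by correlation_id and summarise each request."""
    requests = defaultdict(lambda: {"status": None, "namespaces": set(), "errors": []})
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank lines and non-JSON noise
        if not isinstance(entry, dict):
            continue
        # Some error lines carry no correlation_id; they get their own bucket.
        req = requests[entry.get("correlation_id", "(no correlation_id)")]
        if "Namespace in path" in entry:
            req["namespaces"].add(entry["Namespace in path"])
        if entry.get("msg") == "access":
            req["status"] = entry.get("status")
        if entry.get("level") == "error":
            err = entry.get("error", "")
            url, dial = GET_URL.search(err), DIAL.search(err)
            req["errors"].append({
                "msg": entry.get("msg"),
                "upstream_host": urlsplit(url.group(1)).netloc if url else entry.get("orig_host"),
                "dialed": dial.group(1) if dial else None,
            })
    return dict(requests)

if __name__ == "__main__":
    for cid, req in triage(SAMPLE_LOG).items():
        print(cid, req)
```

On this sample, both error entries name gitlab.DOMAIN, and the second request shows favicon.ico recorded as the namespace.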