gitlab behind https terminating reverse proxy and oauth

I have installed GitLab 7.8.4 on a server behind pound which terminates HTTPS connections for me.

How do I configure GitLab to always assume that it is accessed via HTTPS without letting it also handle the HTTPS connection?

In practice I see the following problem:

I'm adding GitHub authentication to my GitLab instance and try to log into GitLab using my GitHub account. This works fine as long as everything is over HTTP. But if I use the HTTPS address to my GitLab instance, then the authentication with GitHub will fail.

The problem seems to be that GitLab passes the HTTP address to GitHub like this:

https://github.com/login/oauth/authorize?response_type=code&client_id=[...]&redirect_uri=http%3A%2F%2Fgitlab.myurl.com%2Fusers%2Fauth%2Fgithub%2Fcallback&state=[...]&scope=user%3Aemail

And then GitHub responds with:

/?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fv3%2Foauth%2F%23redirect-uri-mismatch&state=[...]

I never want to access my GitLab instance with http-only. How do I force GitLab to report the https:// url to GitHub without it handling HTTPS itself?

Although @josch already gave the answer to his specific problem, I had another case of this error with a different solution.

When running a GitLab 7.7.2 ("from source") behind an Apache proxy, the same error occurred when attempting to authorize with my GitHub account, even though I used

RequestHeader set X-Forwarded-Proto "https"

in the site configuration.

The fix, as it turned out, was to set the OAuth Authorization callback URL protocol on GitHub to http:// instead of https://, although the site is publicly available only over SSL.

GitHub OAuth authorization URL

After some playing around I found out that setting the following in the nginx config solves the issue:

proxy_set_header    X-Forwarded-Proto   https;

Since I always want to access my gitlab instance via https, this works well for me and seems to also make oauth possible now.

Sorry, I should've played around with this longer before posting this question but maybe this helps somebody else with the same problem.

A gitlab-ctl tail put me on the track. Here are the settings that worked for me:

In the application config in GitHub, I used the exact same value for

  • Homepage URL
  • and Authorization callback URL.

The value I used is https://MY_GITLAB_FQDN/ (MY_GITLAB_FQDN being replaced by my actual hostname). Note the S in scheme HTTPS.

In my (external) nginx config, I already had the stanza

proxy_set_header X-Forwarded-Proto $scheme;

My config:

  • Gitlab-CE 8.6.2, installed with Omnibus packages
  • Ubuntu 14.04 server
  • external nginx (thus nginx from gitlab.rb disabled)

In my case, the problem was solved by setting the external_url variable with the https protocol in the URL in the Omnibus configuration.
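
A model of the failure discussed in this thread, as an added example (not GitLab's or OmniAuth's code): a backend behind a TLS-terminating proxy builds `redirect_uri` from the scheme it believes the client used, and a check names the component that differs from the registered callback. The trusted-proxy list, host name, client id and the scheme/host/path comparison are assumptions made for illustration; GitHub's exact matching rules are not reproduced.

```ruby
require "uri"

# Hypothetical allow-list: address of the TLS-terminating proxy.
TRUSTED_PROXIES = ["127.0.0.1"].freeze
CALLBACK_PATH = "/users/auth/github/callback" # path from the question's URL

# Scheme the client really used. X-Forwarded-Proto is honoured only when the
# peer is the trusted proxy; otherwise any client could claim "https".
def effective_scheme(env)
  proto = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
  trusted = TRUSTED_PROXIES.include?(env["REMOTE_ADDR"])
  return proto if trusted && %w[http https].include?(proto)
  env.fetch("rack.url_scheme", "http")
end

# redirect_uri the backend would send to the OAuth provider.
def callback_url(env)
  "#{effective_scheme(env)}://#{env.fetch('HTTP_HOST')}#{CALLBACK_PATH}"
end

# Authorize URL shaped like the one in the question.
def authorize_url(env, client_id)
  query = URI.encode_www_form({ "response_type" => "code", "client_id" => client_id,
                                "redirect_uri" => callback_url(env), "scope" => "user:email" })
  "https://github.com/login/oauth/authorize?#{query}"
end

# Name the first component of redirect_uri that differs from the registered
# callback (nil when compatible). Simplified comparison, an assumption.
def mismatch(url, registered)
  params = URI.decode_www_form(URI.parse(url).query.to_s).to_h
  sent = URI.parse(params.fetch("redirect_uri"))
  reg = URI.parse(registered)
  return :scheme if sent.scheme != reg.scheme
  return :host if sent.host != reg.host || sent.port != reg.port
  return :path unless sent.path.start_with?(reg.path)
  nil
end

# Constructed requests as the backend sees them behind the proxy.
BASE = { "REMOTE_ADDR" => "127.0.0.1", "HTTP_HOST" => "gitlab.example.test",
         "rack.url_scheme" => "http" }.freeze
WITH_HEADER = BASE.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze
SPOOFED = WITH_HEADER.merge("REMOTE_ADDR" => "203.0.113.9").freeze
REGISTERED = "https://gitlab.example.test/" # constructed registered callback
```

Without the header the proxied request yields an `http://` callback and a `:scheme` mismatch; with the header set by the trusted proxy the callback matches the registered `https://` URL.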
