"Mixed Context" errors in browser console when HTTP external_url behind HTTPS reverse proxy
Summary
I cannot use external_url "https://..." because gitlab fails to start up (In my configuration, I am not running gitlab via HTTPS).
I cannot use external_url "http://..." because (only some) images and assets fail to load.
Steps to reproduce
I have gitlab-ce running in a docker image on an internal host, e.g. 192.168.1.10, with
external_url "http://gitlab.mydomain.org"
This machine is not accessible from the outside world (so I cannot put a letsencrypt certificate on it, for example). Therefore, I am running gitlab on HTTP, and I have a separate reverse proxy server (shared with other services) on an externally-accessible IP address that has its own external SSL certificate.
gitlab.mydomain.org points to this Apache reverse proxy, serving out pages for gitlab.mydomain.org using
ProxyPass / http://192.168.1.10/
What is the current bug behavior?
Everything else in gitlab appears to work OK so far - checkins work, opening issues, commenting etc. all works fine.
I noticed this bug when trying to award an emoji to an issue. An icon appears in Chrome on the right of the URL bar (as if a pop-up was blocked), and the messages pasted in below appeared in the developer console.
I can't see any emoji listed against my test issue. I have no idea if they failed to register, or if when I clicked on the button it did register, but just can't display due to this issue.
What is the expected correct behavior?
- No errors in Chrome developer console
- Icons, images etc. should load
Relevant logs and/or screenshots
With external_url "https://gitlab.mydomain.org", gitlab fails to start up after running gitlab-ctl reconfigure:
==> /var/log/gitlab/nginx/current <==
2017-05-19_14:18:39.78803 nginx: [emerg] BIO_new_file("/etc/gitlab/ssl/gitlab.mydomain.org.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/gitlab/ssl/gitlab.mydomain.org.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
(This is pretty much expected - I am not running gitlab in HTTPS mode)
With external_url "http://gitlab.mydomain.org", Chrome developer console (sanitised):
Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure image 'http://gitlab.mydomain.org/uploads/user/avatar/2/avatar.png'. This content should also be served over HTTPS.
903e0d60cd6d06cead324c37edf7015e2cd63ad0:356
Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure image 'http://www.gravatar.com/avatar/d4cd164f2b0052cd24a866ed47b8896d?s=48&d=identicon'. This content should also be served over HTTPS.
903e0d60cd6d06cead324c37edf7015e2cd63ad0:2472
Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure image 'http://gitlab.mydomain.org/uploads/user/avatar/2/avatar.png'. This content should also be served over HTTPS.
common.e8bc527fe263a99fd779.bundle.js:14
Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure image 'http://gitlab.mydomain.org/uploads/user/avatar/2/avatar.png'. This content should also be served over HTTPS.
common.e8bc527fe263a99fd779.bundle.js:14
common.e8bc527fe263a99fd779.bundle.js:24
Mixed Content: The page at 'https://gitlab.mydomain.org/myuser/myproject/commit/203e0d60cd6d06cead324c37edf7015e2cd63ad2' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://gitlab.mydomain.org/myuser/myproject/notes/54/toggle_award_emoji'. This request has been blocked; the content must be served over HTTPS.
common.e8bc527fe263a99fd779.bundle.js:24
Output of checks
Not tried on gitlab.com
Results of GitLab environment info
docker exec -it mygitlab gitlab-rake gitlab:env:info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.3.3p222
Gem Version: 2.6.6
Bundler Version:1.13.7
Rake Version: 10.5.0
Redis Version: 3.2.5
Git Version: 2.11.1
Sidekiq Version:4.2.7
GitLab information
Version: 9.1.4
Revision: fed799a
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: http://gitlab.mydomain.org
HTTP Clone URL: http://gitlab.mydomain.org/some-group/some-project.git
SSH Clone URL: git@gitlab.mydomain.org:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 5.0.2
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
docker exec -it mygitlab gitlab-rake gitlab:check SANITIZE=true
(results omitted, as amongst other things it includes my entire LDAP directory - not sure how sanitized that is!? - but also I don't think this would be relevant at all for this issue. gitlab-shell seemed to have some permission issues, I'm not sure if that is an artefact of the fact I am running in docker, or something else unrelated. Everything else seemed to check out fine)
Possible fixes
Could be as simple as just using relative paths? i.e. /myuser/myproject/notes/54/toggle_award_emoji instead of ${external_url}/myuser/myproject/notes/54/toggle_award_emoji?
If not, then need to somehow support this scenario whereby gitlab publishes itself via HTTP, but an external reverse proxy is used to serve this out via HTTPS. In which case, I expect gitlab needs to have a separate concept of "I am visible to the outside world as https://xyz", compared to "I am running myself in an HTTPS web server" - the two are fundamentally different (although I accept that in the majority of cases they will be the same).
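The split asked for above (public address is HTTPS, the box itself listens on plain HTTP) is what the omnibus settings below express, shown beside the setting from the Steps to reproduce that produces the mixed-content errors. This is an added gitlab.rb fragment written for this report, not the reporter's configuration; the file path and the hostname are taken from the report, everything else is standard omnibus configuration.

```ruby
# /etc/gitlab/gitlab.rb  (omnibus configuration; added example, not the reporter's file)

# --- As reported: GitLab believes its public scheme is plain HTTP, so every
# --- absolute URL it builds (avatar images, the toggle_award_emoji XHR endpoint)
# --- starts with http:// and Chrome flags or blocks it once Apache has wrapped
# --- the page in TLS.
# external_url "http://gitlab.mydomain.org"

# --- Corrected: the public address is HTTPS, but the bundled nginx stays on
# --- port 80 without a certificate, so the internal host needs no TLS material
# --- and gitlab-ctl reconfigure no longer looks for /etc/gitlab/ssl/*.crt.
external_url "https://gitlab.mydomain.org"
nginx['listen_port'] = 80
nginx['listen_https'] = false

# Rails decides between http:// and https:// from the forwarded scheme, so the
# bundled nginx must pass it on. Setting this hash replaces the defaults, which
# is why Host / X-Real-IP / X-Forwarded-For are repeated here.
nginx['proxy_set_headers'] = {
  "Host" => "$http_host",
  "X-Real-IP" => "$remote_addr",
  "X-Forwarded-For" => "$proxy_add_x_forwarded_for",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Ssl" => "on"
}
```

The Apache side must keep the original Host header and state the scheme it terminated, i.e. `ProxyPreserveHost On` and `RequestHeader set X-Forwarded-Proto "https"` in the gitlab.mydomain.org virtual host alongside the existing ProxyPass; after `gitlab-ctl reconfigure`, gitlab:env:info should report URL: https://gitlab.mydomain.org and the avatar and XHR URLs in the console messages change to https://.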