omnibus, nginx reverse proxy, mixed SSL/non-SSL content
I configured my setup to work like this:
client (SSL)-> nginx proxy (no SSL)-> gitlab nginx -> gitlab app
But it doesn't work properly. AJAX requests are being sent over HTTP instead of HTTPS, and Chrome blocks them because it expects them to be over HTTPS as well. Everything else appears to be fine.
The Omnibus GitLab instance is configured as follows:
external_url 'https://domain.local'
nginx['listen_address'] = '127.0.0.1'
nginx['listen_port'] = 10000
nginx['listen_https'] = false
Nginx proxy:
server {
    listen 443 ssl;
    server_name domain.local;
    ssl_certificate domain.crt;
    ssl_certificate_key domain.key;
    ssl_dhparam dhparams.pem;
    ssl_verify_client off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    client_max_body_size 20m;
    location / {
        proxy_pass http://127.0.0.1:10000/;
        proxy_redirect off;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
For example, I opened a project and want to return to the dashboard. I click on the logo in the upper left corner. GitLab makes an AJAX request over HTTP, but Chrome doesn't allow it, printing the following in the console:
Mixed Content: The page at 'https://domain.local/mygroup/myproject' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://domain.local/dashboard/activity'. This request has been blocked; the content must be served over HTTPS.
If I configure my setup like this:
nginx['listen_https'] = true
proxy_pass https://127.0.0.1:10000/;
Then everything works fine. That's how my setup is running right now.
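A check for the symptom described in this post, as an added example that is not part of the original post: it scans a response captured from the GitLab backend for absolute `http://` URLs that point at the site's own HTTPS host, which is what Chrome blocks as mixed content. The function name and the sample response are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Absolute http:// URLs anywhere in the text (HTML attributes, inline JS, JSON).
_HTTP_URL = re.compile(r"http://[^\s\"'<>\\)]+")
# Response headers that can carry a URL the browser will follow or load.
_URL_HEADERS = ("location", "content-location", "link")


def insecure_self_references(external_url, headers, body):
    """Return sorted http:// URLs that target the HTTPS site's own host."""
    site = urlsplit(external_url)
    if site.scheme != "https":
        raise ValueError("external_url must be an https:// URL")
    texts = [body] + [v for k, v in headers.items() if k.lower() in _URL_HEADERS]
    found = set()
    for text in texts:
        for url in _HTTP_URL.findall(text):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL fragment, not a usable reference
                continue
            if host == site.hostname:
                found.add(url)
    return sorted(found)


# Constructed sample: a backend response that does not know the client used HTTPS.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Location": "http://domain.local/users/sign_in",
}
SAMPLE_BODY = """
<a class="home" href="/dashboard">GitLab</a>
<script>var activityUrl = "http://domain.local/dashboard/activity";</script>
<link rel="stylesheet" href="https://domain.local/assets/application.css">
<a href="http://example.org/docs">external docs</a>
"""

if __name__ == "__main__":
    for url in insecure_self_references("https://domain.local", SAMPLE_HEADERS, SAMPLE_BODY):
        print("mixed-content candidate:", url)
```

An empty result for responses fetched through the proxy means the backend is generating URLs with the scheme the client actually used.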