Cloning over http fails if gitlab is not on /

Created by: SaitoWu

Hi @morth ,

Can u show me ur clone uri? I need more details.

By Administrator on 2012-08-13T14:40:14 (imported from GitLab)

Created by: perj

git clone https://foo.example.com/gitlab/project.git

Note https. We're actually using client certificates as well, in case that matters. Here's the apache config file:

LoadModule passenger_module /opt/ruby/lib/ruby/gems/1.9.1/gems/passenger-3.0.12/ext/apache2/mod_passenger.so
PassengerRoot /opt/ruby/lib/ruby/gems/1.9.1/gems/passenger-3.0.12
PassengerRuby /opt/ruby/bin/ruby

Alias /gitlab /opt/gitlabhq/public
RailsBaseURI /gitlab
<Location /gitlab>
   SSLRequireSSL
   PassengerEnabled on
   SSLOptions +StdEnvVars
</Location>
<Directory /opt/gitlabhq/public>
# This relaxes Apache security settings.
   AllowOverride all
# MultiViews must be turned off.
   Options -MultiViews
</Directory>

By Administrator on 2012-08-13T15:02:52 (imported from GitLab)

Created by: oreofish

Hi, I got the same problem, but http clone can work well without passenger. I think it is a gitlab and passenger cowork issue.

By Administrator on 2012-08-16T01:30:11 (imported from GitLab)

Created by: mbartosch

I had the same problem and kept my pipe down, hoping that 2.9 would fix this issue. Apparently it does not, bummer.

My setup is:

gitlab configured on SITE/gitlab/
Apache 2.2 with passenger
authentication uses LDAP (n. b. my LDAP does not use static passwords, but instead one time passwords (Google Authenticator and Yubikey) - this means that the bind password is always different if that matters...)

Push/pull via https and one time passwords is a really important feature for me.

I am observing the following:

gitlab web login works (LDAP with one time password)
git push/pull via ssh works fine
git push/pull via https (i. e. username/LDAP password) does NOT work

On the client what I am seeing is:

git fetch https://SITE/gitlab/dummy.git Username for 'https://SITE': myuser Password for 'https://myuser@SITE': fatal: Authentication failed

Apache server log: [23/Sep/2012:11:53:35 +0200] "GET /gitlab/dummy.git/info/refs?service=git-upload-pack HTTP/1.1" 401 3309 "-" "git/1.7.11.3" [23/Sep/2012:11:53:41 +0200] "GET /gitlab/dummy.git/info/refs?service=git-upload-pack HTTP/1.1" 401 523 "-" "git/1.7.11.3" [23/Sep/2012:11:53:41 +0200] "GET /gitlab/dummy.git/info/refs?service=git-upload-pack HTTP/1.1" 401 91 "-" "git/1.7.11.3

The FIRST log line appears immediately after I hit return on the fetch statement. The two next requests appear after hitting return for the password prompt with the fetch statement.

The gitlab production log file shows the corresponding entries:

Started GET "/gitlab/dummy.git/info/refs?service=git-upload-pack" for IP at 2012-09-23 11:53:35 +0200

Started GET "/gitlab/dummy.git/info/refs?service=git-upload-pack" for IP at 2012-09-23 11:53:41 +0200

EDIT Additional observation: The LDAP server backend is accessed when logging in to the web frontend. But it does not get hit at all when a git http request is made! (Checked via tcpdump)

By Administrator on 2012-09-23T10:49:26 (imported from GitLab)

Created by: danielkummer

+1 for this issue

By Administrator on 2012-10-02T08:50:07 (imported from GitLab)

Created by: wolfg1969

i got this issue too even the gitlab is on /

By Administrator on 2012-10-11T09:23:55 (imported from GitLab)

Created by: danielkummer

Maybe there has to be a separate mod_ldap configuration if we're using apache and passenger with github... Any thoughts?

By Administrator on 2012-10-11T09:43:52 (imported from GitLab)

Created by: mbartosch

I'm not using mod_ldap at all in Apache, so I don't think this is an issue. My Gitlab is configured to use LDAP as an authentication backend, and the lack of any authentication with LDAP during an HTTP pull request seems to indicate that the authentication is not at all triggered by Gitlab itself. Maybe it is hardcoded to use internal authentication?

By Administrator on 2012-10-11T09:47:54 (imported from GitLab)

Created by: SaitoWu

@mbartosch Yes, the current version of http git authentication is based on Gitlab's email and password. not support LDAP yet.

By Administrator on 2012-10-11T09:52:53 (imported from GitLab)

Created by: mbartosch

Thanks for the clarification, this explains all my the observations.

By Administrator on 2012-10-11T09:53:59 (imported from GitLab)

Created by: SaitoWu

I highly recommend deploy Gitlab on the second level domain. like gitlab.example.com

but we should support this situation too. I'll handle this one.

By Administrator on 2012-10-11T09:57:33 (imported from GitLab)

Created by: mbartosch

This is not desirable in cases you wish to use an already existing SSL certificate for your site which does not include github.example.com as an Subject Alternative Name. In most cases you need to pay extra for additional SANs in certificates, and in addition you will have to replace the existing certificate (going through the whole request and installation process) just for the extra Gitlab hosting. For me this is not acceptable, so I decided to host Gitlab on the already existing SSL enabled virtual host, protected by the already existing certificate.

By Administrator on 2012-10-11T11:02:52 (imported from GitLab)

Created by: SaitoWu

@mbartosch Got it. I didn't consider the SSL problem.

This issue will be fix soon. Thanks.

By Administrator on 2012-10-11T11:07:52 (imported from GitLab)

Created by: erikschwalbe

Is there a date by when the problem will be solved?

By Administrator on 2012-11-23T10:07:59 (imported from GitLab)

Created by: riyad

#2162 has been merged, please try. :)

By Administrator on 2012-12-29T22:16:23 (imported from GitLab)

Created by: atuleu

Hi, I still have this issue with gitlab 4.2, installed on /gitlab location on nginx (with SSL enabled)

maybe my SSL setup is not right (just modified nginx recipe to add SSL)

I fixed this with this patch :

diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index a2d15d5..d615738 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -11,7 +11,15 @@ module Grack
       ENV['GL_BYPASS_UPDATE_HOOK'] = "true"

       # Need this patch due to the rails mount
-      @env['PATH_INFO'] = @request.path
+
+      unless Gitlab.config.gitlab.relative_url_root.empty?
+        #if using relative_url_mount, need to strip relative url from path
+        @env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')
+      else
+        #acts as normal
+        @env['PATH_INFO'] = @request.path
+      end
+
       @env['SCRIPT_NAME'] = ""

       return render_not_found unless project

By Administrator on 2013-03-07T11:43:48 (imported from GitLab)

Created by: tkretschmer-rb

After applying the patch from @atuleu, I was able to clone over http with a relative_url_root.

By Administrator on 2013-03-07T13:50:42 (imported from GitLab)

Created by: madhurranjan

Excellent. After applying the patch from @atuleu , I am able to clone over http.

By Administrator on 2013-03-11T07:11:23 (imported from GitLab)

Created by: jrmithdobbs

I can also confirm this fixes http/https cloning on public and private repos on 5.1.0pre using a prefix other than /.

By Administrator on 2013-03-29T06:31:28 (imported from GitLab)

Created by: mazlo

I can also confirm. After this fix cloning over http works, requesting authentification via username and passwort. gitlab 5.0

By Administrator on 2013-04-19T08:55:06 (imported from GitLab)

Created by: junalmeida

Its not working for me. Using release stable 5.1. http://myserver:81/gitlab/project.git throws 404. Using gitlab with apache2 passenger.

By Administrator on 2013-04-24T13:49:51 (imported from GitLab)

Created by: VonC

@junalmeida gitlab with apache2 passenger? me too.

How do you start puma though? (https://github.com/gitlabhq/gitlabhq/blob/master/lib/support/init.d/gitlab#L19 and https://github.com/gitlabhq/gitlabhq/blob/master/lib/support/init.d/gitlab#L48)?
It complains about not finding #{application_path}/tmp/sockets/gitlab.socket (https://github.com/gitlabhq/gitlabhq/blob/master/config/puma.rb.example#L62), which is only defined with an nginx config (https://github.com/gitlabhq/gitlabhq/blob/master/lib/support/nginx/gitlab#L6)

By Administrator on 2013-04-24T13:56:11 (imported from GitLab)

Created by: atuleu

Did not had the time to switch to gitlab 5.0 or 5.1. Will update the patch at this time (but do not count before 13.06.2013)

By Administrator on 2013-04-24T14:00:48 (imported from GitLab)

Created by: junalmeida

@vonc If I understood correctly, once we are using apache passenger, we don't need the puma server. My gitlab init script is always stopped. Everything runs ok except http clone.

I guess that if you use apache proxypass you will need the puma server.

Am I missing some config about Smart HTTP?

By Administrator on 2013-05-04T15:21:35 (imported from GitLab)

Created by: VonC

@junalmeida not sure actually. I manage to make puma run, on its own port, binding with ssh: https://github.com/VonC/compileEverything/blob/master/gitlab/puma.rb.tpl#L63

It does work.

But pushing over https doesn't (Apache front, with relative_root: https://github.com/VonC/compileEverything/blob/master/gitlab/gitlab.yml.tpl#L23)

By Administrator on 2013-05-04T20:35:49 (imported from GitLab)

Created by: junalmeida

I guess that I found the problem. https://github.com/gitlabhq/gitlabhq/blob/5-1-stable/lib/gitlab/backend/grack_auth.rb#L88 At this line, the m.last variable have gitlab (from /gitlab url).

Also, https://github.com/gitlabhq/gitlabhq/blob/5-1-stable/lib/gitlab/backend/grack_auth.rb#L13 have this problem. Fixing both lines removing "/gitlab" fixes the issue for git clone.

Is it possible to reopen this issue?

By Administrator on 2013-05-06T17:04:43 (imported from GitLab)

Created by: hgomez

Same problem here using GitLab 5.2

git clone http://swf-gitlab.mycorp.org/bears-team/devops.git
Cloning into 'devops'...
Username for 'http://swf-gitlab.mycorp.org': hgomez
Password for 'http://hgomez@swf-gitlab.mycorp.org': 
fatal: Authentication failed

Everything works well via SSH but no luck with HTTP.

Note, I'm using Apache HTTP who proxyfiy to Puma via

ProxyPass / http://localhost:9292/
ProxyPassReverse / http://localhost:9292/

Same problem if I connect to Puma on port 9292 :(

git clone http://swf-gitlab.mycorp.org:9292/bears-team/devops.git
Cloning into 'devops'...
Username for 'http://swf-gitlab.mycorp.org:9292': hgomez
Password for 'http://hgomez@swf-gitlab.mycorp.org:9292': 
fatal: Authentication failed

By Administrator on 2013-05-24T15:16:18 (imported from GitLab)

Created by: atuleu

I may give a trial next week end with gitlab 5.2.

I will check out as for me https cloning is mandatory.

2013/5/24 Gomez Henri notifications@github.com

Same problem here using GitLab 5.2

Everything works well via SSH but no luck with HTTP.

Note, I'm using Apache HTTP who proxyfiy to Puma via

ProxyPass / http://localhost:9292/ ProxyPassReverse / http://localhost:9292/

— Reply to this email directly or view it on GitHubhttps://github.com/gitlabhq/gitlabhq/issues/1228#issuecomment-18410942 .

By Administrator on 2013-05-24T15:16:40 (imported from GitLab)

Created by: hgomez

https is mandatory ?

By Administrator on 2013-05-24T15:18:07 (imported from GitLab)

Created by: atuleu

sorry for that unprecise statement

cloning over http (or https) with a relative url root.

2013/5/24 Gomez Henri notifications@github.com

https is mandatory ?

— Reply to this email directly or view it on GitHubhttps://github.com/gitlabhq/gitlabhq/issues/1228#issuecomment-18411202 .

By Administrator on 2013-05-24T15:22:20 (imported from GitLab)

Created by: hgomez

Cloning over http fails if gitlab is not on /

Designs

Child items ...

Activity

Admin message

Admin message

Cloning over http fails if gitlab is not on /

Activity