Home page incorrectly redirecting to https when not signed in
Created by: micah
Summary
I want to provide a Tor hidden service for my gitlab installation that is otherwise only available over https. However, whenever I am not logged in and I visit the main page over tor via http, I'm redirected to the sign-in page over https instead of staying on http: https://example.onion/users/sign_in.
It may seem strange that I do not want to redirect to https, but this is actually what I want. When using a Tor hidden service, everything is already TLS encrypted and I do not have a TLS certificate that matches the onion address in the CN. Redirecting to https will result in a mismatched server TLS error, and not provide me any additional protections.
I want to be able to connect to gitlab over this tor onion address through http, and not be redirected to https when doing so.
Once I have been redirected to https://example.onion/users/sign_in, nginx fails because it is not configured to listen on https for this domain.
If I simply replace the https in that URL with http, everything works fine over tor. It's simply the home page itself that is erroneously redirecting me.
Steps to reproduce
Install gitlab-ce version 8.6.4-ce.0 on Debian Jessie.
Configure tor to provide a hidden service over a unix socket, on port 80 as follows:
HiddenServiceDir /var/lib/tor/hidden_gitlab
HiddenServicePort 80 unix:/run/tor/nginx-onion-80.sock
Restart tor, then obtain the hidden service hostname from /var/lib/tor/hidden_gitlab/hostname.
Then disable the omnibus nginx in gitlab.rb:
nginx['enable'] = false
The following other configurations are what I have in my gitlab.rb, so to reproduce exactly you may wish to set these as well:
## Url on which GitLab will be reachable.
## For more details on configuring external_url see:
## https://gitlab.com/gitlab-org/omnibus-gitlab/blob/629def0a7a26e7c2326566f0758d4a27857b52a3/README.md#configuring-the-external-url-for-gitlab
external_url 'http://bugs.example.com'
gitlab_rails['gitlab_default_can_create_group'] = false
gitlab_rails['gitlab_default_projects_features_builds'] = false
#####################
# GitLab Web server #
#####################
## see: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/629def0a7a26e7c2326566f0758d4a27857b52a3/doc/settings/nginx.md#using-a-non-bundled-web-server
## When bundled nginx is disabled we need to add the external webserver user to the GitLab webserver group.
web_server['external_users'] = ['www-data']
################
# GitLab Nginx #
################
## see: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/629def0a7a26e7c2326566f0758d4a27857b52a3/doc/settings/nginx.md
nginx['enable'] = false
nginx['redirect_http_to_https'] = false
Reconfigure and restart gitlab.
Configure your own nginx to listen on that socket and send people to gitlab, just as is done for https, replacing example.onion with your tor hidden service hostname and the server name with your server name:
upstream gitlab-workhorse {
server unix:/var/opt/gitlab/gitlab-workhorse/socket fail_timeout=0;
}
## Redirects all HTTP traffic to the HTTPS host
server {
listen 0.0.0.0:80;
server_name bugs.example.com; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host$request_uri;
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
}
## HTTPS host
server {
listen 0.0.0.0:443 ssl;
server_name bugs.example.com; ## Replace this with something like gitlab.example.com
server_tokens off; ## Don't show the nginx version number, a security best practice
root /opt/gitlab/embedded/service/gitlab-rails/public;
## Strong SSL Security
ssl on;
ssl_certificate /etc/x509/certs/bugs.example.com-full.pem;
ssl_certificate_key /etc/x509/keys/bugs.example.com.key;
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log;
location / {
include /etc/nginx/snippets/gitlab.conf;
proxy_pass http://gitlab-workhorse;
}
}
## onion
server {
listen unix:/run/tor/nginx-onion-80.sock;
server_name example.onion;
allow "unix:";
deny all;
server_tokens off; ## Don't show the nginx version number, a security best practice
root /opt/gitlab/embedded/service/gitlab-rails/public;
location = / {
return 301 http://example.onion/users/sign_in;
}
## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_onion_access.log;
error_log /var/log/nginx/gitlab_onion_error.log;
location / {
include /etc/nginx/snippets/gitlab.conf;
proxy_pass http://gitlab-workhorse;
}
subs_filter http://bugs.example.com/ http://example.onion/ i;
subs_filter https://bugs.example.com/ http://example.onion/ i;
subs_filter "http://bugs.example.com" "http://example.onion" i;
subs_filter "https://bugs.example.com" "http://example.onion" i;
subs_filter 'http://bugs.example.com' 'http://example.onion' i;
subs_filter 'https://bugs.example.com' 'http://example.onion' i;
subs_filter https://example.onion/ http://example.onion/ i;
subs_filter "https://example.onion" "http://example.onion" i;
subs_filter 'https://example.onion' 'http://example.onion' i;
}
Restart nginx.
Launch torbrowser, visit http://example.onion (replacing example.onion with your tor hidden service name). You will be redirected to https://example.onion/users/sign_in and it will fail.
Change the URL in torbrowser to be: http://example.onion/users/sign_in - you will be able to load gitlab and login and do everything as expected.
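The redirect can be checked without Tor Browser by talking to the onion vhost directly over its unix socket with the onion hostname in the Host header and inspecting the Location header. This is an added example, not part of the original report; it assumes the socket path from the torrc above and that the user running it may connect to that socket.

```python
"""Probe a unix-socket nginx vhost and report whether "/" redirects to a
different URL scheme than the client used (added example, not from the report)."""
import http.client
import socket
from urllib.parse import urlsplit

# Assumed values, taken from the configuration quoted in the report.
ONION_SOCKET = "/run/tor/nginx-onion-80.sock"
ONION_HOST = "example.onion"  # replace with the real hidden service hostname

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials a unix socket instead of resolving the host."""

    def __init__(self, path, host):
        super().__init__(host)  # host is only used for the Host header
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def classify_redirect(request_scheme, status, location):
    """Return 'none', 'same-scheme', 'upgrade' (http->https) or 'downgrade'."""
    if status not in REDIRECT_STATUSES or not location:
        return "none"
    # A relative Location keeps the scheme the client used.
    target = urlsplit(location).scheme or request_scheme
    if target == request_scheme:
        return "same-scheme"
    return "upgrade" if target == "https" else "downgrade"


def probe(socket_path=ONION_SOCKET, host=ONION_HOST, path="/"):
    """GET `path` as a plain-http client of the onion vhost; return
    (status, location, classification)."""
    conn = UnixHTTPConnection(socket_path, host)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location, classify_redirect("http", resp.status, location)


if __name__ == "__main__":
    print(probe())
```

For the behaviour described above the probe reports an "upgrade" classification, since an http request to / comes back with a Location of https://example.onion/users/sign_in.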
Expected behavior
When visiting http://example.onion when not logged in, you should not be redirected to https://example.onion, it should respect the protocol specified.
As you can see from the nginx configuration, if you visit the site over the clear Internet on http, you will be redirected to https, where the main gitlab resides. If you visit the site over the tor network using the hidden service onion address, you are not redirected in nginx; however, gitlab is still redirecting you. I've removed the redirecting server listening on port 80 just to make sure it's not causing the redirects, and it is not.
Relevant logs and/or screenshots
nginx access log:
unix: - - [08/Apr/2016:19:50:32 +0000] "GET / HTTP/1.1" 302 121 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
Output of checks
Results of GitLab Application Check
Checking GitLab Shell ...
GitLab Shell version >= 2.6.12 ? ... OK (2.6.12)
Repo base directory exists? ... yes
Repo base directory is a symlink? ... no
Repo base owned by git:git? ... yes
Repo base access is drwxrws---? ... yes
hooks directories in repos are links: ...
89/7 ... ok
86/8 ... ok
89/9 ... ok
90/10 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Check directories and files:
/var/opt/gitlab/git-data/repositories: OK
/var/opt/gitlab/.ssh/authorized_keys: OK
Test redis-cli executable: redis-cli 2.8.24
Send ping to redis server: PONG
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Address formatted correctly? ... yes
IMAP server credentials are correct? ... yes
Init.d configured correctly? ... skipped (omnibus-gitlab has no init script)
MailRoom running? ... can't check because of previous errors
Checking Reply by email ... Finished
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ...
89/7 ... yes
86/8 ... yes
89/9 ... yes
90/10 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.1.8)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 2.7.3 ? ... yes (2.7.4)
Active users: 89
Checking GitLab ... Finished
Results of GitLab Environment Info
System information
System: Debian 8.4
Current User: git
Using RVM: no
Ruby Version: 2.1.8p440
Gem Version: 2.5.1
Bundler Version:1.10.6
Rake Version: 10.5.0
Sidekiq Version:4.0.1
GitLab information
Version: 8.6.4
Revision: e47b581
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: http://bugs.example.com
HTTP Clone URL: http://bugs.example.com/some-group/some-project.git
SSH Clone URL: git@bugs.example.com:some-group/some-project.git
Using LDAP: no
Using Omniauth: no
GitLab Shell
Version: 2.6.12
Repositories: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git
Possible fixes
Unknown.