GitLab

Created by: aus

I am testing a new server that has HTTPS enabled. I believe I have all the pieces in place, but I am getting some strange behavior when doing git clone. Here is what happens:

When I try to clone a public project via HTTPS, it works as expected and I get:

> git clone https://gitlab.host.com/user.name/public-project.git
Cloning into 'public-project'...
remote: Counting objects: 62, done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 62 (delta 21), reused 0 (delta 0)
Unpacking objects: 100% (62/62), done.

But when I try to clone the same project via HTTP, I am prompted for authentication. I shouldn't be prompted for authentication when trying to clone a public project. Additionally, my username and password is rejected:

> git clone http://gitlab.host.com/user.name/public-project.git
Cloning into public-project...
Username for 'http://gitlab.host.com' : user.name
Password for 'http://gitlab.host.com' : 
fatal: Authentication failed

While I could just force my users to only clone via HTTPS or SSH, I would rather not have all my users update their repo paths from HTTP to HTTPS. So I have a rewrite rule in my nginx config to change HTTP requests to HTTPS.

Here is some information about my environment:

nginx

upstream gitlab {

  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket;

}
server {
    listen *:80;
    server_name gitlab.host.com;
    server_tokens off;
    root /nowhere; 
    rewrite ^ https://$server_name$request_uri permanent;
}

server {
    listen 443 ssl;
    server_name gitlab.host.com;
    server_tokens off;
    root /home/git/gitlab/public;

    ssl on;
    ssl_certificate /etc/nginx/gitlab.crt;
    ssl_certificate_key /etc/nginx/gitlab.key;
    ssl_protocols  SSLv3 TLSv1 TLSv1.2;
    ssl_ciphers AES:HIGH:!ADH:!MD5;
    ssl_prefer_server_ciphers   on;

    access_log  /var/log/nginx/gitlab_access.log;
    error_log   /var/log/nginx/gitlab_error.log;

    location / {
        try_files $uri $uri/index.html $uri.html @gitlab;
    }

    location @gitlab {
        proxy_read_timeout    300; 
        proxy_connect_timeout 300;
        proxy_redirect        off;

        proxy_set_header  X-Forwarded-Proto https;
        proxy_set_header  X-Forwarded-Ssl   on;
        proxy_set_header  Host              $http_host;
        proxy_set_header  X-Real-IP         $remote_addr;

        proxy_pass http://gitlab;
    }
}

gitlab.yml

(just the relevant parts)

  gitlab:
    ## Web server settings
    host: gitlab.host.com
    port: 443
    https: true

gitlab-shell config.yml

(just the relevant parts)

# GitLab user. git by default
user: git

# Url to gitlab instance. Used for api calls. Should end with a slash.
gitlab_url: "https://gitlab.host.com/"

http_settings:
#  user: someone
#  password: somepass
   ca_file: /etc/nginx/gitlab.crt
#  ca_path: /etc/pki/tls/certs
   self_signed_cert: false

And some relevant log messages:

From GitLab, the only relevant message is:

production.log

Started GET "/user.name/public-project.git/info/refs?service=git-upload-pack?service=git-upload-pack" for 127.0.0.1 at 2014-01-30 11:58:23 -0500

Then from nginx I see the HTTP 301 to redirect from HTTP to HTTPS:

nginx access.log

10.42.53.21 - - [30/Jan/2014:11:58:23 -0500] "GET /user.name/public-project.git/info/refs?service=git-upload-pack HTTP/1.1" 301 178 "-" "git/1.8.1.msysgit.1" "10.41.230.26"

Then from the nginx gitlab log I see the HTTP 401 (Unauthorized):

nginx gitlab_access.log

10.42.53.21 - user.name [30/Jan/2014:11:58:23 -0500] "GET /user.name/public-project.git/info/refs?service=git-upload-pack?service=git-upload-pack HTTP/1.1" 401 0 "-" "git/1.8.1.msysgit.1"

So I am not sure why I am: a) being prompted for authentication and b) my username and password is rejected.

This occurs with a standard user and an LDAP user.

Components

GitLab 6.4.3
GitLab Shell 1.8.0
GitLab API v3
Ruby 2.1.0p0
Rails 4.0.2

Any ideas?

Created by: aus

It looks like this issue is specific to nginx. I could not reproduce with Apache.

By Administrator on 2014-02-10T16:34:21 (imported from GitLab project)

Created by: leiming

I have the same trouble that using http and nginx counter to [fatal: Authentication failed]

By Administrator on 2014-07-26T17:53:10 (imported from GitLab project)

Created by: jojosch

i can confirm this issue when using a redirect with

rewrite ^ https://$server_name$request_uri permanent;

CURL debug (note the duplicated ?service in Location:):

[johannes@johannesDellXPS15] ~  
❯ curl -I http://[MY_GITLAB_INSTANCE]/[NAMESPACE]/[REPOSITORY].git/info/refs?service=git-upload-pack
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 26 Jul 2014 18:20:27 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://[MY_GITLAB_INSTANCE]/[NAMESPACE]/[REPOSITORY].git/info/refs?service=git-upload-pack?service=git-upload-pack
Strict-Transport-Security: max-age=31536000

Instead try:

(note the ? after $request_uri):

rewrite ^ https://$server_name$request_uri? permanent;

or

rewrite ^/(.*) https://$server_name/$1 last;

CURL debug:

[johannes@johannesDellXPS15] ~  
❯ curl -I http://[MY_GITLAB_INSTANCE]/[NAMESPACE]/[REPOSITORY].git/info/refs?service=git-upload-pack
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sat, 26 Jul 2014 18:20:08 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: https://[MY_GITLAB_INSTANCE]/[NAMESPACE]/[REPOSITORY].git/info/refs?service=git-upload-pack
Strict-Transport-Security: max-age=31536000

By Administrator on 2014-07-26T18:38:13 (imported from GitLab project)

Created by: azurewraith

The ? is important if you roll your own nginx config outside of Omnibus as well. In this instance, my GitLab CI builds were failing to sync with fatal: Authentication Failed. It was subtle, especially since everything else seemed to be working well.

By Administrator on 2015-04-01T14:59:33 (imported from GitLab project)