
Redirect URLs after login/logout have problems with reverse proxying

Open gitblit opened this issue 9 years ago • 7 comments

Originally reported on Google Code with ID 604

What steps will reproduce the problem?

1. Run gitblit GO with http
2. behind a reverse proxy (Apache)
3. configure apache to use https
4. access gitblit via https and observe the URLs during login & logout.

What is the expected output? What do you see instead?

I'd expect to stay on https, but the URL changes to http. It is hard for the user to spot
that the connection is no longer secure.

What version of the product are you using? On what operating system?
gitblit 1.6.7, centos 7

Please provide any additional information below.

All URLs gitblit creates are correct and work just fine. I suspect that the generated
redirect URLs don't heed the X-Forwarded-Proto header or something alike.

Workaround:

Redirect any access to gitblit via http to https. I think the user then gets redirected
twice, but it does the trick:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/gitblit/(.*) https://%{SERVER_NAME}/gitblit/$1 [R,L]

This makes it impossible to access gitblit via http, as the user will always end up
using https, which is what you'll probably want anyway.


Here's the apache config I'm using (without the workaround):

ProxyPass         /gitblit  http://localhost:8082/gitblit nocanon
ProxyPassReverse  /gitblit  http://localhost:8082/gitblit
ProxyRequests     Off
AllowEncodedSlashes NoDecode
ProxyPreserveHost On
ProxyVia Off
<Proxy>
        AddDefaultCharset off
        Order deny,allow
        Allow from all
</Proxy>
Header edit Location ^http://([^/]+)/gitblit/ https://$1/gitblit/
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443



Reported by smurn.org on 2015-07-06 18:28:16

gitblit avatar Aug 12 '15 12:08 gitblit
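The report suspects that the generated redirect URLs ignore X-Forwarded-Proto. As an added sketch (not Gitblit's code), here is how an application can derive the external scheme and host from the X-Forwarded-* headers that the Apache config above sets, honouring them only when the request actually came from the proxy so a directly connecting client cannot spoof them. The trusted-proxy list, host names and peer addresses are constructed for the example.

```python
"""Build redirect URLs that reflect the scheme the user actually used.

Constructed example: the app itself listens on plain http behind a
reverse proxy, so the scheme/host in a Location header must come from
X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port, but only when
the immediate peer is a proxy we trust.
"""
from ipaddress import ip_address, ip_network

# Addresses allowed to set X-Forwarded-* (constructed; the proxy runs on
# the same machine as in the Apache config, which proxies to localhost).
TRUSTED_PROXIES = [ip_network("127.0.0.1/32"), ip_network("::1/128")]


def _from_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer is one of our reverse proxies."""
    ip = ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_PROXIES)


def external_origin(headers: dict, peer_ip: str, request_scheme: str) -> str:
    """Return 'scheme://host[:port]' as seen by the end user.

    headers: the request headers; request_scheme: the scheme of the
    connection the app itself received (http for a plain-http listener).
    """
    # Lower-case names; keep only the first value of comma-joined lists.
    h = {k.lower(): v.split(",")[0].strip() for k, v in headers.items()}
    scheme = request_scheme
    host = h.get("host", "localhost")
    if _from_trusted_proxy(peer_ip):
        # ProxyPreserveHost On keeps the original Host; the proxy adds
        # the protocol and port it terminated for the client.
        scheme = h.get("x-forwarded-proto", scheme).lower()
        host = h.get("x-forwarded-host", host)
        port = h.get("x-forwarded-port")
        default_port = {"http": "80", "https": "443"}.get(scheme)
        if port and port != default_port and ":" not in host:
            host = f"{host}:{port}"
    # Untrusted peers get the scheme/host of their own connection, so a
    # spoofed X-Forwarded-Proto header cannot change the redirect target.
    return f"{scheme}://{host}"


def redirect_after_login(headers: dict, peer_ip: str,
                         request_scheme: str, path: str) -> str:
    """Absolute URL for the post-login redirect (path is app-relative)."""
    return external_origin(headers, peer_ip, request_scheme) + path
```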

+1, I use nginx for reverse proxying and for SSL and I have the same problem - Gitblit
always redirects to non-https URLs.

Reported by vitalifster on 2015-07-20 11:19:40

gitblit avatar Aug 12 '15 12:08 gitblit

I usually lose the proper URL when clicking any button on a page. All other links are fine. I updated the canonical URL; it didn't help.

spagu avatar Oct 12 '15 23:10 spagu

I had a similar problem with tickets; login/logout worked for me.

Adding Header edit Ajax-Location ^http://([^/]+)/ https://$1/ to the apache configuration solves the problem for me.

j123b567 avatar Jul 20 '16 15:07 j123b567

Related to #965

flaix avatar Dec 17 '16 22:12 flaix

I have a similar problem, but only when I try to log in. After login the browser redirects me to https://localhost. What is interesting: when I go back to the proper URL I'm logged in and all works fine. How to fix this? (Reverse proxy made on apache2.)

michaljakubowski avatar Jun 21 '17 20:06 michaljakubowski

When using nginx, here's how the config for the forwarding could be done:

server {
        server_name mygitblit.example.com;
        listen 80;
        return 301 https://$host$request_uri;
}

This is in addition to the separate server entry for the actual 443/proxy forwarding. If you don't run any other sites on that machine, you can make it the default:

server {
        server_name _;
        listen 80 default_server;
        return 301 https://$host$request_uri;
}

mstum avatar Jan 02 '19 00:01 mstum

You may also want to set HSTS so once Gitblit opened via HTTPS your browser will never use HTTP again. In nginx you add:

server {
    ...
    add_header Strict-Transport-Security max-age=15768000;
    ...
}

Personally I use HTTP/2 only (no HTTP/1.1); modern browsers don't allow opening HTTP/2 websites without TLS.

lassana avatar Jan 02 '19 12:01 lassana