
Automatically exported from code.google.com/p/gitblit
Apache License 2.0

Redirect URLs after login/logout have problems with reverse proxying #604

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Run gitblit GO with http
2. behind a reverse proxy (Apache)
3. configure apache to use https
4. access gitblit via https and observe the URLs during login & logout.

What is the expected output? What do you see instead?

I'd expect to stay on https, but the URL changes to http. It is hard for the user to spot that the connection is no longer secure.

What version of the product are you using? On what operating system?
gitblit 1.6.7, centos 7

Please provide any additional information below.

All URLs gitblit creates are correct and work just fine. I suspect that the generated redirect URLs don't heed the X-Forwarded-Proto header or something similar.

Workaround:

Redirect any access to gitblit via http to https. I think the user then gets redirected twice, but it does the trick:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/gitblit/(.*) https://%{SERVER_NAME}/gitblit/$1 [R,L]

This makes it impossible to access gitblit via http, as the user will always end up using https, which is what you'll probably want anyway.

Here's the Apache config I'm using (without the workaround):

# Forward /gitblit to the gitblit GO instance listening on plain http
ProxyPass         /gitblit  http://localhost:8082/gitblit nocanon
ProxyPassReverse  /gitblit  http://localhost:8082/gitblit
ProxyRequests     Off
AllowEncodedSlashes NoDecode
# Pass the original Host header through so gitblit sees the external host name
ProxyPreserveHost On
ProxyVia Off
<Proxy>
        AddDefaultCharset off
        Order deny,allow
        Allow from all
</Proxy>
# Rewrite absolute http://host/gitblit/ Location headers from the backend to https
Header edit Location ^http://([^/]+)/gitblit/ https://$1/gitblit/
# Tell gitblit the client actually connected over https on port 443
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443

Original issue reported on code.google.com by smurn....@gmail.com on 6 Jul 2015 at 6:28
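Added example, not gitblit's own code: it shows what an application behind a TLS-terminating proxy has to do to keep its login/logout redirects on https (honour X-Forwarded-Proto and X-Forwarded-Port, but only from a trusted proxy address), and models the `Header edit Location` rule from the config above so its limits can be checked. The trusted-proxy list and host names are constructed for the example.

```python
import re

# Addresses of reverse proxies whose X-Forwarded-* headers may be believed
# (constructed for this example; a real deployment configures its own list).
TRUSTED_PROXIES = {"127.0.0.1", "::1"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def external_origin(headers, remote_addr):
    """Return the scheme://host[:port] the client actually used.

    The app's own socket only ever sees plain http from the proxy, so it
    must take scheme and port from X-Forwarded-Proto / X-Forwarded-Port.
    Those headers are only trusted when the request arrived from a known
    proxy, because any client can send them directly.
    """
    h = {k.lower(): v for k, v in headers.items()}
    hostname, _, host_port = h.get("host", "localhost").partition(":")
    scheme, port = "http", int(host_port) if host_port else None
    if remote_addr in TRUSTED_PROXIES:
        # Take the first value in case an upstream proxy appended to the list.
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip().lower()
        if "x-forwarded-port" in h:
            port = int(h["x-forwarded-port"].split(",")[0])
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{hostname}"
    return f"{scheme}://{hostname}:{port}"


def redirect_after_login(headers, remote_addr, path="/gitblit/"):
    """Build the absolute Location for a post-login (or post-logout) redirect."""
    return external_origin(headers, remote_addr) + path


# The Apache "Header edit Location" rule from the report, modelled here so its
# reach is visible: it only rewrites absolute http://host/gitblit/ Locations
# and leaves anything else (e.g. a URL without the trailing slash) untouched.
LOCATION_RULE = re.compile(r"^http://([^/]+)/gitblit/")


def rewrite_location(location):
    return LOCATION_RULE.sub(r"https://\1/gitblit/", location, count=1)
```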