Clean install Gitea v1.21.1 with the default docker-compose config from the docs
version: "3"
services:
  server:
    image: gitea/gitea:1.21.1
    ports:
      - "3000:3000"
      - "222:22"
If I configure Gitea to work from localhost (without the reverse proxy), I can clone a public or private repo, over HTTP or SSH.
I am redirected to the right authorization page, and adding and verifying an SSH key works.
Working with the public and private repos with HTTP and SSH just works as intended.
I can create and delete SSH keys and applications, and Gitea responds as I expect it to.
The problem
If I configure Gitea to work with the reverse proxy, I cannot access a private repo and I cannot verify or delete SSH keys or application tokens, so SSH doesn’t work either.
Nginx config taken from Gitea docs
## server listen 80 info here with redirect et al. ##
server {
    listen 443 ssl;
    server_name git.example.org;
    ## Let's Encrypt certificate stuff here ##
    location / {
        client_max_body_size 512M;
        proxy_pass http://localhost:3000;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
HTTP
Public HTTPS repo works.
Private HTTPS repo opens an "authorization failed" page:
https://git.example.org/login/oauth/authorize?response_type=code&client_id=000&state=00000&code_challenge_method=S256&code_challenge=0000&redirect_uri=http%3a%2f%2f127.0.0.1%3a52589%2f *
Authorization failed
Client ID not registered
The authorization failed because we detected an invalid request. Please contact the maintainer of the app you have tried to authorize.
Nginx logs
0.0.0.0 - - [timedate] "POST /user/login HTTP/2.0" 303 0 "-" "browser info"
0.0.0.0 - - [timedate] "GET /login/oauth/authorize HTTP/2.0" 400 22352 "-" "browser info"
0.0.0.0 - - [timedate] "GET /avatar/d0aa75475ce02c63dbf2512d85cd4d2b?size=48 HTTP/2.0" 303 106 "-" "browser info"
0.0.0.0 - - [timedate] "GET /assets/js/eventsource.sharedworker.js?v=1.21.1 HTTP/2.0" 200 690 "-" "browser info"
0.0.0.0 - - [timedate] "GET /assets/img/favicon.svg HTTP/2.0" 200 1078 "-" "browser info"
Gitea container logs
timedate...eb/routing/logger.go:102:func1() [I] router: completed GET /Fluffy/test.git/info/refs for 0.0.0.0:0, 401 Unauthorized in 5.9ms @ repo/githttp.go:532(repo.GetInfoRefs)
timedate...rs/web/auth/oauth.go:828:handleAuthorizeError() [W] Authorization failed: Client ID not registered
timedate...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize for 0.0.0.0:0, 400 Bad Request in 16.3ms @ auth/oauth.go:362(auth.AuthorizeOAuth)
timedate...eb/routing/logger.go:102:func1() [I] router: completed GET /avatar/d0aa75475ce02c63dbf2512d85cd4d2b for 108.162.241.74:0, 303 See Other in 9.3ms @ user/avatar.go:48(user.AvatarByEmailHash)
timedate...eb/routing/logger.go:102:func1() [I] router: completed GET /user/events for 0.0.0.0:0, 200 OK in 300029.7ms @ events/events.go:18(events.Events)
timedate...eb/routing/logger.go:68:func1() [I] router: polling GET /user/events for 0.0.0.0:0, elapsed 3688.6ms @ events/events.go:18(events.Events)
SSH
After making SSH work over the reverse proxy (a pain):
I cannot verify an SSH key; the page URL changes to https://git.example.org/user/settings/keys?verify_ssh=SHA256%0000 *, without showing the next step.
I also cannot delete SSH keys or application tokens.
Clicking on “delete” brings me to a “404 undefined” page. Going back to the keys, they are still there.
One way or another I cannot clone a private repo from a clean install of Gitea…
* 0000 instead of actual tokens or IPs