Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to pull with fcgi+unix, gitea serve passing bearer token gets 403 #9474

Closed
flipkickmedia opened this issue Dec 23, 2019 · 5 comments
Closed

Comments

@flipkickmedia
Copy link

flipkickmedia commented Dec 23, 2019

APP_NAME       = giteatest
RUN_USER       = git
RUN_MODE       = prod
GITEA_WORK_DIR = /var/lib/gitea/workdir

[oauth2]
JWT_SECRET = <some secret>

[security]
INTERNAL_TOKEN = <some token>
INSTALL_LOCK   = true
SECRET_KEY     = <some secret>
[database]
DB_TYPE  = sqlite3
HOST     = 127.0.0.1:3306
NAME     = gitea
USER     = gitea
PASSWD   = 
SSL_MODE = disable
CHARSET  = utf8
PATH     = /var/lib/gitea/data/gitea.db

[repository]
ROOT             = /home/git
DISABLE_HTTP_GIT = false

[server]
PROTOCOL         = fcgi+unix
SSH_DOMAIN       = git.domain.com
DOMAIN           = git.domain.com
HTTP_ADDR        = /run/gitea/gitea.sock
DISABLE_SSH      = false
SSH_PORT         = 22
LFS_START_SERVER = true
LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
LFS_JWT_SECRET   = <some secret>
OFFLINE_MODE     = true
HTTP_PORT        = 3000
ROOT_URL         = https://git.domain.com

[mailer]
ENABLED = true
HOST    = smtp.domain.com
FROM    = [email protected]
USER    = [email protected]
PASSWD  = 

[service]
REGISTER_EMAIL_CONFIRM            = true
ENABLE_NOTIFY_MAIL                = true
DISABLE_REGISTRATION              = false
ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
ENABLE_CAPTCHA                    = false
REQUIRE_SIGNIN_VIEW               = true
DEFAULT_KEEP_EMAIL_PRIVATE        = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING       = true
NO_REPLY_ADDRESS                  = domain.com

[picture]
DISABLE_GRAVATAR        = true
ENABLE_FEDERATED_AVATAR = false

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true

[session]
PROVIDER = file

[log]
MODE = file
LEVEL = debug
redirect_macaron_log=false
router=,
macaron=,
ENABLE_ACCESS_LOG = true
ENABLE_XORM_LOG = true

[log.node.file]
LEVEL = debug

[other]
; Show template execution time in the footer
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

[indexer]
ISSUE_INDEXER_PATH      = /var/lib/gitea/indexer/issues.bleve
ISSUE_INDEXER_QUEUE_DIR = /var/lib/gitea/indexer/issues.queue

logs generated from above config:

2019/12/23 13:06:28 ...s/context/context.go:329:func1() [D] Session ID: b405f0f486ba6edf
2019/12/23 13:06:28 ...s/context/context.go:330:func1() [D] CSRF Token: 1J2TQZ8h7MN8Cvuqq_RwTF-x0C06MTU3NzEwNjM4ODI2OTA4NDg1Mw

==> /var/lib/gitea/workdir/log/access.log <==

<my server ip> - - [23/Dec/2019:13:06:28 +0000] "GET  HTTP/1.1" 403 0 "\" \"GiteaServer"

audit log from ssh: https://pastebin.com/Skw6DKLx

@zeripath
Copy link
Contributor

OK, so setting up a basic test on my machine does not immediately reproduce the problem, but I note that the logging doesn't work correctly because ctx.Req.RequestURI is empty. I suspect that this might be at least partly responsible for the problem.

@zeripath
Copy link
Contributor

I've just checked with REQUIRE_SIGNIN_VIEW = true on the internal SSH and can't get it to be replicated

@zeripath
Copy link
Contributor

Using openSSH doesn't seem to replicate this issue either.

I think you mentioned PAM in discord - I wonder if there is an issue authenticating against PAM - however, the SSH key should just be being used and there should be no attempt to log in against PAM so I don't think that can be the issue here.

@zeripath
Copy link
Contributor

OK so it appears that this was a proxy problem. I'll close this.

#9473 fixes the problem with logging of opaqued urls.

@flipkickmedia
Copy link
Author

flipkickmedia commented Dec 24, 2019

It worked with the branch you created. I need to check master.

The line which enables the authorization header to be passed:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

Without this it fails.

        <VirtualHost *:443>
            ServerName git.domain.com
                ServerAdmin [email protected]
                DocumentRoot /var/www/git.domain.com/public

                LogLevel notice

                ErrorLog /var/www/git.domain.com/logs/error.ssl.og
                CustomLog /var/www/git.domain.com/logs/access.ssl.log combined
                ProxyPass "/" "unix:/var/run/gitea/gitea.sock|fcgi://localhost:51000/"
                ProxyPassReverse "/" "https://git.domain.com/"

                SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

                ProxyPreserveHost On
                ProxyRequests on
                AllowEncodedSlashes NoDecode
...

@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants