Hi, I want to provide a Tor hidden service for my GitLab installation that is otherwise only available over HTTPS. However, when I visit the Tor hidden service (over HTTP), I'm redirected to the sign-in page over HTTPS, instead of staying on HTTP (it redirects to: https://example.onion/users/sign_in).

It may seem strange that I do not want to redirect to HTTPS, but this is actually what I want. When using a Tor hidden service, everything is already TLS encrypted and I do not have a TLS certificate that matches the onion address in the CN. Redirecting to HTTPS will result in a mismatched server TLS error, and not provide me any additional protections. I want to be able to connect to GitLab over this Tor onion address through HTTP, and not be redirected to HTTPS when doing so.

Once I have been redirected to https://example.onion/users/sign_in, nginx fails because it is not configured to listen on HTTPS for this domain. If I simply replace the HTTPS in that URL with HTTP, everything works fine over Tor. It's simply the home page itself that is erroneously redirecting me.

A full description of how to reproduce this is located here: https://gitlab.com/gitlab-org/gitlab-ce/issues/15096

When visiting http://example.onion when not logged in, you should not be redirected to https://example.onion; it should respect the protocol specified. If you visit the site over the clear Internet on HTTP, you will be redirected to HTTPS, where the main GitLab resides. If you visit the site over the Tor network using the hidden service onion address, you are not redirected in nginx; however, GitLab is still redirecting you.

Thanks for any suggestions!

micah