Cloudflare bypasses #10019

New Issue

GiteaMirror · 2025-11-02T08:55:53-06:00

GiteaMirror commented

2025-11-02 08:55:53 -06:00

Originally created by @twisted-nematic57 on GitHub (Dec 27, 2022).

Feature Description

I'm hosting my Gitea server on a Raspberry Pi 4B 8GB. Of course I'm using ARM64 Ubuntu 22.04 LTS with PostgreSQL 15 database. I'm using Cloudflare Tunnel to route get Gitea online to my domain. Everything is perfect except for two things.

Cloning big repositories (such as this one) fails. Cloudflare returns HTTP 524 on requests that haven't been active for 100 seconds or more. Some kind of Git pack service takes more than 100 seconds to finish, which means the Git client that's trying to clone will exit saying that the server returned HTTP 524. This cannot be fixed unless if I get professional-grade hardware which is not my solution.
Cloudflare also imposes a 100MB upload limit, meaning that you cannot push commits greater than 100MB (realistically ~90MB) in size. Is there a way for Gitea to take commits in 75MB chunks? That way Cloudflare's limit can be bypassed since we're using multiple POST requests, each smaller than 100MB, to deliver the data. Same goes for the "upload file" button in the web UI.

Screenshots

No response

Originally created by @twisted-nematic57 on GitHub (Dec 27, 2022). ### Feature Description I'm hosting my Gitea server on a Raspberry Pi 4B 8GB. Of course I'm using ARM64 Ubuntu 22.04 LTS with PostgreSQL 15 database. I'm using Cloudflare Tunnel to route get Gitea online to [my domain](https://gitea.hdg57.eu.org/). Everything is perfect except for two things. 1. Cloning big repositories (such as [this one](https://gitea.hdg57.eu.org/coolstuff/gcc.git)) fails. Cloudflare returns HTTP 524 on requests that haven't been active for 100 seconds or more. Some kind of Git pack service takes more than 100 seconds to finish, which means the Git client that's trying to clone will exit saying that the server returned HTTP 524. This cannot be fixed unless if I get professional-grade hardware which is not my solution. 2. Cloudflare also imposes a 100MB upload limit, meaning that you cannot push commits greater than 100MB (realistically ~90MB) in size. Is there a way for Gitea to take commits in 75MB chunks? That way Cloudflare's limit can be bypassed since we're using multiple POST requests, each smaller than 100MB, to deliver the data. Same goes for the "upload file" button in the web UI. ### Screenshots _No response_

GiteaMirror added the type/proposal type/feature labels 2025-11-02 08:55:53 -06:00

GiteaMirror closed this issue

2025-11-02 08:55:53 -06:00

GiteaMirror commented

2025-11-02 08:55:54 -06:00

@tahaghafuri commented on GitHub (Dec 27, 2022):

You Can't Cloudflare Bypass,
Fix:
UnProxy Your Domain!

@tahaghafuri commented on GitHub (Dec 27, 2022): You Can't Cloudflare Bypass, Fix: UnProxy Your Domain!

GiteaMirror commented

2025-11-02 08:55:54 -06:00

@delvh commented on GitHub (Dec 27, 2022):

Regarding 1:
I wouldn't have put it like that, but in general, I agree:
It is not our task to fix what you choose to do with Gitea.
Our task is to ensure that Gitea works as universally as possible.
If you choose to host it under a too-restrictive hoster, then there is pretty much nothing we can or should do.

Regarding 2: It would be possible if git would allow for something like this.
I don't think it does at the moment, so please open another issue for them, and if they choose to implement it, we can revisit/ reopen this issue.
It's probably not a good idea to deviate from what git offers itself.

As there is otherwise nothing to do, I'd close this issue for now.
If Git chooses to implement [2], it can be reopened.

@delvh commented on GitHub (Dec 27, 2022): Regarding 1: I wouldn't have put it like that, but in general, I agree: It is not our task to fix what you choose to do with Gitea. Our task is to ensure that Gitea works as universally as possible. If you choose to host it under a too-restrictive hoster, then there is pretty much nothing we can or should do. Regarding 2: It would be possible if git would allow for something like this. I don't think it does at the moment, so please open another issue for them, and if they choose to implement it, we can revisit/ reopen this issue. It's probably not a good idea to deviate from what git offers itself. As there is otherwise nothing to do, I'd close this issue for now. If Git chooses to implement [2], it can be reopened.

GiteaMirror commented

2025-11-02 08:55:54 -06:00

@twisted-nematic57 commented on GitHub (Dec 27, 2022):

You Can't Cloudflare Bypass, Fix: UnProxy Your Domain!

Ah yes, I have tried that. But then my browser complains it can't find the server. Yes, really: when I unproxy my DNS entry for the gitea server it stops working. Gitea works fine while accessing from localhost, but something's wrong on the Cloudflare side, if you can help please do.

@twisted-nematic57 commented on GitHub (Dec 27, 2022): > You Can't Cloudflare Bypass, Fix: UnProxy Your Domain! Ah yes, I have tried that. But then my browser complains it can't find the server. Yes, really: when I unproxy my DNS entry for the gitea server it stops working. Gitea works fine while accessing from localhost, but something's wrong on the Cloudflare side, if you can help please do. ![Screenshot from 2022-12-27 12-14-35](https://user-images.githubusercontent.com/70416002/209718381-8f6e4d16-311a-4ccd-ac59-38b6e1b190f7.png) ![image](https://user-images.githubusercontent.com/70416002/209718538-d106708e-9ad3-4311-8647-8d268803ecd0.png)

GiteaMirror commented

2025-11-02 08:55:55 -06:00

@jrjake commented on GitHub (Dec 28, 2022):

To unproxy your Gitea server, you will need to delete that CNAME entry and replace it with an A entry containing the public IP address of your server (If your server has IPv6, you should add an AAAA record too).

@jrjake commented on GitHub (Dec 28, 2022): To unproxy your Gitea server, you will need to delete that CNAME entry and replace it with an A entry containing the public IP address of your server (If your server has IPv6, you should add an AAAA record too).

GiteaMirror commented

2025-11-02 08:55:55 -06:00

@twisted-nematic57 commented on GitHub (Dec 28, 2022):

Yep, the problem was that I was trying to use Cloudflare Tunnel on an unproxied subdomain. Apparently that isn't possible, so I replaced it with an A entry pointing directly to my server's public IP address. It works. Sort of.

The port is mapped like this:
<public IP>:443 mapped to <server's local IP>:<Gitea port>

Web UI traffic goes through nicely, whether the subdomain is orange-clouded or not. Everything Web UI-related still works and the website is still very responsive, and everything is coming directly from my origin server.

So what is so special about the Cloudflare proxy service that without it Git clones won’t even work? When the subdomain is orange-clouded then the Git clone is successful. If it’s grey clouded then running the exact same clone command will complain that it couldn’t even establish a connection since it timed out trying to connect. I’ve tried manually entering my credentials and server port in the clone URL itself, but still no avail. I also waited out the entire TTL when editing the DNS entries plus an entire five minutes extra, but again, still no avail. Please help.

The screenshot below shows what happens when I try to clone a tiny repository when the subdomain is grey-clouded. (When it's orange-clouded, it works the way you'd expect.)

The request doesn't even reach the Gitea instance (there are no logs suggesting so even at Trace level). Cloudflare just "holds on" to the request until it times out.

@twisted-nematic57 commented on GitHub (Dec 28, 2022): Yep, the problem was that I was trying to use Cloudflare Tunnel on an unproxied subdomain. Apparently that isn't possible, so I replaced it with an A entry pointing directly to my server's public IP address. It works. Sort of. The port is mapped like this: `<public IP>:443` mapped to `<server's local IP>:<Gitea port>` Web UI traffic goes through nicely, whether the subdomain is orange-clouded or not. Everything Web UI-related still works and the website is still very responsive, and everything is coming directly from my origin server. So what is so special about the Cloudflare proxy service that without it Git clones won’t even work? When the subdomain is orange-clouded then the Git clone is successful. If it’s grey clouded then running the exact same clone command will complain that it couldn’t even establish a connection since it timed out trying to connect. I’ve tried manually entering my credentials and server port in the clone URL itself, but still no avail. I also waited out the entire TTL when editing the DNS entries plus an entire five minutes extra, but again, still no avail. Please help. The screenshot below shows what happens when I try to clone a tiny repository when the subdomain is grey-clouded. (When it's orange-clouded, it works the way you'd expect.) ![image](https://user-images.githubusercontent.com/70416002/209772070-3f3b8dac-c31a-43ad-9206-ea78a281b904.png) The request doesn't even reach the Gitea instance (there are no logs suggesting so even at Trace level). Cloudflare just "holds on" to the request until it times out.

GiteaMirror commented

2025-11-02 08:55:55 -06:00

@jrjake commented on GitHub (Dec 28, 2022):

I don't know, I'm not very familiar with Cloudflare. My best guess is that there is some web application firewall running and it blocks requests ending in .git to prevent data exfiltration. You might be able to get better help asking on a Cloudflare specific forum or support team if they have one.

@jrjake commented on GitHub (Dec 28, 2022): I don't know, I'm not very familiar with Cloudflare. My best guess is that there is some web application firewall running and it blocks requests ending in `.git` to prevent data exfiltration. You might be able to get better help asking on a Cloudflare specific forum or support team if they have one.

GiteaMirror commented

2025-11-02 08:55:55 -06:00

@twisted-nematic57 commented on GitHub (Jan 12, 2023):

In case anyone far in the future could use this information:

The solution was that I needed to route external ports 22, 80, 443, and 9418 to my nginx proxy's internal port. Problem solved! (I also learned that Cloudflare Tunnel doesn't support unproxied domains.)

@twisted-nematic57 commented on GitHub (Jan 12, 2023): In case anyone far in the future could use this information: The solution was that I needed to route external ports `22`, `80`, `443`, and `9418` to my nginx proxy's internal port. Problem solved! (I also learned that Cloudflare Tunnel doesn't support unproxied domains.)

GiteaMirror commented

2025-11-02 08:55:56 -06:00

@roytam1 commented on GitHub (Apr 28, 2023):

for 1, I wonder if gitea can implement a poll-like approach and let pack/diff/etc. operations running in background, with front-end(i.e. web browsers) querying status by doing check-status poll requests?

@roytam1 commented on GitHub (Apr 28, 2023): for 1, I wonder if gitea can implement a poll-like approach and let pack/diff/etc. operations running in background, with front-end(i.e. web browsers) querying status by doing check-status poll requests?

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#10019