mirror of
https://github.com/go-gitea/gitea.git
synced 2026-03-12 02:24:21 -05:00
Proxy support broke in Gitea 1.18 #10055
Closed
opened 2025-11-02 08:57:02 -06:00 by GiteaMirror
·
10 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
No Label
type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#10055
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @zfLQ2qx2 on GitHub (Jan 4, 2023).
Description
I run gitea as a tor service so that I do not have to expose ports on my home firewall. Applications on my tor server do not have direct access to the internet, instead the tor daemon acts as a socks5 proxy and is responsible for name resolution and forwarding outgoing traffic through the tor network.
To have gitea work with tor I added the following lines to my app.ini:
[proxy]
ENABLED = true
PROXY_URL = socks://127.0.0.1:9050/
PROXY_HOSTS = *
In versions upto 1.16.1 this worked correctly and I setup mirrors of a number repos from github, gitlab, and .onion domains without issue.
I jumped from 1.16.1 to 1.18.0 and in the latest version all of my mirror connections fail with DNS resolution errors which suggests that gitea is still trying to resolve the names itself instead of entrusting them to the socks5 proxy. This makes it impossible to reach onion addresses also since only the tor client can resolve those.
My test cases to show tor is working are:
ALL_PROXY=socks5h://127.0.0.1:9050/ curl -vvv http://github.com/
ALL_PROXY=socks5h://127.0.0.1:9050/ curl -vvv http://eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/
(the later is the gitlab run by the tor project)
I should point out that in curl there is a difference, socks5 and socks5h, where the former uses the libc resolver and the later uses the socks5 resolver. The golang base libraries don't have a distinction.
Gitea Version
1.18
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
Linux
How are you running Gitea?
gitea-1.18.0-linux-amd64 from github releases
Database
SQLite
@zeripath commented on GitHub (Jan 12, 2023):
Have you tried adding
*.onionto[migrations]ALLOWED_DOMAINS?@zfLQ2qx2 commented on GitHub (Jan 15, 2023):
@zeripath I will try that, but all of the connections are failing. The majority are GitHub (dozens) a couple Gitlab, and a couple .onion.
@zeripath commented on GitHub (Jan 15, 2023):
Then have you tried setting
ALLOWED_DOMAINS=*presumably your proxy is not going to allow connections to local machines?@zfLQ2qx2 commented on GitHub (Jan 28, 2023):
@zeripath Apologies, it took me a while to try these. I added a migrations section and tried adding ALLOWED_DOMAINS=*, although the documentation says that by default all domains are allowed so I don't think this is needed, and got the same result. I also tried adding ALLOW_LOCALNETWORKS=true under migrations because the way Tor works it maps resolved onion names to a local address and then requests to that address get forwarded to the onion address. I had no luck with this either. So I think we are back to something having changed in Gitea 1.18 (or 1.17, the last version this worked for sure was 1.16) where Gitea is attempting to resolve the addresses itself rather than allowing the Socks5 proxy to do it.
So to test I need to configure tor to answer DNS queries on 127.0.0.1:53 and we'll see if that is a workaround for this new behavior.
@zfLQ2qx2 commented on GitHub (Jan 29, 2023):
@zeripath So I did need [migrations] with ALLOWED_DOMAINS=* in order to update the host in the mirroring config. It looks like the Tor project changed the address of their git server which is the test case I used at start of this ticket.
I verified that the gitea user and resolve the onion address and reach it via socks 4, 5, and 5h - onion addresses resolve from command line via 127.0.0.1:53. Test case which works is:
ALL_PROXY=socks://127.0.0.1:9050/ curl -v -v -v http://gzgme7ov25seqjbphab4fkcph3jkobfwwpivt5kzbv3kqx2y2qttl4yd.onion:80/tor.git
Error from gitea is now:
Which is not a resolution error so thats ok now but seems like Gitea is not using the Socks proxy for outgoing connections - otherwise would take more then 0ms to fail.
It looks like [proxy] ENABLED is now [proxy] PROXY_ENABLED, made that change but did not help.
I tried changing [proxy] PROXY_HOSTS to , **, ",**", and *.onion (four different settings) but did not help.
I'm not sure what other settings there are or how I can diagnose further. If gitea uses the socks proxy on 127.0.0.1:9050 like curl does, it should have no issue connecting out.
@zeripath commented on GitHub (Jan 29, 2023):
So the error is now coming from git not being able to resolve the host which implies that it isn't using the tor proxy.
This is strange because the proxy settings should set it.
@zfLQ2qx2 commented on GitHub (Jan 30, 2023):
@zeripath In the gitea user's .gitconfig I also have an [http] proxy = socks5h://127.0.0.1:9050 setting, if I do '''git clone http://gzgme7ov25seqjbphab4fkcph3jkobfwwpivt5kzbv3kqx2y2qttl4yd.onion/tor.git''' I get a "repository not found" error from the remote which is significant in that it shows the git binary itself can talk to the remove server. The error itself is completely different issue, I need to open an issue with the tor project, neither their new or old onion addresses seem to allow git requests. The "gzgme..." address is the one they list on the bottom of their page https://gitweb.torproject.org/tor.git
...
@zfLQ2qx2 commented on GitHub (Feb 12, 2023):
Now looking at https://github.com/xjasonlyu/tun2socks as a workaround which does not depend on gitea or git having explicit knowledge of the proxy.
@lunny commented on GitHub (Jul 27, 2023):
Is this still a problem?
@yp05327 commented on GitHub (Sep 26, 2024):
Any updates?