github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-19 14:42:41 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

Sign in not possible behind tinyproxy with sub-path #13081

New Issue
Closed
opened 2025-11-02 10:29:41 -06:00 by GiteaMirror · 20 comments
GiteaMirror commented 2025-11-02 10:29:41 -06:00
Owner
Copy Link

Originally created by @LauKr on GitHub (May 31, 2024).

Originally assigned to: @wxiaoguang on GitHub.

Description

Running Gitea behind a Reverse Proxy using a sub-path doesn't allow login.
This issue was first occurring with the update 1.21.10 -> 1.21.11 and
continues with 1.22.0.

After entering credentials and pressing the "Sign In" button, the
unauthenticated "root" site is shown again, like after a logout.

From the release notes
we noted the following change which seems suspicious:

Fix to delete the cookie when AppSubURL is non-empty (#30375) (#30468)

Therefore, we checked our configurations and ensured, they used trailing slashes:

$ grep -r "git-staging" /etc/gitea-staging /etc/tinyproxy/ 
/etc/gitea-staging/app.ini:ROOT_URL = https://192.168.1.12/git-staging/
/etc/tinyproxy/tinyproxy.conf:ReversePath "/git-staging/" "http://127.0.0.1:3333/"

The logs from our reverse proxy show a behavior as requested by the
documentation:

May 29 16:16:31 debian-git tinyproxy[390434]: Connect (file descriptor 5): 127.0.0.1
May 29 16:16:31 debian-git tinyproxy[390434]: Request (file descriptor 5): POST /git-staging/user/login HTTP/1.1
May 29 16:16:31 debian-git tinyproxy[390434]: Rewriting URL: /git-staging/user/login -> http://127.0.0.1:3333/user/login
May 29 16:16:31 debian-git tinyproxy[390434]: No upstream proxy for 127.0.0.1
May 29 16:16:31 debian-git tinyproxy[390434]: opensock: opening connection to 127.0.0.1:3333
May 29 16:16:31 debian-git tinyproxy[390434]: opensock: getaddrinfo returned for 127.0.0.1:3333
May 29 16:16:31 debian-git tinyproxy[390434]: Established connection to host "127.0.0.1" using file descriptor 6.
May 29 16:16:31 debian-git tinyproxy[390434]: Closed connection between local client (fd:5) and remote client (fd:6)
May 29 16:16:31 debian-git tinyproxy[390434]: Connect (file descriptor 5): 127.0.0.1
May 29 16:16:31 debian-git tinyproxy[390434]: Request (file descriptor 5): GET /git-staging/ HTTP/1.1
May 29 16:16:31 debian-git tinyproxy[390434]: Rewriting URL: /git-staging/ -> http://127.0.0.1:3333/
May 29 16:16:31 debian-git tinyproxy[390434]: No upstream proxy for 127.0.0.1
May 29 16:16:31 debian-git tinyproxy[390434]: opensock: opening connection to 127.0.0.1:3333
May 29 16:16:31 debian-git tinyproxy[390434]: opensock: getaddrinfo returned for 127.0.0.1:3333
May 29 16:16:31 debian-git tinyproxy[390434]: Established connection to host "127.0.0.1" using file descriptor 6.
May 29 16:16:31 debian-git tinyproxy[390434]: Closed connection between local client (fd:5) and remote client (fd:6)

We see the equivalent to

Make the reverse-proxy pass https://common.example.com/gitea/foo to http://gitea:3000/foo

Rewriting URL: /git-staging/user/login -> http://127.0.0.1:3333/user/login

The corresponding Gitea logs are:

May 29 16:53:07 debian-git gitea[390439]: 2024/05/29 16:53:07 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for 127.0.0.1:56322, 303 See Other in 68.6ms @ auth/auth.go:196(auth.SignInPost)
May 29 16:53:07 debian-git gitea[390439]: 2024/05/29 16:53:07 .../context_response.go:70:HTML() [D] Template: home
May 29 16:53:07 debian-git gitea[390439]: 2024/05/29 16:53:07 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for 127.0.0.1:56324, 200 OK in 3.6ms @ web/home.go:32(web.Home)

Access logs in Gitea:

127.0.0.1 - - [29/May/2024:16:52:57 +0200] "GET /user/login HTTP/1.1" 200 10629 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"
127.0.0.1 - - [29/May/2024:16:53:00 +0200] "POST /user/login HTTP/1.1" 303 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"
127.0.0.1 - - [29/May/2024:16:53:00 +0200] "GET / HTTP/1.1" 200 14214 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"
127.0.0.1 - - [29/May/2024:16:53:02 +0200] "GET /user/login?redirect_to=%2fgit-staging%2f HTTP/1.1" 200 10629 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"
127.0.0.1 - - [29/May/2024:16:53:07 +0200] "POST /user/login HTTP/1.1" 303 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"
127.0.0.1 - - [29/May/2024:16:53:07 +0200] "GET / HTTP/1.1" 200 14214 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"

Resolving

After reverting commit b18c04ebde (and commenting
out two sections undefined afterwards, see patch), we are able to use the normal
login again, when using our custom built binary. Thus, this also shows that our
error is connected to this change.

Gitea Version

1.21.11 and 1.22.0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.39.2

Operating System

Debian Bookworm

How are you running Gitea?

The binary is pulled from the official server. Execution is happening through systemd on Debian 6.1.85-1 (2024-04-11) 86_64.
The Gitea server is listening locally via HTTP and is served by a tinyproxy reverse proxy. TLS is terminated by stunnel in front of tinyproxy.

Database

SQLite

Originally created by @LauKr on GitHub (May 31, 2024). Originally assigned to: @wxiaoguang on GitHub. ### Description Running Gitea behind a Reverse Proxy using a sub-path doesn't allow login. This issue was first occurring with the update 1.21.10 -> 1.21.11 and continues with 1.22.0. After entering credentials and pressing the "Sign In" button, the unauthenticated "root" site is shown again, like after a logout. From the [release notes](https://github.com/go-gitea/gitea/releases/tag/v1.21.11) we noted the following change which seems suspicious: > Fix to delete the cookie when AppSubURL is non-empty ([#30375](https://github.com/go-gitea/gitea/pull/30375)) ([#30468](https://github.com/go-gitea/gitea/pull/30468)) Therefore, we checked our configurations and ensured, they used trailing slashes: ``` $ grep -r "git-staging" /etc/gitea-staging /etc/tinyproxy/ /etc/gitea-staging/app.ini:ROOT_URL = https://192.168.1.12/git-staging/ /etc/tinyproxy/tinyproxy.conf:ReversePath "/git-staging/" "http://127.0.0.1:3333/" ``` The logs from our reverse proxy show a behavior as requested by the documentation: ``` May 29 16:16:31 debian-git tinyproxy[390434]: Connect (file descriptor 5): 127.0.0.1 May 29 16:16:31 debian-git tinyproxy[390434]: Request (file descriptor 5): POST /git-staging/user/login HTTP/1.1 May 29 16:16:31 debian-git tinyproxy[390434]: Rewriting URL: /git-staging/user/login -> http://127.0.0.1:3333/user/login May 29 16:16:31 debian-git tinyproxy[390434]: No upstream proxy for 127.0.0.1 May 29 16:16:31 debian-git tinyproxy[390434]: opensock: opening connection to 127.0.0.1:3333 May 29 16:16:31 debian-git tinyproxy[390434]: opensock: getaddrinfo returned for 127.0.0.1:3333 May 29 16:16:31 debian-git tinyproxy[390434]: Established connection to host "127.0.0.1" using file descriptor 6. May 29 16:16:31 debian-git tinyproxy[390434]: Closed connection between local client (fd:5) and remote client (fd:6) May 29 16:16:31 debian-git tinyproxy[390434]: Connect (file descriptor 5): 127.0.0.1 May 29 16:16:31 debian-git tinyproxy[390434]: Request (file descriptor 5): GET /git-staging/ HTTP/1.1 May 29 16:16:31 debian-git tinyproxy[390434]: Rewriting URL: /git-staging/ -> http://127.0.0.1:3333/ May 29 16:16:31 debian-git tinyproxy[390434]: No upstream proxy for 127.0.0.1 May 29 16:16:31 debian-git tinyproxy[390434]: opensock: opening connection to 127.0.0.1:3333 May 29 16:16:31 debian-git tinyproxy[390434]: opensock: getaddrinfo returned for 127.0.0.1:3333 May 29 16:16:31 debian-git tinyproxy[390434]: Established connection to host "127.0.0.1" using file descriptor 6. May 29 16:16:31 debian-git tinyproxy[390434]: Closed connection between local client (fd:5) and remote client (fd:6) ``` We see the equivalent to > `Make the reverse-proxy pass https://common.example.com/gitea/foo to http://gitea:3000/foo` ``` Rewriting URL: /git-staging/user/login -> http://127.0.0.1:3333/user/login ``` The corresponding Gitea logs are: ``` May 29 16:53:07 debian-git gitea[390439]: 2024/05/29 16:53:07 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for 127.0.0.1:56322, 303 See Other in 68.6ms @ auth/auth.go:196(auth.SignInPost) May 29 16:53:07 debian-git gitea[390439]: 2024/05/29 16:53:07 .../context_response.go:70:HTML() [D] Template: home May 29 16:53:07 debian-git gitea[390439]: 2024/05/29 16:53:07 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for 127.0.0.1:56324, 200 OK in 3.6ms @ web/home.go:32(web.Home) ``` Access logs in Gitea: ``` 127.0.0.1 - - [29/May/2024:16:52:57 +0200] "GET /user/login HTTP/1.1" 200 10629 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0" 127.0.0.1 - - [29/May/2024:16:53:00 +0200] "POST /user/login HTTP/1.1" 303 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0" 127.0.0.1 - - [29/May/2024:16:53:00 +0200] "GET / HTTP/1.1" 200 14214 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0" 127.0.0.1 - - [29/May/2024:16:53:02 +0200] "GET /user/login?redirect_to=%2fgit-staging%2f HTTP/1.1" 200 10629 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0" 127.0.0.1 - - [29/May/2024:16:53:07 +0200] "POST /user/login HTTP/1.1" 303 0 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0" 127.0.0.1 - - [29/May/2024:16:53:07 +0200] "GET / HTTP/1.1" 200 14214 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0" ``` ### Resolving After reverting commit b18c04ebde94e23d97da4958173faea843d5344f (and commenting out two sections undefined afterwards, see patch), we are able to use the normal login again, when using our custom built binary. Thus, this also shows that our error is connected to this change. ### Gitea Version 1.21.11 and 1.22.0 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version 2.39.2 ### Operating System Debian Bookworm ### How are you running Gitea? The binary is pulled from the official server. Execution is happening through systemd on Debian 6.1.85-1 (2024-04-11) 86_64. The Gitea server is listening locally via HTTP and is served by a tinyproxy reverse proxy. TLS is terminated by stunnel in front of tinyproxy. ### Database SQLite
GiteaMirror added the issue/needs-feedbackissue/not-a-bug labels 2025-11-02 10:29:41 -06:00
GiteaMirror commented 2025-11-02 10:29:42 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (May 31, 2024):

After reverting commit b18c04ebde, we are able to use the normal login again,
" fix: Fix to delete cookie when AppSubURL is non-empty #30375 "

@jtran would you like to take a look?

@wxiaoguang commented on GitHub (May 31, 2024): > After reverting commit https://github.com/go-gitea/gitea/commit/b18c04ebde94e23d97da4958173faea843d5344f, we are able to use the normal login again, " fix: Fix to delete cookie when AppSubURL is non-empty #30375 " @jtran would you like to take a look?
GiteaMirror commented 2025-11-02 10:29:42 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (May 31, 2024):

@LauKr could you help to elaborate some details?

  1. Does the "login" work in a private window (without any existing cookie)?
  2. If the login doesn't work, what are the cookies sent from server (Set-Cookie) and sent from client (Cookie)? Do they match?
@wxiaoguang commented on GitHub (May 31, 2024): @LauKr could you help to elaborate some details? 1. Does the "login" work in a private window (without any existing cookie)? 2. If the login doesn't work, what are the cookies sent from server (`Set-Cookie`) and sent from client (`Cookie`)? Do they match?
GiteaMirror commented 2025-11-02 10:29:43 -06:00
Author
Owner
Copy Link

@LauKr commented on GitHub (May 31, 2024):

Sadly GitHub doesn't let me upload a file with .path extension. I changed it to .txt instead.
diff.txt

This diff shows the revert plus two comments that allowed us to login again.

@LauKr commented on GitHub (May 31, 2024): Sadly GitHub doesn't let me upload a file with .path extension. I changed it to .txt instead. [diff.txt](https://github.com/user-attachments/files/15516402/diff.txt) This diff shows the revert plus two comments that allowed us to login again.
GiteaMirror commented 2025-11-02 10:29:43 -06:00
Author
Owner
Copy Link

@LauKr commented on GitHub (May 31, 2024):

  1. No, deleting cookies, using a private window etc. did not work. We already tried this first, due to #29757 and #29881.
  2. The POST request for login has the following cookies set: 
    Set-Cookie: yummy_magical_cookie=/git-staging/; path=/
Cookie: i_like_gitea=XXX; _csrf=XXX; yummy_magical_cookie=/git-staging/
@LauKr commented on GitHub (May 31, 2024): 1. No, deleting cookies, using a private window etc. did not work. We already tried this first, due to #29757 and #29881. 2. The POST request for login has the following cookies set: ``` Set-Cookie: yummy_magical_cookie=/git-staging/; path=/ Cookie: i_like_gitea=XXX; _csrf=XXX; yummy_magical_cookie=/git-staging/ ```
GiteaMirror commented 2025-11-02 10:29:43 -06:00
Author
Owner
Copy Link

@bohde commented on GitHub (May 31, 2024):

I worked with @jtran on this change for bug we were seeing in a deployment that is also behind a reverse proxy (nginx in our case) with a subpath of /app_path/. The set-cookie headers as a result of POST /app_path/user/login look like the following in my Firefox network tab:

set-cookie i_like_gitea=; Path=/app_path/; Max-Age=0; HttpOnly; Secure; SameSite=Lax
set-cookie i_like_gitea=<redacted>; Path=/app_path; HttpOnly; Secure; SameSite=Lax
set-cookie lang=; Path=/app_path/; Max-Age=0; HttpOnly; Secure; SameSite=Lax
set-cookie_csrf=; Path=/app_path; Max-Age=0; HttpOnly; Secure; SameSite=Lax
set-cookie redirect_to=; Path=/app_path; Max-Age=0; HttpOnly; Secure; SameSite=Lax
set-cookie redirect_to=; Path=/app_path/; Max-Age=0; HttpOnly; Secure; SameSite=Lax

@LauKr based on my reading of your config, it appears like your cookies should set Path=/git-staging, but it appears that's not happening from the Set-Cookie header your posted.

@bohde commented on GitHub (May 31, 2024): I worked with @jtran on this change for bug we were seeing in a deployment that is also behind a reverse proxy (nginx in our case) with a subpath of `/app_path/`. The `set-cookie` headers as a result of `POST /app_path/user/login` look like the following in my Firefox network tab: ``` set-cookie i_like_gitea=; Path=/app_path/; Max-Age=0; HttpOnly; Secure; SameSite=Lax set-cookie i_like_gitea=<redacted>; Path=/app_path; HttpOnly; Secure; SameSite=Lax set-cookie lang=; Path=/app_path/; Max-Age=0; HttpOnly; Secure; SameSite=Lax set-cookie_csrf=; Path=/app_path; Max-Age=0; HttpOnly; Secure; SameSite=Lax set-cookie redirect_to=; Path=/app_path; Max-Age=0; HttpOnly; Secure; SameSite=Lax set-cookie redirect_to=; Path=/app_path/; Max-Age=0; HttpOnly; Secure; SameSite=Lax ``` @LauKr based on my reading of your config, it appears like your cookies should set `Path=/git-staging`, but it appears that's not happening from the `Set-Cookie` header your posted.
GiteaMirror commented 2025-11-02 10:29:43 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 1, 2024):

@LauKr it doesn't seem right in your reverse proxy config.

Did you see any Set-Cookie for i_like_gitea? Which path is it on? It is directly related to Gitea login.

And, did you set any ReversePath or related config for your reverse proxy? I think they should be removed. UPDATE: maybe it should set ReverseMagic No, see below.

Since you are using tinyproxy, could you prepare a reproducible setup with detailed steps ? If you could provide a docker compose to reproduce, then I could try to debug it on my machine.

@wxiaoguang commented on GitHub (Jun 1, 2024): @LauKr it doesn't seem right in your reverse proxy config. Did you see any `Set-Cookie` for `i_like_gitea`? Which path is it on? It is directly related to Gitea login. And, did you set any `ReversePath` or related config for your reverse proxy? I think they should be removed. UPDATE: maybe it should set `ReverseMagic No`, see below. ---- Since you are using tinyproxy, could you prepare a reproducible setup with detailed steps ? If you could provide a docker compose to reproduce, then I could try to debug it on my machine.
GiteaMirror commented 2025-11-02 10:29:44 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 1, 2024):

And one more thing, It seems that tinyproxy does some trick (black magic?) on the "cookie path". https://github.com/search?q=repo%3Atinyproxy%2Ftinyproxy%20REVERSE_COOKIE&type=code

I do not feel it is quite right. If there is a chance, I would recommend to try to use some modern and standard reverse proxies.

ps: I guess setting ReverseMagic No should resolve the problem, according to the code in tinyproxy:

image

@wxiaoguang commented on GitHub (Jun 1, 2024): And one more thing, It seems that tinyproxy does some trick (black magic?) on the "cookie path". https://github.com/search?q=repo%3Atinyproxy%2Ftinyproxy%20REVERSE_COOKIE&type=code I do not feel it is quite right. If there is a chance, I would recommend to try to use some modern and standard reverse proxies. ps: I guess setting `ReverseMagic No` should resolve the problem, according to the code in tinyproxy: <details> ![image](https://github.com/go-gitea/gitea/assets/2114189/a156b5c0-e26e-43be-a9bb-4b2413e0957f) </details>
GiteaMirror commented 2025-11-02 10:29:44 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 4, 2024):

Any update?

@wxiaoguang commented on GitHub (Jun 4, 2024): Any update?
GiteaMirror commented 2025-11-02 10:29:44 -06:00
Author
Owner
Copy Link

@LauKr commented on GitHub (Jun 4, 2024):

Any update?

Sorry, I need some time for the reproducible build.

Changing ReverseMagic to No sadly didn't resolve the issue. I'll try debugging where the cookie went as soon as I find the time.

@LauKr commented on GitHub (Jun 4, 2024): > Any update? Sorry, I need some time for the reproducible build. Changing `ReverseMagic` to No sadly didn't resolve the issue. I'll try debugging where the cookie went as soon as I find the time.
GiteaMirror commented 2025-11-02 10:29:44 -06:00
Author
Owner
Copy Link

@LauKr commented on GitHub (Jun 9, 2024):

Hi,
sorry for the delay. I wrote a Dockerfile to reproduce the issue. Necessary files are attached:
setup_for_debugging.tar.gz

Building and running was tested using Podman, but should work with Docker as well:

podman build -t gitea_proxy_testing --file Dockerfile
podman run --rm -it --publish 8888:8888 gitea_proxy_testing:latest

The Dockerfile creates a container with Gitea and tinyproxy. The tinyproxy is accessible via port 8888.
Accessing Gitea via 127.0.0.1:8888/git-staging/ was successful, but login was not possible, as described in the issue.

@LauKr commented on GitHub (Jun 9, 2024): Hi, sorry for the delay. I wrote a Dockerfile to reproduce the issue. Necessary files are attached: [setup_for_debugging.tar.gz](https://github.com/user-attachments/files/15753539/setup_for_debugging.tar.gz) Building and running was tested using Podman, but should work with Docker as well: ```bash podman build -t gitea_proxy_testing --file Dockerfile podman run --rm -it --publish 8888:8888 gitea_proxy_testing:latest ``` The Dockerfile creates a container with Gitea and tinyproxy. The tinyproxy is accessible via port 8888. Accessing Gitea via 127.0.0.1:8888/git-staging/ was successful, but login was not possible, as described in the issue.
GiteaMirror commented 2025-11-02 10:29:45 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 10, 2024):

I guess the problem is caused by that the new cookie is correctly removed by the "deleting legacy code". So I think we could try to flip the order: first delete the legacy cookie, then set new cookie, then the new cookie won't be deleted.

-> Delete legacy cookie before setting new cookie #31306

@wxiaoguang commented on GitHub (Jun 10, 2024): I guess the problem is caused by that the new cookie is correctly removed by the "deleting legacy code". So I think we could try to flip the order: first delete the legacy cookie, then set new cookie, then the new cookie won't be deleted. -> Delete legacy cookie before setting new cookie #31306
GiteaMirror commented 2025-11-02 10:29:45 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 11, 2024):

Wait for backport to 1.22

@wxiaoguang commented on GitHub (Jun 11, 2024): Wait for backport to 1.22
GiteaMirror commented 2025-11-02 10:29:45 -06:00
Author
Owner
Copy Link

@LauKr commented on GitHub (Jun 11, 2024):

When trying use a custom build on commit 5342a61124, the problem was not fixed in the provided container setup.
I'll have a look at the proxy again, just in case.

@LauKr commented on GitHub (Jun 11, 2024): When trying use a custom build on commit 5342a61124bf2d4fbe4c1d560b13866198149ac9, the problem was not fixed in the provided container setup. I'll have a look at the proxy again, just in case.
GiteaMirror commented 2025-11-02 10:29:46 -06:00
Author
Owner
Copy Link

@lunny commented on GitHub (Jun 11, 2024):

Backport merged, wait for @LauKr 's confirmation and feedback.

@lunny commented on GitHub (Jun 11, 2024): Backport merged, wait for @LauKr 's confirmation and feedback.
GiteaMirror commented 2025-11-02 10:29:46 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 11, 2024):

Backport merged, wait for @LauKr 's confirmation and feedback.

It's said that the "fix" doesn't work.

@wxiaoguang commented on GitHub (Jun 11, 2024): > Backport merged, wait for @LauKr 's confirmation and feedback. It's said that the "fix" doesn't work.
GiteaMirror commented 2025-11-02 10:29:46 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 11, 2024):

I think it is a bug in tinyproxy. By using tcpdump, I can see:

Gitea tells tinyproxy:

HTTP/1.1 303 See Other
Cache-Control: max-age=0, private, must-revalidate, no-transform
Content-Type: text/plain; charset=utf-8
Location: /git-staging/
Set-Cookie: _csrf=en3AFom-bfjvNKBwckDCoPm17uQ6MTcxODA5OTk4NzE4NzcxMzAwMA; Path=/git-staging; Max-Age=86400; HttpOnly; SameSite=Lax
Set-Cookie: i_like_gitea=; Path=/git-staging/; Max-Age=0; HttpOnly; SameSite=Lax
Set-Cookie: i_like_gitea=fb422c79cf11bd1f; Path=/git-staging; HttpOnly; SameSite=Lax
Set-Cookie: lang=; Path=/git-staging/; Max-Age=0; HttpOnly; SameSite=Lax
Set-Cookie: lang=en-US; Path=/git-staging; HttpOnly; SameSite=Lax
Set-Cookie: _csrf=; Path=/git-staging; Max-Age=0; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Gitea-Debug: RUN_MODE=dev
Date: Tue, 11 Jun 2024 09:59:47 GMT
Content-Length: 0
Connection: close

Tinyproxy tells browsers

HTTP/1.1 303 See Other
Via: 1.1 tinyproxy (tinyproxy/1.11.2)
Cache-Control: max-age=0, private, must-revalidate, no-transform
Content-Type: text/plain; charset=utf-8
Location: /git-staging/
Set-Cookie: _csrf=en3AFom-bfjvNKBwckDCoPm17uQ6MTcxODA5OTk4NzE4NzcxMzAwMA; Path=/git-staging; Max-Age=86400; HttpOnly; SameSite=Lax

!!!!!!!! HERE, all other cookies are lost !!!!!!!!!!

Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Gitea-Debug: RUN_MODE=dev
Date: Tue, 11 Jun 2024 09:59:47 GMT
Content-Length: 0

Tinyproxy loses most cookies for browsers.

@wxiaoguang commented on GitHub (Jun 11, 2024): I think it is a bug in tinyproxy. By using `tcpdump`, I can see: #### Gitea tells tinyproxy: ``` HTTP/1.1 303 See Other Cache-Control: max-age=0, private, must-revalidate, no-transform Content-Type: text/plain; charset=utf-8 Location: /git-staging/ Set-Cookie: _csrf=en3AFom-bfjvNKBwckDCoPm17uQ6MTcxODA5OTk4NzE4NzcxMzAwMA; Path=/git-staging; Max-Age=86400; HttpOnly; SameSite=Lax Set-Cookie: i_like_gitea=; Path=/git-staging/; Max-Age=0; HttpOnly; SameSite=Lax Set-Cookie: i_like_gitea=fb422c79cf11bd1f; Path=/git-staging; HttpOnly; SameSite=Lax Set-Cookie: lang=; Path=/git-staging/; Max-Age=0; HttpOnly; SameSite=Lax Set-Cookie: lang=en-US; Path=/git-staging; HttpOnly; SameSite=Lax Set-Cookie: _csrf=; Path=/git-staging; Max-Age=0; HttpOnly; SameSite=Lax Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN X-Gitea-Debug: RUN_MODE=dev Date: Tue, 11 Jun 2024 09:59:47 GMT Content-Length: 0 Connection: close ``` #### Tinyproxy tells browsers ``` HTTP/1.1 303 See Other Via: 1.1 tinyproxy (tinyproxy/1.11.2) Cache-Control: max-age=0, private, must-revalidate, no-transform Content-Type: text/plain; charset=utf-8 Location: /git-staging/ Set-Cookie: _csrf=en3AFom-bfjvNKBwckDCoPm17uQ6MTcxODA5OTk4NzE4NzcxMzAwMA; Path=/git-staging; Max-Age=86400; HttpOnly; SameSite=Lax !!!!!!!! HERE, all other cookies are lost !!!!!!!!!! Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN X-Gitea-Debug: RUN_MODE=dev Date: Tue, 11 Jun 2024 09:59:47 GMT Content-Length: 0 ``` Tinyproxy loses most cookies for browsers.
GiteaMirror commented 2025-11-02 10:29:47 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 11, 2024):

I would suggest to use a professional reverse proxy like nginx, which is also small enough and I guess it won't cost more resources than tinyproxy.

@wxiaoguang commented on GitHub (Jun 11, 2024): I would suggest to use a professional reverse proxy like nginx, which is also small enough and I guess it won't cost more resources than tinyproxy.
GiteaMirror commented 2025-11-02 10:29:47 -06:00
Author
Owner
Copy Link

@LauKr commented on GitHub (Jun 11, 2024):

Thanks for the effort.
We will try to debug tinyproxy and create a separate issue there. Hopefully observing tinyproxy will show a clear reason why it cannot handle the changes mode by the mentioned commit.
Testing with NGINX looks promising, however we will have to consider the feature set etc. first, before switching.

@LauKr commented on GitHub (Jun 11, 2024): Thanks for the effort. We will try to debug tinyproxy and create a separate issue there. Hopefully observing tinyproxy will show a clear reason why it cannot handle the changes mode by the mentioned commit. Testing with NGINX looks promising, however we will have to consider the feature set etc. first, before switching.
GiteaMirror commented 2025-11-02 10:29:47 -06:00
Author
Owner
Copy Link

@LauKr commented on GitHub (Jun 11, 2024):

For reference, if anyone happens to have the same issue:
https://github.com/tinyproxy/tinyproxy/issues/403 describes a relevant issue:

All but the first of Set-Cookie headers in an HTTP response will be silently dropped by tinyproxy

The corresponding PR is still open: https://github.com/tinyproxy/tinyproxy/pull/435

However, we were able to confirm the fix by building a custom version of tinyproxy. As we use Debian, the Debian repository with corresponding release is used (https://salsa.debian.org/debian/tinyproxy/-/tags/debian%2F1.11.1-2) and the commits are applied on top.

Using this custom version of tinyproxy a login into Gitea is possible.

@wxiaoguang from my side this issue can be closed, as this is evidently no Gitea issue.

@LauKr commented on GitHub (Jun 11, 2024): For reference, if anyone happens to have the same issue: https://github.com/tinyproxy/tinyproxy/issues/403 describes a relevant issue: > All but the first of Set-Cookie headers in an HTTP response will be silently dropped by `tinyproxy` The corresponding PR is still open: https://github.com/tinyproxy/tinyproxy/pull/435 However, we were able to confirm the fix by building a custom version of `tinyproxy`. As we use Debian, the Debian repository with corresponding release is used (https://salsa.debian.org/debian/tinyproxy/-/tags/debian%2F1.11.1-2) and the commits are applied on top. Using this custom version of `tinyproxy` a **login into Gitea is possible**. @wxiaoguang from my side this issue can be closed, as this is evidently no Gitea issue.
GiteaMirror commented 2025-11-02 10:29:47 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 11, 2024):

Thank you very much for the details!

@wxiaoguang commented on GitHub (Jun 11, 2024): Thank you very much for the details!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label issue/needs-feedback issue/not-a-bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#13081
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?