github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-13 02:57:44 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

migrations.ALLOWED_DOMAINS config value does not default to allow everything #13343

New Issue
Open
opened 2025-11-02 10:39:04 -06:00 by GiteaMirror · 33 comments
GiteaMirror commented 2025-11-02 10:39:04 -06:00
Owner
Copy Link

Originally created by @mpeter50 on GitHub (Jul 30, 2024).

Description

Repositories can not be migrated anymore unless the following lines are present in Gitea's configuration file:

[migrations]
ALLOWED_DOMAINS = *

When this not present, starting a mirror migration from github.com results in this error message being shown:

image

The documentation's config cheat sheet for v1.22.1 tells that if this config value is undefined, it should not block anything:

ALLOWED_DOMAINS: empty: Domains allowlist for migrating repositories, default is blank. It means everything will be allowed.

I have first noticed this issue in v1.22.0, and the issue is also present after updating to v1.22.1.
On an other instance of mine, which is still running v1.21.4, migrations can be created fine, without overriding the default value of the migrations.ALLOWED_DOMAINS.

Gitea Version

v1.22.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/mpeter50/8a50ed8f4605ee833b3e7dc552e6eb2b

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker Compose, with a locally built image from unmodified source at versioned tag.

Database

MySQL/MariaDB

Originally created by @mpeter50 on GitHub (Jul 30, 2024). ### Description Repositories can not be migrated anymore unless the following lines are present in Gitea's configuration file: ```ini [migrations] ALLOWED_DOMAINS = * ``` When this not present, starting a mirror migration from github.com results in this error message being shown: ![image](https://github.com/user-attachments/assets/8678a213-b04c-4c4c-a451-da016239b156) The documentation's config cheat sheet for v1.22.1 tells that if this config value is undefined, it should not block anything: > `ALLOWED_DOMAINS`: **_empty_**: Domains allowlist for migrating repositories, default is blank. It means everything will be allowed. I have first noticed this issue in v1.22.0, and the issue is also present after updating to v1.22.1. On an other instance of mine, which is still running `v1.21.4`, migrations can be created fine, without overriding the default value of the `migrations.ALLOWED_DOMAINS`. ### Gitea Version v1.22.1 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist https://gist.github.com/mpeter50/8a50ed8f4605ee833b3e7dc552e6eb2b ### Screenshots _No response_ ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? Docker Compose, with a locally built image from unmodified source at versioned tag. ### Database MySQL/MariaDB
GiteaMirror added the topic/repo-migrationtype/bug labels 2025-11-02 10:39:04 -06:00
GiteaMirror commented 2025-11-02 10:39:05 -06:00
Author
Owner
Copy Link

@yp05327 commented on GitHub (Jul 30, 2024):

Can you provide more settings in your app.ini?
I tested it in local, and there's no problem to migration from Github.

@yp05327 commented on GitHub (Jul 30, 2024): Can you provide more settings in your app.ini? I tested it in local, and there's no problem to migration from Github.
GiteaMirror commented 2025-11-02 10:39:05 -06:00
Author
Owner
Copy Link

@Dev-Wiki commented on GitHub (Aug 19, 2024):

我的也是如此,配置如下:

APP_NAME = DevWiki Gitea
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea

[repository]
ROOT = /data/git/repositories

[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo

[repository.upload]
TEMP_PATH = /data/gitea/uploads

[server]
APP_DATA_PATH = /data/gitea
DOMAIN = git.devwiki.net
SSH_DOMAIN = git.devwiki.net
HTTP_PORT = 此处打码
ROOT_URL = https://git.devwiki.net/
DISABLE_SSH = false
START_SSH_SERVER = true
SSH_PORT = 22
SSH_LISTEN_PORT = 此处打码
LFS_START_SERVER = true
LFS_JWT_SECRET = 此处打码
OFFLINE_MODE = false
LANDING_PAGE = explore

[lsf]
PATH = /data/git/lfs

[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD = 
LOG_SQL = false
SCHEMA = 
SSL_MODE = disable
CHARSET = utf8

[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve

[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file

[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
DISABLE_GRAVATAR = false
ENABLE_FEDERATED_AVATAR = true

[attachment]
PATH = /data/gitea/attachments

[log]
MODE = console
LEVEL = info
## ROUTER = console
ROOT_PATH = /data/gitea/log

[security]
INSTALL_LOCK = true
LOGIN_REMEMBER_DAYS = 3
SECRET_KEY = 
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = 此处打码
PASSWORD_HASH_ALGO = 此处打码

[service]
# 禁用注册,启用后只能用管理员添加用户
DISABLE_REGISTRATION = true
# 是否所有页面都必须登录后才可访问
REQUIRE_SIGNIN_VIEW = false
# 是否显示注册按钮
SHOW_REGISTRATION_BUTTON = false
# 启用注册邮件激活,前提是 Mailer 已经启用
REGISTER_EMAIL_CONFIRM = false
# 是否发送工单创建等提醒邮件,需要 Mailer 被激活
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = true
REQUIRE_CAPTCHA_FOR_LOGIN = true
DEFAULT_KEEP_EMAIL_PRIVATE = true
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
RESET_PASSWD_CODE_LIVE_MINUTES = 5
ENABLE_CACHE_AVATAR = true

[migrations]
ALLOWED_DOMAINS = 
ALLOW_LOCALNETWORKS = true
SKIP_TLS_VERIFY = true
BLOCKED_DOMAINS = 

[mailer]
ENABLED = false

[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false

[oauth2]
JWT_SECRET = 此处打码
@Dev-Wiki commented on GitHub (Aug 19, 2024): 我的也是如此,配置如下: ```ini APP_NAME = DevWiki Gitea RUN_MODE = prod RUN_USER = git WORK_PATH = /data/gitea [repository] ROOT = /data/git/repositories [repository.local] LOCAL_COPY_PATH = /data/gitea/tmp/local-repo [repository.upload] TEMP_PATH = /data/gitea/uploads [server] APP_DATA_PATH = /data/gitea DOMAIN = git.devwiki.net SSH_DOMAIN = git.devwiki.net HTTP_PORT = 此处打码 ROOT_URL = https://git.devwiki.net/ DISABLE_SSH = false START_SSH_SERVER = true SSH_PORT = 22 SSH_LISTEN_PORT = 此处打码 LFS_START_SERVER = true LFS_JWT_SECRET = 此处打码 OFFLINE_MODE = false LANDING_PAGE = explore [lsf] PATH = /data/git/lfs [database] PATH = /data/gitea/gitea.db DB_TYPE = sqlite3 HOST = localhost:3306 NAME = gitea USER = root PASSWD = LOG_SQL = false SCHEMA = SSL_MODE = disable CHARSET = utf8 [indexer] ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve [session] PROVIDER_CONFIG = /data/gitea/sessions PROVIDER = file [picture] AVATAR_UPLOAD_PATH = /data/gitea/avatars REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars DISABLE_GRAVATAR = false ENABLE_FEDERATED_AVATAR = true [attachment] PATH = /data/gitea/attachments [log] MODE = console LEVEL = info ## ROUTER = console ROOT_PATH = /data/gitea/log [security] INSTALL_LOCK = true LOGIN_REMEMBER_DAYS = 3 SECRET_KEY = REVERSE_PROXY_LIMIT = 1 REVERSE_PROXY_TRUSTED_PROXIES = * INTERNAL_TOKEN = 此处打码 PASSWORD_HASH_ALGO = 此处打码 [service] # 禁用注册,启用后只能用管理员添加用户 DISABLE_REGISTRATION = true # 是否所有页面都必须登录后才可访问 REQUIRE_SIGNIN_VIEW = false # 是否显示注册按钮 SHOW_REGISTRATION_BUTTON = false # 启用注册邮件激活,前提是 Mailer 已经启用 REGISTER_EMAIL_CONFIRM = false # 是否发送工单创建等提醒邮件,需要 Mailer 被激活 ENABLE_NOTIFY_MAIL = false ALLOW_ONLY_EXTERNAL_REGISTRATION = false ENABLE_CAPTCHA = true REQUIRE_CAPTCHA_FOR_LOGIN = true DEFAULT_KEEP_EMAIL_PRIVATE = true DEFAULT_ALLOW_CREATE_ORGANIZATION = true DEFAULT_ENABLE_TIMETRACKING = true NO_REPLY_ADDRESS = noreply.localhost RESET_PASSWD_CODE_LIVE_MINUTES = 5 ENABLE_CACHE_AVATAR = true [migrations] ALLOWED_DOMAINS = ALLOW_LOCALNETWORKS = true SKIP_TLS_VERIFY = true BLOCKED_DOMAINS = [mailer] ENABLED = false [openid] ENABLE_OPENID_SIGNIN = false ENABLE_OPENID_SIGNUP = false [oauth2] JWT_SECRET = 此处打码 ```
GiteaMirror commented 2025-11-02 10:39:05 -06:00
Author
Owner
Copy Link

@Dev-Wiki commented on GitHub (Aug 19, 2024):

经测试,ALLOWED_DOMAINS 设置为空不行, 必须设置具体的域名才可以

[migrations]
ALLOWED_DOMAINS = 
ALLOW_LOCALNETWORKS = true
SKIP_TLS_VERIFY = true
BLOCKED_DOMAINS =
@Dev-Wiki commented on GitHub (Aug 19, 2024): 经测试,ALLOWED_DOMAINS 设置为空不行, 必须设置具体的域名才可以 ```ini [migrations] ALLOWED_DOMAINS = ALLOW_LOCALNETWORKS = true SKIP_TLS_VERIFY = true BLOCKED_DOMAINS = ```
GiteaMirror commented 2025-11-02 10:39:05 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 19, 2024):

Oh, totally forgot about this, sorry.

This is my app.ini. I have redacted a few things.

https://gist.github.com/mpeter50/ae8b4341f0eac3587e31b5e1c22efdfc

@mpeter50 commented on GitHub (Aug 19, 2024): Oh, totally forgot about this, sorry. This is my app.ini. I have redacted a few things. https://gist.github.com/mpeter50/ae8b4341f0eac3587e31b5e1c22efdfc
GiteaMirror commented 2025-11-02 10:39:05 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 19, 2024):

@Dev-Wiki are you having the same problem?

@mpeter50 commented on GitHub (Aug 19, 2024): @Dev-Wiki are you having the same problem?
GiteaMirror commented 2025-11-02 10:39:05 -06:00
Author
Owner
Copy Link

@lunny commented on GitHub (Aug 19, 2024):

I cannot reproduce this on main branch(0d24c9f383) and release/v1.22 branch(3913ef69d5)

@lunny commented on GitHub (Aug 19, 2024): I cannot reproduce this on main branch(0d24c9f383255605d68a92cc5f087c3f16a1d735) and release/v1.22 branch(3913ef69d5a9a268bc44ef17a3bb8717ba924627)
GiteaMirror commented 2025-11-02 10:39:06 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 20, 2024):

To be more complete, these are the complete migration settings:

image

Maybe this is helpful. Not sure why did I cut the issue screenshot that way.
Please note that this is a different repo that the one in the issue screenshot.

@mpeter50 commented on GitHub (Aug 20, 2024): To be more complete, these are the complete migration settings: ![image](https://github.com/user-attachments/assets/b206d743-9578-4a3e-8b60-b405e79a84fc) Maybe this is helpful. Not sure why did I cut the issue screenshot that way. Please note that this is a different repo that the one in the issue screenshot.
GiteaMirror commented 2025-11-02 10:39:06 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 20, 2024):

Hmm just did an additional test, and maybe this is happening while the Gitea container does not have internet access, e.g. because of container settings.

Of course its fine that it cannot do the migration without access to the source service. The problem may be that the failure is handled incorrectly.

If you have the capacity, it might be nice to allow creating migrations regardless of accessibility of the source service, but delay it until intenet access is available. It could be useful for when internet is genuinely not accessible for some time, or for when the target server is unstable, so that users may have a slightly easier time rescuing their repos. Not sure how realistic are these scenarios, probably not too much.

@mpeter50 commented on GitHub (Aug 20, 2024): Hmm just did an additional test, and maybe this is happening while the Gitea container does not have internet access, e.g. because of container settings. Of course its fine that it cannot do the migration without access to the source service. The problem may be that the failure is handled incorrectly. If you have the capacity, it might be nice to allow creating migrations regardless of accessibility of the source service, but delay it until intenet access is available. It could be useful for when internet is genuinely not accessible for some time, or for when the target server is unstable, so that users may have a slightly easier time rescuing their repos. Not sure how realistic are these scenarios, probably not too much.
GiteaMirror commented 2025-11-02 10:39:06 -06:00
Author
Owner
Copy Link

@yp05327 commented on GitHub (Aug 20, 2024):

I also cannot reproduce it in main and release 1.22

@yp05327 commented on GitHub (Aug 20, 2024): I also cannot reproduce it in main and release 1.22
GiteaMirror commented 2025-11-02 10:39:07 -06:00
Author
Owner
Copy Link

@Dev-Wiki commented on GitHub (Aug 20, 2024):

@Dev-Wiki are you having the same problem?

problem resolved!

ini config for this:

[migrations]
ALLOW_LOCALNETWORKS = true
SKIP_TLS_VERIFY = true
ALLOWED_DOMAINS = *
BLOCKED_DOMAINS =

use * not empty!
use * not empty!
use * not empty!

@Dev-Wiki commented on GitHub (Aug 20, 2024): > @Dev-Wiki are you having the same problem? problem resolved! ini config for this: ```ini [migrations] ALLOW_LOCALNETWORKS = true SKIP_TLS_VERIFY = true ALLOWED_DOMAINS = * BLOCKED_DOMAINS = ``` use * not empty! use * not empty! use * not empty!
GiteaMirror commented 2025-11-02 10:39:07 -06:00
Author
Owner
Copy Link

@Dev-Wiki commented on GitHub (Aug 20, 2024):

I also cannot reproduce it in main and release 1.22

problem resolved!

ini config for this:

[migrations]
ALLOW_LOCALNETWORKS = true
SKIP_TLS_VERIFY = true
ALLOWED_DOMAINS = *
BLOCKED_DOMAINS =

use * not empty!
use * not empty!
use * not empty!

@Dev-Wiki commented on GitHub (Aug 20, 2024): > I also cannot reproduce it in main and release 1.22 problem resolved! ini config for this: ```ini [migrations] ALLOW_LOCALNETWORKS = true SKIP_TLS_VERIFY = true ALLOWED_DOMAINS = * BLOCKED_DOMAINS = ``` use * not empty! use * not empty! use * not empty!
GiteaMirror commented 2025-11-02 10:39:07 -06:00
Author
Owner
Copy Link

@yp05327 commented on GitHub (Aug 20, 2024):

@mpeter50 has mentioned this in the description

image

But I can not reproduce it even I left it empty in my app.ini

@yp05327 commented on GitHub (Aug 20, 2024): @mpeter50 has mentioned this in the description ![image](https://github.com/user-attachments/assets/4afbafcf-bf0f-4442-9972-b98072b18385) But I can not reproduce it even I left it empty in my app.ini
GiteaMirror commented 2025-11-02 10:39:07 -06:00
Author
Owner
Copy Link

@Dev-Wiki commented on GitHub (Aug 20, 2024):

@mpeter50 has mentioned this in the description

image

But I can not reproduce it even I left it empty in my app.ini

你使用的什么版本? 我是1.22.1, 这样配置没有提示任何错误, 但是我本地重新搭建了一个gitea 使用1.22.0 什么都没配置这个, 也能迁移任意网站, 现在还不清楚这个设置的逻辑.
我这个配置目前只在我自己的nas上测试可以,

另外一种可用的方式为:

[migrations]
ALLOW_LOCALNETWORKS = true
SKIP_TLS_VERIFY = true
ALLOWED_DOMAINS = *.github.com,github.com
@Dev-Wiki commented on GitHub (Aug 20, 2024): > @mpeter50 has mentioned this in the description > > ![image](https://private-user-images.githubusercontent.com/18380374/359311067-4afbafcf-bf0f-4442-9972-b98072b18385.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjQxMTk2MzAsIm5iZiI6MTcyNDExOTMzMCwicGF0aCI6Ii8xODM4MDM3NC8zNTkzMTEwNjctNGFmYmFmY2YtYmYwZi00NDQyLTk5NzItYjk4MDcyYjE4Mzg1LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA4MjAlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwODIwVDAyMDIxMFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTdkZWFkZTFjZTBhOWQ1NmZhOTQ5NmIyYmQ4MzM1OWRjMWZkMGNhMWJhNThjYmU2NzFhOTFkNWU4ODkwZjA3OGYmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.Fl3K6CfaQa7EnSpuS-llqPjEgcAwdp7f1nHF17pIBS4) > > But I can not reproduce it even I left it empty in my app.ini 你使用的什么版本? 我是1.22.1, 这样配置没有提示任何错误, 但是我本地重新搭建了一个gitea 使用1.22.0 什么都没配置这个, 也能迁移任意网站, 现在还不清楚这个设置的逻辑. 我这个配置目前只在我自己的nas上测试可以, 另外一种可用的方式为: ```ini [migrations] ALLOW_LOCALNETWORKS = true SKIP_TLS_VERIFY = true ALLOWED_DOMAINS = *.github.com,github.com ```
GiteaMirror commented 2025-11-02 10:39:07 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Aug 20, 2024):

The reason is simple: the sentence Blank means everything will be allowed. is wrong, it is from #13610 (2020-11-29), which is older than the security fix by #17605 & #20016 (2021-11-20, 2022-06-19), since #17605, "empty" means allowing external hosts by default, but some document updating was forgotten at that time.

The document is just outdated and needs to be updated.

@wxiaoguang commented on GitHub (Aug 20, 2024): The reason is simple: the sentence `Blank means everything will be allowed.` is wrong, it is from #13610 (2020-11-29), which is older than the security fix by #17605 & #20016 (2021-11-20, 2022-06-19), since #17605, "empty" means allowing external hosts by default, but some document updating was forgotten at that time. The document is just outdated and needs to be updated.
GiteaMirror commented 2025-11-02 10:39:08 -06:00
Author
Owner
Copy Link

@lunny commented on GitHub (Aug 20, 2024):

The reason is simple: the sentence Blank means everything will be allowed. is wrong, it is from #13610 (2020-11-29), which is older than the security fix by #17605 & #20016 (2021-11-20, 2022-06-19), since #17605, "empty" means allowing external hosts by default, but some document updating was forgotten at that time.

The document is just outdated and needs to be updated.

Yes, see https://gitea.com/gitea/docs/pulls/55 .
But from the screenshot, it's migrating from github.com which should be an external address.

@lunny commented on GitHub (Aug 20, 2024): > The reason is simple: the sentence `Blank means everything will be allowed.` is wrong, it is from #13610 (2020-11-29), which is older than the security fix by #17605 & #20016 (2021-11-20, 2022-06-19), since #17605, "empty" means allowing external hosts by default, but some document updating was forgotten at that time. > > The document is just outdated and needs to be updated. Yes, see https://gitea.com/gitea/docs/pulls/55 . But from the screenshot, it's migrating from github.com which should be an external address.
GiteaMirror commented 2025-11-02 10:39:08 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Aug 20, 2024):

Oh yes, re-read the code again, it is a bug. Will fix it.

@wxiaoguang commented on GitHub (Aug 20, 2024): ~~Oh yes, re-read the code again, it is a bug. Will fix it.~~
GiteaMirror commented 2025-11-02 10:39:08 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Aug 20, 2024):

Well, no code problem, it is well covered by a test. Maybe some users are using fake-IP proxies to access GitHub?

image

@wxiaoguang commented on GitHub (Aug 20, 2024): Well, no code problem, it is well covered by a test. Maybe some users are using fake-IP proxies to access GitHub? ![image](https://github.com/user-attachments/assets/9433b539-5cab-43fb-acdc-9e89a623c232)
GiteaMirror commented 2025-11-02 10:39:08 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 20, 2024):

To add a bit of a clarification, it seems that to me the problem was caused by my Gitea container being configured like this:

image

The proxy net is a reverse proxy through which I access Gitea, it does not work in the other direction.
Normally the container is not given the network that Docker Compose calls as default, and that means Gitea does not have access to the network to which the Docker Host is connected. This is when the discussed error occurs.
When I uncomment the default network, and recreate the Gitea container, the migration will work on the next try.

@mpeter50 commented on GitHub (Aug 20, 2024): To add a bit of a clarification, it seems that to me the problem was caused by my Gitea container being configured like this: ![image](https://github.com/user-attachments/assets/44a2e705-1a32-465a-9a4f-10cb371d1bec) The proxy net is a reverse proxy through which I access Gitea, it does not work in the other direction. Normally the container is not given the network that Docker Compose calls as `default`, and that means Gitea does not have access to the network to which the Docker Host is connected. This is when the discussed error occurs. When I uncomment the `default` network, and recreate the Gitea container, the migration will work on the next try.
GiteaMirror commented 2025-11-02 10:39:09 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Aug 20, 2024):

Well, that's my guess, you are using proxy for external access ......

@wxiaoguang commented on GitHub (Aug 20, 2024): Well, that's my guess, you are using proxy for external access ......
GiteaMirror commented 2025-11-02 10:39:09 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 20, 2024):

Well, no code problem, it is well covered by a test. Maybe some users are using fake-IP proxies to access GitHub?

I do not know about such happening here. I have an internal DNS server if that counts, but shouldnt modify anything.

@mpeter50 commented on GitHub (Aug 20, 2024): > Well, no code problem, it is well covered by a test. Maybe some users are using fake-IP proxies to access GitHub? I do not know about such happening here. I have an internal DNS server if that counts, but shouldnt modify anything.
GiteaMirror commented 2025-11-02 10:39:09 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Aug 20, 2024):

More contexts:

@wxiaoguang commented on GitHub (Aug 20, 2024): More contexts: * #20325 * #20328
GiteaMirror commented 2025-11-02 10:39:09 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 20, 2024):

This is the definition of the proxy network from above:

image

Here it is seen that it is externally defined, outside of the compose file.
According to running docker network inspect proxy-internal, the network only hosts a few other services' frontends, and an Nginx, which is only configured as a reverse proxy.

The default network is a network created by docker compose, technically named as gitea_default, according to docker network inspect gitea_default it uses the bridge driver. Only the Gitea container is connected to it.

@mpeter50 commented on GitHub (Aug 20, 2024): This is the definition of the `proxy` network from above: ![image](https://github.com/user-attachments/assets/6e909812-6d41-4f00-b0f2-fe4b5c1fcab1) Here it is seen that it is externally defined, outside of the compose file. According to running `docker network inspect proxy-internal`, the network only hosts a few other services' frontends, and an Nginx, which is only configured as a reverse proxy. The `default` network is a network created by docker compose, technically named as `gitea_default`, according to `docker network inspect gitea_default` it uses the bridge driver. Only the Gitea container is connected to it.
GiteaMirror commented 2025-11-02 10:39:10 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 20, 2024):

If I can help with diagnosing in any way, let me know.

This is the result of nslookup github.com executed inside the Gitea container when it is not given access to the internet:

sudo docker exec -it gitea bash
fce11f93a4df:/var/lib/gitea$ nslookup github.com
Server:         127.0.0.11
Address:        127.0.0.11:53

** server can't find github.com: SERVFAIL

** server can't find github.com: SERVFAIL

fce11f93a4df:/var/lib/gitea$

This is the result of nslookup github.com executed inside the Gitea container when it is given access to the internet:

sudo docker exec -it gitea bash
cd1b6e0424cd:/var/lib/gitea$ nslookup github.com
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:

Non-authoritative answer:
Name:   github.com
Address: 140.82.121.4

cd1b6e0424cd:/var/lib/gitea$
@mpeter50 commented on GitHub (Aug 20, 2024): If I can help with diagnosing in any way, let me know. This is the result of `nslookup github.com` executed inside the Gitea container when it is not given access to the internet: ``` sudo docker exec -it gitea bash fce11f93a4df:/var/lib/gitea$ nslookup github.com Server: 127.0.0.11 Address: 127.0.0.11:53 ** server can't find github.com: SERVFAIL ** server can't find github.com: SERVFAIL fce11f93a4df:/var/lib/gitea$ ``` This is the result of `nslookup github.com` executed inside the Gitea container when it is given access to the internet: ``` sudo docker exec -it gitea bash cd1b6e0424cd:/var/lib/gitea$ nslookup github.com Server: 127.0.0.11 Address: 127.0.0.11:53 Non-authoritative answer: Non-authoritative answer: Name: github.com Address: 140.82.121.4 cd1b6e0424cd:/var/lib/gitea$ ```
GiteaMirror commented 2025-11-02 10:39:10 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 20, 2024):

I was wondering if maybe Gitea would be processing the SERVFAIL response as an empty IP address being resolved or something like that, when trying to check if the migration source is allowed, and detecting that as a not-a-public address?

@mpeter50 commented on GitHub (Aug 20, 2024): I was wondering if maybe Gitea would be processing the SERVFAIL response as an empty IP address being resolved or something like that, when trying to check if the migration source is allowed, and detecting that as a not-a-public address?
GiteaMirror commented 2025-11-02 10:39:10 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Aug 20, 2024):

Sorry but no more idea from my side ..... maybe it needs a reproducible setup and some code level debugging work, I am not able to provide more support at the moment. (and will leave keyboard for a while)

@wxiaoguang commented on GitHub (Aug 20, 2024): Sorry but no more idea from my side ..... maybe it needs a reproducible setup and some code level debugging work, I am not able to provide more support at the moment. (and will leave keyboard for a while)
GiteaMirror commented 2025-11-02 10:39:10 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Aug 20, 2024):

I just noticed that there are related entries in the System Notices:

image

However, by doing further tries with revoked internet access, these do not appear to be generated when the discussed disallowed host error apepars. I have tried to migrate a new repo several times, every time producing the error, but no new system notices have appeared.

@mpeter50 commented on GitHub (Aug 20, 2024): I just noticed that there are related entries in the System Notices: ![image](https://github.com/user-attachments/assets/18bfc356-e5e6-4660-861b-083db731682e) However, by doing further tries with revoked internet access, these do not appear to be generated when the discussed disallowed host error apepars. I have tried to migrate a new repo several times, every time producing the error, but no new system notices have appeared.
GiteaMirror commented 2025-11-02 10:39:10 -06:00
Author
Owner
Copy Link

@yp05327 commented on GitHub (Aug 20, 2024):

By the hit from https://github.com/go-gitea/gitea/issues/31733#issuecomment-2297912917 and https://github.com/go-gitea/gitea/issues/31733#issuecomment-2297872720

I added this in my hosts

127.0.0.1 github.com

Then I got the same error.

@yp05327 commented on GitHub (Aug 20, 2024): By the hit from https://github.com/go-gitea/gitea/issues/31733#issuecomment-2297912917 and https://github.com/go-gitea/gitea/issues/31733#issuecomment-2297872720 I added this in my hosts ``` 127.0.0.1 github.com ``` Then I got the same error.
GiteaMirror commented 2025-11-02 10:39:11 -06:00
Author
Owner
Copy Link

@GiteaBot commented on GitHub (Sep 20, 2024):

We close issues that need feedback from the author if there were no new comments for a month. 🍵

@GiteaBot commented on GitHub (Sep 20, 2024): We close issues that need feedback from the author if there were no new comments for a month. :tea:
GiteaMirror commented 2025-11-02 10:39:11 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Sep 22, 2024):

Can we reopen this issue? I do not know what additional feedback I can give. Though if you ask for something, of course I may be able to give more information.

@mpeter50 commented on GitHub (Sep 22, 2024): Can we reopen this issue? I do not know what additional feedback I can give. Though if you ask for something, of course I may be able to give more information.
GiteaMirror commented 2025-11-02 10:39:11 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Oct 6, 2024):

I do not know what additional feedback I can give. Though if you ask for something, of course I may be able to give more information.

https://github.com/go-gitea/gitea/issues/31733#issuecomment-2297915772

it needs a reproducible setup (to make sure others could reproduce in their environments)

@wxiaoguang commented on GitHub (Oct 6, 2024): > I do not know what additional feedback I can give. Though if you ask for something, of course I may be able to give more information. https://github.com/go-gitea/gitea/issues/31733#issuecomment-2297915772 it needs a reproducible setup (to make sure others could reproduce in their environments)
GiteaMirror commented 2025-11-02 10:39:11 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Oct 6, 2024):

I will try to make a copy of the instance and trim it down to what is needed for this to happen. This will take some time, though.

If anyone else having this issue is reading this, please consider of you can make a reproducer too.

@mpeter50 commented on GitHub (Oct 6, 2024): I will try to make a copy of the instance and trim it down to what is needed for this to happen. This will take some time, though. If anyone else having this issue is reading this, please consider of you can make a reproducer too.
GiteaMirror commented 2025-11-02 10:39:11 -06:00
Author
Owner
Copy Link

@GiteaBot commented on GitHub (Nov 6, 2024):

We close issues that need feedback from the author if there were no new comments for a month. 🍵

@GiteaBot commented on GitHub (Nov 6, 2024): We close issues that need feedback from the author if there were no new comments for a month. :tea:
GiteaMirror commented 2025-11-02 10:39:12 -06:00
Author
Owner
Copy Link

@mpeter50 commented on GitHub (Nov 6, 2024):

Can we reopen this issue? I did not yet find the time to make a minimal reproducer installation.

@mpeter50 commented on GitHub (Nov 6, 2024): Can we reopen this issue? I did not yet find the time to make a minimal reproducer installation.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label topic/repo-migration type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#13343
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?