Local requests redirected to HTTPS when using Let's Encrypt or redirecting HTTP to HTTPS #2658

Closed
opened 2025-11-02 04:43:45 -06:00 by GiteaMirror · 2 comments
Owner

Originally created by @gregkare on GitHub (Dec 13, 2018).

  • Gitea version (or commit ref): master
  • Operating system: macOS, Linux
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

We ran into this after setting up Let's Encrypt, but I think it's an issue as well with a regular TLS setup with regular certificates. The auto-generated LOCAL_ROOT_URL is https://localhost:${HTTP_PORT}, so internal requests (for example when cloning a repo) are to https://localhost:${HTTP_PORT}/api/internal/repo/user/repo, which doesn't contain a valid cert for localhost. Setting it to http://localhost:${PORT_TO_REDIRECT} does not help, as all requests not going to the Let's Encrypt validation endpoint (/.well-known/acme-challenge/*) get redirected to HTTPS. So as far as I can see it's also the case when not using Let's Encrypt but REDIRECT_OTHER_PORT is set to true

We worked around it by setting LOCAL_ROOT_URL = https://example.com/, making the requests go through the public URL using TLS.

Local requests should probably not be redirected to HTTPS. If not, then the TLS and Let's Encrypt guides should mention that having to set LOCAL_ROOT_URL to the domain name is required.

What do you think?

Originally created by @gregkare on GitHub (Dec 13, 2018). - Gitea version (or commit ref): master - Operating system: macOS, Linux - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant ## Description We ran into this after setting up Let's Encrypt, but I think it's an issue as well with a regular TLS setup with regular certificates. The auto-generated `LOCAL_ROOT_URL` is `https://localhost:${HTTP_PORT}`, so internal requests (for example when cloning a repo) are to `https://localhost:${HTTP_PORT}/api/internal/repo/user/repo`, which doesn't contain a valid cert for localhost. Setting it to `http://localhost:${PORT_TO_REDIRECT}` does not help, as all requests not going to the Let's Encrypt validation endpoint (`/.well-known/acme-challenge/*`) get redirected to HTTPS. So as far as I can see it's also the case when not using Let's Encrypt but `REDIRECT_OTHER_PORT` is set to `true` We worked around it by setting `LOCAL_ROOT_URL = https://example.com/`, making the requests go through the public URL using TLS. Local requests should probably not be redirected to HTTPS. If not, then the TLS and Let's Encrypt guides should mention that having to set `LOCAL_ROOT_URL` to the domain name is required. What do you think?
GiteaMirror added the type/docs label 2025-11-02 04:43:45 -06:00
Author
Owner

@techknowlogick commented on GitHub (Dec 21, 2018):

I think maybe setting LOCAL_ROOT_URL to ROOT_URL if LE is enabled (I think that is what you are suggesting in your 2nd paragraph) is the best route, as then it won't fail due to localhost not having a valid cert.

However, docs with this caveat are also accepted.

@techknowlogick commented on GitHub (Dec 21, 2018): I think maybe setting `LOCAL_ROOT_URL` to `ROOT_URL` if LE is enabled (I think that is what you are suggesting in your 2nd paragraph) is the best route, as then it won't fail due to localhost not having a valid cert. However, docs with this caveat are also accepted.
Author
Owner

@techknowlogick commented on GitHub (Jan 31, 2019):

This has been solved in another PR

@techknowlogick commented on GitHub (Jan 31, 2019): This has been solved in another PR
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#2658