GitLab Pages not working properly, getting 301 loops
Hi! I know this is about Cloudflare Pages, but I cannot get any location where to even ask my question.
I followed and repeated the guide on GitLab Pages about 5 times now.
https://docs.gitlab.com/ee/user/project/pages/custom_domains_ssl_tls_certification/#for-both-root-and-subdomains
It works for 15 minutes. And then the page starts going into 301 redirect loops, images stop working and eventually its unreachable.
If you have any advice where to turn to please also tell me.
7 Replies
#general-help would be the right channel. Your issue is probably your SSL/TLS Mode (SSL/TLS -> Overview, while in the cf dashboard under your website), should be "Full (Strict)" never "Flexible"
If not that, would be helpful to have the exact link the issue occurs on
I will put more elaborate here, I don't use Discord otherwise, and I don't know how to move the message in the correct place.
you can't move topics/messages, limit of Discord, you can just elaborate here, that's fine
I now enabled the strict mode, which seems to work for one of the subdomains.
I have https://www.fast-order.ninja/, which now seems to work (but might not in a few minutes)
I also have https://fast-order.ninja/, which seems to also work, and previously failed.
Both of these were intended to point to the GitLab Pages, so this part is ok.
However, I also have 2 subdomains that actually point to my real server using A DNS records.
https://table.fast-order.ninja/
https://worker.fast-order.ninja/
Both of these now seem not to work, anymore, and previously worked. What these are is single IP, NGINX proxy routing based on subdomain to 2 different FastAPI REST services.
I do not have any special SSL/TLS certificates setup for the FastAPI endpoints, as I am just experimenting at this point.
yea, so the issue with Gitlab Pages is that with Flexible, it connects over HTTP and Gitlab is redirecting to https forever
and now that you have Full Strict, it's going over HTTPS. Which is great -- it allows Gitlab to work, but it means your other origins now have to support HTTPS (listen on port 443 with a valid certificate) too
The best fix for this is just to deploy HTTPS on them. CF under SSL/TLS -> Origin Server has 15 year long certs trusted by the CF Proxy. It's a bit of a pain to setup if you haven't done so before, but Flexible is lying to your visitors about security and completely insecure. Alternatively you can use Cloudflare Tunnels, has a connector piece which runs on your host and can connect insecurely/not require https, because it's encrypted edge <- internet -> tunnel running on same machine.
With FastAPI, you could use nginx and proxy back over http to them, like tunnels would, or setup https with them directly
You could also deploy a Cloudflare Configuration rule to disable https on those, forgoing any security
I will try the secure setup, this is anyways a learning project with no time pressure so I want to learn all the HTTPS fun. Thank you for the answer, I am really grateful!
Now I also understand better what was going on 🙂
yea, if it took ~15 minutes to kick in, most likely it was Gitlab Pages working over http until they had the certificate issued on their end, and then forcing all traffic over https