Allow ACME challenge over HTTPS
What does this MR do?
Updates the NGINX config to locally resolve `/.well-known/acme-challenge/*` over HTTPS when Letsencrypt is enabled.
This allows the HTTP-01 challenge to succeed in cases where there are automatic HTTPS redirects at CDN level.
It also restricts the existing HTTP location matcher to `/.well-known/acme-challenge/*`, as the application itself uses a few endpoints there:
- `/.well-known/openid-configuration`
- `/.well-known/webfinger`
- `/.well-known/terraform.json`
- Before: Letsencrypt -> HTTP -> CDN Redirect -> HTTPS -> App Redirect -> `/users/sign_in`
- After: Letsencrypt -> HTTP -> CDN Redirect -> HTTPS -> `/.well-known/acme-challenge/...`
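Illustrative NGINX configuration for the routing described above, added here as an example and not the omnibus-gitlab template itself; the server name, certificate paths, ACME webroot and upstream socket are assumptions.

```nginx
# Example only (not the omnibus-gitlab template). Assumed values:
# server name, certificate paths, ACME webroot, workhorse socket.
upstream gitlab-workhorse {
    server unix:/path/to/gitlab-workhorse/socket;   # assumed path
}

server {
    listen 80;
    server_name gitlab.example.com;

    # Before this change the HTTP matcher covered all of /.well-known/,
    # which also shadowed openid-configuration, webfinger and
    # terraform.json. Now only the ACME challenge path is served from
    # disk; ^~ is a prefix match that skips the regex locations.
    location ^~ /.well-known/acme-challenge/ {
        root /var/opt/gitlab/nginx/www;   # assumed webroot
        default_type text/plain;
    }

    # Everything else on port 80 is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name gitlab.example.com;
    ssl_certificate     /etc/gitlab/ssl/gitlab.example.com.crt;  # assumed
    ssl_certificate_key /etc/gitlab/ssl/gitlab.example.com.key;  # assumed

    # Same webroot over HTTPS: when the CDN rewrites the validator's
    # HTTP request to HTTPS, the token file is still found here instead
    # of hitting the application's sign-in redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /var/opt/gitlab/nginx/www;   # assumed webroot
        default_type text/plain;
    }

    # The application's own /.well-known/* endpoints still reach Rails.
    location / {
        proxy_pass http://gitlab-workhorse;
        proxy_set_header Host $host;
    }
}
```

Run `nginx -t` against the rendered config before reloading; a regex `location ~` for `/.well-known/` elsewhere in the file would otherwise silently take precedence if the `^~` modifier were dropped.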
Related issues
https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/13416
We enforce HTTPS at Cloudflare with Always Use HTTPS, which prevents us from adding an exception for a single path/URL.
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
- Merge Request Title and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
- trigger-package has a green pipeline running against latest commit
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Tests added
- Integration tests added to GitLab QA
- Equivalent MR/issue for the GitLab Chart opened
Edited by Filipe Santos