-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pipeline Artifact API provides upload action with external app URL #32554
Comments
LOCAL_ROOT_URL is only designed to be used by gitea's builtin commands, it is never expected to be used out of the local network. In all cases, you should use ROOT_URL |
If you are running Gitea behind a proxy, then you must pass https://docs.gitea.com/administration/reverse-proxies#general-configuration |
I am running Gitea behind a proxy for external requests. I do not expect internal requests coming from runner containers passing through the reverse proxy though, this is why I set LOCAL_ROOT_URL to the container hostname, bypassing the reverse proxy. |
But I do not see why "not expect |
This is the point that I do not understand, internal traffic are generally safer then external, but internals are denied? |
The problem is that the Docker network is dynamic enough that I don't have a specific IP address to whitelist. Since Gitea supports running without a reverse proxy, I expected to be able to route requests from runners to the instance directly.
Could you clarify why LOCAL_ROOT_URL is still being used for the first "Artifact URL" mentioned in my runner logs? |
Maybe there could be some approaches like this, make the containers could use docker host's IP as gitea server's IP , then accessing "http://gitea-server:3000" will be able to go to the "gitea" container.
I just read the description, it said:
So I think it just uses "ROOT_URL" as expected? If you think there is a problem, please show your full config details. |
Not a feasible solution in my case, as I do not want to publish any ports on the host interface. There are two mentions of URLs in the runner log: first one is resolved using LOCAL_ROOT_URL, second one using ROOT_URL:
|
My compose file looks like this:
relevant server section in
runner config:
|
That would also not work if |
It seems that it is from If you would really like make the runner use container's network, it could be like this (still, not perfect, but maybe it works for your usage)
Otherwise, I would suggest you to setup a new nginx container in the docker compose to handle "runner" requests, but not using LOCAL_ROOT_URL (please forget it ....) |
I see, it looks like I was misled there.
On the existing reverse proxy I am already doing this.
I have actually tried this and it resulted in a big warning banner telling me to fix my I guess I will investigate the routing from runner to reverse proxy, make it somewhat deterministic and see if I can find a way to allow traffic.
Possible but not great because of two servers fighting for SSL |
There could be another choice, you could apply a simple patch to build your own program, or introduce a new option to control the "guessing" behavior:
Then:
This approach wasn't used to "guess" the host due to the comment (well, the comment also said so: |
Resolves go-gitea#32554 This option can be set to make Gitea always use the "Host" request header for construction of absolute URLs.
Resolves go-gitea#32554 This option can be set to make Gitea always use the "Host" request header for construction of absolute URLs.
Resolves go-gitea#32554 This option can be set to make Gitea always use the "Host" request header for construction of absolute URLs.
Resolves go-gitea#32554 This option can be set to make Gitea always use the "Host" request header for construction of absolute URLs.
For now, I have solved this issue by configuring the runner to launch containers in a network that my reverse proxy is also part of. This, in combination with an extra argument Nevertheless I have opened a PR #32564 that adds a new config option which would allow targeting Gitea without a reverse proxy - provided that any potential proxy is configured to pass the correct headers. |
Description
My setup is powered by Docker Compose, and I have Gitea and a Gitea Runner instance in the same Docker network. New task containers are also in this network, this is done by setting
container.network: "gitea_default"
in the runner configuration file.There is an external reverse proxy pointing at Gitea for requests from outside. Internal requests are supposed to fail because of a IP allowlist - and I cannot allow the internal Gitea network. Thus, I have to rely on
LOCAL_ROOT_URL
to be used for all internal communication.Unfortunately, it seems that when using the
actions/upload-artifact@v3
action, the runner tries to access Gitea using the externalROOT_URL
: (this is withACTIONS_STEP_DEBUG=true
)As you can see,
Upload Resource URL
is resolved based onROOT_URL
rather thanLOCAL_ROOT_URL
. A similar error appears with (the patched variant of) v4.I took a look at the source code for
actions/upload-artifact@v3
and stumbled upon this: https://github.com/actions/toolkit/blob/%40actions/artifact%401.1.1/packages/artifact/src/internal/artifact-client.ts#L118Here, it appears the URL is provided by an API endpoint. In Gitea, the
fileContainerResourceUrl
is computed here: https://github.com/go-gitea/gitea/blob/main/modules/httplib/url.go#L61It seems to account for the
Host
header here, but only if the request is coming from a reverse proxy (X-Forwarded-Proto
present).I realized I can workaround this problem by running an additional reverse proxy for internal requests, but I'd rather avoid that.
Gitea Version
1.22.3
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
docker compose
How are you running Gitea?
I am using official Gitea Docker images on the
latest
tag.Database
SQLite
The text was updated successfully, but these errors were encountered: