Apache-2 with reverse proxy and sub-url broken

[piyo]

First, thank you for this useful software.

Describe the bug
Commit 648d9e2 and after does not write the correct URLs for reverse proxying and sub-url with Apache 2, even after replacing the deprecated app.ini::[Server]ROOT_URL with app.ini::[Server]EXTERNAL_URL, causing the web client to be redirected to unexpected urls.

Gogs version or commit
648d9e2 "conf: overhaul server settings (#5928)" (2020-02-22 09:05:26 +0800 )
First appearance of undesired behavior.
The previous commit
5b14cc6 "docker: update link to Docker Hub and add info for gogs-rpi" works correctly.
I have checked the most recent commit, fe7b094 and it does not work correctly.

All gogs binaries were obtained from https://packager.io/gh/gogs/gogs

Git version
2.20.1

Operating system
Debian 10 (buster) x86_64

Database
sqlite

To Reproduce
Steps to reproduce the behavior:

1. Implement https://gogs.io/docs/intro/faqs#how-do-i-set-up-a-sub-url-with-apache-2%3F with self-signed cert. This means Apache 2 server is at https://internal-server.example.net:443 and gogs server is http://127.0.0.1:3000.
2. curl -i https://internal-server.example.net/gogs
3. See the found link does not have "/gogs" as a prefix. Also a normal web browser does not show a gogs web page.

Can you reproduce the bug at https://try.gogs.io?
No, cannot implement sub-url there.

Expected behavior

I have been using the configuration "apache-2-with-reverse-proxy" and "sub-url" by setting app.ini::[Server]ROOT_URL and apache.conf::ProxyPass, etc. as shown at:
https://gogs.io/docs/intro/faqs#how-do-i-set-up-a-sub-url-with-apache-2%3F

Curl shows this: (OK)

> curl -i https://internal-server.example.net/gogs
HTTP/1.1 302 Found
Date: Mon, 02 Mar 2020 15:53:53 GMT
Server: Apache/2.4.38 (Debian)
Content-Type: text/html; charset=utf-8
Location: /gogs/user/login
Content-Length: 39
Set-Cookie: lang=en-US; Path=/gogs; Max-Age=2147483647
Set-Cookie: i_like_gogits=HEX; Path=/gogs; HttpOnly
Set-Cookie: _csrf=HEX; Path=/gogs; Expires=Tue, 03 Mar 2020 15:53:53 GMT
Set-Cookie: redirect_to=%252Fgogs%252F; Path=/gogs

<a href="/gogs/user/login">Found</a>.

Actual behavior

However commit 648d9e2 and after shows the following behavior, and ultimately I cannot log into my gogs server. Replacing [Server]ROOT_URL with [Server]EXTERNAL_URL does not fix the situation.
Notice "Location:" header is not /gogs/user/login.
Notice Set-Cookie::Path=/ instead of Set-Cookie::Path=/gogs.
Notice link is "/user/login" instead of "/gogs/user/login"

Curl shows this: (NG)

> curl -i https://internal-server.example.net/gogs
HTTP/1.1 302 Found
Date: Mon, 02 Mar 2020 15:14:42 GMT
Server: Apache/2.4.38 (Debian)
Content-Type: text/html; charset=utf-8
Location: /user/login
Content-Length: 34
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gogits=HEX; Path=/; HttpOnly
Set-Cookie: _csrf=HEX; Path=/; Expires=Tue, 03 Mar 2020 15:14:42 GMT
Set-Cookie: redirect_to=%252F; Path=/

<a href="/user/login">Found</a>.

Screenshots

None.

Additional context

Nothing relevant.

[urda]

Upgrading to the gogs/gogs:latest docker image exposed this behavior to me. It caused my URLs, redirects, and requests to just ignore ROOT_URL and the like.

Current workaround was to downgrade to gogs/gogs:0.11.91 container.

[garyzoar]

Downgrading seems to be the normal at the moment!

[unknwon]

Thanks for your high quality bug report ❤️

My initial suspicion is this line:

gogs/internal/context/auth.go

Line 43 in 931da04

if !c.IsLogged && c.Req.RequestURI == "/" && conf.Server.LandingURL != "/" {

The LandingURL should check against subpath not hard-coded "/". Will investigate further tonight.

[unknwon]

BTW, it would be very helpful to check your Server configuration section on the /admin/config page, see if it reads EXTERNAL_URL correctly, and of course, the Landing URL as well.

[unknwon]

Hmm, I am not able to reproduce with latest master, the bug I fixed in #5964 seems irrelevant to this issue.

I set up reverse proxy via Caddy 1 and has EXTERNAL_URL as:

[server]
EXTERNAL_URL = http://%(DOMAIN)s/gogs/

→ curl -i http://localhost:2020/gogs/explore/repos
HTTP/1.1 302 Found
Content-Length: 39
Content-Type: text/html; charset=utf-8
Date: Tue, 03 Mar 2020 17:56:53 GMT
Location: /gogs/user/login
Server: Caddy
Set-Cookie: lang=en-US; Path=/gogs; Max-Age=2147483647
Set-Cookie: i_like_gogs=0d4b24f5a563c7eb; Path=/gogs; HttpOnly
Set-Cookie: _csrf=ZMvq4PapUmyZxttmDH8jL7sCJ2w6MTU4MzI1ODIxMzUyODQ4MDAwMA; Path=/gogs; Expires=Wed, 04 Mar 2020 17:56:53 GMT
Set-Cookie: redirect_to=%252Fgogs%252Fexplore%252Frepos; Path=/gogs

<a href="/gogs/user/login">Found</a>.

For my Caddyfile:

:2020
proxy /gogs http://localhost:3000 {
    without /gogs
}

PS: I'm using localhost for testing, does it matter?

[whoo]

Hi, it works for me with "EXTERNAL_URL" instead of ROOT_URL

[unknwon]

@whoo thanks for the info!

I'm closing this until further input.