Received HTTP code 400 from proxy after CONNECT

Manuel Vacelet (vaceletm)

2023-08-29 09:37

Status changed from New to Closed
Close date set to 2023-08-29

Jörg Bernau (joerg_bernau)

2023-08-28 18:01

last edited by: Jörg Bernau (joerg_bernau)

2023-08-28 20:26

Manuel, THX, you are right. Well git.example.com:443 is the nginx-proxy for gitlab worhhouse. So I removed sys_proxy and ended up in 500: Internal Server Error

2023-08-28T19:49:47+02:00 [18138] [error] Unhandled exception: Encryption key must be SODIUM_CRYPTO_SECRETBOX_KEYBYTES long but is: 0 bytes: *)
#0 /usr/share/tuleap/src/common/Cryptography/KeyFactory.php(45): Tuleap\Cryptography\Symmetric\EncryptionKey->__construct()
#1 /usr/share/tuleap/plugins/gitlab/include/Repository/Webhook/WebhookCreator.php(99): Tuleap\Cryptography\KeyFactory->getEncryptionKey()
#2 /usr/share/tuleap/plugins/gitlab/include/Repository/Webhook/WebhookCreator.php(80): Tuleap\Gitlab\Repository\Webhook\WebhookCreator->createNewGitlabWebhook()
#3 /usr/share/tuleap/plugins/gitlab/include/Repository/GitlabRepositoryCreator.php(140): Tuleap\Gitlab\Repository\Webhook\WebhookCreator->generateWebhookInGitlabProject()
#4 /usr/share/tuleap/plugins/gitlab/include/Repository/GitlabRepositoryCreator.php(115): Tuleap\Gitlab\Repository\GitlabRepositoryCreator->createGitlabRepositoryIntegration()
#5 /usr/share/tuleap/src/vendor/paragonie/easydb/src/EasyDB.php(1263): Tuleap\Gitlab\Repository\GitlabRepositoryCreator->Tuleap\Gitlab\Repository\{closure}()
#6 /usr/share/tuleap/src/common/DB/DBTransactionExecutorWithConnection.php(44): ParagonIE\EasyDB\EasyDB->tryFlatTransaction()
#7 /usr/share/tuleap/plugins/gitlab/include/Repository/GitlabRepositoryCreator.php(120): Tuleap\DB\DBTransactionExecutorWithConnection->execute()
#8 /usr/share/tuleap/plugins/gitlab/include/REST/v1/GitlabRepositoryResource.php(177): Tuleap\Gitlab\Repository\GitlabRepositoryCreator->integrateGitlabRepositoryInProject()
#9 [internal function]: Tuleap\Gitlab\REST\v1\GitlabRepositoryResource->createGitlabRepository()
#10 /usr/share/tuleap/src/vendor/luracast/restler/vendor/Luracast/Restler/Restler.php(1058): ReflectionMethod->invokeArgs()
#11 /usr/share/tuleap/src/vendor/luracast/restler/vendor/Luracast/Restler/Restler.php(304): Luracast\Restler\Restler->call()
#12 /usr/share/tuleap/src/www/api/index.php(91): Luracast\Restler\Restler->handle()
#13 {main}

*) source code modified for debugging

FIXED: Just for google search: /etc/tuleap/conf/encryption_secret.key was empty. So close this request. Thanks for your support.

Manuel Vacelet (vaceletm)

2023-08-28 09:28

I doubt that git.example.com is actually a proxy server so it's likely that tuleap config-set sys_proxy: git.example.com:443 causes the issue.

Jörg Bernau (joerg_bernau)

2023-08-25 17:29

last edited by: Jörg Bernau (joerg_bernau)

2023-08-25 17:34

@vaceletm

#> tuleap config-set sys_proxy: git.example.com:443

#> tuleap config-get http_outbound_requests_deny_ranges: 0.0.0.0/0,::/0

#> tuleap config-get http_outbound_requests_allow_ranges: '172.XXX.AAA.192/32,172.XXX.BBB.0/24,192.168.CCC.0/24'

with 172.XXX.AAA.192/32 IP to public VPN proxy (nginx) on that gitlab is accessible externally; 172.XXX.BBB.0/24 company's VPN net and 192.168.CCC.0/24 LAN I which both servers are running (tuleap and gitlab are on the same machine)

Jörg Bernau (joerg_bernau)

2023-08-25 17:05

@tgerbet Thank you for the notice. I changed it already on the day I submitted this issue.

Thomas Gerbet (tgerbet)

2023-08-25 15:46

On a side note you have leaked what looks like a GitLab token, I would strongly recommend to revoke it if it is a valid one.

Manuel Vacelet (vaceletm)

2023-08-25 15:41

It's likely that you have a misconfiguration of https://docs.tuleap.org/administration-guide/system-administration/filtering-outbound-requests.html

Esp. check for sys_proxy value

Public

Follow-ups