IIS 7.5 Reverse Proxy: Clone fails (401 Unauthorized)

Moving the conversation here after first posting an issue in github:
https://github.com/gogits/gogs/issues/2692#issuecomment-189935524

Relevant info

Gogs version: v0.8.25
Git version: 2.7.0.windows.1
Operating system: Windows Server 2008 R2 Standard
Database: SQLite
Last line in gogs.log: Listen: http://0.0.0.0:3000/gogs

Reversed proxied through IIS 7.5

Description

This is what I see on the command line output server side:

[Macaron] Started GET [repo].git/info/refs?service=git-upload-pack for [IP address]:50673
2016/02/23 14:36:26 [D] Session ID: 32ceb61ccd7132c0
2016/02/23 14:36:26 [D] CSRF Token: DUpRkQ_r7kYBSRwMijEY7P3ekmk6MTQ1NjI2MzM4NjU1
MTA5MjIwMA==
[Macaron] Completed [repo].git/info/refs?service=git-upload-pack 401
Unauthorized in 5.0003ms

This is what I see client side:

git clone [repoUrl].git --verbose
Cloning into ‘[repo]’…
fatal: unable to access ‘[repoUrl].git/’: The requested URL returned error: 500

I’m trying to see if there is any other way to debug this. Nothing is really showing in the logs.

So far everything non-git works fine. Nothing appears in the IIS logs.

What happens if you open this URL on your browser? Can you open the web conosle to see what is the response code?

Client side the console says:[url]/testrepo.git/info/refs?service=git-upload-pack Failed to load resource: the server responded with a status of 500 (Internal Server Error)

Page just displays: The page cannot be displayed because an internal server error has occurred.

The server cli says: 2016/03/03 11:51:44 [D] CSRF Token: MI7-zXp1-8ZZGrDFjXjsEKSqfm46MTQ1NzAzMTA2NjMw
NTIxODUwMA==
[Macaron] Completed /[user]/testrepo.git/info/refs?service=git-upload-pack 401
Unauthorized in 5.0003ms

To confirm again, git clone works without IIS?

Yes, this is the result if I do it outside of IIS:

2016/03/03 12:48:53 [I] Listen: http://0.0.0.0:3000
[Macaron] Started GET /[user]/testrepo.git/info/refs?service=git-upload-pack f
or [::1]
2016/03/03 12:48:58 [D] Session ID: 51823383a1f1f67f
2016/03/03 12:48:58 [D] CSRF Token: GJtEaQvYM3Q18JtAzDNteUt5sRg6MTQ1NzAzNDUzODA3
NzQxMjYwMA==
[Macaron] Completed /[user]/testrepo.git/info/refs?service=git-upload-pack 401
Unauthorized in 4.0002ms
[Macaron] Started GET /[user]/testrepo.git/info/refs?service=git-upload-pack f
or [::1]
2016/03/03 12:49:07 [D] Session ID: a9f7cf7167662651
2016/03/03 12:49:07 [D] CSRF Token: dJxsFu__61Qrj63nJJFnmtnt6686MTQ1NzAzNDU0Nzc1
NTk2NjIwMA==
[Macaron] Completed /[user]/testrepo.git/info/refs?service=git-upload-pack 401
Unauthorized in 4.0002ms
[Macaron] Started GET /[user]/testrepo.git/info/refs?service=git-upload-pack f
or [::1]
2016/03/03 12:49:07 [D] Session ID: 13d9cf23d4de2dfd
2016/03/03 12:49:07 [D] CSRF Token: JE6MA6ZzpNqnsmwlsZGR2EVovgg6MTQ1NzAzNDU0Nzc2
MDk2NjQwMA==
[Macaron] Completed /[user]/testrepo.git/info/refs?service=git-upload-pack 200
OK in 188.0108ms
[Macaron] Started POST /[user]/testrepo.git/git-upload-pack for [::1]
2016/03/03 12:49:08 [D] Session ID: 82df898a0a86d430
2016/03/03 12:49:08 [D] CSRF Token: OYD-4MLN6uhXtjv8ecs2cIpbPRg6MTQ1NzAzNDU0Nzk4
Nzk3OTQwMA==
[Macaron] Completed /[user]/testrepo.git/git-upload-pack 200 OK in 226.0129ms

This what happens when using IIS:
2016/03/03 12:54:02 [I] Listen: http://0.0.0.0:3000/[subpath]
[Macaron] Started GET /[user]/testrepo.git/info/refs?service=git-upload-pack f
or 10.31.7.55:54401
2016/03/03 12:54:04 [D] Session ID: b61ca2dff2e355bb
2016/03/03 12:54:04 [D] CSRF Token: 85e4ZlS2aMWsGmLY4H0yuZrCaQ06MTQ1NzAzNDg0NDk2
MDk0MDQwMA==
[Macaron] Completed /[user]/testrepo.git/info/refs?service=git-upload-pack 401
Unauthorized in 4.0002ms

Hmm… hope someone else uses windows and IIS could help.

@andreynering maybe?

I never had this problem, but we don’t use ISS.

Maybe it is an issue with reverse proxying with a subdirectory?

I already used reverse proxy (both Linux and Windows (not ISS)) and clones worked, but I proxied though subdomain, not subdirectory.

One could try reverse proxy with subdirectory on Linux to see what happens.

Hm… I tried to get proxy through a subdirectory with Caddy but couldn’t get it work. Not just clones don’t work, but nothing at all. Proxying through root works.

@Unknwon Is just nginx supported? Does Gogs depends on an HTTP header or anything?

My config:

# Caddyfile
localhost:80
proxy /git localhost:3000
; app.ini
[server]
DOMAIN = localhost
HTTP_PORT = 3000
ROOT_URL = http://localhost:3000/git/

Maybe try proxy /git/ localhost:3000?

Tried., the same.

Maybe there are some header missing vis reverse proxy, but NGINX pass them by default.

proxy /git localhost:3000 {
        without /git
}

Anything else I can do to help?

Hi, I can’t believe that IIS doesn’t have log for 500 reasons?

This is what the IIS logs show on a failed request (401) even though git shows 500 (“The requested URL returned error: 500”).

016-03-29 18:31:13 10.31.7.55 GET /[server]/testrepo.git/info/refs service=git-receive-pack&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=89df0527-e2af-46d1-b158-329611277bd9&SERVER-STATUS=401 443 - 165.127.6.178 git/2.7.3 401 0 0 15

If I set REQUIRE_SIGNIN_VIEW = false, I can do cloning but pushing still fails. There is something being blocked when it comes to authentication.

This PR looks like indicated the real problem on Gogs: https://github.com/gogits/gogs/pull/2891

it works fine in my situation, host in IIS, proxy by application request routing