From 280a845423382e51cb103865abb30052e63d56b5 Mon Sep 17 00:00:00 2001
From: c_fons <cfons@gitlab.com>
Date: Fri, 14 Nov 2025 17:11:52 +0000
Subject: [PATCH] Add internal URLs to ActionCable allowed origins

This fixes a bug where websockets are not
working on secondaries because their origin
is not recognised by the primary when proxied

Relates to: https://gitlab.com/gitlab-org/gitlab/-/issues/579074
Changelog: fixed
---
 config/initializers/action_cable.rb    |  4 +++-
 spec/initializers/action_cable_spec.rb | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/config/initializers/action_cable.rb b/config/initializers/action_cable.rb
index b2ac3e8c1ae0dc..0e08f22d143ae4 100644
--- a/config/initializers/action_cable.rb
+++ b/config/initializers/action_cable.rb
@@ -7,11 +7,13 @@
 
   config.action_cable.url = Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, '/-/cable')
   config.action_cable.worker_pool_size = Gitlab::ActionCable::Config.worker_pool_size
-  config.action_cable.allowed_request_origins = [Gitlab.config.gitlab.url] if Rails.env.development? || Rails.env.test?
   if Rails.env.development? || Rails.env.test?
+    config.action_cable.allowed_request_origins = [Gitlab.config.gitlab.url]
     config.action_cable.disable_request_forgery_protection = Gitlab::Utils.to_boolean(
       ENV.fetch('ACTION_CABLE_DISABLE_REQUEST_FORGERY_PROTECTION', false)
     )
+  elsif Gitlab::Geo.enabled?
+    config.action_cable.allowed_request_origins = GeoNode.enabled.map { |node| node.internal_url.chomp('/') }.uniq
   end
 end
 
diff --git a/spec/initializers/action_cable_spec.rb b/spec/initializers/action_cable_spec.rb
index 0cdac970c4adfe..f7b40fea6f1a0f 100644
--- a/spec/initializers/action_cable_spec.rb
+++ b/spec/initializers/action_cable_spec.rb
@@ -51,6 +51,11 @@
       stub_rails_env(rails_env) if rails_env
       stub_config_setting(relative_url_root: '/gitlab/root', url: 'example.com', https: true)
 
+      if test_for_geo?
+        allow(Gitlab::Geo).to receive(:enabled?).and_return(true)
+        allow(GeoNode).to receive(:enabled).and_return([primary_node, secondary_node])
+      end
+
       load Rails.root.join('config/initializers/action_cable.rb')
     end
 
@@ -64,6 +69,7 @@
 
     let(:rails_env) { nil }
     let(:disable_request_forgery_protection) { false }
+    let(:test_for_geo?) { false }
 
     subject(:config) { Rails.application.config.action_cable }
 
@@ -104,6 +110,14 @@
         let(:rails_env) { 'production' }
 
         it { is_expected.to eq(nil) }
+
+        context 'when Geo is enabled' do
+          let(:test_for_geo?) { true }
+          let(:primary_node) { instance_double(GeoNode, internal_url: 'http://0.0.1.0/') }
+          let(:secondary_node) { instance_double(GeoNode, internal_url: 'http://0.0.2.0/') }
+
+          it { is_expected.to eq(%w[http://0.0.1.0 http://0.0.2.0]) }
+        end
       end
     end
 
-- 
GitLab