From d5687dc5a0ee5c440a6a84248ce1b6a419aa8df1 Mon Sep 17 00:00:00 2001 From: c_fons Date: Tue, 18 Nov 2025 17:22:52 +0000 Subject: [PATCH 1/9] Add setting for ActionCable allowed origins This enables admins to setup allowed origins for websocket requests through ActionCable in order to ensure communication between secondary and primary Geo sites via websockets EE: true Changelog: added --- config/gitlab.yml.example | 4 +++ config/initializers/1_settings.rb | 5 ++++ config/initializers/action_cable.rb | 18 +++++++++++- ee/spec/initializers/1_settings_spec.rb | 37 +++++++++++++++++++++++++ spec/initializers/action_cable_spec.rb | 26 +++++++++++++++++ 5 files changed, 89 insertions(+), 1 deletion(-) diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 282acb448efc8d..2350ed26df81e4 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -756,6 +756,10 @@ production: &base # enabled: true # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API + # To configure ActionCable allowed request origins, add the external_url, without trailing slashes, of all nodes + # to the array below + action_cable_allowed_origins: [] + ## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html feature_flags: unleash: diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index fd3d4fa5cc06c5..29f00676821c42 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -395,6 +395,11 @@ # Settings.geo['registry_replication'] ||= {} Settings.geo.registry_replication['enabled'] ||= false + + # + # ActionCable allowed origins + # + Settings.geo['action_cable_allowed_origins'] ||= [] end # diff --git a/config/initializers/action_cable.rb b/config/initializers/action_cable.rb index b2ac3e8c1ae0dc..c9d7861fde83b5 100644 --- a/config/initializers/action_cable.rb 
+++ b/config/initializers/action_cable.rb @@ -7,12 +7,28 @@ config.action_cable.url = Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, '/-/cable') config.action_cable.worker_pool_size = Gitlab::ActionCable::Config.worker_pool_size - config.action_cable.allowed_request_origins = [Gitlab.config.gitlab.url] if Rails.env.development? || Rails.env.test? if Rails.env.development? || Rails.env.test? + config.action_cable.allowed_request_origins = [Gitlab.config.gitlab.url] config.action_cable.disable_request_forgery_protection = Gitlab::Utils.to_boolean( ENV.fetch('ACTION_CABLE_DISABLE_REQUEST_FORGERY_PROTECTION', false) ) end + + if Gitlab.config.geo.action_cable_allowed_origins.present? + # sanitize URLs + allowed_origins = Gitlab.config.geo.action_cable_allowed_origins.filter_map do |url| + begin + uri = URI.parse(url) + next unless uri.is_a?(URI::HTTP) && uri.host.present? + rescue URI::InvalidURIError + next + end + + url.chomp('/') + end + + config.action_cable.allowed_request_origins = allowed_origins if allowed_origins.present? + end end ActionCable::SubscriptionAdapter::Base.prepend(Gitlab::Patch::ActionCableSubscriptionAdapterIdentifier) diff --git a/ee/spec/initializers/1_settings_spec.rb b/ee/spec/initializers/1_settings_spec.rb index 41df16c5ab142c..a8d8db08bad8cd 100644 --- a/ee/spec/initializers/1_settings_spec.rb +++ b/ee/spec/initializers/1_settings_spec.rb 
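Review bot: The value kept for each entry is the raw configured string (`url.chomp('/')`), not anything derived from the parsed `uri`, so a URL with a path, query or userinfo passes the `uri.is_a?(URI::HTTP) && uri.host.present?` check and is stored as written. ActionCable compares allowed origins against the request's `Origin` header, which carries only scheme, host and port, so such an entry would never match and the misconfiguration stays silent. Storing the normalized origin instead, for example `uri.origin` where the Ruby version in use provides it on `URI::HTTP`, or rejecting entries whose `uri.path` is anything other than empty or `/`, would make the list mean what the admin expects. The surrounding configuration block starts outside this hunk.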
@@ -445,4 +445,41 @@ end end end + + describe 'geo' do + let(:config) { {} } + + before do + Settings.geo = config + load_settings + end + + after do + Settings.geo = {} + load_settings + end + + it 'provides default config' do + expect(Settings.geo.node_name).to eq(Settings.gitlab['url']) + expect(Settings.geo.registry_replication['enabled']).to eq(false) + expect(Settings.geo.action_cable_allowed_origins).to eq([]) + end + + context 'when config is provided' do + let(:config) do + { + node_name: 'my primary node', + registry_replication: { enabled: true, primary_api_url: 'http://primary.url' }, + action_cable_allowed_origins: %w[http://origin1.url http://origin2.url] + } + end + + it 'uses provided config' do + expect(Settings.geo.node_name).to eq('my primary node') + expect(Settings.geo.registry_replication['enabled']).to eq(true) + expect(Settings.geo.registry_replication['primary_api_url']).to eq('http://primary.url') + expect(Settings.geo.action_cable_allowed_origins).to eq(%w[http://origin1.url http://origin2.url]) + end + end + end end diff --git a/spec/initializers/action_cable_spec.rb b/spec/initializers/action_cable_spec.rb index 0cdac970c4adfe..b8c91685c361f1 100644 --- a/spec/initializers/action_cable_spec.rb +++ b/spec/initializers/action_cable_spec.rb @@ -50,6 +50,7 @@ stub_env('ACTION_CABLE_DISABLE_REQUEST_FORGERY_PROTECTION', disable_request_forgery_protection.to_s) stub_rails_env(rails_env) if rails_env stub_config_setting(relative_url_root: '/gitlab/root', url: 'example.com', https: true) + stub_config(geo: { action_cable_allowed_origins: origins }) if origins load Rails.root.join('config/initializers/action_cable.rb') end @@ -64,6 +65,7 @@ let(:rails_env) { nil } let(:disable_request_forgery_protection) { false } + let(:origins) { nil } subject(:config) { Rails.application.config.action_cable } 
@@ -104,6 +106,30 @@ let(:rails_env) { 'production' } it { is_expected.to eq(nil) } + + context 'with allowed_origins setting' do + let(:origins) { [] } + + it { is_expected.to eq(nil) } + + context 'with invalid origins' do + let(:origins) { ['invalid_url'] } + + it { is_expected.to eq(nil) } + end + + context 'with valid origins' do + let(:origins) { ['http://test.com/'] } + + it { is_expected.to eq(['http://test.com']) } + end + + context 'with valid and invalid origins' do + let(:origins) { ['http://test.com/', 'invalid_url'] } + + it { is_expected.to eq(['http://test.com']) } + end + end end end -- GitLab From 7ea0718674a1310f536f167c800a83e1ff33d867 Mon Sep 17 00:00:00 2001 From: c_fons Date: Wed, 19 Nov 2025 16:16:20 +0000 Subject: [PATCH 2/9] Add documentation steps --- .../geo/replication/configuration.md | 24 +++++++++++++++ .../geo/setup/two_single_node_sites.md | 30 +++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/doc/administration/geo/replication/configuration.md b/doc/administration/geo/replication/configuration.md index bf7fc3c13a80b9..11c3c81abb0a83 100644 --- a/doc/administration/geo/replication/configuration.md +++ b/doc/administration/geo/replication/configuration.md 
@@ -281,6 +281,30 @@ that the **secondary** site can act on those notifications immediately. Be sure the secondary site is running and accessible. You can sign in to the secondary site with the same credentials as were used with the primary site. +### Add primary and secondary URLs as allowed ActionCable origins + +This step allows websockets to work seamlessly from primary and secondary sites. + +1. Collect the **internal and external URLs** of your sites (primary and secondary). You can find them in the Site pages in the Admin area, as mentioned in the section above. +1. SSH into each Rails and Sidekiq node on your primary and secondary sites and sign in as root: + + ```shell + sudo -i + ``` + +1. Edit `/etc/gitlab/gitlab.rb` to add the URLs collected in step 1 to the `action_cable_allowed_origins` setting: + + ```ruby + gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com', 'https://secondary.example.com', 'https://primary.example.com'] + ``` + +1. To apply the changes, reconfigure each Rails and Sidekiq node and restart the service: + + ```shell + gitlab-ctl reconfigure + gitlab-ctl restart + ``` + ## Step 4. (Optional) Using custom certificates You can safely skip this step if: diff --git a/doc/administration/geo/setup/two_single_node_sites.md b/doc/administration/geo/setup/two_single_node_sites.md index 6136c71af78dbb..758a284461f249 100644 --- a/doc/administration/geo/setup/two_single_node_sites.md +++ b/doc/administration/geo/setup/two_single_node_sites.md 
@@ -676,6 +676,30 @@ that the secondary site can act on the notifications immediately. Be sure the secondary site is running and accessible. You can sign in to the secondary site with the same credentials as were used with the primary site. +### Add primary and secondary URLs as allowed ActionCable origins + +This step allows websockets to work seamlessly from primary and secondary sites. + +1. Collect the **internal and external URLs** of your sites (primary and secondary). You can find them in the Site pages in the Admin area, as mentioned in the section above. +1. SSH into each Rails and Sidekiq node on your primary and secondary site and sign in as root: + + ```shell + sudo -i + ``` + +1. Edit `/etc/gitlab/gitlab.rb` to add the URLs collected in step 1 to the `action_cable_allowed_origins` setting: + + ```ruby + gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com', 'https://secondary.example.com', 'https://primary.example.com'] + ``` + +1. To apply the changes, reconfigure each Rails and Sidekiq node and restart the service: + + ```shell + gitlab-ctl reconfigure + gitlab-ctl restart + ``` + ### Enable Git access over HTTP/HTTPS and SSH Geo synchronizes repositories over HTTP/HTTPS, and therefore requires this clone @@ -765,6 +789,9 @@ gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '10.0.0.0/8'] gitaly['configuration'] = { prometheus_listen_addr: '0.0.0.0:9236', } + +## ActionCable allowed origins +gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com', 'https://secondary.example.com', 'https://primary.example.com'] ``` ### Complete secondary site @@ -817,6 +844,9 @@ gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '10.0.0.0/8'] gitaly['configuration'] = { prometheus_listen_addr: '0.0.0.0:9236', } + +## ActionCable allowed origins +gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com', 'https://secondary.example.com', 'https://primary.example.com'] ``` ## Related topics -- GitLab 
From f75b75f54f8aa12b92970e04a08cc1e4e83f805d Mon Sep 17 00:00:00 2001 From: c_fons Date: Thu, 20 Nov 2025 10:51:35 +0000 Subject: [PATCH 3/9] Move setting out of Geo --- config/gitlab.yml.example | 12 ++++++---- config/initializers/1_settings.rb | 10 ++++---- config/initializers/action_cable.rb | 4 ++-- ee/spec/initializers/1_settings_spec.rb | 31 +++++++++++++++++++++---- spec/initializers/action_cable_spec.rb | 2 +- 5 files changed, 43 insertions(+), 16 deletions(-) diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 2350ed26df81e4..a455f84133689b 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -81,6 +81,14 @@ production: &base allowed_hosts: [] + # ActionCable allowed request origins + # Customize if you have GitLab Geo enabled + # Add the internal and external URLs of primary and secondary sites: + action_cable_allowed_origins: + #- https://primary-internal.url + #- https://secondary-internal.url + #- https://unified.url + # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address. @@ -756,10 +764,6 @@ production: &base # enabled: true # primary_api_url: http://localhost:5000/ # internal address to the primary registry, will be used by GitLab to directly communicate with primary registry API - # To configure ActionCable allowed request origins, add the external_url, without trailing slashes, of all nodes - # to the array below - action_cable_allowed_origins: [] - ## Feature Flag https://docs.gitlab.com/ee/operations/feature_flags.html feature_flags: unleash: diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 29f00676821c42..6c2562dd9d4a60 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb 
@@ -275,6 +275,11 @@ Settings.zoekt['bin_path'] ||= Gitlab::Utils.which('gitlab-zoekt') end +# +# ActionCable +# +Settings.gitlab['action_cable_allowed_origins'] ||= [] + # # CI # @@ -395,11 +400,6 @@ # Settings.geo['registry_replication'] ||= {} Settings.geo.registry_replication['enabled'] ||= false - - # - # ActionCable allowed origins - # - Settings.geo['action_cable_allowed_origins'] ||= [] end # diff --git a/config/initializers/action_cable.rb b/config/initializers/action_cable.rb index c9d7861fde83b5..4a1f365ba2fa26 100644 --- a/config/initializers/action_cable.rb +++ b/config/initializers/action_cable.rb @@ -14,9 +14,9 @@ ) end - if Gitlab.config.geo.action_cable_allowed_origins.present? + if Gitlab.config.gitlab.action_cable_allowed_origins.present? # sanitize URLs - allowed_origins = Gitlab.config.geo.action_cable_allowed_origins.filter_map do |url| + allowed_origins = Gitlab.config.gitlab.action_cable_allowed_origins.filter_map do |url| begin uri = URI.parse(url) next unless uri.is_a?(URI::HTTP) && uri.host.present? diff --git a/ee/spec/initializers/1_settings_spec.rb b/ee/spec/initializers/1_settings_spec.rb index a8d8db08bad8cd..a2d5e0ae39a0df 100644 --- a/ee/spec/initializers/1_settings_spec.rb +++ b/ee/spec/initializers/1_settings_spec.rb @@ -446,6 +446,32 @@ end end + describe 'ActionCable allowed origins' do + let(:config) { {} } + + before do + Settings.gitlab = config + load_settings + end + + after do + Settings.gitlab = {} + load_settings + end + + it 'returns default setting' do + expect(Settings.gitlab.action_cable_allowed_origins).to eq([]) + end + + context 'with settings' do + let(:config) { { action_cable_allowed_origins: %w[http://origin1.url http://origin2.url] } } + + it 'uses provided config' do + expect(Settings.gitlab.action_cable_allowed_origins).to eq(%w[http://origin1.url http://origin2.url]) + end + end + end + describe 'geo' do let(:config) { {} } 
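Review bot: The `after` hook of the new 'ActionCable allowed origins' block assigns `Settings.gitlab = {}` rather than restoring what was there before the example, so any `gitlab` key that `load_settings` does not rebuild is presumably lost for later examples in the same process. Capturing the original in an `around` hook (`original = Settings.gitlab` before `example.run`, `Settings.gitlab = original` in an `ensure`) keeps the examples isolated. After this commit the setting is no longer Geo-specific, so these examples may belong in the non-EE settings spec rather than under `ee/spec`; the enclosing describe starts outside the hunk.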
@@ -462,15 +488,13 @@ it 'provides default config' do expect(Settings.geo.node_name).to eq(Settings.gitlab['url']) expect(Settings.geo.registry_replication['enabled']).to eq(false) - expect(Settings.geo.action_cable_allowed_origins).to eq([]) end context 'when config is provided' do let(:config) do { node_name: 'my primary node', - registry_replication: { enabled: true, primary_api_url: 'http://primary.url' }, - action_cable_allowed_origins: %w[http://origin1.url http://origin2.url] + registry_replication: { enabled: true, primary_api_url: 'http://primary.url' } } end @@ -478,7 +502,6 @@ expect(Settings.geo.node_name).to eq('my primary node') expect(Settings.geo.registry_replication['enabled']).to eq(true) expect(Settings.geo.registry_replication['primary_api_url']).to eq('http://primary.url') - expect(Settings.geo.action_cable_allowed_origins).to eq(%w[http://origin1.url http://origin2.url]) end end end diff --git a/spec/initializers/action_cable_spec.rb b/spec/initializers/action_cable_spec.rb index b8c91685c361f1..b64d9d8b2832dd 100644 --- a/spec/initializers/action_cable_spec.rb +++ b/spec/initializers/action_cable_spec.rb @@ -50,7 +50,7 @@ stub_env('ACTION_CABLE_DISABLE_REQUEST_FORGERY_PROTECTION', disable_request_forgery_protection.to_s) stub_rails_env(rails_env) if rails_env stub_config_setting(relative_url_root: '/gitlab/root', url: 'example.com', https: true) - stub_config(geo: { action_cable_allowed_origins: origins }) if origins + stub_config_setting(action_cable_allowed_origins: origins) if origins load Rails.root.join('config/initializers/action_cable.rb') end -- GitLab From f823a3f1a9885804e91c33a619a99f452991bd75 Mon Sep 17 00:00:00 2001 From: c_fons Date: Thu, 20 Nov 2025 17:10:13 +0000 Subject: [PATCH 4/9] Fail when URLs are invalid --- config/initializers/action_cable.rb | 7 +- spec/initializers/action_cable_spec.rb | 95 +++++++++++++++++++------- 2 files changed, 74 insertions(+), 28 deletions(-) 
diff --git a/config/initializers/action_cable.rb b/config/initializers/action_cable.rb index 4a1f365ba2fa26..aed6ba28090399 100644 --- a/config/initializers/action_cable.rb +++ b/config/initializers/action_cable.rb @@ -16,12 +16,15 @@ if Gitlab.config.gitlab.action_cable_allowed_origins.present? # sanitize URLs + error_message = 'Invalid URL found in action_cable_allowed_origins configuration. ' \ + 'Please fix this in your gitlab.yml before starting GitLab.' + allowed_origins = Gitlab.config.gitlab.action_cable_allowed_origins.filter_map do |url| begin uri = URI.parse(url) - next unless uri.is_a?(URI::HTTP) && uri.host.present? + raise error_message unless uri.is_a?(URI::HTTP) && uri.host.present? rescue URI::InvalidURIError - next + raise error_message end url.chomp('/') diff --git a/spec/initializers/action_cable_spec.rb b/spec/initializers/action_cable_spec.rb index b64d9d8b2832dd..bc963a949d992e 100644 --- a/spec/initializers/action_cable_spec.rb +++ b/spec/initializers/action_cable_spec.rb @@ -50,7 +50,6 @@ stub_env('ACTION_CABLE_DISABLE_REQUEST_FORGERY_PROTECTION', disable_request_forgery_protection.to_s) stub_rails_env(rails_env) if rails_env stub_config_setting(relative_url_root: '/gitlab/root', url: 'example.com', https: true) - stub_config_setting(action_cable_allowed_origins: origins) if origins load Rails.root.join('config/initializers/action_cable.rb') end @@ -65,7 +64,6 @@ let(:rails_env) { nil } let(:disable_request_forgery_protection) { false } - let(:origins) { nil } subject(:config) { Rails.application.config.action_cable } 
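Review bot: The new `error_message` does not say which entry failed, so an admin with several origins configured has to find the bad one by trial; building it inside the block with the value, e.g. `"Invalid URL #{url.inspect} found in action_cable_allowed_origins configuration. ..."`, would make the boot failure actionable. The spec added in this commit matches the message literally and would need the same change. Both failure paths now raise, so the block never yields nil and `filter_map` can become `map`. The `# sanitize URLs` comment now sits above the message and would read better as `# validate and normalize origins` directly above the block.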
@@ -106,30 +104,6 @@ let(:rails_env) { 'production' } it { is_expected.to eq(nil) } - - context 'with allowed_origins setting' do - let(:origins) { [] } - - it { is_expected.to eq(nil) } - - context 'with invalid origins' do - let(:origins) { ['invalid_url'] } - - it { is_expected.to eq(nil) } - end - - context 'with valid origins' do - let(:origins) { ['http://test.com/'] } - - it { is_expected.to eq(['http://test.com']) } - end - - context 'with valid and invalid origins' do - let(:origins) { ['http://test.com/', 'invalid_url'] } - - it { is_expected.to eq(['http://test.com']) } - end - end end end 
@@ -156,4 +130,73 @@ end end end + + describe 'config.allowed_origins setting' do + before do + stub_config_setting(action_cable_allowed_origins: origins) + stub_rails_env(rails_env) if rails_env + end + + around do |example| + old = config.deep_dup + Rails.application.config.action_cable.clear + example.run + ensure + Rails.application.config.action_cable = old + end + + let(:load_config) { load Rails.root.join('config/initializers/action_cable.rb') } + let(:config) { Rails.application.config.action_cable } + let(:rails_env) { nil } + let_it_be(:message) do + 'Invalid URL found in action_cable_allowed_origins configuration. ' \ + 'Please fix this in your gitlab.yml before starting GitLab.' + end + + context 'with valid and invalid origins' do + let(:origins) { ['http://test.com/', 'invalid_url'] } + + it 'raises an exception' do + expect { load_config }.to raise_error(RuntimeError, message) + end + end + + context 'with invalid origins' do + let(:origins) { ['invalid_url'] } + + it 'raises an exception' do + expect { load_config }.to raise_error(RuntimeError, message) + end + end + + context 'with default setting' do + let(:origins) { [] } + + before do + load_config + end + + it 'returns localhost' do + expect(config.allowed_request_origins).to eq(["http://localhost"]) + end + + context 'when in production' do + let(:rails_env) { 'production' } + + it 'returns nil' do + expect(config.allowed_request_origins).to be_nil + end + end + end + + context 'with valid origins' do + let(:origins) { ['http://test.com/'] } + + it 'returns the passed values without slash' do + load_config + + expect(config.allowed_request_origins).to eq(['http://test.com']) + end + end + end end -- GitLab From 9937c5e4c301b169875973e1004f01758a5f71eb Mon Sep 17 00:00:00 2001 
From: c_fons Date: Fri, 21 Nov 2025 10:25:00 +0000 Subject: [PATCH 5/9] Make sure all ending slashes are removed --- config/initializers/action_cable.rb | 2 +- spec/initializers/action_cable_spec.rb | 26 ++++++++++++++++++++++---- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/config/initializers/action_cable.rb b/config/initializers/action_cable.rb index aed6ba28090399..ed45559909a72c 100644 --- a/config/initializers/action_cable.rb +++ b/config/initializers/action_cable.rb @@ -27,7 +27,7 @@ raise error_message end - url.chomp('/') + url.sub(%r{/+$}, '') end config.action_cable.allowed_request_origins = allowed_origins if allowed_origins.present? diff --git a/spec/initializers/action_cable_spec.rb b/spec/initializers/action_cable_spec.rb index bc963a949d992e..400c07e528e40b 100644 --- a/spec/initializers/action_cable_spec.rb +++ b/spec/initializers/action_cable_spec.rb @@ -190,12 +190,30 @@ end context 'with valid origins' do - let(:origins) { ['http://test.com/'] } + shared_examples 'returns the passed value with no ending slash' do + it 'returns the passed values without ending slash' do + load_config - it 'returns the passed values without slash' do - load_config + expect(config.allowed_request_origins).to contain_exactly('http://test.com') + end + end + + context 'when origin contains no trailing slash' do + let(:origins) { ['http://test.com'] } + + it_behaves_like 'returns the passed value with no ending slash' + end + + context 'when origin contains one trailing slash' do + let(:origins) { ['http://test.com/'] } + + it_behaves_like 'returns the passed value with no ending slash' + end + + context 'when origin contains several trailing slashes' do + let(:origins) { ['http://test.com//'] } - expect(config.allowed_request_origins).to eq(['http://test.com']) + it_behaves_like 'returns the passed value with no ending slash' end end end -- GitLab From f0f3b7ed29f4ae25ef1e599934f277cfe936ae37 Mon Sep 17 00:00:00 2001 
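Review bot: In `url.sub(%r{/+$}, '')` the `$` anchor matches at the end of any line, not only at the end of the string; `\z` states the intent exactly: `url.sub(%r{/+\z}, '')`. `URI.parse` earlier in the block most likely already rejects values containing a newline, so this is about not depending on that check for the normalization to be correct.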
From: Chloe Fons Date: Thu, 27 Nov 2025 13:38:34 +0000 Subject: [PATCH 6/9] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Michael Kozono --- spec/initializers/action_cable_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/initializers/action_cable_spec.rb b/spec/initializers/action_cable_spec.rb index 400c07e528e40b..7b284c28136665 100644 --- a/spec/initializers/action_cable_spec.rb +++ b/spec/initializers/action_cable_spec.rb @@ -131,7 +131,7 @@ end end - describe 'config.allowed_origins setting' do + describe 'config.allowed_request_origins setting' do before do stub_config_setting(action_cable_allowed_origins: origins) stub_rails_env(rails_env) if rails_env -- GitLab From fc9a76cab8a91c50af5304d91d0d6107b3899177 Mon Sep 17 00:00:00 2001 From: c_fons Date: Fri, 28 Nov 2025 11:35:40 +0000 Subject: [PATCH 7/9] Update docs to add setting to primary only --- doc/administration/geo/replication/configuration.md | 2 +- doc/administration/geo/setup/two_single_node_sites.md | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/doc/administration/geo/replication/configuration.md b/doc/administration/geo/replication/configuration.md index 11c3c81abb0a83..7a225378c4d14a 100644 --- a/doc/administration/geo/replication/configuration.md +++ b/doc/administration/geo/replication/configuration.md @@ -286,7 +286,7 @@ secondary site with the same credentials as were used with the primary site. This step allows websockets to work seamlessly from primary and secondary sites. 1. Collect the **internal and external URLs** of your sites (primary and secondary). You can find them in the Site pages in the Admin area, as mentioned in the section above. -1. SSH into each Rails and Sidekiq node on your primary and secondary sites and sign in as root: +1. SSH into each Rails and Sidekiq node on your **primary site** and sign in as root: ```shell sudo -i 
diff --git a/doc/administration/geo/setup/two_single_node_sites.md b/doc/administration/geo/setup/two_single_node_sites.md index 758a284461f249..7f525de9c84f38 100644 --- a/doc/administration/geo/setup/two_single_node_sites.md +++ b/doc/administration/geo/setup/two_single_node_sites.md @@ -681,7 +681,7 @@ secondary site with the same credentials as were used with the primary site. This step allows websockets to work seamlessly from primary and secondary sites. 1. Collect the **internal and external URLs** of your sites (primary and secondary). You can find them in the Site pages in the Admin area, as mentioned in the section above. -1. SSH into each Rails and Sidekiq node on your primary and secondary site and sign in as root: +1. SSH into each Rails and Sidekiq node on your **primary site** and sign in as root: ```shell sudo -i @@ -844,9 +844,6 @@ gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '10.0.0.0/8'] gitaly['configuration'] = { prometheus_listen_addr: '0.0.0.0:9236', } - -## ActionCable allowed origins -gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com', 'https://secondary.example.com', 'https://primary.example.com'] ``` ## Related topics -- GitLab From 4cc298fe451e6471612c52aae1872bd293102830 Mon Sep 17 00:00:00 2001 From: c_fons Date: Wed, 3 Dec 2025 11:54:11 +0000 Subject: [PATCH 8/9] Only mention external URLs in docs --- config/gitlab.yml.example | 6 +++--- doc/administration/geo/replication/configuration.md | 4 ++-- doc/administration/geo/setup/two_single_node_sites.md | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index a455f84133689b..49f79b5fc81692 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example 
@@ -83,11 +83,11 @@ production: &base # ActionCable allowed request origins # Customize if you have GitLab Geo enabled - # Add the internal and external URLs of primary and secondary sites: + # Add the external URLs of all sites: action_cable_allowed_origins: - #- https://primary-internal.url - #- https://secondary-internal.url #- https://unified.url + #- https://primary-external.url (if different from the above) + #- https://secondary-external.url (if different from the above) # Trusted Proxies # Customize if you have GitLab behind a reverse proxy which is running on a different machine. diff --git a/doc/administration/geo/replication/configuration.md b/doc/administration/geo/replication/configuration.md index 7a225378c4d14a..df90bca7ba3992 100644 --- a/doc/administration/geo/replication/configuration.md +++ b/doc/administration/geo/replication/configuration.md @@ -285,7 +285,7 @@ secondary site with the same credentials as were used with the primary site. This step allows websockets to work seamlessly from primary and secondary sites. -1. Collect the **internal and external URLs** of your sites (primary and secondary). You can find them in the Site pages in the Admin area, as mentioned in the section above. +1. Collect the **external URLs** of your sites (primary and secondary). You can find them in the Site pages in the Admin area, as mentioned in the section above. 1. SSH into each Rails and Sidekiq node on your **primary site** and sign in as root: ```shell 
@@ -295,7 +295,7 @@ This step allows websockets to work seamlessly from primary and secondary sites. 1. Edit `/etc/gitlab/gitlab.rb` to add the URLs collected in step 1 to the `action_cable_allowed_origins` setting: ```ruby - gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com', 'https://secondary.example.com', 'https://primary.example.com'] + gitlab_rails['action_cable_allowed_origins'] = ['https://secondary.example.com', 'https://primary.example.com'] ``` 1. To apply the changes, reconfigure each Rails and Sidekiq node and restart the service: diff --git a/doc/administration/geo/setup/two_single_node_sites.md b/doc/administration/geo/setup/two_single_node_sites.md index 7f525de9c84f38..f2677d8be343f4 100644 --- a/doc/administration/geo/setup/two_single_node_sites.md +++ b/doc/administration/geo/setup/two_single_node_sites.md @@ -680,7 +680,7 @@ secondary site with the same credentials as were used with the primary site. This step allows websockets to work seamlessly from primary and secondary sites. -1. Collect the **internal and external URLs** of your sites (primary and secondary). You can find them in the Site pages in the Admin area, as mentioned in the section above. +1. Collect the **external URLs** of your sites (primary and secondary). You can find them in the Site pages in the Admin area, as mentioned in the section above. 1. SSH into each Rails and Sidekiq node on your **primary site** and sign in as root: ```shell 
@@ -690,7 +690,7 @@ This step allows websockets to work seamlessly from primary and secondary sites. 1. Edit `/etc/gitlab/gitlab.rb` to add the URLs collected in step 1 to the `action_cable_allowed_origins` setting: ```ruby - gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com', 'https://secondary.example.com', 'https://primary.example.com'] + gitlab_rails['action_cable_allowed_origins'] = ['https://secondary.example.com', 'https://primary.example.com'] ``` 1. To apply the changes, reconfigure each Rails and Sidekiq node and restart the service: @@ -791,7 +791,7 @@ gitaly['configuration'] = { } ## ActionCable allowed origins -gitlab_rails['action_cable_allowed_origins'] = ['https://gitlab.example.com', 'https://secondary.example.com', 'https://primary.example.com'] +gitlab_rails['action_cable_allowed_origins'] = ['https://secondary.example.com', 'https://primary.example.com'] ``` ### Complete secondary site -- GitLab From 21f438421adf0173bcaa3a642bedbd68cb2195f1 Mon Sep 17 00:00:00 2001 From: c_fons Date: Wed, 3 Dec 2025 11:55:54 +0000 Subject: [PATCH 9/9] Update wording with suggestion --- config/gitlab.yml.example | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 49f79b5fc81692..14219b24b5d6af 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -82,8 +82,8 @@ production: &base allowed_hosts: [] # ActionCable allowed request origins - # Customize if you have GitLab Geo enabled - # Add the external URLs of all sites: + # Customize if you browse your GitLab application through multiple URLs + # If you have GitLab Geo enabled, then add the external URLs of every site: action_cable_allowed_origins: #- https://unified.url #- https://primary-external.url (if different from the above) -- GitLab
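Review bot: The comment above `action_cable_allowed_origins:` in the gitlab.yml.example hunk does not state the expected entry format or what the list grants. Going by the initializer in this series, entries must parse as http(s) URLs with a host and they end up in ActionCable's `allowed_request_origins`, so a page served from a listed origin is permitted to open WebSocket connections to this instance from a user's browser. I would add `# Each entry is an origin: scheme://host[:port], without a path.` and `# Only list URLs you operate; listed origins pass the WebSocket Origin check.` above the key.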