we are running RhodeCode CE, 4.27.1 behind a SSL terminating Apache proxy. For authentication, we use header authentication where we extract the username from the certificate (a bit weird but historically grown). We redirect any non-SSL access to the SSL version.
This basically works. However:
1.) Sometimes (not always), when trying to e.g. show the main repository page, there are requests to http://baseurl (sans SSL) that are, of course, blocked by the browser
2.) When trying to do anything that involves a POST request, e.g. change any setting in the admin panel, chances are high that we receive either a
Cross-site request forgery detected, request denied…
or a plain 404.
Not always, though: sometimes it works, usually after reloading the page multiple times or trying to log out (which yields another 403) and going back. This makes it more or less unusable. It also seems this has changed at some point, are there any changes between RC 4.17 and 4.27 that might be related - we did an upgrade recently and I haven’t noticed the problem before, but maybe I just was lucky.
Also the log for these failed requests shows a POST URL with plain http, most of the time.
We have used the guides from here: Apache HTTP Server Configuration — RhodeCode Enterprise 4.27.1 4.27.1 documentation for the apache configuration, and an older one which I can’t find anymore for the Header authentication.
The fact that it seems to work after enough coaxing leads me to believe that it’s not a general problem with the setup, but maybe some kind of e.g. race condition, caching problem or the like. However right now I’m totally stumped where even to begin. I’ve tried to enable and disable basically every setting in the rhodecode config that could have to do something with this, but to no avail. These issues seem to be related, but maybe they’re not…
We don’t really want to turn off HEADER authentication, but it would be an option if nothing else works.
I can provide logs and/or config files if necessary, just let me know which ones you think are helpful.