Gitlab behind WAF

I’ve got a Gitlab published and our preferred cloning mechanism is HTTP (HTTPS) and not ssh.
I have enabled the WAF for all sites, as I need to secure some new on-line services.
Since WAF is on, I receive 403 when pushing code via “git push”.
Visiting the gitlab website via web browser is generally ok, until I hit the “.git” URL.
ex:
https://gitlab.company.com/group/project/ -> OK
https://gitlab.company.com/group/project.git/ -> 403 "Sorry, you have been blocked"

How can I securely use gitlab and WAF?
Thank you.
Best regards,
Giuseppe

FYI, I made an exclusion on the Page Rules with:
https://gitlab.company.com//.git/* -> Web Application Firewall: Off

So that I can let users push on the repos.
But I don’t believe this is a reasonable fix.

Hi there, disabling the WAF rule with ID 100016 should do it. It blocks attempts at accessing some potentially sensitive paths, /.git being one of them. Hope that helps!

Hi!
Disabling that rule did the trick.
As I have potentially other sites behind, I was wondering if it’s worth (or more secure) keeping this rule on and using my bespoke workaround… as this rule can potentially catch any developer who has published apps in the way they shouldn’t :wink:
Anyway, the gitlab is geofenced to only 3 countries.
Best regards,
Giuseppe
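
An added example, not part of the thread and not Cloudflare's or GitLab's own code: a sketch of how an exclusion could be scoped to the Git smart-HTTP endpoints that clone and push use, while any path containing a literal `.git` directory stays blocked. The function name `classify`, the verdict labels and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Git smart-HTTP endpoints below a "<namespace>/<project>.git" repository path.
SMART_HTTP = re.compile(
    r"^/(?:[\w.-]+/)+[\w.-]+\.git/"
    r"(?P<endpoint>info/refs|git-upload-pack|git-receive-pack)$"
)
# A path segment that is exactly ".git": an exposed working-copy directory.
EXPOSED_GIT_DIR = re.compile(r"(?:^|/)\.git(?:/|$)")
SERVICES = {"git-upload-pack", "git-receive-pack"}


def classify(method: str, url: str) -> str:
    """Return 'allow' (skip the rule), 'block', or 'inspect' (normal WAF path)."""
    parts = urlsplit(url)
    path = unquote(parts.path)  # decode %2e etc. before matching
    if EXPOSED_GIT_DIR.search(path):
        return "block"
    match = SMART_HTTP.match(path)
    if match is None:
        return "inspect"
    if match.group("endpoint") == "info/refs":
        # Ref discovery: a GET naming exactly one known service.
        service = parse_qs(parts.query).get("service", [])
        ok = method == "GET" and len(service) == 1 and service[0] in SERVICES
    else:
        # Pack transfer for fetch/clone (upload-pack) or push (receive-pack).
        ok = method == "POST"
    return "allow" if ok else "inspect"


# Constructed sample requests (hostnames other than the thread's are made up).
SAMPLES = [
    ("GET", "https://gitlab.company.com/group/project.git/info/refs?service=git-receive-pack"),
    ("POST", "https://gitlab.company.com/group/project.git/git-receive-pack"),
    ("GET", "https://gitlab.company.com/group/project/"),
    ("GET", "https://app.example.com/.git/config"),
    ("GET", "https://app.example.com/static/%2egit/HEAD"),
]

if __name__ == "__main__":
    for method, url in SAMPLES:
        print(f"{classify(method, url):8} {method:5} {url}")
```

Only requests classified `allow` would bypass the rule; everything else, including a browser visit to `project.git/`, stays on the normal WAF path.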
