Unable to Perform Git Operations Through Cloudflare Zero Trust Tunnel for Gitea

What is the name of the domain?

https://my.gitdomain.com

Related to

Cloudflare Tunnel

What is the error number?

fatal: unable to update url base from redirection:

What is the error message?

Cloning into 'REPO'... fatal: unable to update url base from redirection:

What is the issue you’re encountering

Unable to Perform Git Operations Through Cloudflare Zero Trust Tunnel for Gitea

What steps have you taken to resolve the issue?

I have a self-hosted Gitea instance running on my server and accessible through a Cloudflare Zero Trust tunnel. The public hostname used to access the instance is:
Hostname: https://my.gitdomain.com
I have followed all necessary steps to configure Cloudflare Zero Trust to allow both browser-based access and Git operations like git clone, git pull, and git push. However, while browser access to the Gitea UI works perfectly, Git operations are failing with a redirection error.

Cloudflare Configuration

Public Hostname in Zero Trust Tunnel:

Subdomain: ehs
Domain: ceruleaninfotech.com
Path: /GIT_DIR_PATH/EHS.git/*
(Tried /, /GIT_DIR_PATH/, and /GIT_DIR_PATH/EHS.git/, but no success)

Access Policy Configuration:

Policy Name: git-access-token
Rules: Service Token is included.
Action: ALLOW
Session Duration: 24 hours.

Cloudflare Access Configuration:

Added a service token with proper authentication headers:
git config --global http.https://my.gitdomain.com.extraheader "CF-Access-Client-Id: "
git config --global http.https://my.gitdomain.com.extraheader "CF-Access-Client-Secret: "

Git Configuration:

Verified the headers are correctly added:
git config --global --get-all http.https://my.gitdomain.com.extraheader

Issue
Whenever I attempt to perform a Git operation like git clone, I receive the following error:
fatal: unable to update url base from redirection:
asked for: https://my.gitdomain.com/GIT_DIR_PATH/EHS.git/info/refs?service=git-upload-pack
redirect: https:///cdn-cgi/access/login/my.gitdomain.com?..

It appears that Cloudflare is still redirecting the Git client to a login page instead of allowing direct access via the service token.

Troubleshooting Tried
Verified that the git-access-token policy is applied to the ehs hostname.
Tried various paths in the Cloudflare Access application:
/
/GIT_DIR_PATH/*
/GIT_DIR_PATH/EHS.git/*
Added necessary headers in the Git global configuration for Cloudflare Access Client ID and Secret.
Confirmed that browser access to https://my.gitdomain.com works without issues.

Expected Behavior
I expect Git commands like git clone, git pull, and git push to work seamlessly through the Cloudflare tunnel without being redirected to the Cloudflare Access login page.

Questions for the Community
What should be the correct configuration for the “Path” field in the Cloudflare Access application to support Git operations?
Is there an additional step required to make Cloudflare Access policies apply to Git clients?
Does the use of service tokens need additional configuration for non-browser clients like Git?
Are there any best practices for enabling Git over Cloudflare tunnels?

Additional Information
Gitea Configuration:

ROOT_URL is set to https://my.gitdomain.com.
Gitea is accessible via public IP and works with Git operations when bypassing Cloudflare.

Cloudflare Tunnel Configuration:

Tunnel is configured correctly and is working for browser-based access.

Git Client Debug Output (with GIT_CURL_VERBOSE=1):

Shows that Git is being redirected to Cloudflare’s Access login URL.

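Two checks for this setup, added here as an example and not part of the original post: one confirms that the `--get-all` output holds both service-token headers with non-empty values, the other classifies a response to the `info/refs` request as an Access login redirect or not. The function names `check_extraheaders` and `classify_access_response` are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical, sample data is constructed.

# Reads the output of
#   git config --global --get-all http.https://my.gitdomain.com.extraheader
# on stdin. Git sends one header per stored value, so both names must be
# listed, each with a non-empty value. Note that a plain `git config KEY VALUE`
# replaces a single existing value; `git config --add KEY VALUE` appends.
check_extraheaders() {
  id=missing; secret=missing
  while IFS= read -r line || [ -n "$line" ]; do
    name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
    value=$(printf '%s' "${line#*:}" | tr -d '[:space:]')
    [ -n "$value" ] || continue          # header name with no value is useless
    case "$name" in
      cf-access-client-id)     id=present ;;
      cf-access-client-secret) secret=present ;;
    esac
  done
  printf 'id=%s secret=%s\n' "$id" "$secret"
  [ "$id" = present ] && [ "$secret" = present ]
}

# Reads HTTP response headers on stdin, e.g. from
#   curl -sI -H "CF-Access-Client-Id: <id>" -H "CF-Access-Client-Secret: <secret>" \
#     "https://my.gitdomain.com/GIT_DIR_PATH/EHS.git/info/refs?service=git-upload-pack"
# and reports whether Access answered with its login redirect.
classify_access_response() {
  status=""; location=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in
      HTTP/*)        status=${line#* }; status=${status%% *} ;;
      [Ll]ocation:*) location=${line#*:} ;;
    esac
  done
  case "$status:$location" in
    3??:*/cdn-cgi/access/login/*) echo access-login-redirect ;;
    2??:*)                        echo passed-access ;;
    *)                            echo "other:$status" ;;
  esac
}

# Constructed sample: only one of the two headers is stored.
printf '%s\n' 'CF-Access-Client-Secret: example-secret' | check_extraheaders \
  || echo "service-token headers incomplete"
```

An `access-login-redirect` result with both headers present means the request did not satisfy the Access policy, so the policy and token are the next thing to inspect rather than the Git client.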