Implement logout redirection for reverse proxy setups

eliroca · eliroca · commit 29ae0fb87596 · 2026-04-03T18:52:39.000+02:00
When authentication is handled externally by a reverse proxy,
users can be redirected to an external logout URL or relative path
defined on the reverse proxy.
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -460,6 +460,11 @@ INTERNAL_TOKEN =
 ;; Name of cookie used to store authentication information.
 ;COOKIE_REMEMBER_NAME = gitea_incredible
 ;;
+;; URL or path that Gitea should redirect users to *after* performing its own logout.
+;; Use this, if needed, when authentication is handled by a reverse proxy or SSO.
+;; Mellon example: REVERSE_PROXY_LOGOUT_REDIRECT = /mellon/logout?ReturnTo=/
+;REVERSE_PROXY_LOGOUT_REDIRECT =
+;;
 ;; Reverse proxy authentication header name of user name, email, and full name
 ;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
 ;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
diff --git a/modules/setting/security.go b/modules/setting/security.go
@@ -31,6 +31,7 @@ var (
 	ReverseProxyAuthEmail              string
 	ReverseProxyAuthFullName           string
 	ReverseProxyLimit                  int
+	ReverseProxyLogoutRedirect         string
 	ReverseProxyTrustedProxies         []string
 	MinPasswordLength                  int
 	ImportLocalPaths                   bool
@@ -124,6 +125,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 	ReverseProxyAuthFullName = sec.Key("REVERSE_PROXY_AUTHENTICATION_FULL_NAME").MustString("X-WEBAUTH-FULLNAME")
 
 	ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
+	ReverseProxyLogoutRedirect = sec.Key("REVERSE_PROXY_LOGOUT_REDIRECT").MustString("")
 	ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
 	if len(ReverseProxyTrustedProxies) == 0 {
 		ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
@@ -499,6 +499,9 @@ func buildSignOutRedirectURL(ctx *context.Context) string {
 			return s
 		}
 	}
+	if setting.ReverseProxyLogoutRedirect != "" {
+		return setting.ReverseProxyLogoutRedirect
+	}
 	return setting.AppSubURL + "/"
 }
 
diff --git a/tests/integration/signout_test.go b/tests/integration/signout_test.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"testing"
 
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/tests"
 
@@ -26,3 +27,20 @@ func TestSignOut(t *testing.T) {
 	req = NewRequest(t, "GET", "/user2/repo2")
 	session.MakeRequest(t, req, http.StatusNotFound)
 }
+
+func TestSignOut_ReverseProxyLogoutRedirect(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	defer test.MockVariableValue(&setting.ReverseProxyLogoutRedirect, "/mellon/logout?ReturnTo=/")()
+
+	session := loginUser(t, "user2")
+
+	req := NewRequest(t, "GET", "/user/logout")
+	resp := session.MakeRequest(t, req, http.StatusSeeOther)
+
+	expected := "/mellon/logout?ReturnTo=/"
+	loc := resp.Header().Get("Location")
+	if loc != expected {
+		t.Fatalf("expected redirect to %q, got %q", expected, loc)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -499,6 +499,9 @@ func buildSignOutRedirectURL(ctx *context.Context) string {`
`499`	`499`	`return s`
`500`	`500`	`}`
`501`	`501`	`}`
	`502`	`+ if setting.ReverseProxyLogoutRedirect != "" {`
	`503`	`+ return setting.ReverseProxyLogoutRedirect`
	`504`	`+ }`
`502`	`505`	`return setting.AppSubURL + "/"`
`503`	`506`	`}`
`504`	`507`