Using Gitea with runner and WebAuthn #34253

Closed
jonastaedcke opened this issue Apr 21, 2025 · 4 comments
Labels: issue/needs-feedback, type/bug

@jonastaedcke

Description

I use

  • gitea version 1.23.7,
  • runner version 0.2.11 with
  • WebAuthn activated and
  • traefik as proxy.

Both runner and WebAuthn use root_url.
Since runner should use the local url to access the Gitea instance, root_url must have the value http://gitea:3000/.
WebAuthn only works in https environments and then the value of root_url must be https://gitea.example.com/.
How can I resolve this conflict? As a workaround, I do not log in via WebAuthn.

Thank you for your very good work. I may have made a mistake or runner (local) and WebAuthn (https) cannot be used together.


Understandably, I receive this message on my gitea instance under https://gitea.example.com/:

Your ROOT_URL in app.ini is "http://gitea:3000/", it's unlikely matching the site you are visiting.
Mismatched ROOT_URL config causes wrong URL links for web UI/mail content/webhook notification/OAuth2 sign-in.

app.ini for gitea

[server]
APP_DATA_PATH = /data/gitea
DOMAIN = gitea.example.com
SSH_DOMAIN = gitea.example.com
HTTP_PORT = 3000
ROOT_URL = http://gitea:3000/
DISABLE_SSH = false
DISABLE_HTTP_GIT = true
SSH_PORT = 43
SSH_LISTEN_PORT = 22
LFS_ALLOW_PURE_SSH = true
LFS_START_SERVER = true
LFS_JWT_SECRET = a-secret
OFFLINE_MODE = true

config.yaml for runner

log:
  level: info

runner:
  file: .runner
  capacity: 1
  envs:
    A_TEST_ENV_NAME_1: a_test_env_value_1
    A_TEST_ENV_NAME_2: a_test_env_value_2
  env_file: .env
  timeout: 3h
  shutdown_timeout: 0s
  insecure: false
  fetch_timeout: 5s
  fetch_interval: 2s
  labels:
    - "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
    - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
    - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"

cache:
  enabled: true
  dir: ""
  host: ""
  port: 0
  external_server: ""

container:
  network: "service-gitea"
  privileged: false
  options:
  workdir_parent:
  valid_volumes: []
  docker_host: ""
  force_pull: true
  force_rebuild: false

host:
  workdir_parent:

Gitea Version

1.23.7

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/jonastaedcke/ad84634e169df81d33667986970d9a04

Git Version

2.47.2

Operating System

Synology NAS

How are you running Gitea?

docker-compose.yml

networks:
  traefik_proxy:
    name: traefik_proxy
    external: true
  service-gitea:
    name: service-gitea

services:
    gitea:
      image: docker.gitea.com/gitea:latest
      container_name: gitea
      environment:
        - USER_UID=${PUID}
        - USER_GID=${PGID}
        - TZ=${TZ}
        - GITEA__database__[...]
        - GITEA__mailer__[...]
        - GITEA__openid__[...]
        - GITEA__repository__[...]
        - GITEA__service__[...]
  
        - GITEA__server__ROOT_URL=http://gitea:3000/
        - GITEA__server__DOMAIN=gitea.example.com
        - GITEA__server__OFFLINE_MODE=true
        - GITEA__server__SSH_PORT=43
        - GITEA__server__SSH_LISTEN_PORT=22
        - GITEA__server__SSH_DOMAIN=gitea.example.com
      restart: always
      networks:
        - traefik_proxy
        - service-gitea
      volumes:
        - ./service-gitea/gitea/data:/data
        - /etc/localtime:/etc/localtime:ro
      depends_on:
        - gitea-postgres
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.gitea.entrypoints=websecure"
        - "traefik.http.routers.gitea.rule=Host(`gitea.example.com`)"
        - "traefik.http.services.gitea.loadbalancer.server.port=3000"
        - "traefik.docker.network=traefik_proxy"
  
        - "traefik.tcp.routers.gitea-ssh-router.entrypoints=ssh-gitea"
        - "traefik.tcp.routers.gitea-ssh-router.rule=HostSNI(`*`)"
        - "traefik.tcp.routers.gitea-ssh-router.service=gitea-ssh-service"
        - "traefik.tcp.services.gitea-ssh-service.loadbalancer.server.port=22"
    gitea-postgres: [...]
    gitea-runner:
      container_name: gitea-runner
      image: docker.io/gitea/act_runner:latest
      environment:
        - CONFIG_FILE=/config.yaml
        - GITEA_INSTANCE_URL=gitea:3000
        - GITEA_RUNNER_REGISTRATION_TOKEN=my-secret
        - GITEA_RUNNER_NAME=Gitea Runner
      networks:
        - service-gitea
      depends_on:
        - gitea
      volumes:
        - ./service-gitea/gitea-runner/config.yaml:/config.yaml:ro
        - ./service-gitea/gitea-runner/data:/data
        - /var/run/docker.sock:/var/run/docker.sock

Database

PostgreSQL

@wxiaoguang
Contributor

In short: ROOT_URL must be the website's public URL to end users.


I think it is related to #32554 and maybe you could refer to that workaround.

And maybe you could wait for this one in 1.24: "Make public URL generation configurable #34250"

@jonastaedcke
Author

Awesome! Thank you very much! I can wait 😴 :)
I'll give feedback with the new version

@wxiaoguang
Contributor

That change is in main-nightly build now (which will be 1.24 soon), feel free to try:

Then set this in your "app.ini":

[server]
ROOT_URL = https://gitea.example.com/
PUBLIC_URL_DETECTION = auto

@wxiaoguang wxiaoguang added the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Apr 22, 2025
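
The conflict discussed in this thread, as an added example that is not part of the issue or of Gitea's code: a check of why a WebAuthn ceremony started at https://gitea.example.com is rejected while ROOT_URL is the internal http://gitea:3000/. It assumes the server takes the expected origin from ROOT_URL and the relying-party ID from DOMAIN; the function names and finding labels are hypothetical.

```python
import configparser
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
LOOPBACK = {"localhost", "127.0.0.1"}

def origin_of(url):
    """Web origin (scheme://host[:port]) of a URL, with the default port dropped."""
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    if u.port is None or u.port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{u.port}"

def webauthn_findings(app_ini, browser_url):
    """Return the reasons a WebAuthn ceremony started at browser_url would be rejected."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep key case (ROOT_URL, DOMAIN)
    cp.read_string("[__top__]\n" + app_ini)   # tolerate keys above the first section
    server = cp["server"]
    expected = origin_of(server["ROOT_URL"])  # assumption: expected origin = ROOT_URL
    exp = urlsplit(expected)
    rp_id = server.get("DOMAIN", exp.hostname).lower()  # assumption: RP ID = DOMAIN
    seen = origin_of(browser_url)             # what the browser reports in clientDataJSON.origin
    host = urlsplit(seen).hostname
    findings = []
    # WebAuthn is only exposed in secure contexts: https, or a loopback host.
    if exp.scheme != "https" and exp.hostname not in LOOPBACK:
        findings.append("root-url-not-secure-context")
    # The relying party compares the reported origin with the one it expects.
    if seen != expected:
        findings.append("origin-mismatch")
    # Simplified suffix rule: no public-suffix-list check is done here.
    if host != rp_id and not host.endswith("." + rp_id):
        findings.append("rp-id-not-suffix-of-host")
    return findings

# Constructed from the two ROOT_URL values quoted in the thread.
INTERNAL = "[server]\nDOMAIN = gitea.example.com\nROOT_URL = http://gitea:3000/\n"
PUBLIC = "[server]\nDOMAIN = gitea.example.com\nROOT_URL = https://gitea.example.com/\n"

if __name__ == "__main__":
    for name, ini in (("internal", INTERNAL), ("public", PUBLIC)):
        print(name, webauthn_findings(ini, "https://gitea.example.com/user/login"))
```
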
@jonastaedcke
Author

jonastaedcke commented Apr 24, 2025

The nightly build works great without any problems! Awesome job :)
