Commit 70022a99 authored by Harsh Chouraria's avatar Harsh Chouraria

PlantUML note about redirects when using TLS

The PlantUML service can be configured to serve traffic outside
of localhost, and the redirection can normally be avoided in
this situation.

However, on GitLab installations using TLS, new mixed-content browser
policies will perform a silent upgrade of HTTP connections to HTTPS
and/or refuse to load a HTTP resource altogether when TLS is in use.

The redirection becomes a requirement in this situation.

The change adds a note to the PlantUML redirect step
in docs to explain this.
parent c6d9e943
......@@ -90,8 +90,8 @@ the configuration below accordingly.
### Making local PlantUML accessible using custom GitLab setup
The PlantUML server runs locally on your server, so it is not accessible
externally. As such, it is necessary to catch external PlantUML calls and
redirect them to the local server.
externally by default. As such, it is necessary to catch external PlantUML
calls and redirect them to the local server.
The idea is to redirect each call to `https://gitlab.example.com/-/plantuml/`
to the local PlantUML server `http://plantuml:8080/` or `http://localhost:8080/plantuml/`, depending on your setup.
......@@ -112,6 +112,13 @@ To activate the changes, run the following command:
sudo gitlab-ctl reconfigure
```
NOTE:
The redirection through GitLab **must** be configured
when running [GitLab with TLS](https://docs.gitlab.com/omnibus/settings/ssl.html)
due to PlantUML's use of the insecure HTTP protocol. Newer browsers such
as [Google Chrome 86+](https://www.chromestatus.com/feature/4926989725073408)
do not load insecure HTTP resources on a page served over HTTPS.
### Security
PlantUML has features that allows fetching network resources.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment