Accessing a Git repository behind an HTTP gateway

I recently worked on a project where we had a GitLab instance behind a Citrix NetscalerGateway that was only accessible over HTTP. Two-factor authentication credentials had to be supplied first to log in to the gateway; only then were GitLab (or other services behind the gateway) accessible. It was impossible to clone the repository by SSH or HTTP because Git also had to go through the gateway, which prevented it from working correctly.

A typical error message looks like:

$ git clone https://gitlab.example.com/project/project.git
Cloning into 'repo'...
fatal: unable to update url base from redirection:
  asked for: https://gitlab.example.com/project/project.git
   redirect: https://auth.example.com/logon/LogonPoint/index.html

The trick is to use the Git http.cookiefile setting, which makes Git send the cookies stored in a file when it connects to the remote repository over HTTP. SSH will not work because the SSH service is unavailable from the outside.

The steps are as follows:

  • authenticate to the gateway using a browser
  • retrieve the cookie data from the browser for the domain requiring authentication; this is usually the domain of the page you are redirected to when not authenticated (for example, auth.example.com)
  • copy all cookies and save them in /<absolute path>/cookie.txt. For the Citrix NetscalerGateway we were using, the value looked like this (replace XXXXXX with the correct value):
auth.example.com	FALSE	/	TRUE	0	NSC_TMAS	XXXXXX
  • clone the repository over HTTP and not SSH, using the http.cookiefile parameter:
$ git -c http.cookiefile=/<absolute path>/cookie.txt clone https://gitlab.example.com/project/project.git
  • fill in the required GitLab username and password if needed.
  • finally, add the cookie file to the local Git config (in your cloned repository):
$ git config http.cookiefile /<absolute path>/cookie.txt
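
The cookie file from the steps above holds a live gateway session, so it should be readable by its owner only, and the tab separators must survive the copy from the browser. The shell functions below are an added example, not part of the original post; the names write_cookiefile and check_cookiefile are hypothetical, and they assume the Netscape cookie file layout shown above.

```shell
#!/bin/sh
# Added example: create and sanity-check the file used with http.cookiefile.
# Function names are hypothetical; the cookie layout follows the line shown above.

# write_cookiefile FILE DOMAIN NAME VALUE
# Writes one Netscape-format cookie line with 7 tab-separated fields:
#   domain, include-subdomains, path, secure, expiry, name, value
write_cookiefile() {
    file=$1 domain=$2 name=$3 value=$4
    (
        umask 077          # the new file is created with mode 0600
        rm -f "$file"      # do not inherit a looser mode from an old file
        printf '# Netscape HTTP Cookie File\n' > "$file"
        printf '%s\tFALSE\t/\tTRUE\t0\t%s\t%s\n' \
            "$domain" "$name" "$value" >> "$file"
    )
}

# check_cookiefile FILE
# Returns 0 only if group and others have no access to the file and
# every cookie line has exactly 7 tab-separated fields.
check_cookiefile() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    perms=$(ls -ld "$file" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || { echo "too permissive: $file" >&2; return 1; }
    awk -F '\t' '
        /^#/ && !/^#HttpOnly_/ { next }    # comment; #HttpOnly_ lines are cookies
        NF == 0 { next }                   # blank line
        NF != 7 { bad = 1 }                # e.g. tabs pasted as spaces
        END { exit bad }
    ' "$file" || { echo "malformed cookie line in $file" >&2; return 1; }
}

# Usage (the value is a placeholder, as in the steps above):
#   write_cookiefile "$HOME/cookie.txt" auth.example.com NSC_TMAS XXXXXX
#   check_cookiefile "$HOME/cookie.txt" && \
#       git -c http.cookiefile="$HOME/cookie.txt" clone https://gitlab.example.com/project/project.git
```

Delete the file once the gateway session has ended; the cookie is of no use to Git after that.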

Check the Git documentation for http.cookiefile.