I recently worked on a project where we had a Gitlab instance behind a Citrix NetscalerGateway and only accessible over http. 2FA credentials had to be first supplied to login to the gateway, only then the Gitlab (or other services behind the gateway) were accessible. It was impossible to clone the repository by ssh or http because Git also had to go through the gateway, thus impossible to correctly work.
A typical error message looks like:
$ git clone https://gitlab.example.com/project/project.git
Cloning into 'repo'...
fatal: unable to update url base from redirection:
asked for: https://gitlab.example.com/project/project.git
redirect: https://auth.example.com/logon/LogonPoint/index.html
The trick is to use a Git http.cookiefile setting that will send a cookie when connecting to the remote repository over http. Ssh won’t work because the ssh service is unavailable from the outside.
Steps are as follow:
- Authenticate to the gateway using a browser
- Fetch cookies data in the browser for the domain requiring authentication, it is usually the page redirected to when not authenticated (
auth.example.comif using the example above) - Copy all cookies and set them in
/<absolute path>/cookie.txt. For the Citrix NetscalerGateway we were using, the value looked like (replaceXXXXXXby the correct value):
auth.example.com FALSE / TRUE 0 NSC_TMAS XXXXXX
- Clone the repository over http and not ssh, using the
http.cookiefileparameter:
$ git -c http.cookiefile=/<absolute path>/cookie.txt clone https://gitlab.example.com/project/project.git
- Fill the required Gitlab username and password if required
- Finally, add the cookie in Git local config (in your cloned repository):
$ git config http.cookiefile /<absolute path>/cookie.txt
Check out the Git documentation for http.cookiefile.