[
https://issues.apache.org/jira/browse/NIFI-15692?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ivan Majsinger updated NIFI-15692:
----------------------------------
Description:
h3. Problem
GitLabFlowRegistryClient fails to register flow snapshots when GitLab is behind
an Apache reverse proxy. The verification passes all checks, but "Start Version
Control" fails with 403 Forbidden.
h3. Root Cause
The \{{deleteContent()}} method in \{{GitLabRepositoryClient.java}} uses
\{{getRawFile()}} which hits the
\{{/api/v4/projects/.../repository/files/.../raw}} endpoint. This endpoint is
handled differently by some reverse proxies, causing a redirect to HTTP port 80
where authentication fails.
{code:java}
// Current implementation (line ~266)
public InputStream deleteContent(...) {
    return execute(() -> {
        final InputStream content =
                gitLab.getRepositoryFileApi().getRawFile(...); // FAILS HERE
        gitLab.getRepositoryFileApi().deleteFile(...);
        return content;
    });
}
{code}
h3. Error
{code}
org.gitlab4j.api.GitLabApiException:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html><head><title>403 Forbidden</title></head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<address>Apache Server at [hostname] Port 80</address>
</body></html>
at org.gitlab4j.api.RepositoryFileApi.getRawFile(RepositoryFileApi.java:422)
at org.apache.nifi.gitlab.GitLabRepositoryClient.lambda$deleteContent$8
{code}
h3. Proposed Fix
Use \{{getFile()}} instead of \{{getRawFile()}}. The \{{getFile()}} method uses
the standard \{{/api/v4/projects/.../repository/files/...}} endpoint (without
\{{/raw}}) which returns Base64-encoded content and works correctly behind
reverse proxies.
{code:java}
// Proposed fix
public InputStream deleteContent(...) {
    return execute(() -> {
        RepositoryFile file =
                gitLab.getRepositoryFileApi().getFile(projectPath, resolvedPath, branch);
        byte[] content = Base64.getDecoder().decode(file.getContent());
        gitLab.getRepositoryFileApi().deleteFile(...);
        return new ByteArrayInputStream(content);
    });
}
{code}
h3. Related
- gitlab4j-api issue: https://github.com/gmessner/gitlab4j-api/issues/282
h3. Environment
- NiFi 2.7.0
- GitLab behind Apache reverse proxy
was:
h3. Problem
GitLabFlowRegistryClient fails to register flow snapshots when GitLab is behind
an Apache reverse proxy. The verification passes all checks, but "Start Version
Control" fails with 403 Forbidden.
h3. Root Cause
The \{{deleteContent()}} method in \{{GitLabRepositoryClient.java}} uses
\{{getRawFile()}} which hits the
\{{/api/v4/projects/.../repository/files/.../raw}} endpoint. This endpoint is
handled differently by some reverse proxies, causing a redirect to HTTP port 80
where authentication fails.
{code:java}
// Current implementation (line ~266)
public InputStream deleteContent(...) {
    return execute(() -> {
        final InputStream content =
                gitLab.getRepositoryFileApi().getRawFile(...); // FAILS HERE
        gitLab.getRepositoryFileApi().deleteFile(...);
        return content;
}); {code}
{code:java}
}
{code}
h3. Error
{code}
org.gitlab4j.api.GitLabApiException:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html><head><title>403 Forbidden</title></head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<address>Apache Server at [hostname] Port 80</address>
</body></html>
at org.gitlab4j.api.RepositoryFileApi.getRawFile(RepositoryFileApi.java:422)
at org.apache.nifi.gitlab.GitLabRepositoryClient.lambda$deleteContent$8
{code}
h3. Proposed Fix
Use \{{getFile()}} instead of \{{getRawFile()}}. The \{{getFile()}} method uses
the standard \{{/api/v4/projects/.../repository/files/...}} endpoint (without
\{{/raw}}) which returns Base64-encoded content and works correctly behind
reverse proxies.
{code:java}
// Proposed fix
public InputStream deleteContent(...) {
    return execute(() -> {
        RepositoryFile file =
                gitLab.getRepositoryFileApi().getFile(projectPath, resolvedPath, branch);
        byte[] content = Base64.getDecoder().decode(file.getContent());
        gitLab.getRepositoryFileApi().deleteFile(...);
        return new ByteArrayInputStream(content);
    });
}
{code}
h3. Related
- gitlab4j-api issue: https://github.com/gmessner/gitlab4j-api/issues/282
h3. Environment
- NiFi 2.7.0
- GitLab behind Apache reverse proxy
> GitLabRepositoryClient.deleteContent() fails with 403 when GitLab is behind
> reverse proxy due to getRawFile() usage
> -------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-15692
> URL: https://issues.apache.org/jira/browse/NIFI-15692
> Project: Apache NiFi
> Issue Type: Bug
> Components: Extensions
> Affects Versions: 2.7.2
> Reporter: Ivan Majsinger
> Priority: Major
>
> h3. Problem
> GitLabFlowRegistryClient fails to register flow snapshots when GitLab is
> behind an Apache reverse proxy. The verification passes all checks, but
> "Start Version Control" fails with 403 Forbidden.
> h3. Root Cause
> The \{{deleteContent()}} method in \{{GitLabRepositoryClient.java}} uses
> \{{getRawFile()}} which hits the
> \{{/api/v4/projects/.../repository/files/.../raw}} endpoint. This endpoint is
> handled differently by some reverse proxies, causing a redirect to HTTP port
> 80 where authentication fails.
> {code:java}
> // Current implementation (line ~266)
> public InputStream deleteContent(...) {
>     return execute(() -> {
>         final InputStream content =
>                 gitLab.getRepositoryFileApi().getRawFile(...); // FAILS HERE
>         gitLab.getRepositoryFileApi().deleteFile(...);
>         return content;
>     });
> }
> {code}
> h3. Error
> {code}
> org.gitlab4j.api.GitLabApiException:
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
> <html><head><title>403 Forbidden</title></head><body>
> <h1>Forbidden</h1>
> <p>You don't have permission to access this resource.</p>
> <address>Apache Server at [hostname] Port 80</address>
> </body></html>
> at org.gitlab4j.api.RepositoryFileApi.getRawFile(RepositoryFileApi.java:422)
> at org.apache.nifi.gitlab.GitLabRepositoryClient.lambda$deleteContent$8
> {code}
> h3. Proposed Fix
> Use \{{getFile()}} instead of \{{getRawFile()}}. The \{{getFile()}} method
> uses the standard \{{/api/v4/projects/.../repository/files/...}} endpoint
> (without \{{/raw}}) which returns Base64-encoded content and works correctly
> behind reverse proxies.
> {code:java}
> // Proposed fix
> public InputStream deleteContent(...) {
>     return execute(() -> {
>         RepositoryFile file =
>                 gitLab.getRepositoryFileApi().getFile(projectPath, resolvedPath, branch);
>         byte[] content = Base64.getDecoder().decode(file.getContent());
>         gitLab.getRepositoryFileApi().deleteFile(...);
>         return new ByteArrayInputStream(content);
>     });
> }
> {code}
> h3. Related
> - gitlab4j-api issue: https://github.com/gmessner/gitlab4j-api/issues/282
> h3. Environment
> - NiFi 2.7.0
> - GitLab behind Apache reverse proxy
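A client-side check for the failure mode described in this issue (a proxy answering the HTTPS API request with a redirect to HTTP port 80), as an added example that is not NiFi or gitlab4j code: it classifies a redirect response and decides whether an API token may follow it. The class name, host, project id and URLs are constructed placeholders.

```java
import java.net.URI;

public class RedirectDowngradeCheck {

    enum Verdict { NOT_A_REDIRECT, SAME_ORIGIN, SCHEME_DOWNGRADE, CROSS_ORIGIN }

    // Effective port: the explicit port, else the default for the scheme.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Classify the response to `request` from its status code and Location header.
    static Verdict classify(URI request, int status, String location) {
        if (status < 300 || status > 399 || location == null) return Verdict.NOT_A_REDIRECT;
        URI target = request.resolve(location); // Location may be relative
        boolean wasTls = "https".equalsIgnoreCase(request.getScheme());
        boolean isTls = "https".equalsIgnoreCase(target.getScheme());
        if (wasTls && !isTls) return Verdict.SCHEME_DOWNGRADE;
        boolean sameHost = request.getHost().equalsIgnoreCase(target.getHost());
        boolean sameScheme = request.getScheme().equalsIgnoreCase(target.getScheme());
        if (sameHost && sameScheme && port(request) == port(target)) return Verdict.SAME_ORIGIN;
        return Verdict.CROSS_ORIGIN;
    }

    // Only a same-origin redirect may carry the API token along.
    static boolean mayForwardToken(Verdict v) {
        return v == Verdict.SAME_ORIGIN;
    }

    public static void main(String[] args) {
        // Constructed sample values: the /raw request and three possible proxy responses.
        URI raw = URI.create(
                "https://gitlab.example.test/api/v4/projects/42/repository/files/flow.json/raw?ref=main");
        String[][] responses = {
            {"301", "http://gitlab.example.test/api/v4/projects/42/repository/files/flow.json/raw?ref=main"},
            {"302", "/api/v4/projects/42/repository/files/flow.json?ref=main"},
            {"200", null},
        };
        for (String[] r : responses) {
            Verdict v = classify(raw, Integer.parseInt(r[0]), r[1]);
            System.out.println(r[0] + " -> " + v + ", forward token: " + mayForwardToken(v));
        }
    }
}
```

To apply it to a live deployment, issue the request with automatic redirect following disabled and pass the observed status and Location header to `classify`.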