Skip to content

Document HTTPS proxy workaround for HTTP instances on macOS #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Byron wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Document HTTPS proxy workaround for HTTP instances on macOS #160

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 46 additions & 1 deletion content/docs/troubleshooting/custom-csp.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ title: Custom Content Security Policy (CSP)
description: Configure custom Content Security Policy settings to allow GitButler connections to self-hosted GitHub, GitLab, or Ollama instances.
---

import { Callout } from 'fumadocs-ui/components/callout';
import { Tab, Tabs } from 'fumadocs-ui/components/tabs';

By default GitButler uses a strict Content Security Policy (CSP) to protect against various attacks, such as cross-site scripting (XSS) and data injection attacks. This policy restricts the sources from which content can be loaded, as well as the hosts the application can connect to, ensuring that only trusted sources are allowed.
Expand Down Expand Up @@ -62,4 +63,48 @@ Note that if `extraCsp` is the only entry in the JSON file, you may want to encl
}
```

The changes will take effect the next time you start GitButler.
The changes will take effect the next time you start GitButler.

## Connecting to HTTP instances

If you are trying to connect to a self-hosted instance served over plain HTTP, you may find that GitButler cannot reach it even with the correct CSP configuration. This is because WebKit (used by GitButler on macOS) blocks insecure HTTP requests from applications. Other platforms may exhibit similar behavior depending on their WebView implementation.

<Callout type="info">
This only affects instances served over plain HTTP. If your self-hosted instance already uses HTTPS, you can skip this section.
</Callout>

As a workaround, you can run a local HTTPS reverse proxy using [Caddy](https://caddyserver.com). Caddy automatically generates a locally-trusted TLS certificate, so GitButler sees a secure connection while your self-hosted instance continues to run over HTTP.

### Setting up Caddy as a local HTTPS proxy

The following example uses [Homebrew](https://brew.sh) on macOS, but the same approach works on any platform where Caddy is available.

1. Install Caddy:

```sh
brew install caddy
```

2. Create a `Caddyfile` (for example in `~/.config/caddy/Caddyfile`):

```caddyfile
https://127.0.0.1:PORT {
tls internal

reverse_proxy http://YOUR_INSTANCE:PORT {
header_up Host YOUR_INSTANCE_HOSTNAME
}
}
```

Replace `YOUR_INSTANCE` and `PORT` with the hostname and port of your self-hosted instance. The `header_up Host` directive ensures the original `Host` header is forwarded correctly.

3. Start Caddy:

```sh
caddy run --config ~/.config/caddy/Caddyfile
```

4. In GitButler, set your forge URL to `https://127.0.0.1:PORT` (matching the port from your Caddyfile) instead of the original HTTP URL.

Your self-hosted instance should now be accessible through the local HTTPS proxy.