Skip to content

fix: preserve HTTP protocol for self-hosted Gitea/Forgejo instances#12439

Merged
neubig merged 1 commit intoOpenHands:mainfrom
MkDev11:fix/http-protocol-gitea-forgejo
Jan 15, 2026
Merged

fix: preserve HTTP protocol for self-hosted Gitea/Forgejo instances#12439
neubig merged 1 commit intoOpenHands:mainfrom
MkDev11:fix/http-protocol-gitea-forgejo

Conversation

@MkDev11
Copy link
Copy Markdown
Contributor

@MkDev11 MkDev11 commented Jan 15, 2026

Summary of PR

This PR fixes the issue where self-hosted Gitea/Forgejo instances running on HTTP fail with a 500 Internal Server Error due to the sandbox forcing HTTPS for git clone operations.

The root cause was that get_authenticated_git_url() in provider.py strips the protocol from the host and always reconstructs URLs with https://, regardless of the user's configuration. This causes a GnuTLS handshake failure when the target server only supports HTTP.

Changes:

  • Detect the protocol from the host before normalizing the domain
  • Use the detected protocol (http or https) when constructing git clone URLs for all providers (GitLab, Bitbucket, GitHub, Forgejo)
  • Fix web_base_url in Forgejo service to preserve the protocol from BASE_URL

Demo Screenshots/Videos

N/A - Backend fix, no UI changes.

Change Type

  • Bug fix
  • New feature
  • Breaking change
  • Refactor
  • Other (dependency update, docs, typo fixes, etc.)

Checklist

  • I have read and reviewed the code and I understand what the code is doing.
  • I have tested the code to the best of my ability and ensured it works as expected.

Fixes

Resolves #12358

Release Notes

  • Include this change in the Release Notes.

Self-hosted Gitea/Forgejo instances running on HTTP now work correctly. Previously, the sandbox would force HTTPS for git clone operations, causing connection failures.

Contribution by Gittensor, see my contribution statistics at https://gittensor.io/miners/details?githubId=94194147

@MkDev11 MkDev11 force-pushed the fix/http-protocol-gitea-forgejo branch from 4322a60 to 9c928ee Compare January 15, 2026 15:12
@neubig neubig requested review from neubig and removed request for hieptl, malhotra5 and tofarr January 15, 2026 15:13
@neubig
Copy link
Copy Markdown
Contributor

neubig commented Jan 15, 2026

I can review this one!

@MkDev11 MkDev11 force-pushed the fix/http-protocol-gitea-forgejo branch from 9c928ee to 0d1552a Compare January 15, 2026 15:17
@MkDev11
Copy link
Copy Markdown
Contributor Author

MkDev11 commented Jan 15, 2026

@neubig I am open to your idea, just let me know if you have any feedback

neubig
neubig requested changes Jan 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@neubig neubig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @MkDev11, thanks for contributing this!

I can understand this, but I'm a little bit worried about supporting http:// silently, because http is insecure. But maybe we can make sure that the user understands the consequences and require an environment variable ALLOW_INSECURE_GIT_ACCESS, and if it is set to true we allow this connection. If it is unset or set to false, we throw an error saying something like "Attempting to connect to an insecure git repository. If you'd like to allow this nonetheless, set ALLOW_INSECURE_GIT_ACCESS=true as an environment variable"

@MkDev11 MkDev11 force-pushed the fix/http-protocol-gitea-forgejo branch from 0d1552a to 38012e5 Compare January 15, 2026 16:02
@MkDev11
Copy link
Copy Markdown
Contributor Author

MkDev11 commented Jan 15, 2026

Hi @MkDev11, thanks for contributing this!

I can understand this, but I'm a little bit worried about supporting http:// silently, because http is insecure. But maybe we can make sure that the user understands the consequences and require an environment variable ALLOW_INSECURE_GIT_ACCESS, and if it is set to true we allow this connection. If it is unset or set to false, we throw an error saying something like "Attempting to connect to an insecure git repository. If you'd like to allow this nonetheless, set ALLOW_INSECURE_GIT_ACCESS=true as an environment variable"

Done!

@MkDev11 MkDev11 requested a review from neubig January 15, 2026 16:03
neubig
neubig reviewed Jan 15, 2026
View reviewed changes
Comment thread openhands/integrations/provider.py Outdated
Comment thread openhands/integrations/provider.py Outdated
@MkDev11
fix: preserve HTTP protocol for self-hosted Gitea/Forgejo instances
34c1ccf 
Fixes OpenHands#12358

- Detect protocol from host before normalizing domain in get_authenticated_git_url()
- Use detected protocol (http/https) when constructing git clone URLs
- Fix web_base_url in Forgejo service to preserve protocol from BASE_URL

This allows self-hosted Gitea/Forgejo instances running on HTTP to work
without the sandbox forcing HTTPS and causing GnuTLS handshake failures.
@MkDev11 MkDev11 force-pushed the fix/http-protocol-gitea-forgejo branch from 38012e5 to 34c1ccf Compare January 15, 2026 16:17
@MkDev11 MkDev11 requested a review from neubig January 15, 2026 16:19
neubig
neubig approved these changes Jan 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@neubig neubig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution!

@MkDev11
Copy link
Copy Markdown
Contributor Author

MkDev11 commented Jan 15, 2026

can you merge it now?

@neubig neubig merged commit b5a615a into OpenHands:main Jan 15, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@neubig neubig neubig approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: 500 Internal Server Error with self-hosted Gitea (HTTP) - Sandbox forces HTTPS causing GnuTLS handshake failure

2 participants

@MkDev11 @neubig