GitLab Web Terminal Architecture and Operational Lifecycle

Published by TechMarmot Editorail Staff on | Category GitLab CI

The integration of interactive command-line interfaces within a web-based version control system represents a significant leap in developer productivity, allowing for the direct manipulation of environments without the need for local SSH configurations. Within the GitLab ecosystem, the web terminal functionality serves as a bridge between the browser-based user interface and the underlying compute resources, such as Kubernetes clusters or active CI/CD job runners. This capability enables developers to execute commands, debug applications, and inspect system states in real-time. While the platform has evolved, introducing a next-generation Web IDE based on the open-source VS Code project, the underlying mechanisms for terminal access—particularly those associated with legacy deprecated versions and the newer integrated versions—rely on complex WebSocket handshakes, proxying via GitLab Workhorse, and strict authorization guards to ensure that administrative access to production or staging environments remains secure and audited.

Deprecated Web Terminals in GitLab Self-Managed

In GitLab Self-Managed installations, the legacy web terminal feature was formally deprecated in version 14.5. Despite its deprecated status, it remains a component of the Free, Premium, and Ultimate tiers for those utilizing self-managed instances. This feature is designed specifically for environments where deployments are handled by a deployment service, such as the Kubernetes integration.

The availability of this feature is not active by default. To enable it, a GitLab administrator must manually activate a specific feature flag.

  • Feature Flag: certificate_based_clusters

The impact of this requirement means that simply installing GitLab is insufficient to gain terminal access; the administrator must explicitly opt-in to this functionality, ensuring that the infrastructure is prepared for the security implications of providing browser-based shell access.

Access to these deprecated terminals is strictly guarded by role-based access control (RBAC). Only users who possess at least the Maintainer role for a specific project are permitted to access the web terminals. For users who cannot push to a protected branch, they must be part of a group assigned the Reporter role to maintain visibility, although the primary execution power remains with the Maintainer or Owner roles.

Technical Architecture of Web Terminal Connectivity

The operational flow of a GitLab web terminal is a sophisticated sequence of requests involving the browser, the GitLab Rails application, the Workhorse proxy, and the target Kubernetes API.

When a user navigates to the terminal page for a specific environment, the process follows this logic:

  1. JavaScript Application Delivery: The user is served a JavaScript application in their browser.
  2. WebSocket Initiation: This application opens a WebSocket connection back to the GitLab instance.
  3. Workhorse Handling: The WebSocket connection is managed by Workhorse. It is critical to note that the connection is not handled by the Rails application server, as Rails is not optimized for the long-lived, stateful nature of WebSocket connections.
  4. Authorization Query: Workhorse does not independently verify permissions; it queries the Rails application to determine the connection details and whether the specific user has the required permissions to access the environment.
  5. Proxying: Once authorized, Workhorse acts as a proxy server. It passes WebSocket frames between the user's browser and the Kubernetes API.
  6. Continuous Polling: Workhorse regularly polls Rails to ensure the session remains valid. If the user's permissions are revoked or if the connection details change, Workhorse terminates the WebSocket connection immediately.

This architecture ensures that the session URL is never exposed to the end user. GitLab maintains all session states internally and proxies the traffic, preventing the leak of sensitive API endpoints to the client side.

Infrastructure Requirements and Network Configuration

The deployment of web terminals requires specific network configurations to support the WebSocket protocol, which differs significantly from standard HTTP requests.

Load Balancer Compatibility

The choice of load balancer is critical for the stability of web terminals.

  • AWS Classic Load Balancers: These do not support WebSockets and are therefore incompatible with GitLab web terminals.
  • AWS Network Load Balancers: These are the required alternative for users running GitLab on AWS to ensure WebSocket traffic is routed correctly.

Reverse Proxy Header Configuration

Every HTTP or HTTPS reverse proxy positioned in front of Workhorse must be configured to allow the passage of specific headers. Specifically, the Connection and Upgrade headers must be passed to the next entity in the chain. While GitLab is configured by default to handle this, external load balancers often strip these headers, which breaks the WebSocket handshake.

To optimize security and performance, administrators can choose one of two configuration paths:

  • Global Enablement: Enable support for these headers globally. Because Workhorse does not allow WebSocket requests to pass through to non-WebSocket endpoints, this is generally considered safe.
  • Restricted Enablement: Limit the header pass-through to specific URLs that end with /terminal.ws.

If an administrator wishes to disable web terminal support entirely, they must stop passing the Connection and Upgrade hop-by-hop headers in the first reverse proxy of the chain. In most standard Linux package installations, this is handled by the bundled NGINX server.

Security Framework for Interactive Terminals

To prevent unauthorized access and ensure data integrity, GitLab employs a multi-layered security strategy for interactive terminals, particularly those associated with GitLab Runners.

Interactive web terminals are completely disabled unless the [session_server] is properly configured. When a session is initiated, the following security measures are applied:

  • x509 Certificate Generation: Every time a runner starts, it generates an x509 certificate. This certificate is used to establish a Web Socket Secure (wss) connection.
  • Random Session URLs: For every created job, a unique, random URL is generated. This URL is discarded immediately upon the conclusion of the job.
  • URL Structure: The session URL follows the format (IP|HOST):PORT/session/$SOME_HASH, where the IP/HOST and PORT are derived from the configured listen_address.
  • Authorization Headers: Every session URL requires an authorization header to be sent to successfully establish the wss connection.
Security Component Function Impact
x509 Certificate Encryption Ensures the connection between runner and browser is encrypted.
session_server Master Switch Prevents terminal access if not explicitly configured.
Authorization Header Access Guard Validates that the requestor is authorized to enter the session.
Random Hash URL Session Isolation Prevents session hijacking by using ephemeral, unique identifiers.

The Next-Generation Web IDE and Integrated Terminals

The evolution of the GitLab Web IDE, announced in December 2022, moved the platform toward a more robust development environment by rebuilding the IDE on top of the open-source VS Code project. This transition allows for a more seamless integration of remote development environments and terminal capabilities.

Release Timeline and Availability

The new Web IDE experience was rolled out in phases:

  • GitLab.com: The Beta became available on December 19, 2022, and subsequently became the default experience.
  • GitLab Self-Managed: The Beta was introduced as part of the GitLab 15.7 release, available from December 22, 2022.

This new IDE is designed to eliminate the need for local development environments by allowing developers to connect securely to remote environments directly from the browser.

Extension Marketplace and Integration

The Web IDE's functionality is expanded through the use of extensions. By default, the Web IDE connects to the Open VSX Registry.

To install an extension, users must follow these steps:

  1. Navigate to the top menu bar.
  2. Select View > Extensions or use the keyboard shortcut Command+Shift+X.
  3. Enter the extension name in the search box.
  4. Select the desired extension.
  5. Select Install.

To uninstall an extension:

  1. Navigate to View > Extensions or press Command+Shift+X.
  2. Find the installed extension in the list.
  3. Select Uninstall.

Prerequisites for Extension Functionality

For extensions to operate, several requirements must be met:

  • User Preferences: The extension marketplace must be integrated within the user's preferences.
  • Administrator Activation: For Self-Managed and Dedicated instances, a GitLab administrator must enable the extension registry.
  • Enterprise Control: Group Owners must enable the Extension Marketplace for enterprise users.
  • Network Access: The browser must have access to the .cdn.web-ide.gitlab-static.net assets host. This is a security requirement to ensure that third-party extensions run in isolation and cannot access the user's account.

Troubleshooting and Advanced Configuration

Implementing web terminals and the Web IDE in a self-managed environment often introduces specific technical hurdles related to authentication and infrastructure.

OAuth Callback URL Mismatches

A common issue when using a proxy is a failure in the OAuth callback process. This occurs when the callback URL does not match the URL used to access the GitLab instance.

To resolve this, an administrator must perform the following:

  1. Select Admin in the upper-right corner.
  2. Select Applications from the left sidebar.
  3. Locate GitLab Web IDE and select Edit.
  4. Enter the correct OAuth callback URL. If multiple URLs are required, they should be separated by newlines.

Access Token Lifetime Constraints

In GitLab Self-Managed instances, users may encounter an error stating that the access token lifetime cannot be less than 5 minutes. This is a hard requirement for the Web IDE to function. If the instance is configured with an expiry time shorter than 5 minutes, the Web IDE will fail to operate. The solution is to increase the access token lifetime in the instance configuration to a minimum of 5 minutes.

Workhorse Dependencies

The Web IDE relies heavily on Workhorse. In Self-Managed environments, Workhorse must be installed and running in front of the GitLab Rails server. Failure to do so will result in the Web IDE failing to open or specific features, such as the Markdown preview, malfunctioning. This is because certain parts of the Web IDE must run in a separate origin for security reasons, and Workhorse manages the routing and proxying required for this isolation.

Conclusion

The GitLab web terminal and the integrated Web IDE represent a convergence of cloud-native orchestration and browser-based productivity. The architecture relies on a high-trust relationship between the GitLab Rails server, the Workhorse proxy, and the Kubernetes API, secured by x509 certificates and short-lived, hashed session URLs. While the deprecated web terminals provided the initial foundation for environment interaction, the transition to a VS Code-based Web IDE offers a more scalable and feature-rich environment. However, the success of these tools in a self-managed context is entirely dependent on the administrator's ability to correctly configure network headers, manage OAuth callback URLs, and ensure that the infrastructure—specifically the load balancers—supports the stateful nature of WebSocket communication. The shift toward remote development environments directly within the browser minimizes the friction of local setup while maintaining strict authorization guards, ensuring that the power of the terminal does not compromise the security of the production cluster.

Sources

  1. GitLab Web Terminals Documentation
  2. GitLab Environments Documentation
  3. GitLab Web IDE User Guide
  4. GitLab Blog: New Web IDE Announcement

Related Posts