We hide a GitLab instance (among several other applications) behind a single Apache reverse proxy that performs user authentication (OpenID) before granting further access to the services behind it.
This allows us to have only one service (Apache) exposed to the public, so only one service can potentially be attacked.
Since GitLab provides access tokens (technically: basic auth) for granting access to its git repositories, we are forced to let git URLs pass our proxy without any authentication so that GitLab itself can authenticate them.
This technically opens a second attack vector, since unauthenticated users can reach GitLab directly.
Is there a feasible setup that does not open this second vector? Something like:
- User sends request with token header
- Apache tries to authenticate against Gitlab using this token
- Only on successful authentication, Apache lets the request pass to Gitlab
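The flow sketched in the question, written out as gating logic the proxy layer could run before forwarding a git request. This is an added example, not code from the question or from GitLab or Apache: it assumes the proxy can see the request path and the `Authorization` header, and that GitLab's REST API answers `GET /api/v4/user` with 200 for a valid personal access token sent in the `PRIVATE-TOKEN` header (the `gitlab_token_verifier` factory is the only part that talks to GitLab; the verifier is injected so the decision logic can be exercised offline). The sample credentials in the test are constructed.

```python
"""Token-gating decision for a reverse proxy in front of GitLab (added example)."""
import base64
import binascii
import re
from typing import Callable, Optional, Tuple

# Paths used by git's smart-HTTP transport. Only these may bypass the OpenID
# front door, and only when they carry a token GitLab accepts.
GIT_PATH_RE = re.compile(
    r"^/[^?#]+?\.git(?:/info/refs|/git-upload-pack|/git-receive-pack)?$"
)


def is_git_request(path: str) -> bool:
    """True if the path looks like a git-over-HTTP endpoint on this instance."""
    return GIT_PATH_RE.match(path) is not None


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, secret) from an HTTP Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, secret = decoded.partition(":")
    if not sep or not secret:
        return None
    return user, secret


TokenVerifier = Callable[[str], bool]


def gate(path: str, authorization: Optional[str], verify: TokenVerifier) -> Tuple[int, dict]:
    """Decide whether a request may be forwarded to GitLab.

    Returns (status, headers). status 0 means "forward upstream"; any other
    status is answered at the proxy without GitLab ever seeing the request.
    """
    if not is_git_request(path):
        # Everything that is not a git URL stays behind the OpenID login.
        return 403, {}
    creds = parse_basic_auth(authorization)
    challenge = {"WWW-Authenticate": 'Basic realm="GitLab"'}
    if creds is None:
        # git clients expect 401 + WWW-Authenticate before they send credentials.
        return 401, challenge
    _user, token = creds
    if not verify(token):
        return 401, challenge
    return 0, {}


def gitlab_token_verifier(base_url: str) -> TokenVerifier:
    """Build a verifier that asks GitLab whether a personal access token is valid.

    Assumption: GET /api/v4/user returns 200 when PRIVATE-TOKEN holds a valid
    token and 401 otherwise. Network errors fail closed.
    """
    import urllib.error
    import urllib.request

    def verify(token: str) -> bool:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v4/user",
            headers={"PRIVATE-TOKEN": token},
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status == 200
        except (urllib.error.HTTPError, urllib.error.URLError):
            return False

    return verify
```

Two caveats a practitioner would want: validating against `/api/v4/user` only covers personal access tokens, so deploy tokens and CI job tokens (which git also sends as basic-auth passwords) would need their own check or would be rejected at the proxy; and because every git request would trigger a lookup against GitLab, a short positive cache keyed on a hash of the token keeps the proxy from turning each `git fetch` into several extra API calls.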