We have identified the underlying issue causing the 400s. It seems that in recent versions, GitLab appears more sensitive to a blank Host header. Our reverse proxy supports HTTP/3 / QUIC, in which the host header is supposed to be replaced with the content of the pseudo-header :authority. The configuration we had for the GitLab host added the host header, using the contents of the request's host header. However, it did so using the $http_host variable instead of $host. $http_host strictly refers to a HTTP/1.1 style Host header, instead of the HTTP/3 pseudo-header that replaced it. Only $host properly checks this header. Thus, sending an HTTP/3 request results in an empty $http_host, and thus an empty Host header. GitLab must have previously not cared about this, but latest releases do.
We have accordingly solved the issue by changing our reverse proxy config to set Host headers based on $host.
Posted Mar 29, 2026 - 02:51 EDT
Identified
We have found a temporary change to our reverse proxy configuration that has fixed the issue, but we are still working to find the underlying cause.
Posted Mar 29, 2026 - 02:22 EDT
Investigating
We are investigating an inability to access GitLab following our maintenance period.