Reputation: 348
I am trying to set up gitea to use https with a certificate I got from letsencrypt, running the service as a normal user.
I already got it working with http on port 80 with a normal user git and redirecting port 80 to port 3000 using iptables.
Also I already got it working with https on port 3000 redirecting to port 3080.
But I can't figure out how to configure it (maybe along with iptables) so that requests to port 80 redirect to the appropriate port (3000? 3080?).
I redirect the port 80 to port 3000 using this iptables command as root:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000
And this is the relevant part of my configuration for HTTP:
RUN_USER = git
LOCAL_ROOT_URL = http://localhost:3000/
DOMAIN = example
HTTP_PORT = 80
ROOT_URL = http://example.com
This is my configuration for HTTPS on port 3000 redirecting to port 3080:
RUN_USER = git
PROTOCOL = https
LOCAL_ROOT_URL = https://localhost:3000/
DOMAIN = example.com
HTTP_PORT = 3000
REDIRECT_OTHER_PORT = true
PORT_TO_REDIRECT = 3080
ROOT_URL = https://example.com
CERT_FILE = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE = /etc/letsencrypt/live/example.com/privkey.pem
With this configuration I can visit https://example.com:3000 and it works fine, but if I visit https://example.com:3080 I get a Secure Connection Failed with Error code: SSL_ERROR_RX_RECORD_TOO_LONG.
I tried to redirect port 80 to port 3080 using iptables but it didn't work.
Can you help me set it up so I can run the service as a normal user on port 80 so that people can visit it at https://example.com? (maybe using iptables as root beforehand to redirect some ports) Thanks in advance.
Upvotes: 6
Views: 10469
Reputation: 1182
💡 If you want to use Gitea with https/ssl from Let's Encrypt on port 443 without modifying /data/gitea/conf/app.ini inside the docker container, you can pass Gitea built-in environment variables via docker-compose.yml. The template for the variables is:
GITEA__[SECTION_NAME]__[VARIABLE]
For example, in app.ini:
[server]
#...
DOMAIN = mysite.com
In docker-compose.yml the variable is:
GITEA__server__DOMAIN: mysite.com
⚠️ NOTE: you can only use 3 ports:
✅ 80 [http]
✅ 443 [https]
✅ 3000 [internal Gitea port if 80 or 443 is in use, or you use Nginx Proxy Manager]
services:
  server:
    image: gitea/gitea:latest
    container_name: gitea
    restart: always
    environment:
      USER_UID: 1000
      USER_GID: 1000
      # database
      GITEA__database__DB_TYPE: postgres
      GITEA__database__HOST: "db:${DB_PORT}"
      GITEA__database__USER: ${DB_USER}
      GITEA__database__PASSWD: ${DB_PASS}
      GITEA__database__NAME: ${DB_NAME}
      # server
      GITEA__server__DOMAIN: ${SITE_HOST}
      GITEA__server__SSH_DOMAIN: ${SITE_HOST}
      GITEA__server__HTTP_PORT: ${SITE_PORT}
      GITEA__server__REDIRECT_OTHER_PORT: ${REDIRECT_OTHER_PORT}
      GITEA__server__PROTOCOL: ${PROTOCOL}
      GITEA__server__ROOT_URL: https://${SITE_HOST}
      # COMMENT OUT LETSENCRYPT VALUES IF YOU HAVE OWN CERTS FILES!!
      #### !!!!DEPRECATED SINCE 1.19!!!!
      #GITEA__server__ENABLE_LETSENCRYPT: ${ENABLE_LETSENCRYPT}
      #GITEA__server__LETSENCRYPT_ACCEPTTOS: ${LETSENCRYPT_ACCEPTTOS}
      #GITEA__server__LETSENCRYPT_DIRECTORY: ${LETSENCRYPT_DIRECTORY}
      #GITEA__server__LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
      # ACME [since version 1.19]
      GITEA__server__ENABLE_ACME: ${ENABLE_ACME}
      GITEA__server__ACME_ACCEPTTOS: ${ACME_ACCEPTTOS}
      GITEA__server__ACME_DIRECTORY: ${ACME_DIRECTORY}
      GITEA__server__ACME_EMAIL: ${ACME_EMAIL}
      # OPTIONAL. OWN CERTS FILES IF YOU HAVE THE ONES
      #GITEA__server__CERT_FILE: ${CERT_FILE}
      #GITEA__server__KEY_FILE: ${KEY_FILE}
    networks:
      - gitea
    ports:
      - "${SITE_PORT}:${SITE_PORT}"
      #- "3000:3000"
      #- "80:80"
      #- "443:443"
      #- "3000:80"
      #- "222:22"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # OPTIONAL. your custom generated certs from local folder mysite.com
      #- ./data/letsencrypt/mysite.com:/var/letsencrypt/mysite.com
    depends_on:
      - db
  db:
    image: postgres:13.2
    container_name: giteadb
    restart: unless-stopped
    environment:
      POSTGRESQL_VOLUME_DIR: /var/data/gitea/db
      POSTGRES_USER: ${DB_USER}
      POSTGRES_PASSWORD: ${DB_PASS}
      POSTGRES_DB: ${DB_NAME}
    networks:
      - gitea
networks:
  gitea:
    driver: bridge

# docker
COMPOSE_PROJECT_NAME=gitea-mysite-com
# server
SITE_HOST="mysite.com"
# http
#SITE_PORT=80
#PROTOCOL=http
#REDIRECT_OTHER_PORT=false
# https/ssl
SITE_PORT=443
PROTOCOL=https
REDIRECT_OTHER_PORT=true
ENABLE_ACME=true
ACME_ACCEPTTOS=true
ACME_DIRECTORY=https
ACME_EMAIL=my@email.com
# OPTIONAL. ONLY IF YOU HAVE OWN CERTS
CERT_FILE=/var/letsencrypt/mysite.com/certfile.pem
KEY_FILE=/var/letsencrypt/mysite.com/keyfile.key
# database [Postgres]
# !!!ALWAYS 5432!!!
DB_PORT=5432
DB_NAME=gitea
DB_USER=gitea
DB_PASS="db_password"
Run docker compose up -d
😸 Go to [https://]mysite.com and install Gitea
Upvotes: 1
Reputation: 4868
The letsencrypt api is included in gitea. To set up gitea with docker-compose and let's encrypt, just edit your [server] configuration like this:
....
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = example.com
SSH_DOMAIN = example.com
HTTP_PORT = 443
; ROOT_URL must use the same scheme as PROTOCOL, otherwise generated links point at plain http
ROOT_URL = https://example.com/
PROTOCOL = https
ENABLE_LETSENCRYPT = true
LETSENCRYPT_ACCEPTTOS = true
LETSENCRYPT_DIRECTORY = https
LETSENCRYPT_EMAIL = info@foo.com
.....
and your docker-compose.yaml port configuration will look like this:
  server:
    image: gitea/gitea:1.13.2
    container_name: gitea
    ports:
      - "443:443"
      - "222:22"
....
Upvotes: 2
Reputation: 348
In case someone else needs it, here is the final configuration file; it redirects http requests to https.
I used
# setcap cap_net_bind_service=+ep /path/to/binary/gitea
as ptman suggested.
RUN_USER = git
[server]
PROTOCOL = https
DOMAIN = example.com
HTTP_PORT = 443
REDIRECT_OTHER_PORT = true
CERT_FILE = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE = /etc/letsencrypt/live/example.com/privkey.pem
SSH_DOMAIN = example.com
DISABLE_SSH = false
SSH_PORT = 22
OFFLINE_MODE = false
Upvotes: 4
Reputation: 917
The port for HTTPS is 443. Most people would solve this by using a reverse proxy, not iptables.
Gitea can handle letsencrypt itself. Here's how:
[server]
PROTOCOL=https
DOMAIN=git.example.com
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL=email@example.com
Taken from: https://docs.gitea.io/en-us/https-setup/
Upvotes: 3