Vicfred
Vicfred

Reputation: 348

gitea using a normal user and https

I am trying to setup gitea to use https with a certificate I got from letsencrypt running the service as a normal user.

I already got it working with http on port 80 with a normal user git and redirecting port 80 to port 3000 using iptables.

Also I already got it working with https on port 3000 redirecting to port 3080.

But I can't figure out how to configure it (maybe along with iptables) so that requests to port 80 redirect to the appropiate port (3000? 3080?).

I redirect the port 80 to port 3000 using this iptables command as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000

And this is the relevant part of my configuration for HTTP

RUN_USER         = git

LOCAL_ROOT_URL   = http://localhost:3000/
DOMAIN           = example
HTTP_PORT        = 80
ROOT_URL         = http://example.com

This is my configuration for HTTP on port 3000 redirecting to port 3080

RUN_USER            = git

PROTOCOL            = https
LOCAL_ROOT_URL      = https://localhost:3000/
DOMAIN              = example.com
HTTP_PORT           = 3000
REDIRECT_OTHER_PORT = true
PORT_TO_REDIRECT    = 3080
ROOT_URL            = https://example.com
CERT_FILE           = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE            = /etc/letsencrypt/live/example.com/privkey.pem

With this configuration I can visit https://example.com:3000 and it works fine but if I visit https://example.com:3080 I get an Secure Connection Failed with Error code: SSL_ERROR_RX_RECORD_TOO_LONG.

I tried to redirect the port 80 to port 3080 using iptables but it didn't work.

Can you help me set it up so I can run the service as normal user in port 80 so that people can visit it at https://example.com ? (maybe using iptables as root beforehand to redirect some ports) Thanks in advance

Upvotes: 6

Views: 10469

Answers (4)

Igor
Igor

Reputation: 1182

💡 If you want to use Gitea with https/ssl from Let's Encrypt on 443 port without modifiyng /data/gitea/conf/app.ini inside docker container, you can pass Gitea built-in environment variables via docker-compose.yml. Template for variables are:

GITEA__[SECTION_NAME]__[VARIABLE]

For example in app.ini:

[server]
#...
DOMAIN = mysite.com

In the docker-compose.yml variable is

GITEA__server__DOMAIN: mysite.com

Full list of variables

👉 Docker-compose for https/SSL/[443 port]/LetsEncrypt for Gitea with MySQL

⚠️ NOTE: you can only use 3 ports:

80 [http]

443 [https]

3000 [internal Gitea port if 80 or 443 in use, or you use Nginx Proxy Manager]

services:
  server:
    image: gitea/gitea:latest
    container_name: gitea
    restart: always
    environment:
      USER_UID: 1000
      USER_GID: 1000
      # database
      GITEA__database__DB_TYPE: postgres
      GITEA__database__HOST: "db:${DB_PORT}"
      GITEA__database__USER: ${DB_USER}
      GITEA__database__PASSWD: ${DB_PASS}
      GITEA__database__NAME: ${DB_NAME}
      # server
      GITEA__server__DOMAIN: ${SITE_HOST}
      GITEA__server__SSH_DOMAIN: ${SITE_HOST}
      GITEA__server__HTTP_PORT: ${SITE_PORT}
      GITEA__server__REDIRECT_OTHER_PORT: ${REDIRECT_OTHER_PORT}
      GITEA__server__PROTOCOL: ${PROTOCOL}
      GITEA__server__ROOT_URL: https://${SITE_HOST}
      
      # COMMENT OUT LETSENCRYPT VALUES IF YOU HAVE OWN CERTS FILES!!
      #### !!!!DEPRECATED SINCE 1.19!!!!
      #GITEA__server__ENABLE_LETSENCRYPT: ${ENABLE_LETSENCRYPT}
      #GITEA__server__LETSENCRYPT_ACCEPTTOS: ${LETSENCRYPT_ACCEPTTOS}
      #GITEA__server__LETSENCRYPT_DIRECTORY: ${LETSENCRYPT_DIRECTORY}
      #GITEA__server__LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
      
      #ACME [since version 1.19]
      GITEA__server__ENABLE_ACME: ${ENABLE_ACME}
      GITEA__server__ACME_ACCEPTTOS: ${ACME_ACCEPTTOS}
      GITEA__server__ACME_DIRECTORY: ${ACME_DIRECTORY}
      GITEA__server__ACME_EMAIL: ${ACME_EMAIL}
      
      # OPTIONAL. OWN CERTS FILES IF YOU HAVE THE ONES
      #GITEA__server__CERT_FILE: ${CERT_FILE}
      #GITEA__server__KEY_FILE: ${KEY_FILE}
    networks:
      - gitea
    ports:
      - "${SITE_PORT}:${SITE_PORT}"
      #- "3000:3000"
      #- "80:80"
      #- "443:443"
      #- "3000:80"
      #- "222:22"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # OPTIONAL. your custom generated certs from local folder mysite.com
      #- ./data/letsencrypt/mysite.com:/var/letsencrypt/mysite.com
    depends_on:
      - db
  db:
    image: postgres:13.2
    container_name: giteadb
    restart: unless-stopped
    environment:
      POSTGRESQL_VOLUME_DIR: /var/data/gitea/db
      POSTGRES_USER: ${DB_USER}
      POSTGRES_PASSWORD: ${DB_PASS}
      POSTGRES_DB: ${DB_NAME}
    networks:
      - gitea
networks:
  gitea:
    driver: bridge

⚙️ .env file

# docker
COMPOSE_PROJECT_NAME=gitea-mysite-com
# server
SITE_HOST="mysite.com"
# http
#SITE_PORT=80
#PROTOCOL=http
#REDIRECT_OTHER_PORT=false

# https/ssl
SITE_PORT=443
PROTOCOL=https
REDIRECT_OTHER_PORT=true
ENABLE_ACME=true
ACME_ACCEPTTOS=true
ACME_DIRECTORY=https
ACME_EMAIL=my@email.com

# OPTIONAL. ONLY IF YOU HAVE OWN CERTS
CERT_FILE=/var/letsencrypt/mysite.com/certfile.pem
KEY_FILE=/var/letsencrypt/mysite.com/keyfile.key

# database [Postgres]
# !!!ALWAYS 5432!!!
DB_PORT=5432
DB_NAME=gitea
DB_USER=gitea
DB_PASS="db_password"

Run docker compose up -d

😸 Go to [https://]mysite.com and install Gitea

Upvotes: 1

Ralph
Ralph

Reputation: 4868

The letsencrypt api is included in gitea. To setup gitea with docker-compose and let's encrypt just edit your [server] configuration like this:

....
[server]
APP_DATA_PATH    = /data/gitea
DOMAIN           = example.com
SSH_DOMAIN       = example.com
HTTP_PORT        = 443
ROOT_URL         = http://example.com
PROTOCOL=https
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL=info@foo.com
.....

and your docker-compose.yaml port configuration will look like this:

  server:
    image: gitea/gitea:1.13.2
    container_name: gitea
    ports:
      - "443:443"
      - "222:22"
....

Upvotes: 2

Vicfred
Vicfred

Reputation: 348

In case someone else need it here is the final configuration file is this, it redirects http requests to https.

I used # setcap cap_net_bind_service=+ep /path/to/binary/gitea as ptman suggested.

RUN_USER            = git

[server]
PROTOCOL            = https
DOMAIN              = example.com
HTTP_PORT           = 443
REDIRECT_OTHER_PORT = true
CERT_FILE           = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE            = /etc/letsencrypt/live/example.com/privkey.pem
SSH_DOMAIN          = example.com
DISABLE_SSH         = false
SSH_PORT            = 22
OFFLINE_MODE        = false

Upvotes: 4

ptman
ptman

Reputation: 917

The port for HTTPS is 443. Most people would solve this by using a reverse proxy, not iptables.

Gitea can handle letsencrypt itself. Here's how:

[server]
PROTOCOL=https
DOMAIN=git.example.com
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL=email@example.com

Taken from: https://docs.gitea.io/en-us/https-setup/

Upvotes: 3

Related Questions