gitea using a normal user and https
I am trying to set up gitea to use https with a certificate I got from letsencrypt, running the service as a normal user.

I already got it working with http on port 80 with a normal user git and redirecting port 80 to port 3000 using iptables.

Also I already got it working with https on port 3000 redirecting to port 3080.

But I can't figure out how to configure it (maybe along with iptables) so that requests to port 80 redirect to the appropriate port (3000? 3080?).

I redirect the port 80 to port 3000 using this iptables command as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000

And this is the relevant part of my configuration for HTTP

RUN_USER         = git

LOCAL_ROOT_URL   = http://localhost:3000/
DOMAIN           = example
HTTP_PORT        = 80
ROOT_URL         = http://example.com

This is my configuration for HTTPS on port 3000 redirecting to port 3080

RUN_USER            = git

PROTOCOL            = https
LOCAL_ROOT_URL      = https://localhost:3000/
DOMAIN              = example.com
HTTP_PORT           = 3000
REDIRECT_OTHER_PORT = true
PORT_TO_REDIRECT    = 3080
ROOT_URL            = https://example.com
CERT_FILE           = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE            = /etc/letsencrypt/live/example.com/privkey.pem

With this configuration I can visit https://example.com:3000 and it works fine, but if I visit https://example.com:3080 I get a Secure Connection Failed with Error code: SSL_ERROR_RX_RECORD_TOO_LONG.

I tried to redirect the port 80 to port 3080 using iptables but it didn't work.

Can you help me set it up so I can run the service as normal user in port 80 so that people can visit it at https://example.com ? (maybe using iptables as root beforehand to redirect some ports) Thanks in advance

Cabbala answered 1/10, 2019 at 10:43 Comment(0)
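A way to tell which kind of listener sits on each port, added here as an example and not part of the question or of Gitea's own code. With PROTOCOL = https and REDIRECT_OTHER_PORT = true, Gitea serves TLS on HTTP_PORT and opens a second, plain-HTTP listener on PORT_TO_REDIRECT whose only job is to answer with a redirect to ROOT_URL. A browser that opens https://example.com:3080 therefore sends a TLS ClientHello to a plaintext listener and gets an HTTP response back; the bytes "HTTP" where a TLS record header should be are what Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG, and the port has to be reached with http:// instead. The probe below sends a minimal TLS 1.2 ClientHello and classifies the first bytes of the reply. The host, the ports and the canned local listeners used for the self-check are assumptions.

```python
"""Probe which ports speak TLS and which speak plaintext HTTP.

Added example. Sends a minimal TLS 1.2 ClientHello and classifies the first
bytes of the reply instead of trusting a browser's error message.
"""
import os
import socket
import struct
import sys
import threading


def build_client_hello(server_name: str) -> bytes:
    """A minimal, well-formed TLS 1.2 ClientHello with SNI and four ECDHE suites:
    enough for a TLS stack to answer with a ServerHello (or at least an alert
    record) and enough to make a plaintext HTTP server answer with an error."""
    def ext(ext_type: int, body: bytes) -> bytes:
        return struct.pack("!HH", ext_type, len(body)) + body

    name = server_name.encode()
    suites = b"".join(struct.pack("!H", s) for s in (0xC02F, 0xC02B, 0xC030, 0xC02C))
    exts = (
        ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)  # server_name
        + ext(0x000A, struct.pack("!HHH", 4, 0x001D, 0x0017))                  # supported_groups: x25519, P-256
        + ext(0x000B, b"\x01\x00")                                            # ec_point_formats: uncompressed
        + ext(0x000D, struct.pack("!HHHH", 6, 0x0403, 0x0804, 0x0401))        # signature_algorithms
    )
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"            # version, random, empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                       # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sends back to a ClientHello."""
    if not data:
        return "closed"       # hung up without a word: ambiguous, check the server log
    if data[0] in (0x15, 0x16) and data[1:2] == b"\x03":
        return "tls"          # TLS alert (0x15) or handshake (0x16) record: a TLS listener
    if data.startswith(b"HTTP/"):
        return "http"         # plaintext HTTP answered a TLS hello; this is the port the
                              # browser calls SSL_ERROR_RX_RECORD_TOO_LONG, use http:// here
    return "unknown"


def probe(host: str, port: int, server_name=None, timeout: float = 3.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name or host))
        try:
            reply = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            return "closed"
    return classify_reply(reply)


def canned_listener(reply: bytes) -> int:
    """Constructed stand-in for the self-check only: accept one connection on
    127.0.0.1, read whatever arrives, send `reply`, close. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # usage: python3 probe.py example.com 443 3000 3080
    target, *ports = sys.argv[1:]
    for p in ports:
        print(f"{target}:{p} -> {probe(target, int(p))}")
```

Run it against each port in the question and the answer is immediate: the port that reports "http" is the redirect listener and belongs behind an iptables REDIRECT for port 80, the one that reports "tls" is the one port 443 should be redirected to.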
The port for HTTPS is 443. Most people would solve this by using a reverse proxy, not iptables.

Gitea can handle letsencrypt itself. Here's how:

[server]
PROTOCOL=https
DOMAIN=git.example.com
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL=email@example.com

Taken from: https://docs.gitea.io/en-us/https-setup/

Garygarza answered 1/10, 2019 at 10:53 Comment(2)
that requires the normal user to be able to open port 80, the point of my question is about not having to run the service as root (Cabbala)
setcap cap_net_bind_service=+ep /path/to/binary/gitea (Garygarza)
In case someone else needs it, here is the final configuration file; it redirects http requests to https.

I used # setcap cap_net_bind_service=+ep /path/to/binary/gitea as ptman suggested.

RUN_USER            = git

[server]
PROTOCOL            = https
DOMAIN              = example.com
HTTP_PORT           = 443
REDIRECT_OTHER_PORT = true
CERT_FILE           = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE            = /etc/letsencrypt/live/example.com/privkey.pem
SSH_DOMAIN          = example.com
DISABLE_SSH         = false
SSH_PORT            = 22
OFFLINE_MODE        = false
Cabbala answered 1/10, 2019 at 12:4 Comment(0)
The letsencrypt api is included in gitea. To setup gitea with docker-compose and let's encrypt just edit your [server] configuration like this:

....
[server]
APP_DATA_PATH    = /data/gitea
DOMAIN           = example.com
SSH_DOMAIN       = example.com
HTTP_PORT        = 443
; ROOT_URL must use the same scheme as PROTOCOL below, otherwise every
; generated link points at a plaintext port nothing is listening on
ROOT_URL         = https://example.com
PROTOCOL=https
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL=email@example.com
.....

and your docker-compose.yaml port configuration will look like this:

  server:
    image: gitea/gitea:1.13.2
    container_name: gitea
    ports:
      - "443:443"
      - "222:22"
....
Cabezon answered 25/2, 2021 at 18:41 Comment(0)
💡 If you want to use Gitea with https/ssl from Let's Encrypt on port 443 without modifying /data/gitea/conf/app.ini inside the docker container, you can pass Gitea's built-in environment variables via docker-compose.yml. The template for the variable names is:

GITEA__[SECTION_NAME]__[VARIABLE]

For example in app.ini:

[server]
#...
DOMAIN = mysite.com

In the docker-compose.yml variable is

GITEA__server__DOMAIN: mysite.com

👉 Docker-compose for https/SSL/[443 port]/LetsEncrypt for Gitea with MySQL

⚠️ NOTE: you can only use 3 ports:

80 [http]

443 [https]

3000 [internal Gitea port if 80 or 443 in use, or you use Nginx Proxy Manager]

services:
  gitea_server:
    image: gitea/gitea:latest
    container_name: gitea
    restart: always
    environment:
      USER_UID: 1000
      USER_GID: 1000
      # database
      GITEA__database__DB_TYPE: mysql
      GITEA__database__HOST: "gitea_db:${DB_PORT}"
      GITEA__database__USER: ${DB_USER}
      GITEA__database__PASSWD: ${DB_PASS}
      GITEA__database__NAME: ${DB_NAME}
      # server
      GITEA__server__DOMAIN: ${DNS_NAME}
      GITEA__server__SSH_DOMAIN: ${DNS_NAME}
      GITEA__server__HTTP_PORT: ${HTTP_PORT}
      GITEA__server__REDIRECT_OTHER_PORT: ${REDIRECT_OTHER_PORT}
      GITEA__server__PROTOCOL: ${PROTOCOL}
      GITEA__server__ROOT_URL: https://${DNS_NAME}
      
      # COMMENT OUT LETSENCRYPT VALUES IF YOU HAVE OWN CERTS FILES!!
      GITEA__server__ENABLE_LETSENCRYPT: ${ENABLE_LETSENCRYPT}
      GITEA__server__LETSENCRYPT_ACCEPTTOS: ${LETSENCRYPT_ACCEPTTOS}
      GITEA__server__LETSENCRYPT_DIRECTORY: ${LETSENCRYPT_DIRECTORY}
      GITEA__server__LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL}
      
      # OPTIONAL. OWN CERTS FILES IF YOU HAVE THE ONES
      GITEA__server__CERT_FILE: ${CERT_FILE}
      GITEA__server__KEY_FILE: ${KEY_FILE}
    networks:
      - gitea
    ports:
      - "${HTTP_PORT}:${HTTP_PORT}"
      #- "3000:3000"
      #- "80:80"
      #- "443:443"
      #- "3000:80"
      - "222:22"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      # OPTIONAL. your custom generated certs from local folder mysite.com
      - ./data/letsencrypt/mysite.com:/var/letsencrypt/mysite.com
    depends_on:
      - gitea_db
  gitea_db:
    image: mysql:latest
    container_name: db
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASS}
      MYSQL_USER: ${DB_USER}
      MYSQL_PASSWORD: ${DB_PASS}
      MYSQL_DATABASE: ${DB_NAME}
    networks:
      - gitea
    volumes:
      - ./mysql:/var/lib/mysql
networks:
  gitea:
    external: false

⚙️ .env file

# docker
COMPOSE_PROJECT_NAME=gitea-mysite-com
# server
DNS_NAME="mysite.com"
# http
#HTTP_PORT=80
#PROTOCOL=http
#REDIRECT_OTHER_PORT=false

# https/ssl
HTTP_PORT=443
PROTOCOL=https
REDIRECT_OTHER_PORT=true
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL="admin@mysite.com"

# OPTIONAL. ONLY IF YOU HAVE OWN CERTS
CERT_FILE=/var/letsencrypt/mysite.com/certfile.pem
KEY_FILE=/var/letsencrypt/mysite.com/keyfile.key

# database
# !!!ALWAYS 3306!!!
DB_PORT=3306
DB_ROOT_PASS="my_root_password"
DB_NAME=gitea
DB_USER=gitea
DB_PASS="db_password"

😸 Go to [https://]mysite.com and install Gitea

Caliginous answered 3/10 at 9:48 Comment(0)