4

I am trying to setup gitea to use https with a certificate I got from letsencrypt running the service as a normal user.

I already got it working with http on port 80 with a normal user git and redirecting port 80 to port 3000 using iptables.

Also I already got it working with https on port 3000 redirecting to port 3080.

But I can't figure out how to configure it (maybe along with iptables) so that requests to port 80 redirect to the appropiate port (3000? 3080?).

I redirect the port 80 to port 3000 using this iptables command as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000

And this is the relevant part of my configuration for HTTP

RUN_USER         = git

LOCAL_ROOT_URL   = http://localhost:3000/
DOMAIN           = example
HTTP_PORT        = 80
ROOT_URL         = http://example.com

This is my configuration for HTTP on port 3000 redirecting to port 3080

RUN_USER            = git

PROTOCOL            = https
LOCAL_ROOT_URL      = https://localhost:3000/
DOMAIN              = example.com
HTTP_PORT           = 3000
REDIRECT_OTHER_PORT = true
PORT_TO_REDIRECT    = 3080
ROOT_URL            = https://example.com
CERT_FILE           = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE            = /etc/letsencrypt/live/example.com/privkey.pem

With this configuration I can visit https://example.com:3000 and it works fine but if I visit https://example.com:3080 I get an Secure Connection Failed with Error code: SSL_ERROR_RX_RECORD_TOO_LONG.

I tried to redirect the port 80 to port 3080 using iptables but it didn't work.

Can you help me set it up so I can run the service as normal user in port 80 so that people can visit it at https://example.com ? (maybe using iptables as root beforehand to redirect some ports) Thanks in advance

Vicfred
  • 318
  • 1
  • 3
  • 9

3 Answers3

3

In case someone else need it here is the final configuration file is this, it redirects http requests to https.

I used # setcap cap_net_bind_service=+ep /path/to/binary/gitea as ptman suggested.

RUN_USER            = git

[server]
PROTOCOL            = https
DOMAIN              = example.com
HTTP_PORT           = 443
REDIRECT_OTHER_PORT = true
CERT_FILE           = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE            = /etc/letsencrypt/live/example.com/privkey.pem
SSH_DOMAIN          = example.com
DISABLE_SSH         = false
SSH_PORT            = 22
OFFLINE_MODE        = false
Vicfred
  • 318
  • 1
  • 3
  • 9
2

The port for HTTPS is 443. Most people would solve this by using a reverse proxy, not iptables.

Gitea can handle letsencrypt itself. Here's how:

[server]
PROTOCOL=https
DOMAIN=git.example.com
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL=email@example.com

Taken from: https://docs.gitea.io/en-us/https-setup/

ptman
  • 787
  • 13
  • 19
  • 1
    that requires the normal user to be able to open port 80, the point of my question is about not having to run the service as root – Vicfred Oct 01 '19 at 11:07
  • 2
    `setcap cap_net_bind_service=+ep /path/to/binary/gitea` – ptman Oct 01 '19 at 11:07
2

The letsencrypt api is included in gitea. To setup gitea with docker-compose and let's encrypt just edit your [server] configuration like this:

....
[server]
APP_DATA_PATH    = /data/gitea
DOMAIN           = example.com
SSH_DOMAIN       = example.com
HTTP_PORT        = 443
ROOT_URL         = http://example.com
PROTOCOL=https
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL=info@foo.com
.....

and your docker-compose.yaml port configuration will look like this:

  server:
    image: gitea/gitea:1.13.2
    container_name: gitea
    ports:
      - "443:443"
      - "222:22"
....
Ralph
  • 4,500
  • 9
  • 48
  • 87