sslhttpsiptablesgitea

gitea using a normal user and https


I am trying to setup gitea to use https with a certificate I got from letsencrypt running the service as a normal user.

I already got it working with http on port 80 with a normal user git and redirecting port 80 to port 3000 using iptables.

Also I already got it working with https on port 3000 redirecting to port 3080.

But I can't figure out how to configure it (maybe along with iptables) so that requests to port 80 redirect to the appropiate port (3000? 3080?).

I redirect the port 80 to port 3000 using this iptables command as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000

And this is the relevant part of my configuration for HTTP

RUN_USER         = git

LOCAL_ROOT_URL   = http://localhost:3000/
DOMAIN           = example
HTTP_PORT        = 80
ROOT_URL         = http://example.com

This is my configuration for HTTP on port 3000 redirecting to port 3080

RUN_USER            = git

PROTOCOL            = https
LOCAL_ROOT_URL      = https://localhost:3000/
DOMAIN              = example.com
HTTP_PORT           = 3000
REDIRECT_OTHER_PORT = true
PORT_TO_REDIRECT    = 3080
ROOT_URL            = https://example.com
CERT_FILE           = /etc/letsencrypt/live/example.com/fullchain.pem
KEY_FILE            = /etc/letsencrypt/live/example.com/privkey.pem

With this configuration I can visit https://example.com:3000 and it works fine but if I visit https://example.com:3080 I get an Secure Connection Failed with Error code: SSL_ERROR_RX_RECORD_TOO_LONG.

I tried to redirect the port 80 to port 3080 using iptables but it didn't work.

Can you help me set it up so I can run the service as normal user in port 80 so that people can visit it at https://example.com ? (maybe using iptables as root beforehand to redirect some ports) Thanks in advance


Solution

  • The port for HTTPS is 443. Most people would solve this by using a reverse proxy, not iptables.

    Gitea can handle letsencrypt itself. Here's how:

    [server]
    PROTOCOL=https
    DOMAIN=git.example.com
    ENABLE_LETSENCRYPT=true
    LETSENCRYPT_ACCEPTTOS=true
    LETSENCRYPT_DIRECTORY=https
    LETSENCRYPT_EMAIL=email@example.com
    

    Taken from: https://docs.gitea.io/en-us/https-setup/