github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-13 02:57:44 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

Integrate Let's Encrypt with Gitea #450

New Issue
Closed
opened 2025-11-02 03:23:50 -06:00 by GiteaMirror · 18 comments
GiteaMirror commented 2025-11-02 03:23:50 -06:00
Owner
Copy Link

Originally created by @pgaskin on GitHub (Mar 9, 2017).

It would be useful and encourage more people to use SSL if there is built in support for let's Encrypt.

Originally created by @pgaskin on GitHub (Mar 9, 2017). It would be useful and encourage more people to use SSL if there is built in support for let's Encrypt.
GiteaMirror added the type/enhancement label 2025-11-02 03:23:50 -06:00
GiteaMirror commented 2025-11-02 03:23:50 -06:00
Author
Owner
Copy Link

@tboerger commented on GitHub (Mar 9, 2017):

I think most people are using Gitea anyway behind a revers proxy. But with golang.org/x/crypto/acme/autocert it's pretty easy to implement it.

@tboerger commented on GitHub (Mar 9, 2017): I think most people are using Gitea anyway behind a revers proxy. But with `golang.org/x/crypto/acme/autocert` it's pretty easy to implement it.
GiteaMirror commented 2025-11-02 03:23:51 -06:00
Author
Owner
Copy Link

@asessa commented on GitHub (Apr 3, 2017):

This was just updated and looks interesting for let's encrypt integration:
https://go-review.googlesource.com/c/39207/

@asessa commented on GitHub (Apr 3, 2017): This was just updated and looks interesting for let's encrypt integration: https://go-review.googlesource.com/c/39207/
GiteaMirror commented 2025-11-02 03:23:51 -06:00
Author
Owner
Copy Link

@tboerger commented on GitHub (Apr 3, 2017):

Even without the latest change it have been damn easy to integrate

@tboerger commented on GitHub (Apr 3, 2017): Even without the latest change it have been damn easy to integrate
GiteaMirror commented 2025-11-02 03:23:51 -06:00
Author
Owner
Copy Link

@plessbd commented on GitHub (Apr 3, 2017):

It is extremely easy when using something like nginx as a proxy in front of gitea

# MANAGED BY PUPPET
server {
  listen *:80;
  server_name           server.tld;

  add_header              'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload';
  add_header              'X-Content-Type-Options' 'nosniff';
  return 301 https://$host$request_uri;
  access_log            /var/log/nginx/server.tld.access.log combined;
  error_log             /var/log/nginx/server.tld.error.log;
}
# MANAGED BY PUPPET
server {
  listen       *:443 ssl http2;
  server_name  server.tld;

  ssl on;

  ssl_certificate           /etc/letsencrypt/live/server.tld/fullchain.pem;
  ssl_certificate_key       /etc/letsencrypt/live/server.tld/privkey.pem;
  ssl_dhparam               /etc/ssl/certs/dhparam.pem;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/ssl-server.tld.access.log combined;
  error_log             /var/log/nginx/ssl-server.tld.error.log;
  add_header              'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload';
  add_header              'X-Content-Type-Options' 'nosniff';

  location /.well-known {
    root      /var/www;
    index     index.html index.htm index.php;
  }

  location /git/ {
    proxy_pass            http://localhost:3000/;
    proxy_read_timeout    90;
    proxy_connect_timeout 90;
    proxy_set_header      Host $host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      Proxy "";
  }
}
@plessbd commented on GitHub (Apr 3, 2017): It is extremely easy when using something like nginx as a proxy in front of gitea ``` # MANAGED BY PUPPET server { listen *:80; server_name server.tld; add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload'; add_header 'X-Content-Type-Options' 'nosniff'; return 301 https://$host$request_uri; access_log /var/log/nginx/server.tld.access.log combined; error_log /var/log/nginx/server.tld.error.log; } # MANAGED BY PUPPET server { listen *:443 ssl http2; server_name server.tld; ssl on; ssl_certificate /etc/letsencrypt/live/server.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/server.tld/privkey.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; ssl_prefer_server_ciphers on; index index.html index.htm index.php; access_log /var/log/nginx/ssl-server.tld.access.log combined; error_log /var/log/nginx/ssl-server.tld.error.log; add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubdomains; preload'; add_header 'X-Content-Type-Options' 'nosniff'; location /.well-known { root /var/www; index index.html index.htm index.php; } location /git/ { proxy_pass http://localhost:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; } } ```
GiteaMirror commented 2025-11-02 03:23:51 -06:00
Author
Owner
Copy Link

@tboerger commented on GitHub (Apr 3, 2017):

There are still enough people that don't use a reverse proxy in front of the application. The autocert lib makes it damn easy to integrate. We are using traefik in front of our services

@tboerger commented on GitHub (Apr 3, 2017): There are still enough people that don't use a reverse proxy in front of the application. The autocert lib makes it damn easy to integrate. We are using traefik in front of our services
GiteaMirror commented 2025-11-02 03:23:51 -06:00
Author
Owner
Copy Link

@ptman commented on GitHub (Apr 5, 2017):

@plessbd how is that easier than a single flag in gitea config saying "use letsencrypt"?

@ptman commented on GitHub (Apr 5, 2017): @plessbd how is that easier than a single flag in gitea config saying "use letsencrypt"?
GiteaMirror commented 2025-11-02 03:23:52 -06:00
Author
Owner
Copy Link

@tboerger commented on GitHub (Apr 8, 2017):

Beside the let's encrypt integration itself we should also add an automated redirect to https like mentioned at https://github.com/drone/drone/pull/1921#issuecomment-292056587

@tboerger commented on GitHub (Apr 8, 2017): Beside the let's encrypt integration itself we should also add an automated redirect to https like mentioned at https://github.com/drone/drone/pull/1921#issuecomment-292056587
GiteaMirror commented 2025-11-02 03:23:52 -06:00
Author
Owner
Copy Link

@appleboy commented on GitHub (Apr 8, 2017):

@tboerger I try the solution from https://github.com/drone/drone/pull/1921#issuecomment-292056587 it can't work for me.

see the source: https://github.com/go-training/training/blob/master/example10-simple-http-server/server/server07.go

package main

import (
	"log"
	"net/http"

	"github.com/gin-gonic/gin"
	"golang.org/x/crypto/acme/autocert"
	"golang.org/x/sync/errgroup"
)

func main() {
	r := gin.Default()

	// Ping handler
	r.GET("/ping", func(c *gin.Context) {
		c.String(200, "pong")
	})

	var g errgroup.Group

	g.Go(func() error {
		return http.ListenAndServe(":http", http.RedirectHandler("https://example.com", 303))
	})
	g.Go(func() error {
		return http.Serve(autocert.NewListener("example.com"), r)
	})

	if err := g.Wait(); err != nil {
		log.Fatal(err)
	}
}
@appleboy commented on GitHub (Apr 8, 2017): @tboerger I try the solution from https://github.com/drone/drone/pull/1921#issuecomment-292056587 it can't work for me. see the source: https://github.com/go-training/training/blob/master/example10-simple-http-server/server/server07.go ```go package main import ( "log" "net/http" "github.com/gin-gonic/gin" "golang.org/x/crypto/acme/autocert" "golang.org/x/sync/errgroup" ) func main() { r := gin.Default() // Ping handler r.GET("/ping", func(c *gin.Context) { c.String(200, "pong") }) var g errgroup.Group g.Go(func() error { return http.ListenAndServe(":http", http.RedirectHandler("https://example.com", 303)) }) g.Go(func() error { return http.Serve(autocert.NewListener("example.com"), r) }) if err := g.Wait(); err != nil { log.Fatal(err) } } ```
GiteaMirror commented 2025-11-02 03:23:52 -06:00
Author
Owner
Copy Link

@plessbd commented on GitHub (Apr 10, 2017):

@ptman Guess it depends on setup.

Personally I think a lets encrypt library is just adding dependencies to something that doesn't need it.

Isolation of responsibilities and all.

All lets encrypt does is give you a certificate, all gitea should do in my opinion is let you specify an ssl cert and use it.

@plessbd commented on GitHub (Apr 10, 2017): @ptman Guess it depends on setup. Personally I think a lets encrypt library is just adding dependencies to something that doesn't need it. Isolation of responsibilities and all. All lets encrypt does is give you a certificate, all gitea should do in my opinion is let you specify an ssl cert and use it.
GiteaMirror commented 2025-11-02 03:23:52 -06:00
Author
Owner
Copy Link

@bkcsoft commented on GitHub (Apr 18, 2017):

We did have cert build-tag a while ago, might consider adding it again but with lets encrypt support :)

@bkcsoft commented on GitHub (Apr 18, 2017): We did have `cert` build-tag a while ago, might consider adding it again but with lets encrypt support :)
GiteaMirror commented 2025-11-02 03:23:52 -06:00
Author
Owner
Copy Link

@lunny commented on GitHub (Apr 18, 2017):

@bkcsoft great idea and we could use a new command name, for example le?

@lunny commented on GitHub (Apr 18, 2017): @bkcsoft great idea and we could use a new command name, for example `le`?
GiteaMirror commented 2025-11-02 03:23:53 -06:00
Author
Owner
Copy Link

@bkcsoft commented on GitHub (Apr 18, 2017):

No need for a new command IMO. There should be a background worker to check the cert every X interval and update is necessary

@bkcsoft commented on GitHub (Apr 18, 2017): No need for a new command IMO. There should be a background worker to check the cert every X interval and update is necessary
GiteaMirror commented 2025-11-02 03:23:53 -06:00
Author
Owner
Copy Link

@jrmiller82 commented on GitHub (Dec 8, 2017):

+1 for this being built in; I'd rather not have to set up nginx if the only service my cheap VPS is running is gitea. Would much rather gitea be the only service running.

@jrmiller82 commented on GitHub (Dec 8, 2017): +1 for this being built in; I'd rather not have to set up nginx if the only service my cheap VPS is running is gitea. Would much rather gitea be the only service running.
GiteaMirror commented 2025-11-02 03:23:53 -06:00
Author
Owner
Copy Link

@tboerger commented on GitHub (Dec 8, 2017):

@bkcsoft no background worker required, the autocert lib handles everything automatically. This is also used within drone and some of my projects.

@tboerger commented on GitHub (Dec 8, 2017): @bkcsoft no background worker required, the autocert lib handles everything automatically. This is also used within drone and some of my projects.
GiteaMirror commented 2025-11-02 03:23:54 -06:00
Author
Owner
Copy Link

@jrmiller82 commented on GitHub (Dec 8, 2017):

Yeah, the hardest part of setting up Lets Encrypt with a single service like this is setting up the way for LE to verify the domain is yours.

@jrmiller82 commented on GitHub (Dec 8, 2017): Yeah, the hardest part of setting up Lets Encrypt with a single service like this is setting up the way for LE to verify the domain is yours.
GiteaMirror commented 2025-11-02 03:23:54 -06:00
Author
Owner
Copy Link

@tboerger commented on GitHub (Dec 8, 2017):

The mentioned autocert lib handles that, it just doesn't support the DNS retrieval.

@tboerger commented on GitHub (Dec 8, 2017): The mentioned autocert lib handles that, it just doesn't support the DNS retrieval.
GiteaMirror commented 2025-11-02 03:23:54 -06:00
Author
Owner
Copy Link

@egtann commented on GitHub (Jun 8, 2018):

Any update on this? As @tboerger is pointing out, this should be a ~5 LOC change to read a new config option and use the autocert library if requested: https://godoc.org/golang.org/x/crypto/acme/autocert, giving everybody HTTPS out-of-the-box without needing to set up/maintain a proxy.

@egtann commented on GitHub (Jun 8, 2018): Any update on this? As @tboerger is pointing out, this should be a ~5 LOC change to read a new config option and use the `autocert` library if requested: https://godoc.org/golang.org/x/crypto/acme/autocert, giving everybody HTTPS out-of-the-box without needing to set up/maintain a proxy.
GiteaMirror commented 2025-11-02 03:23:54 -06:00
Author
Owner
Copy Link

@ghost commented on GitHub (Jun 8, 2018):

@egtann I've created a pull for this. It's a couple more than 5 LOC, but if reviewed successfully then perhaps it could be in 1.6 release 🤞

@ghost commented on GitHub (Jun 8, 2018): @egtann I've created a pull for this. It's a couple more than 5 LOC, but if reviewed successfully then perhaps it could be in 1.6 release 🤞
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label type/enhancement
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#450
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?