diff --git a/HTTPS-SETUP.md b/HTTPS-SETUP.md
new file mode 100644
index 0000000..926c4c6
--- /dev/null
+++ b/HTTPS-SETUP.md
@@ -0,0 +1,81 @@
+# Setting Up HTTPS for Gitea with Traefik
+
+This guide explains how to configure Gitea with proper HTTPS using Traefik as a reverse proxy with automatic certificate management via Let's Encrypt.
+
+## Prerequisites
+
+- A domain name pointing to your server (currently using `bee8333.ddns.net`)
+- Ports 80 and 443 open and forwarded to your server
+- Docker and Docker Compose installed
+
+## Configuration Steps
+
+1. **Update email address in docker-compose.yml**
+
+ Edit the `docker-compose.yml` file and replace `your-email@example.com` with your actual email address. Let's Encrypt will use this for certificate expiration notifications:
+
+ ```yaml
+ --certificatesresolvers.letsencrypt.acme.email=your-email@example.com
+ ```
+
+2. **Start the services**
+
+ ```bash
+ docker-compose down
+ docker-compose up -d
+ ```
+
+3. **Check the status**
+
+ ```bash
+ docker-compose ps
+ ```
+
+ All services should be running without errors.
+
+## How It Works
+
+- **Traefik** acts as a reverse proxy, handling incoming HTTP/HTTPS traffic
+- Automatically redirects HTTP to HTTPS
+- Obtains and renews SSL certificates from Let's Encrypt
+- Routes requests to the appropriate containers based on domain name
+
+## Troubleshooting
+
+If you encounter issues:
+
+1. **Check Traefik logs**
+
+ ```bash
+ docker-compose logs traefik
+ ```
+
+2. **Check Gitea logs**
+
+ ```bash
+ docker-compose logs server
+ ```
+
+3. **Verify DNS settings**
+
+ Make sure your domain (`bee8333.ddns.net`) correctly points to your server's IP address.
+
+4. **Check firewall settings**
+
+ Ensure ports 80 and 443 are open and properly forwarded to your server.
+
+## Git Client Configuration
+
+When pushing to your Gitea repository from your local machine, you'll now be using HTTPS with a valid certificate. Use the following URL format:
+
+```
+https://bee8333.ddns.net/username/repository.git
+```
+
+## SSH Access
+
+SSH access is still available on port 222. Use the following format in your SSH config or Git command:
+
+```
+ssh://git@bee8333.ddns.net:222/username/repository.git
+```
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index e2a9ed5..1aa13ad 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,8 +7,39 @@ networks:
 volumes:
 gitea-data:
 postgres-data:
+ traefik-certs:
 services:
+ traefik:
+ image: traefik:v2.9
+ container_name: traefik
+ restart: always
+ ports:
+ - "80:80" # HTTP
+ - "443:443" # HTTPS
+ - "8080:8080" # Dashboard
+ networks:
+ - gitea
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - traefik-certs:/letsencrypt
+ command:
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--providers.docker.network=gitea-docker_gitea"
+ - "--entrypoints.web.address=:80"
+ - "--entrypoints.websecure.address=:443"
+ - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+ - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+ - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+ - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.letsencrypt.acme.email=bennett.l.david@gmail.com"
+ - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+ - "--api=true"
+ - "--api.dashboard=true"
+ - "--api.insecure=true"
+ - "--log.level=DEBUG"
+
 server:
 image: gitea/gitea:latest
 container_name: gitea
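Review bot: `--api.insecure=true` combined with the published `"8080:8080"` mapping makes the Traefik dashboard and API reachable without any authentication from every host that can reach port 8080 on this machine, exposing the full routing configuration and backend addresses. The safer form is to drop `--api.insecure=true` and the `8080:8080` entry (or at minimum bind it to loopback with `"127.0.0.1:8080:8080"`) and, if the dashboard is wanted, publish it through a router on `websecure` behind an auth middleware. `--log.level=DEBUG` is also very noisy for a long-running proxy; `INFO` is the usual setting once the ACME flow has been confirmed working. The hard-coded `--certificatesresolvers.letsencrypt.acme.email=...` value disagrees with the `your-email@example.com` placeholder the new HTTPS-SETUP.md in this commit tells readers to replace, so one of the two should be updated. The `--providers.docker.network=gitea-docker_gitea` value appears to assume the compose project is named `gitea-docker`; a comment such as `# network name is <project>_gitea; adjust if the compose project name differs` would save the next reader a debugging session.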
@@ -20,15 +51,20 @@ services:
 - GITEA__database__NAME=gitea
 - GITEA__database__USER=gitea
 - GITEA__database__PASSWD=gitea
- # SSH Configuration
+ # Server Configuration
 - GITEA__server__DOMAIN=bee8333.ddns.net
- - GITEA__server__SSH_DOMAIN=bee8333.ddns.net
 - GITEA__server__ROOT_URL=https://bee8333.ddns.net/
- - GITEA__server__SSH_PORT=222
+ - GITEA__server__PROTOCOL=http
+ - GITEA__server__HTTP_PORT=3000
+ - GITEA__server__SSH_DOMAIN=bee8333.ddns.net
+ - GITEA__server__SSH_PORT=2224
 - GITEA__server__SSH_LISTEN_PORT=22
- - GITEA__server__PROTOCOL=https
- - GITEA__server__CERT_FILE=/data/gitea/cert.pem
- - GITEA__server__KEY_FILE=/data/gitea/key.pem
+ - GITEA__server__START_SSH_SERVER=false
+ - GITEA__server__OFFLINE_MODE=false
+ - GITEA__server__ENABLE_GZIP=true
+ # Reverse Proxy Settings
+ - GITEA__server__USE_PROXY_PROTOCOL=false
+ - GITEA__server__PROXY_PROTOCOL_TLS_BRIDGING=false
 restart: always
 networks:
 - gitea
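Review bot: `GITEA__server__SSH_PORT=2224` contradicts the new HTTPS-SETUP.md in this same commit, which states SSH is still available on port 222 and gives `ssh://git@bee8333.ddns.net:222/username/repository.git` as the URL format; since SSH_PORT is the value Gitea prints in clone URLs, the documentation is the likelier side to fix. With Gitea now only reachable through Traefik on the `gitea` network, client addresses arrive in `X-Forwarded-For`, and as far as I recall Gitea only honours that header from proxies listed in `[security] REVERSE_PROXY_TRUSTED_PROXIES` (loopback by default), so access logs and any IP-based limiting would see Traefik's container address unless something like `- GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES=<docker network CIDR>` is added — worth confirming against the Gitea docs for the image version in use. `GITEA__server__START_SSH_SERVER=false` together with `SSH_LISTEN_PORT=22` relies on the image's bundled OpenSSH daemon rather than Gitea's built-in server, which I believe is the gitea/gitea image default; a one-line comment saying so next to the `# Server Configuration` heading would make the intent explicit.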
@@ -36,13 +72,25 @@ services:
 - gitea-data:/data
 - /etc/timezone:/etc/timezone:ro
 - /etc/localtime:/etc/localtime:ro
- - ./gitea/ssl/cert.pem:/data/gitea/cert.pem:ro
- - ./gitea/ssl/key.pem:/data/gitea/key.pem:ro
 ports:
- - "3000:3000" # Web UI: Host port 3000 -> Container port 3000
- - "222:22" # SSH: Host port 222 -> Container port 22
+ - "2224:22" # SSH: Host port 2224 -> Container port 22
 depends_on:
 - db
+ labels:
+ - "traefik.enable=true"
+ # HTTP Configuration for HTTPS access
+ - "traefik.http.routers.gitea.rule=Host(`bee8333.ddns.net`)"
+ - "traefik.http.routers.gitea.entrypoints=websecure"
+ - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
+ - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+ - "traefik.http.middlewares.gitea-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+ - "traefik.http.routers.gitea.middlewares=gitea-headers@docker"
+ # HTTP Configuration for HTTP -> HTTPS redirection
+ - "traefik.http.routers.gitea-http.rule=Host(`bee8333.ddns.net`)"
+ - "traefik.http.routers.gitea-http.entrypoints=web"
+ - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
+ - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
+ - "traefik.http.routers.gitea-http.middlewares=https-redirect@docker"
 db:
 image: postgres:14
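Review bot: The `gitea-http` router and `https-redirect` middleware labels duplicate the entrypoint-level redirection already configured on the traefik service in the first hunk of this file (`--entrypoints.web.http.redirections.entryPoint.to=websecure` / `.scheme=https`), leaving two places that must be kept in sync while the router-level copy only covers this one host. One mechanism is enough; I would drop the five `gitea-http`/`https-redirect` labels and rely on the entrypoint redirect, or keep the labels and remove the two command flags. The `gitea-headers` middleware that injects `X-Forwarded-Proto=https` also looks redundant, since Traefik sets the forwarded headers on proxied requests by default as far as I know — worth verifying on the running setup before keeping it. The comment `# HTTP Configuration for HTTPS access` is misleading for the block below it; `# HTTPS router (TLS via Let's Encrypt)` describes what the labels do. Removing the `"3000:3000"` publication is the right call now that Gitea is only reachable through the proxy.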