Add Traefik reverse proxy configuration for Gitea with HTTPS support and updated server settings

HTTPS-SETUP.md

@@ -0,0 +1,81 @@
+# Setting Up HTTPS for Gitea with Traefik
+
+This guide explains how to configure Gitea with proper HTTPS using Traefik as a reverse proxy with automatic certificate management via Let's Encrypt.
+
+## Prerequisites
+
+- A domain name pointing to your server (currently using `bee8333.ddns.net`)
+- Ports 80 and 443 open and forwarded to your server
+- Docker and Docker Compose installed
+
+## Configuration Steps
+
+1. **Update email address in docker-compose.yml**
+
+   Edit the `docker-compose.yml` file and replace `your-email@example.com` with your actual email address. Let's Encrypt will use this for certificate expiration notifications:
+
+   ```yaml
+   --certificatesresolvers.letsencrypt.acme.email=your-email@example.com
+   ```
+
+2. **Start the services**
+
+   ```bash
+   docker-compose down
+   docker-compose up -d
+   ```
+
+3. **Check the status**
+
+   ```bash
+   docker-compose ps
+   ```
+
+   All services should be running without errors.
+
+## How It Works
+
+- **Traefik** acts as a reverse proxy, handling incoming HTTP/HTTPS traffic
+- Automatically redirects HTTP to HTTPS
+- Obtains and renews SSL certificates from Let's Encrypt
+- Routes requests to the appropriate containers based on domain name
+
+## Troubleshooting
+
+If you encounter issues:
+
+1. **Check Traefik logs**
+
+   ```bash
+   docker-compose logs traefik
+   ```
+
+2. **Check Gitea logs**
+
+   ```bash
+   docker-compose logs server
+   ```
+
+3. **Verify DNS settings**
+
+   Make sure your domain (`bee8333.ddns.net`) correctly points to your server's IP address.
+
+4. **Check firewall settings**
+
+   Ensure ports 80 and 443 are open and properly forwarded to your server.
+
+## Git Client Configuration
+
+When pushing to your Gitea repository from your local machine, you'll now be using HTTPS with a valid certificate. Use the following URL format:
+
+```
+https://bee8333.ddns.net/username/repository.git
+```
+
+## SSH Access
+
+SSH access is still available on port 222. Use the following format in your SSH config or Git command:
+
+```
+ssh://git@bee8333.ddns.net:222/username/repository.git
+``` 

docker-compose.yml

@@ -7,8 +7,39 @@ networks:
 volumes:
   gitea-data:
   postgres-data:
+  traefik-certs:
 
 services:
+  traefik:
+    image: traefik:v2.9
+    container_name: traefik
+    restart: always
+    ports:
+      - "80:80"      # HTTP
+      - "443:443"    # HTTPS
+      - "8080:8080"  # Dashboard
+    networks:
+      - gitea
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik-certs:/letsencrypt
+    command:
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--providers.docker.network=gitea-docker_gitea"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.letsencrypt.acme.email=bennett.l.david@gmail.com"
+      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+      - "--api=true"
+      - "--api.dashboard=true"
+      - "--api.insecure=true"
+      - "--log.level=DEBUG"
+    
   server:
     image: gitea/gitea:latest
     container_name: gitea
@@ -20,15 +51,20 @@ services:
       - GITEA__database__NAME=gitea
       - GITEA__database__USER=gitea
       - GITEA__database__PASSWD=gitea
-      # SSH Configuration
+      # Server Configuration
       - GITEA__server__DOMAIN=bee8333.ddns.net
-      - GITEA__server__SSH_DOMAIN=bee8333.ddns.net
       - GITEA__server__ROOT_URL=https://bee8333.ddns.net/
-      - GITEA__server__SSH_PORT=222
+      - GITEA__server__PROTOCOL=http
+      - GITEA__server__HTTP_PORT=3000
+      - GITEA__server__SSH_DOMAIN=bee8333.ddns.net
+      - GITEA__server__SSH_PORT=2224
       - GITEA__server__SSH_LISTEN_PORT=22
-      - GITEA__server__PROTOCOL=https
+      - GITEA__server__START_SSH_SERVER=false
-      - GITEA__server__CERT_FILE=/data/gitea/cert.pem
+      - GITEA__server__OFFLINE_MODE=false
-      - GITEA__server__KEY_FILE=/data/gitea/key.pem
+      - GITEA__server__ENABLE_GZIP=true
+      # Reverse Proxy Settings
+      - GITEA__server__USE_PROXY_PROTOCOL=false
+      - GITEA__server__PROXY_PROTOCOL_TLS_BRIDGING=false
     restart: always
     networks:
       - gitea
@@ -36,13 +72,25 @@ services:
       - gitea-data:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
-      - ./gitea/ssl/cert.pem:/data/gitea/cert.pem:ro
-      - ./gitea/ssl/key.pem:/data/gitea/key.pem:ro
     ports:
-      - "3000:3000"  # Web UI: Host port 3000 -> Container port 3000
+      - "2224:22"    # SSH: Host port 2224 -> Container port 22
-      - "222:22"     # SSH: Host port 222 -> Container port 22
     depends_on:
       - db
+    labels:
+      - "traefik.enable=true"
+      # HTTP Configuration for HTTPS access
+      - "traefik.http.routers.gitea.rule=Host(`bee8333.ddns.net`)"
+      - "traefik.http.routers.gitea.entrypoints=websecure"
+      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
+      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+      - "traefik.http.middlewares.gitea-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.gitea.middlewares=gitea-headers@docker"
+      # HTTP Configuration for HTTP -> HTTPS redirection
+      - "traefik.http.routers.gitea-http.rule=Host(`bee8333.ddns.net`)"
+      - "traefik.http.routers.gitea-http.entrypoints=web"
+      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
+      - "traefik.http.routers.gitea-http.middlewares=https-redirect@docker"
 
   db:
     image: postgres:14