HTTPS setup to encrypt connections to Gitea
Using the built-in server
Before you enable HTTPS, make sure that you have valid SSL/TLS certificates.
You could use self-generated certificates for evaluation and testing. Please run gitea cert --host [HOST]
to generate a self signed certificate.
If you are using Apache or nginx on the server, it's recommended to check the reverse proxy guide.
To use Gitea's built-in HTTPS support, you must change your app.ini
file:
[server]
PROTOCOL = https
ROOT_URL = https://git.example.com:3000/
HTTP_PORT = 3000
CERT_FILE = cert.pem
KEY_FILE = key.pem
Note that if your certificate is signed by a third party certificate authority (i.e. not self-signed), then cert.pem should contain the certificate chain. The server certificate must be the first entry in cert.pem, followed by the intermediaries in order (if any). The root certificate does not have to be included because the connecting client must already have it in order to estalbish the trust relationship. To learn more about the config values, please checkout the Config Cheat Sheet.
For the CERT_FILE
or KEY_FILE
field, the file path is relative to the GITEA_CUSTOM
environment variable when it is a relative path. It can be an absolute path as well.
Setting up HTTP redirection
The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:
[server]
REDIRECT_OTHER_PORT = true
; Port the redirection service should listen on
PORT_TO_REDIRECT = 3080
If you are using Docker, make sure that this port is configured in your docker-compose.yml
file.