I set up Nginx 1.23.2 on Debian 10 to forward specific requests to port 3999, on which Gitea is running.

Nginx configuration:

server {
        listen                  443 ssl;
        server_name             www.subdomain.domain.com subdomain.domain.com;
        access_log              logs/subdomain.domain.com.access.log main;
        
        ssl_certificate         /home/gitea/ssl/cert.pem;
        ssl_certificate_key     /home/gitea/ssl/privkey.pem;
        ssl_protocols           TLSv1.2 TLSv1.3;

        location / {
                proxy_pass                              https://127.0.0.1:3999/;
                proxy_set_header                        Host    $host;
                proxy_set_header X-Real-IP              $remote_addr;
                proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        }
}

Part of the output from the nginx -T command, proving that the configuration is picked up:

...
# configuration file /etc/nginx/conf.d/gitea.ispf.sk.conf:
server {
        listen                  443 ssl;
        server_name             www.subdomain.domain.com subdomain.domain.com;
        access_log              logs/subdomain.domain.com.access.log main;

        ssl_certificate         /home/gitea/ssl/cert.pem;
        ssl_certificate_key     /home/gitea/ssl/privkey.pem;
        ssl_protocols           TLSv1.2 TLSv1.3;

        location / {
                proxy_pass                              https://127.0.0.1:3999/;
                proxy_set_header                        Host    $host;
                proxy_set_header X-Real-IP              $remote_addr;
                proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        }
}
...

(Obviously the domain name is changed.)

However, when I enter www.subdomain.domain.com I get a 502 Bad Gateway error.

Output from the ss -tulpn command, proving that nginx is listening on port 443 and Gitea on port 3999:

Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
tcp    LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=306831,fd=8),("nginx",pid=306830,fd=8),("nginx",pid=306829,fd=8))
tcp    LISTEN  0       4096    *:3999              *:*                users:(("gitea",pid=305999,fd=14))

Server part of the Gitea configuration:

[server]
SSH_DOMAIN       = subdomain.domain.com
DOMAIN           = subdomain.domain.com
HTTP_ADDR        = 0.0.0.0
HTTP_PORT        = 3999
DISABLE_SSH      = true
OFFLINE_MODE     = false

Gitea version is 1.17.3. I can access Gitea when I enter SERVER IP ADDRESS:3999 into the browser's address bar.

What am I doing wrong?

Wortig

1 Answer

Your app.ini does not contain

[server]
PROTOCOL = https

The protocol defaults to plain HTTP, and the purpose of the reverse proxy is to add the TLS encryption, as described in HTTPS setup to encrypt connections to Gitea.

Therefore, you need

proxy_pass http://127.0.0.1:3999/;

with http:// instead of https://.

Additionally, you might want to prevent direct non-TLS connections with

[server]
HTTP_ADDR = 127.0.0.1
Esa Jokinen
  • I am not listening on port 80 with nginx, so I kept proxy_pass with https. Additionally I had to define CERT_FILE and KEY_FILE in Gitea's app.ini. Thanks for the help. – Wortig Dec 31 '22 at 19:05
  • The `proxy_pass http://` has nothing to do with port 80, though. The additional TLS between Nginx and Gitea on the same host does not add much. – Esa Jokinen Dec 31 '22 at 19:17
  • What is really happening when the nginx server listen is using ssl and I forward the request to http only, as in your answer? Is the request still encrypted between nginx and Gitea? Is the response from Gitea unencrypted when it goes back to nginx, and nginx encrypts it? I did it as in your answer, it's working, and I am interested. Could you/someone give some material on this topic? – Wortig Jan 09 '23 at 15:24
  • It's unencrypted, but as it's on the local loopback interface, there's not much room for MitM. – Esa Jokinen Jan 09 '23 at 20:16
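The answer above boils down to two settings that have to agree: the scheme in nginx's `proxy_pass` must match Gitea's `[server] PROTOCOL` (which defaults to `http`), and Gitea's `HTTP_ADDR` should be `127.0.0.1` so the only way in is through the TLS proxy. `nginx -T` cannot catch either of these, because both configs are syntactically valid; only the error log shows the upstream handshake failing. The script below is an added example, not code from the post or from the Gitea or nginx projects: it lints a posted-style server block against an app.ini fragment for those two mismatches, and additionally flags the `&var` typo in `proxy_set_header`, which nginx accepts and sends as a literal string instead of expanding the variable. The config fragments embedded in it are constructed samples modelled on the question, not the asker's real files.

```shell
#!/bin/sh
# Added example (not from the original thread): lint an nginx server block
# against Gitea's [server] section for the mismatches discussed above.
# All config fragments below are constructed samples.

NGINX_BROKEN='server {
        listen 443 ssl;
        location / {
                proxy_pass https://127.0.0.1:3999/;
                proxy_set_header X-Forwarded-For &proxy_add_x_forwarded_for;
        }
}'
APPINI_BROKEN='[server]
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3999'

NGINX_FIXED='server {
        listen 443 ssl;
        location / {
                proxy_pass http://127.0.0.1:3999/;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}'
APPINI_FIXED='[server]
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3999'

# Scheme of the first proxy_pass directive ("http" or "https").
proxy_pass_scheme() {
    printf '%s\n' "$1" | sed -n 's|^[[:space:]]*proxy_pass[[:space:]]*\([a-z]*\)://.*|\1|p' | head -n 1
}

# Gitea's PROTOCOL; Gitea defaults to http when the key is absent.
gitea_protocol() {
    p=$(printf '%s\n' "$1" | sed -n 's|^[[:space:]]*PROTOCOL[[:space:]]*=[[:space:]]*\([a-z]*\).*|\1|p' | head -n 1)
    printf '%s\n' "${p:-http}"
}

# Gitea's HTTP_ADDR; Gitea defaults to 0.0.0.0 (all interfaces) when absent.
gitea_http_addr() {
    a=$(printf '%s\n' "$1" | sed -n 's|^[[:space:]]*HTTP_ADDR[[:space:]]*=[[:space:]]*\([0-9.]*\).*|\1|p' | head -n 1)
    printf '%s\n' "${a:-0.0.0.0}"
}

# Number of proxy_set_header lines whose value starts with "&" instead of "$".
# grep -c exits 1 when the count is 0, so "|| true" keeps the count usable.
bad_header_vars() {
    printf '%s\n' "$1" | grep -c 'proxy_set_header.*[[:space:]]&[A-Za-z_]' || true
}

# Print one finding per check; exit status is the number of problems found.
lint() {
    nginx_conf=$1; app_ini=$2; issues=0
    scheme=$(proxy_pass_scheme "$nginx_conf")
    proto=$(gitea_protocol "$app_ini")
    if [ "$scheme" = "$proto" ]; then
        echo "ok   proxy_pass scheme '$scheme' matches Gitea PROTOCOL '$proto'"
    else
        echo "FAIL proxy_pass speaks $scheme but Gitea serves $proto (expect 502 Bad Gateway)"
        issues=$((issues + 1))
    fi
    addr=$(gitea_http_addr "$app_ini")
    if [ "$addr" = "127.0.0.1" ]; then
        echo "ok   Gitea binds loopback only"
    else
        echo "WARN Gitea binds $addr: HTTP_PORT is reachable without going through the TLS proxy"
        issues=$((issues + 1))
    fi
    n=$(bad_header_vars "$nginx_conf")
    if [ "$n" -eq 0 ]; then
        echo "ok   proxy_set_header values use \$variables"
    else
        echo "FAIL $n proxy_set_header value(s) start with '&'; nginx sends them literally"
        issues=$((issues + 1))
    fi
    return "$issues"
}

# Same as lint, but prints the problem count instead of using the exit status.
issue_count() {
    rc=0
    lint "$1" "$2" >/dev/null || rc=$?
    echo "$rc"
}

echo "== configuration as posted =="
lint "$NGINX_BROKEN" "$APPINI_BROKEN" || :
echo "== after applying the answer =="
lint "$NGINX_FIXED" "$APPINI_FIXED"
```

Run as `sh lint.sh`; the first block reports three problems (scheme mismatch, Gitea bound on all interfaces, literal `&` header value), the second reports none. To lint real files, replace the sample strings with `$(cat /etc/nginx/conf.d/gitea.conf)` and `$(sed -n '/^\[server\]/,/^\[/p' /path/to/app.ini)`; the `sed` range keeps the check scoped to the `[server]` section, since other sections of app.ini may carry their own keys.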