Network

Gitea should be run behind a reverse proxy, which lets you isolate the service and wrap connections in SSL. See NGINX for more details and Setup Base Proxy Control for basic proxy configuration.

Note

Adjust client_max_body_size to the maximum amount of data you expect in a single git change.

See Gitea reverse proxy reference.

Ports

---
###############################################################################
# Ports Configuration
###############################################################################
# Ports should be managed externally via an OS role.

ports:
  - {proto: 'tcp', from_ip: 'any', to_port: 3000, direction: 'in', comment: 'gitea http'}
  - {proto: 'tcp', from_ip: 'any', to_port: 22,   direction: 'in', comment: 'gitea ssh'}

Using Subdomains

This requires a hard IP resolution. With hairpin NAT / NAT reflection the web front end works, but git pull, push and clone operations fail. This is due to the way Gitea handles these requests with custom-written handlers. Set up DNS resolution or add an entry to the hosts file.

0644 root root nginx/conf.d/reverse-proxy.conf
server {
  listen                 443 ssl http2;
  server_name            gitea.{DOMAIN} gitea;

  location / {
    proxy_pass           http://gitea:3000;
    client_max_body_size 1024m;
  }
}

Reference

Using Subpaths

0644 root root nginx/conf.d/reverse-proxy.conf
server {
  location /gitea/ {
    proxy_pass           http://gitea:3000/;
    client_max_body_size 1024m;
  }
}

SSL Client Cert Authentication

A reverse proxy that requires SSL client certificate authentication needs no change in the Gitea configuration.

See Git Configuration to configure your git client.
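
The subdomain server block above with client certificate verification enabled at the proxy, as an added example that is not part of the original configuration. The certificate and CA file paths are placeholders chosen for illustration.

```nginx
# Added example: client certificate authentication in front of Gitea.
# All file paths below are placeholders; {DOMAIN} follows this page's convention.
server {
  listen                 443 ssl http2;
  server_name            gitea.{DOMAIN} gitea;

  # Server certificate and private key presented to clients.
  ssl_certificate        /etc/nginx/ssl/gitea.crt;
  ssl_certificate_key    /etc/nginx/ssl/gitea.key;

  # CA certificate(s) that client certificates must chain to.
  ssl_client_certificate /etc/nginx/ssl/client-ca.crt;
  # Require a valid client certificate; requests without one are
  # rejected by nginx and never proxied to Gitea.
  ssl_verify_client      on;

  location / {
    proxy_pass           http://gitea:3000;
    client_max_body_size 1024m;
  }
}
```

The check applies only to traffic that passes through nginx: direct connections to port 3000 and git over SSH on port 22 are not covered by it.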