Network
Gitea should be run behind a reverse proxy, which lets you isolate the service and wrap connections in SSL. See NGINX for more details. See Setup Base Proxy Control for basic proxy configuration.
Note
Adjust client_max_body_size to the expected max size of data in a git change.
See Gitea reverse proxy reference.
Ports
---
###############################################################################
# Ports Configuration
###############################################################################
# Ports should be managed externally via an OS role.
ports:
- {proto: 'tcp', from_ip: 'any', to_port: 3000, direction: 'in', comment: 'gitea http'}
- {proto: 'tcp', from_ip: 'any', to_port: 22, direction: 'in', comment: 'gitea ssh'}
Using Subdomains
This requires hard IP resolution. Hairpin NAT / NAT reflection will result in
the web front end working but git pull/push/clone operations failing. This is
due to the way Gitea handles these requests with custom-written handlers. Set
up DNS resolution or add an entry to the hosts file.
server {
    listen 443 ssl http2;
    server_name gitea.{DOMAIN} gitea;
    location / {
        proxy_pass http://gitea:3000;
        client_max_body_size 1024m;
    }
}
Using Subpaths
server {
    location /gitea/ {
        proxy_pass http://gitea:3000/;
        client_max_body_size 1024m;
    }
}
SSL Client Cert Authentication
A reverse proxy that requires SSL client certificate authentication needs no change in the Gitea configuration.
See Git Configuration to configure your git client.
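An added example, not part of the original page: the subdomain server block extended so that nginx requires a client certificate before proxying to Gitea. The certificate and CA file paths are placeholder assumptions; the hostname, upstream and body size limit are taken from the subdomain example.

```nginx
server {
    listen 443 ssl http2;
    server_name gitea.{DOMAIN} gitea;

    # Server certificate and key (placeholder paths, assumed).
    ssl_certificate     /etc/nginx/ssl/gitea.crt;
    ssl_certificate_key /etc/nginx/ssl/gitea.key;

    # CA that issued the client certificates (placeholder path, assumed).
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;

    # Require a certificate that chains to the CA above; requests without
    # one are rejected by nginx and never reach Gitea.
    ssl_verify_client on;
    # Allow one intermediate CA between the client cert and the root.
    ssl_verify_depth 2;

    location / {
        proxy_pass http://gitea:3000;
        client_max_body_size 1024m;
    }
}
```

The certificate check only applies to traffic that passes through the proxy, so port 3000 should be reachable from the proxy only. Git over SSH on port 22 does not go through nginx and is not covered by this check.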