Cloudflare offers the use of Flexible SSL, Full SSL and Full SSL (Strict). Although Flexible SSL is a good option, all requests from Cloudflare to your server will still be unencrypted. If you opt to use Full SSL, you need to provide an SSL certificate for the site (can be self-signed). Using the NGINX web server with GOGS (Go Git Service) allows you to redirect (not rewrite as this is more expensive an operation) all requests for you web site to a full SSL encrypted connection.

1. Make a work directory to hold the certificate (in the current users home folder)
2. Create a 2048 key size self-signed certificate valid for one year
3. Make a directory under your NGINX configuration directory to store the certificate
4. Make a directory under your GOGS custom configuration directory to store the certificate
   1. Note: In this example, GOGS is installed to “/usr/lib/gogs” but you can choose to put it anywhere
5. Modify the user and owner of the certificate in GOGS to be that of the GOGS user
   1. Note: If you are using a different user to run GOGS, replace “gogs” below with that user

• This certificate is valid for one year, you will need to remember to rotate this every year.

 

mkdir ~/ssl
cd ~/ssl
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem
mkdir /etc/nginx/ssl
cp *.pem /etc/nginx/ssl
mkdir /usr/lib/gogs/custom/ssl
cp *.pem /usr/lib/gogs/custom/ssl
chown -R gogs:gogs /usr/lib/gogs/custom/ssl

1. Create a GOGS configuration file in /etc/nginx/vhosts.d/gogs.conf
2. Restart NGINX
   1. service nginx restart (on an Ubuntu server, will vary for different Linux OS’s)

Assumptions

• Location of SSL certificate is /etc/nginx/ssl
• GOGS is running on port 3000 (default)

• The reason that I make NGINX only allow TLSv1.2 and a very limited cipher set is because Cloudflare should be the only client communicating with this server so I opt for a more secure configuration
• Also note that you SSL certificates should be owned by the user running NGINX (often root)

 

server {
    listen 80;
    server_name gogs.myserver.com;
    return 301 https://$server_name$request_uri;
}
 
server {
    listen 443 ssl;
    server_name gogs.myserver.com;
 
    ssl_certificate /etc/nginx/ssl/certificate.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
 
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
 
    ssl_ciphers 'EECDH+AES128:EDH+AES128';
 
    add_header Strict-Transport-Security max-age=31536000;
 
    location / {
        proxy_pass https://localhost:3000;
    }
}

1. Modify your apps.ini configuration file
2. Restart GOGS
   1. service gogs restart (on an Ubuntu server, will vary for different Linux OS’s)

Notes

• This assumes you are using an “apps.ini” configuration located at {gogs directory}/custom/conf/apps.ini
  • This is required for changes in newer versions of GOGS and does make it upgrade proof
• I recommend changing your SSH port to something different even though the example below uses the default
• GOGS is installed to /usr/lib/gogs in this example, replace this with wherever you have installed GOGS

 

[server]
SSH_PORT = 22
LISTEN = 127.0.0.1
DOMAIN = gogs.myserver.com
HTTP_PORT = 3000
PROTOCOL = https
ROOT_URL = https://gogs.myserver.com:3000/
OFFLINE_MODE = false
CERT_FILE = /usr/lib/gogs/custom/ssl/certificate.pem
KEY_FILE = /usr/lib/gogs/custom/ssl/key.pem