Cloudflare Full SSL with GOGS (Go Git Service) using NGINX

Cloudflare Full SSL with GOGS (Go Git Service) using NGINX

Overview

Cloudflare offers the use of Flexible SSL, Full SSL and Full SSL (Strict). Although Flexible SSL is a good option, all requests from Cloudflare to your server will still be unencrypted. If you opt to use Full SSL, you need to provide an SSL certificate for the site (can be self-signed). Using the NGINX web server with GOGS (Go Git Service) allows you to redirect (not rewrite as this is more expensive an operation) all requests for you web site to a full SSL encrypted connection.

Generate Self-Signed SSL Certificate

  1. Make a work directory to hold the certificate (in the current users home folder)
  2. Create a 2048 key size self-signed certificate valid for one year
  3. Make a directory under your NGINX configuration directory to store the certificate
  4. Make a directory under your GOGS custom configuration directory to store the certificate
    1. Note: In this example, GOGS is installed to “/usr/lib/gogs” but you can choose to put it anywhere
  5. Modify the user and owner of the certificate in GOGS to be that of the GOGS user
    1. Note: If you are using a different user to run GOGS, replace “gogs” below with that user

Notes

  • This certificate is valid for one year, you will need to remember to rotate this every year.

 

Modify NGINX Configuration

  1. Create a GOGS configuration file in /etc/nginx/vhosts.d/gogs.conf
  2. Restart NGINX
    1. service nginx restart (on an Ubuntu server, will vary for different Linux OS’s)

Assumptions

  • Location of SSL certificate is /etc/nginx/ssl
  • GOGS is running on port 3000 (default)

Notes

  • The reason that I make NGINX only allow TLSv1.2 and a very limited cipher set is because Cloudflare should be the only client communicating with this server so I opt for a more secure configuration
  • Also note that you SSL certificates should be owned by the user running NGINX (often root)

 

Modify GOGS Configuration

  1. Modify your apps.ini configuration file
  2. Restart GOGS
    1. service gogs restart (on an Ubuntu server, will vary for different Linux OS’s)

Notes

  • This assumes you are using an “apps.ini” configuration located at {gogs directory}/custom/conf/apps.ini
    • This is required for changes in newer versions of GOGS and does make it upgrade proof
  • I recommend changing your SSH port to something different even though the example below uses the default
  • GOGS is installed to /usr/lib/gogs in this example, replace this with wherever you have installed GOGS

 

Tags

Leave a Reply

Your email address will not be published. Required fields are marked *