Listek Consulting

Cloudflare Full SSL with GOGS (Go Git Service) using NGINX

Overview

Cloudflare offers three SSL modes: Flexible SSL, Full SSL and Full SSL (Strict). Flexible SSL encrypts only the browser-to-Cloudflare leg; every request from Cloudflare to your origin server is still sent in the clear. With Full SSL, Cloudflare connects to the origin over HTTPS as well, so you have to install a certificate on the server. It can be self-signed, because Full (non-Strict) mode does not validate it; Full SSL (Strict) additionally requires a certificate Cloudflare can validate, such as one from a public CA or from Cloudflare's own Origin CA. Putting the NGINX web server in front of GOGS (Go Git Service) lets you answer every plain-HTTP request for your web site with a permanent redirect to the HTTPS virtual host (a redirect with return 301 rather than a rewrite, since the regex rewrite is the more expensive operation) and terminate TLS there.

Generate Self-Signed SSL Certificate

  1. Make a work directory to hold the certificate (in the current user's home folder)
  2. Create a 2048-bit RSA private key and a self-signed certificate valid for one year
  3. Make a directory under your NGINX configuration directory to store the certificate
  4. Make a directory under your GOGS custom configuration directory to store the certificate
    1. Note: In this example, GOGS is installed to "/usr/lib/gogs", but you can put it anywhere
  5. Change the owner and group of the certificate files copied into GOGS to the GOGS user
    1. Note: If you are using a different user to run GOGS, replace "gogs" below with that user

Notes

  • This certificate is valid for one year; you will need to rotate it every year, so put the expiry date in your calendar or monitor it.
  • cp keeps whatever permissions your umask gave the files (often 0644), which leaves the private key world-readable. After copying, make key.pem mode 0600 in both locations; the NGINX and GOGS users still need to read it.
  • Creating directories under /etc/nginx and /usr/lib/gogs requires root privileges, so run those steps with sudo.


# Work directory in the current user's home folder
mkdir ~/ssl
cd ~/ssl
# 2048-bit RSA private key, unencrypted because NGINX and GOGS read it unattended at start-up
openssl genrsa -out key.pem 2048
# Certificate signing request; answer the prompts and use the site's host name as the Common Name
openssl req -new -key key.pem -out csr.pem
# Self-sign the request; the certificate is valid for 365 days
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem
# The remaining steps write to system directories and need root (sudo)
mkdir /etc/nginx/ssl
cp *.pem /etc/nginx/ssl
mkdir /usr/lib/gogs/custom/ssl
cp *.pem /usr/lib/gogs/custom/ssl
# Replace "gogs" with the user that runs GOGS if it differs
chown -R gogs:gogs /usr/lib/gogs/custom/ssl
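The script below is an added example, not part of the original article, that performs the certificate steps above as reusable functions: it generates the key and self-signed certificate in one command with a subjectAltName (Cloudflare and modern clients ignore the Common Name), installs the pair with a 0600 key, and reports how many days remain before the yearly rotation is due. It assumes OpenSSL 1.1.1 or newer (for -addext), GNU coreutils (date -d, stat -c) and the directory layout used in this article; the function names, the example host name and the 30-day warning threshold are my own choices.

```shell
#!/bin/sh
# Added example for the article's certificate steps (not the article's own commands).
# Assumes: OpenSSL >= 1.1.1, GNU date/stat, and the /etc/nginx/ssl and
# /usr/lib/gogs/custom/ssl layout from the article. Run the install step as root.
set -eu

# make_selfsigned <fqdn> <outdir> [days]
# Creates <outdir>/key.pem and <outdir>/certificate.pem in one step.
# umask 077 ensures the key is never created world-readable.
make_selfsigned() {
    fqdn=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$outdir/key.pem" -out "$outdir/certificate.pem" 2>/dev/null )
}

# install_cert <srcdir> <destdir> <owner>
# Copies the pair into <destdir>: certificate 0644, key 0600, both owned by <owner>
# (root for /etc/nginx/ssl, gogs for /usr/lib/gogs/custom/ssl in the article's setup).
install_cert() {
    src=$1; dest=$2; owner=$3
    mkdir -p "$dest"
    cp "$src/certificate.pem" "$src/key.pem" "$dest/"
    chmod 0644 "$dest/certificate.pem"
    chmod 0600 "$dest/key.pem"
    chown "$owner:$owner" "$dest/certificate.pem" "$dest/key.pem"
}

# cert_days_left <certfile>
# Prints the whole number of days until the certificate's notAfter date.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s)   # GNU date; BSD date would need -j -f
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# cert_needs_rotation <certfile> <warn_days>
# Succeeds (exit 0) when the certificate expires within <warn_days>; suitable for cron.
cert_needs_rotation() {
    # openssl -checkend exits non-zero when expiry falls inside the window
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}
```

A cron job calling cert_needs_rotation /etc/nginx/ssl/certificate.pem 30 and mailing on success replaces the "remember to rotate it" note with an actual check; after regenerating, run install_cert for both directories and restart NGINX and GOGS so they pick up the new key.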

Modify NGINX Configuration

  1. Create a GOGS virtual host configuration file, for example /etc/nginx/vhosts.d/gogs.conf (use whichever directory your nginx.conf includes; it varies by distribution)
  2. Check the configuration for syntax errors with nginx -t, then restart NGINX
    1. service nginx restart (on an Ubuntu server; this will vary for different Linux distributions)

Assumptions

  • The SSL certificate and key are in /etc/nginx/ssl
  • GOGS is running on port 3000 (the default), bound to the loopback address and speaking HTTPS, as set in the GOGS configuration further down

Notes

  • NGINX only allows TLSv1.2 and a very limited cipher set because Cloudflare should be the only client talking to this server, so the stricter configuration costs nothing in compatibility
  • That assumption is not enforced by anything in this configuration: whoever learns the origin's IP address can still connect to it directly and bypass Cloudflare. If that matters, restrict ports 80 and 443 at the host firewall to Cloudflare's published IP ranges, or enable Cloudflare's Authenticated Origin Pulls (NGINX verifying a client certificate issued by Cloudflare's origin-pull CA)
  • The certificate and key should be owned by the user that starts NGINX (often root, because the master process reads the key before the workers drop privileges), and the key must not be world-readable
  • Because the proxy block passes neither X-Forwarded-For nor Cloudflare's CF-Connecting-IP header through, GOGS sees every request as coming from 127.0.0.1; add proxy_set_header lines if you need real client addresses in the GOGS logs


# Plain-HTTP virtual host: answer every request with a permanent redirect to HTTPS
server {
    listen 80;
    server_name gogs.myserver.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name gogs.myserver.com;

    # The self-signed pair generated above
    ssl_certificate /etc/nginx/ssl/certificate.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Cloudflare is the only expected client, so TLS 1.2 only and server-chosen ciphers
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Forward-secret AES-128 suites only (ECDHE preferred, DHE as fallback)
    ssl_ciphers 'EECDH+AES128:EDH+AES128';

    # HSTS for one year; Cloudflare passes this header through to browsers
    add_header Strict-Transport-Security max-age=31536000;

    location / {
        # GOGS listens on loopback over HTTPS with the same self-signed certificate.
        # NGINX does not verify upstream certificates unless proxy_ssl_verify is on,
        # which is acceptable here only because the hop never leaves the host.
        proxy_pass https://localhost:3000;
    }
}
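The note above treats Cloudflare as the only client, but the configuration does not enforce that. The script below is an added example, not from the article, showing one way to enforce it: it turns a list of Cloudflare edge ranges into host-firewall rules that accept ports 80 and 443 only from those ranges, and into an NGINX real_ip snippet so that logs record the visitor's address rather than Cloudflare's. The embedded range list is a constructed placeholder (RFC 5737 and RFC 3849 documentation prefixes); in production feed it the current lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The function names and the iptables rule shape are my own; the script only prints commands, it does not apply them.

```shell
#!/bin/sh
# Added example: lock the origin down to Cloudflare's edge ranges (not the article's code).
# Assumes a Linux host with iptables/ip6tables and NGINX built with the realip module.
set -eu

# Constructed sample list: documentation prefixes, NOT Cloudflare's real ranges.
SAMPLE_RANGES='# sample only
192.0.2.0/24
198.51.100.0/24

2001:db8::/32
'

# valid_cidr <string>: succeeds if it looks like an IPv4 or IPv6 prefix with a /length
valid_cidr() {
    case $1 in
        *[!0-9a-fA-F:./]*) return 1 ;;   # any character outside an address/prefix
        */*) return 0 ;;                 # has a prefix length
        *) return 1 ;;
    esac
}

# clean_ranges: stdin -> stdout; drops comments and blank lines, rejects anything else
clean_ranges() {
    while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        valid_cidr "$line" || { echo "bad cidr: $line" >&2; return 1; }
        printf '%s\n' "$line"
    done
}

# firewall_rules: stdin ranges -> iptables/ip6tables commands (printed, not executed).
# Accept 80/443 from each edge range, then drop those ports from everyone else.
firewall_rules() {
    ranges=$(clean_ranges) || return 1
    printf '%s\n' "$ranges" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        case $cidr in *:*) tool=ip6tables ;; *) tool=iptables ;; esac
        printf '%s -A INPUT -p tcp -m multiport --dports 80,443 -s %s -j ACCEPT\n' "$tool" "$cidr"
    done
    printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP\n'
    printf 'ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP\n'
}

# realip_snippet: stdin ranges -> lines for the nginx http{} block so that
# $remote_addr becomes the visitor's IP, but only when the TCP peer is Cloudflare.
realip_snippet() {
    ranges=$(clean_ranges) || return 1
    printf '%s\n' "$ranges" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        printf 'set_real_ip_from %s;\n' "$cidr"
    done
    printf 'real_ip_header CF-Connecting-IP;\n'
}
```

The restriction deliberately lives in the firewall and not in NGINX allow/deny lists: the realip module rewrites $remote_addr to the visitor's address before the access module runs, so an allow list built from Cloudflare's ranges would deny every real visitor. The firewall sees the actual TCP peer, which is what you want to check.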

Modify GOGS Configuration

  1. Modify your app.ini configuration file
  2. Restart GOGS
    1. service gogs restart (on an Ubuntu server; this will vary for different Linux distributions)

Notes

  • This assumes you are using an app.ini override located at {gogs directory}/custom/conf/app.ini
    • Newer versions of GOGS read site-specific settings from this file, and keeping your changes there means they survive upgrades
  • I recommend changing your SSH port to something other than the default, even though the example below uses 22
  • GOGS is installed to /usr/lib/gogs in this example; replace this with wherever you have installed GOGS
  • HTTP_ADDR = 127.0.0.1 binds GOGS to the loopback interface, so port 3000 is reachable only through NGINX and never directly from the network
  • ROOT_URL must be the public address (https://gogs.myserver.com/, without :3000), because GOGS uses it to build page links and HTTPS clone URLs; with port 3000 in it, those URLs would point at a port that Cloudflare does not proxy and that GOGS only serves on loopback


[server]
; Port advertised in SSH clone URLs; change it if sshd listens elsewhere
SSH_PORT = 22
; Bind only to loopback so that nothing but NGINX on this host can reach port 3000
HTTP_ADDR = 127.0.0.1
DOMAIN = gogs.myserver.com
HTTP_PORT = 3000
; Serve HTTPS to NGINX with the self-signed pair copied into custom/ssl
PROTOCOL = https
; Public URL as seen through Cloudflare and NGINX (port 443); used for links and clone URLs
ROOT_URL = https://gogs.myserver.com/
OFFLINE_MODE = false
CERT_FILE = /usr/lib/gogs/custom/ssl/certificate.pem
KEY_FILE = /usr/lib/gogs/custom/ssl/key.pem

© Copyright 2021 Listek Consulting