Original: https://www.guai.im/2016/04/03/Full%20SSL%20with%20GOGS%20using%20NGINX/
Generate Self-Signed SSL Certificate
- Make a work directory to hold the certificate (in the current user's home folder)
- Create a self-signed certificate with a 2048-bit key, valid for one year
- Make a directory under your NGINX configuration directory to store the certificate
- Make a directory under your GOGS custom configuration directory to store the certificate
  - Note: In this example, GOGS is installed to /usr/lib/gogs but you can choose to put it anywhere
- Change the owner and group of the certificate in GOGS to the GOGS user
  - Note: If you are using a different user to run GOGS, replace “gogs” below with that user
Note
This certificate is valid for one year; you will need to remember to rotate it every year.
# work directory for the key, CSR and certificate
mkdir ~/ssl
cd ~/ssl
# 2048-bit RSA key, a CSR for it, and a self-signed certificate valid for 365 days
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem
# copy for NGINX
mkdir -p /etc/nginx/ssl
cp *.pem /etc/nginx/ssl
# copy for GOGS, owned by the gogs user
mkdir -p /usr/lib/gogs/custom/ssl
cp *.pem /usr/lib/gogs/custom/ssl
chown -R gogs:gogs /usr/lib/gogs/custom/ssl
Modify NGINX Configuration
- Create a GOGS configuration file in /etc/nginx/vhosts.d/gogs.conf
- Restart NGINX
  - service nginx restart (on an Ubuntu server; will vary for different Linux OSs)
Assumptions
The SSL certificate is located in /etc/nginx/ssl
GOGS is running on port 3000 (the default)
Notes
The reason I make NGINX accept only TLSv1.2 and a very limited cipher set is that Cloudflare should be the only client communicating with this server, so I opt for a more secure configuration.
Also note that your SSL certificates should be owned by the user running NGINX (often root).
# plain HTTP: redirect everything to HTTPS
server {
    listen 80;
    server_name gogs.myserver.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name gogs.myserver.com;
    ssl_certificate /etc/nginx/ssl/certificate.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    # TLS 1.2 only and a short forward-secret cipher list; Cloudflare is the only expected client
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AES128:EDH+AES128';
    # tell browsers to use HTTPS only, for one year
    add_header Strict-Transport-Security max-age=31536000;
    # GOGS itself serves HTTPS on localhost:3000, so this hop is encrypted as well
    location / {
        proxy_pass https://localhost:3000;
    }
}
Modify GOGS Configuration
- Modify your app.ini configuration file
- Restart GOGS
  - service gogs restart (on an Ubuntu server; will vary for different Linux OSs)
Notes
This assumes you are using an “app.ini” configuration located at {gogs directory}/custom/conf/app.ini
Newer versions of GOGS require changes to be made in this custom file, which also makes them upgrade-proof
I recommend changing your SSH port to something other than the default, even though the example below uses the default
GOGS is installed to /usr/lib/gogs in this example; replace this with wherever you have installed GOGS
[server]
; change this if you run SSH on a non-standard port (recommended)
SSH_PORT = 22
; bind only to loopback so GOGS is reachable only through NGINX
HTTP_ADDR = 127.0.0.1
DOMAIN = gogs.myserver.com
HTTP_PORT = 3000
; GOGS serves HTTPS itself, so the NGINX-to-GOGS hop is encrypted too
PROTOCOL = https
; public URL that GOGS puts into generated links; with NGINX terminating TLS on 443
; this would normally be written without the :3000 port
ROOT_URL = https://gogs.myserver.com:3000/
OFFLINE_MODE = false
CERT_FILE = /usr/lib/gogs/custom/ssl/certificate.pem
KEY_FILE = /usr/lib/gogs/custom/ssl/key.pem
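As an added example (not code from the original post or from the Gogs project), a small Python lint that checks a Gogs app.ini [server] section for the properties this setup relies on: HTTPS on the Gogs side, a certificate and key configured, a loopback-only bind address (Gogs' HTTP_ADDR key), and a ROOT_URL that points at the public HTTPS front end rather than at the Gogs port. The two sample sections and the gogs.example.com domain are constructed for the demonstration.

```python
# Lint a Gogs app.ini [server] section for the full-SSL-behind-NGINX setup.
import configparser
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def lint_server_section(ini_text: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gogs' upper-case keys as written
    cp.read_string(ini_text)
    if not cp.has_section("server"):
        return ["missing [server] section"]
    s = cp["server"]
    findings = []
    if s.get("PROTOCOL", "http").lower() != "https":
        findings.append("PROTOCOL is not https: NGINX-to-Gogs traffic is plaintext")
    for key in ("CERT_FILE", "KEY_FILE"):
        if not s.get(key, "").strip():
            findings.append(f"{key} is empty: Gogs cannot serve HTTPS without it")
    if s.get("HTTP_ADDR", "0.0.0.0") not in LOOPBACK:
        findings.append("HTTP_ADDR is not loopback: Gogs is reachable without going through NGINX")
    root = urlsplit(s.get("ROOT_URL", ""))
    if root.scheme != "https":
        findings.append("ROOT_URL is not https: links Gogs generates downgrade to plaintext")
    if root.port is not None and root.port == int(s.get("HTTP_PORT", "3000")):
        findings.append("ROOT_URL carries the Gogs HTTP_PORT: generated links bypass NGINX on 443")
    return findings

# Constructed samples (not from the original post): a weak section and a hardened one.
WEAK_INI = """[server]
PROTOCOL = http
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
DOMAIN = gogs.example.com
ROOT_URL = http://gogs.example.com:3000/
"""
HARDENED_INI = """[server]
PROTOCOL = https
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3000
DOMAIN = gogs.example.com
ROOT_URL = https://gogs.example.com/
CERT_FILE = /usr/lib/gogs/custom/ssl/certificate.pem
KEY_FILE = /usr/lib/gogs/custom/ssl/key.pem
"""

if __name__ == "__main__":
    print("weak:", lint_server_section(WEAK_INI))
    print("hardened:", lint_server_section(HARDENED_INI) or "ok")
```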