Configuring an nginx SSL reverse proxy for Gogs - idwtwt's column - CSDN blog

Original: https://www.guai.im/2016/04/03/Full%20SSL%20with%20GOGS%20using%20NGINX/

Generate Self-Signed SSL Certificate

  1. Make a work directory to hold the certificate (in the current user's home folder)
     Create a self-signed certificate with a 2048-bit RSA key, valid for one year
  2. Make a directory under your NGINX configuration directory to store the certificate
  3. Make a directory under your GOGS custom configuration directory to store the certificate

    • Note: In this example, GOGS is installed to /usr/lib/gogs but you can choose to put it anywhere
  4. Change the owner and group of the certificate files in the GOGS directory to the GOGS user

    • Note: If you are using a different user to run GOGS, replace "gogs" below with that user

Note
This certificate is valid for one year, so you will need to remember to rotate it every year.
The "openssl req -new" step prompts for the subject interactively; enter the hostname that NGINX will serve (gogs.myserver.com below) as the Common Name.
key.pem is the private key: keep it readable only by its owner (chmod 600) in both locations, since anyone who can read it can impersonate the server.

mkdir ~/ssl
cd ~/ssl
# 2048-bit RSA private key
openssl genrsa -out key.pem 2048
# Certificate signing request; you are prompted for the subject fields
openssl req -new -key key.pem -out csr.pem
# Self-sign the request, valid for 365 days
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem
# Copy for NGINX (owned by the user running NGINX, usually root)
mkdir /etc/nginx/ssl
cp *.pem /etc/nginx/ssl
# Copy for GOGS and hand ownership to the gogs user
mkdir /usr/lib/gogs/custom/ssl
cp *.pem /usr/lib/gogs/custom/ssl
chown -R gogs:gogs /usr/lib/gogs/custom/ssl
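The same procedure as a script, added here as an example and not part of the original post: it generates the certificate non-interactively, adds a subjectAltName for the hostname (modern clients match on the SAN rather than the Common Name), creates the private key with mode 0600 from the start, and includes a check for the yearly rotation the note above asks you to remember. The function names, the output-directory argument and the OpenSSL config are this example's own; the hostname gogs.myserver.com is the one used throughout the post. Nothing is copied into /etc/nginx or /usr/lib/gogs, that part is still done as in the steps above.

```shell
#!/bin/sh
# Example helper for the Gogs origin certificate (not from the original post).

# gen_self_signed HOST OUTDIR [DAYS]
# Writes OUTDIR/key.pem and OUTDIR/certificate.pem. The temporary OpenSSL
# config replaces the interactive prompts of "openssl req" and adds the SAN.
gen_self_signed() {
    host=$1
    out=$2
    days=${3:-365}
    mkdir -p "$out"
    cat > "$out/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 makes key.pem 0600 the moment it is created (the manual steps
    # leave it world-readable until you chmod it); the subshell keeps the
    # caller's umask unchanged.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -config "$out/openssl.cnf" \
        -keyout "$out/key.pem" -out "$out/certificate.pem" >/dev/null )
    # The certificate itself is public; nginx and Gogs run as different users.
    chmod 644 "$out/certificate.pem"
    rm -f "$out/openssl.cnf"
}

# cert_valid_for_days CERT N: exit 0 if CERT is still valid N days from now.
# "openssl x509 -checkend" does the date arithmetic portably, so the same
# function works in a cron job on the server and in a shell on a laptop.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_matches_host CERT HOST: exit 0 if HOST is listed in the certificate's SAN.
cert_matches_host() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage: sh gogs-cert.sh gogs.myserver.com ~/ssl
if [ "$#" -ge 2 ]; then
    gen_self_signed "$1" "$2"
    if cert_valid_for_days "$2/certificate.pem" 30; then
        echo "certificate is good for at least 30 more days"
    else
        echo "certificate expires within 30 days, rotate it" >&2
    fi
fi
```

Run cert_valid_for_days against /etc/nginx/ssl/certificate.pem from cron with a 30-day window and you get a warning a month before the yearly expiry instead of an outage.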

Modify NGINX Configuration

  • Create a GOGS configuration file in /etc/nginx/vhosts.d/gogs.conf
  • Check the configuration with nginx -t, then restart NGINX
  • service nginx restart (on an Ubuntu server, will vary for different Linux OS's)

Assumptions

Location of SSL certificate is /etc/nginx/ssl
GOGS is running on port 3000 (default)
Your nginx.conf includes /etc/nginx/vhosts.d/*.conf (on Ubuntu the default includes are /etc/nginx/conf.d/*.conf and /etc/nginx/sites-enabled/*, so put the file where your nginx.conf actually looks)

Notes
NGINX is restricted to TLSv1.2 and a very small cipher list because Cloudflare should be the only client talking to this server, so the stricter configuration costs nothing in compatibility. Without Cloudflare in front, this cipher list will lock out older clients.
Cloudflare's "Full" SSL mode accepts a self-signed origin certificate; "Full (strict)" does not, so switch to a Cloudflare Origin CA certificate or a publicly trusted one before enabling strict mode.
Your SSL certificate files should be owned by the user running NGINX (often root).
By default NGINX does not verify the upstream certificate on proxy_pass, so the hop to localhost:3000 is encrypted but not authenticated; that is acceptable on loopback, which is why GOGS is bound to 127.0.0.1 in the next section.
Because GOGS now sits behind a proxy, its logs will show 127.0.0.1 as the client unless you add proxy_set_header lines (Host, X-Real-IP, X-Forwarded-For) inside the location block.

server {
    listen 80;
    server_name gogs.myserver.com;
    # Redirect every plain-HTTP request to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name gogs.myserver.com;

    ssl_certificate /etc/nginx/ssl/certificate.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    # TLS 1.2 only, with a small forward-secret AES-128 suite list (see note above)
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AES128:EDH+AES128';

    # Tell browsers to use HTTPS for this host for one year
    add_header Strict-Transport-Security max-age=31536000;

    location / {
        # GOGS itself serves HTTPS on port 3000 (see the GOGS section below)
        proxy_pass https://localhost:3000;
    }
}

Modify GOGS Configuration

  • Modify your app.ini configuration file
  • Restart GOGS
  • service gogs restart (on an Ubuntu server, will vary for different Linux OS's)
Notes
This assumes you are using an "app.ini" configuration located at {gogs directory}/custom/conf/app.ini
Newer versions of GOGS require configuration changes to live in custom/conf/app.ini, and keeping them there means they survive upgrades.
I recommend changing your SSH port to something different even though the example below uses the default.
GOGS is installed to /usr/lib/gogs in this example, replace this with wherever you have installed GOGS.
ROOT_URL must be the address users reach through NGINX, without the :3000 port: GOGS builds its links and clone URLs from ROOT_URL, and port 3000 is only reachable from the loopback interface.
The bind-address key in the GOGS [server] section is HTTP_ADDR; binding it to 127.0.0.1 keeps port 3000 off the network so that NGINX is the only way in.

[server]
SSH_PORT = 22
; listen on loopback only, NGINX proxies to it
HTTP_ADDR = 127.0.0.1
DOMAIN = gogs.myserver.com
HTTP_PORT = 3000
PROTOCOL = https
; the public URL served by NGINX, not the internal :3000 port
ROOT_URL = https://gogs.myserver.com/
OFFLINE_MODE = false
CERT_FILE = /usr/lib/gogs/custom/ssl/certificate.pem
KEY_FILE = /usr/lib/gogs/custom/ssl/key.pem

Created: 2018-10-27 02:09:55