Configuring an nginx SSL reverse proxy for Gogs

Original: https://www.guai.im/2016/04/03/Full%20SSL%20with%20GOGS%20using%20NGINX/

Generate Self-Signed SSL Certificate

  1. Make a work directory to hold the certificate (in the current user's home folder)
     • Create a 2048-bit self-signed certificate valid for one year
  2. Make a directory under your NGINX configuration directory to store the certificate
  3. Make a directory under your GOGS custom configuration directory to store the certificate
     • Note: In this example, GOGS is installed to /usr/lib/gogs but you can choose to put it anywhere
  4. Modify the user and group owner of the certificate in GOGS to be that of the GOGS user
     • Note: If you are using a different user to run GOGS, replace “gogs” below with that user

Note
This certificate is valid for one year; remember to rotate it every year.

# 1. Work directory and a 2048-bit RSA key, CSR and self-signed certificate (365 days)
mkdir ~/ssl
cd ~/ssl
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem
# 2. Copy of the certificate and key for NGINX
mkdir /etc/nginx/ssl
cp *.pem /etc/nginx/ssl
# 3. Copy of the certificate and key for GOGS, 4. owned by the GOGS user
mkdir /usr/lib/gogs/custom/ssl
cp *.pem /usr/lib/gogs/custom/ssl
chown -R gogs:gogs /usr/lib/gogs/custom/ssl

Modify NGINX Configuration

  • Create a GOGS configuration file in /etc/nginx/vhosts.d/gogs.conf
  • Restart NGINX: service nginx restart (on an Ubuntu server, will vary for different Linux OSes)

Assumptions

Location of SSL certificate is /etc/nginx/ssl
GOGS is running on port 3000 (default)

Notes
The reason I make NGINX allow only TLSv1.2 and a very limited cipher set is that Cloudflare should be the only client communicating with this server, so I opt for a more secure configuration.
Also note that your SSL certificates should be owned by the user running NGINX (often root).

server {
    listen 80;
    server_name gogs.myserver.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name gogs.myserver.com;

    ssl_certificate /etc/nginx/ssl/certificate.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers 'EECDH+AES128:EDH+AES128';

    add_header Strict-Transport-Security max-age=31536000;

    location / {
        proxy_pass https://localhost:3000;
    }
}

Modify GOGS Configuration

  • Modify your apps.ini configuration file
  • Restart GOGS: service gogs restart (on an Ubuntu server, will vary for different Linux OSes)

Notes
This assumes you are using an “apps.ini” configuration located at {gogs directory}/custom/conf/apps.ini.
Newer versions of GOGS require configuration changes to be made here, and doing so keeps them upgrade-proof.
I recommend changing your SSH port to something other than the default, even though the example below uses the default.
GOGS is installed to /usr/lib/gogs in this example; replace this with wherever you have installed GOGS.

[server]
SSH_PORT = 22
LISTEN = 127.0.0.1
DOMAIN = gogs.myserver.com
HTTP_PORT = 3000
PROTOCOL = https
ROOT_URL = https://gogs.myserver.com:3000/
OFFLINE_MODE = false
CERT_FILE = /usr/lib/gogs/custom/ssl/certificate.pem
KEY_FILE = /usr/lib/gogs/custom/ssl/key.pem
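The two configurations above only give "full SSL" when they agree with each other: nginx must proxy to the same scheme and port Gogs serves, Gogs must listen on loopback so nothing bypasses the proxy, and the TLS hardening (TLSv1.2 only, HSTS, HTTP to HTTPS redirect) must actually be present. The following consistency check is an added example, not code from the original post; it parses constructed samples shaped like the page's nginx server blocks and apps.ini [server] section (the host gogs.example.test is a placeholder).

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample inputs (placeholder host) shaped like the page's nginx and apps.ini config.
NGINX_CONF = """
server { listen 80; server_name gogs.example.test;
    return 301 https://$server_name$request_uri; }
server { listen 443 ssl; server_name gogs.example.test;
    ssl_protocols TLSv1.2;
    add_header Strict-Transport-Security max-age=31536000;
    location / { proxy_pass https://localhost:3000; } }
"""
GOGS_INI = """
[server]
LISTEN = 127.0.0.1
DOMAIN = gogs.example.test
HTTP_PORT = 3000
PROTOCOL = https
"""

def directives(conf):
    """Map each nginx directive name to its values, in order of appearance."""
    out = {}
    for name, value in re.findall(r"([a-z_]+)\s+([^;{}\n]+?)\s*;", conf):
        out.setdefault(name, []).append(value)
    return out

def check_full_ssl(nginx_conf, gogs_ini):
    """Return findings where nginx and Gogs disagree or the TLS hardening is missing."""
    nd = directives(nginx_conf)
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep Gogs' upper-case keys as written
    cp.read_string(gogs_ini)
    srv, findings = cp["server"], []
    up = urlsplit(nd.get("proxy_pass", [""])[0])  # the upstream nginx forwards to
    if up.scheme != srv.get("PROTOCOL", "http"):
        findings.append("proxy_pass scheme differs from Gogs PROTOCOL")
    if str(up.port) != srv.get("HTTP_PORT", "3000"):
        findings.append("proxy_pass port differs from Gogs HTTP_PORT")
    if srv.get("LISTEN") not in ("127.0.0.1", "localhost", "::1"):
        findings.append("Gogs LISTEN is not loopback; it is reachable without nginx")
    for proto in " ".join(nd.get("ssl_protocols", [])).split():
        if proto not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"legacy protocol enabled: {proto}")
    if not any(v.startswith("Strict-Transport-Security") for v in nd.get("add_header", [])):
        findings.append("HSTS header missing")
    if not any(v.startswith("301 https://") for v in nd.get("return", [])):
        findings.append("port 80 does not redirect to https")
    return findings
```

Run it against the real /etc/nginx/vhosts.d/gogs.conf and apps.ini contents after every change; an empty list means the proxy and Gogs still agree.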
