Generate Self-Signed SSL Certificate

  1. Make a work directory to hold the certificate (in the current user's home folder)
  2. Create a self-signed certificate with a 2048-bit key, valid for one year
  3. Make a directory under your NGINX configuration directory to store the certificate
  4. Make a directory under your GOGS custom configuration directory to store the certificate
    • Note: In this example, GOGS is installed to /usr/lib/gogs but you can choose to put it anywhere
  5. Change the owner and group of the certificate in GOGS to the GOGS user
    • Note: If you are using a different user to run GOGS, replace “gogs” below with that user

Note
This certificate is valid for one year; you will need to remember to rotate it every year.

# 1. Work directory in the current user's home folder
mkdir ~/ssl
cd ~/ssl
# 2. 2048-bit RSA private key, a signing request, and a self-signed certificate valid for 365 days
#    key.pem is the private key: keep it readable only by root and the users that need it
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem
# 3. Copy the key and certificate to where NGINX will read them
mkdir /etc/nginx/ssl
cp *.pem /etc/nginx/ssl
# 4. Copy them to where GOGS will read them (GOGS is installed to /usr/lib/gogs in this example)
mkdir /usr/lib/gogs/custom/ssl
cp *.pem /usr/lib/gogs/custom/ssl
# 5. The GOGS user must be able to read its copy
chown -R gogs:gogs /usr/lib/gogs/custom/ssl

Modify NGINX Configuration

  • Create a GOGS configuration file in /etc/nginx/vhosts.d/gogs.conf
  • Restart NGINX
    • service nginx restart (on an Ubuntu server; this will vary on other Linux distributions)

Assumptions
Location of the SSL certificate is /etc/nginx/ssl
GOGS is running on port 3000 (default)

Notes
The reason I make NGINX allow only TLSv1.2 and a very limited cipher set is that Cloudflare should be the only client communicating with this server, so I opt for a more secure configuration.
Also note that your SSL certificates should be owned by the user running NGINX (often root).

server {
    listen 80;
    server_name gogs.myserver.com;
    # Send all plain HTTP requests to the HTTPS server block
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name gogs.myserver.com;

    # Self-signed certificate and key generated in the previous section
    ssl_certificate /etc/nginx/ssl/certificate.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Cloudflare is the only expected client, so only TLSv1.2 and a small
    # forward-secret AES-128 cipher set are offered
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AES128:EDH+AES128';

    # Tell browsers to use HTTPS for this host for one year (31536000 seconds)
    add_header Strict-Transport-Security max-age=31536000;

    # GOGS itself serves HTTPS on localhost:3000 (see the GOGS configuration below)
    location / {
        proxy_pass https://localhost:3000;
    }
}

Modify GOGS Configuration

  • Modify your app.ini configuration file
  • Restart GOGS
    • service gogs restart (on an Ubuntu server; this will vary on other Linux distributions)

Notes
This assumes you are using an “app.ini” configuration located at {gogs directory}/custom/conf/app.ini
Newer versions of GOGS require configuration changes to live in this custom location, and it also keeps them intact across upgrades
I recommend changing your SSH port to something different even though the example below uses the default
GOGS is installed to /usr/lib/gogs in this example; replace this with wherever you have installed GOGS

[server]
SSH_PORT = 22
; The bind-address key GOGS reads is HTTP_ADDR; binding to loopback keeps port 3000 reachable only through NGINX
HTTP_ADDR = 127.0.0.1
DOMAIN = gogs.myserver.com
HTTP_PORT = 3000
; GOGS serves TLS itself, matching the proxy_pass https:// in the NGINX configuration
PROTOCOL = https
; Public URL as clients see it through NGINX on 443, not the internal listener port
ROOT_URL = https://gogs.myserver.com/
OFFLINE_MODE = false
CERT_FILE = /usr/lib/gogs/custom/ssl/certificate.pem
KEY_FILE = /usr/lib/gogs/custom/ssl/key.pem
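As an added check (example code written for this page, not part of the original post or of GOGS/NGINX), the following Python function audits a [server] section against the layout described here: NGINX on 443 in front of a TLS-enabled GOGS on localhost:3000. It assumes GOGS reads its bind address from HTTP_ADDR and defaults to 0.0.0.0 when that key is absent, and that clients reach NGINX on port 443; the two ini samples are constructed.

```python
# Audit a Gogs app.ini [server] section for the NGINX-fronted layout on this page.
# Added example; not code from Gogs, NGINX or the original post.
import configparser
from typing import List
from urllib.parse import urlsplit

# Constructed sample: the page's values, but with a LISTEN key (Gogs reads
# HTTP_ADDR for the bind address, so LISTEN is silently ignored) and a
# ROOT_URL that points at the internal port instead of NGINX.
MISCONFIGURED = """\
[server]
SSH_PORT = 22
LISTEN = 127.0.0.1
DOMAIN = gogs.myserver.com
HTTP_PORT = 3000
PROTOCOL = https
ROOT_URL = https://gogs.myserver.com:3000/
CERT_FILE = /usr/lib/gogs/custom/ssl/certificate.pem
KEY_FILE = /usr/lib/gogs/custom/ssl/key.pem
"""
# Constructed corrected sample for the same deployment.
CORRECTED = MISCONFIGURED.replace("LISTEN", "HTTP_ADDR").replace(":3000/", "/")

def audit_server_section(ini_text: str, public_port: int = 443) -> List[str]:
    cp = configparser.ConfigParser(interpolation=None)  # Gogs defaults use '%(...)s'
    cp.read_string(ini_text)
    if not cp.has_section("server"):
        return ["no [server] section"]
    s, findings = cp["server"], []
    # Bind address: Gogs must stay on loopback so port 3000 is reachable only via NGINX.
    if "LISTEN" in s:
        findings.append("LISTEN is not a Gogs key; the bind address is HTTP_ADDR")
    addr = s.get("HTTP_ADDR", "0.0.0.0")  # assumed Gogs default when the key is absent
    if addr not in ("127.0.0.1", "localhost", "::1"):
        findings.append("HTTP_ADDR=%s exposes Gogs directly; bind to 127.0.0.1" % addr)
    # Backend TLS: the page's NGINX proxy_pass uses https, so Gogs must serve it.
    if s.get("PROTOCOL", "http").lower() != "https":
        findings.append("PROTOCOL is not https but NGINX proxies to https://localhost:3000")
    else:
        findings += ["%s missing although PROTOCOL=https" % k
                     for k in ("CERT_FILE", "KEY_FILE") if not s.get(k)]
    # Public URL: ROOT_URL is what browsers and git clients see, i.e. NGINX's host/port.
    url = urlsplit(s.get("ROOT_URL", ""))
    if url.scheme != "https":
        findings.append("ROOT_URL is not https; generated links and redirects downgrade")
    if url.hostname != s.get("DOMAIN"):
        findings.append("ROOT_URL host does not match DOMAIN")
    if (url.port or 443) != public_port:
        findings.append("ROOT_URL port %s is the internal listener, not %d" % (url.port, public_port))
    return findings
```

Running audit_server_section on MISCONFIGURED reports the ignored LISTEN key, the resulting 0.0.0.0 bind and the :3000 ROOT_URL; on CORRECTED it returns an empty list.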