In the previous section of this guide we were logged in as root, and were running commands as root. This is generally considered bad practice, for good reasons, and so from this point forth we shall be logging in as our unprivileged user (“user” if you’ve followed the guide without making any changes) and making use of sudo for all commands that need root privileges.

Before we install gitea we need to install and configure some services that our git server needs in order to function: a webserver that can handle SSL termination (to keep our users safe from snooping when they connect to our server), and a mail server to send out emails. The mail server is largely optional, but if you want to allow users to register we need some way to do that without letting in bots and scammers, and it can also be useful for other purposes, like informing us when something goes wrong.

Before we go any further we need an FQDN (Fully Qualified Domain Name, a technical way of saying a domain name that points specifically at our server) for our server. Most hosting providers will give you one, but it won’t be pretty, and it will be a subdomain of their domain. You could use that, but if you already have a domain you could instead point a subdomain of it at our server. For this guide we’ll use the subdomain “git” of the domain “example.com”, so our server will live at “git.example.com”.

Now we are ready to install and configure our web server software. I am going to use Apache HTTPD as it is what I am most comfortable with, however it shouldn’t be too difficult to adjust these instructions to use nginx or any other web server you wish to use. We’re not doing anything too complicated. I’m also going to be using certbot to get free SSL certificates from Let’s Encrypt.

sudo apt-get install apache2 certbot
sudo a2dissite 000-default.conf
# Quote the delimiter ('EOF') so the shell leaves ${APACHE_LOG_DIR} and $1 alone;
# with an unquoted EOF it would expand them before Apache ever saw the file.
cat << 'EOF' | sudo tee /etc/apache2/sites-available/git.example.com.conf > /dev/null
<VirtualHost *:80>
    ServerName git.example.com

    AddDefaultCharset utf-8

    # Send everything to https, except the ACME challenge path certbot needs over plain http
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
    RewriteRule ^/(.*) https://git.example.com/$1 [R=301,QSA]

    Alias "/.well-known/acme-challenge" "/var/www/acme-challenge"
    <Directory /var/www/acme-challenge/>
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
<IfModule ssl_module>
<VirtualHost *:443>
    ServerName git.example.com

    SSLEngine on
    SSLHonorCipherOrder On
    # TLSv1 and TLSv1.1 are deprecated; keep only +TLSv1.2 unless you must support old clients
    SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
    SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:!ADH:!NULL:!MEDIUM:!LOW:!EXPORT:!AECDH:!RSA:!3DES

    SSLCertificateFile /etc/letsencrypt/live/git.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/git.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/git.example.com/chain.pem

    AddDefaultCharset utf-8

    Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"

    # Reverse proxy to gitea, which will listen on port 3000 on this host
    ProxyPreserveHost On
    ProxyRequests off
    # RemoteIPHeader only makes sense when another proxy sits in front of Apache and is
    # listed with RemoteIPTrustedProxy; with no trusted-proxy list Apache would accept an
    # X-Real-IP header from any client, so the directive is left commented out here.
    # RemoteIPHeader X-Real-IP
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
</IfModule>
EOF
sudo a2ensite git.example.com.conf
# mod_rewrite is not enabled by default on Debian/Ubuntu; without it the RewriteEngine line stops apache from starting
sudo a2enmod rewrite
sudo apache2ctl restart

This installs apache and certbot, disables the default site, which we do not need, and creates the one we do. Note that the redirect to the https version of the site will not work yet: the :443 virtual host is skipped until we enable the ssl module, and it will stay that way until we do. But we need the SSL certs first, and that is what certbot is for.

Before we get our free SSL cert we want to control how it validates that we own the domain we are requesting a certificate for, and then we want to request our certificate.

sudo mkdir /root/certbot
# Quoted 'EOF' again: certbot sets $CERTBOT_TOKEN and $CERTBOT_VALIDATION when it runs the hook,
# so they must reach the script unexpanded rather than being expanded (to nothing) by our shell now
cat << 'EOF' | sudo tee /root/certbot/auth.sh > /dev/null
#!/bin/bash
# Publish the HTTP-01 challenge where the :80 virtual host serves /.well-known/acme-challenge/
mkdir -p /var/www/acme-challenge
echo "$CERTBOT_VALIDATION" > "/var/www/acme-challenge/$CERTBOT_TOKEN"
EOF
sudo chmod u+x /root/certbot/auth.sh
cat << 'EOF' | sudo tee /root/certbot/clean.sh > /dev/null
#!/bin/bash
# Remove the challenge file once certbot has finished with it
rm -f "/var/www/acme-challenge/$CERTBOT_TOKEN"
EOF
sudo chmod u+x /root/certbot/clean.sh
cat << 'EOF' | sudo tee /root/certbot/renew.sh > /dev/null
#!/bin/bash
# Run after a renewal so apache picks up the new certificate
/usr/bin/service apache2 restart
EOF
sudo chmod u+x /root/certbot/renew.sh
sudo certbot --manual-auth-hook /root/certbot/auth.sh \
             --manual-cleanup-hook /root/certbot/clean.sh \
             --rsa-key-size 4096 -d git.example.com certonly --manual
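A hardened form of the two manual hooks above, as an added example (not the guide's own scripts): it checks the token certbot hands over in CERTBOT_TOKEN before using it as a file name, and writes the CERTBOT_VALIDATION body with permissions the webserver user can read. ACME_WEBROOT is an assumed variable so the functions can be exercised against a temporary directory instead of /var/www/acme-challenge.

```shell
#!/bin/sh
# Hardened forms of the manual-auth and manual-cleanup hooks (added example,
# not the guide's own scripts). certbot exports CERTBOT_TOKEN and
# CERTBOT_VALIDATION to the auth hook and expects the validation string to be
# served at http://git.example.com/.well-known/acme-challenge/<token>.
# ACME_WEBROOT is an assumed variable so the functions can be run against a
# temporary directory instead of /var/www/acme-challenge.
ACME_WEBROOT="${ACME_WEBROOT:-/var/www/acme-challenge}"

# ACME tokens use only the base64url alphabet; reject anything else so the
# token can never become a path component such as "../" or an empty name.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

acme_auth_hook() {
    valid_token "$CERTBOT_TOKEN" || { echo "auth hook: bad CERTBOT_TOKEN" >&2; return 1; }
    [ -n "$CERTBOT_VALIDATION" ] || { echo "auth hook: CERTBOT_VALIDATION unset" >&2; return 1; }
    mkdir -p "$ACME_WEBROOT"
    # 022: the file stays owned by root but is readable by the webserver user.
    umask 022
    printf '%s' "$CERTBOT_VALIDATION" > "$ACME_WEBROOT/$CERTBOT_TOKEN"
}

acme_cleanup_hook() {
    valid_token "$CERTBOT_TOKEN" || return 1
    rm -f "$ACME_WEBROOT/$CERTBOT_TOKEN"
}

# What the :80 virtual host would serve for a token (used to check the hooks).
served_challenge() {
    valid_token "$1" || return 1
    cat "$ACME_WEBROOT/$1" 2>/dev/null
}
```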

This last command will ask you for an email address. It will be used to send reminders if your certificate is about to expire (we will prevent that later on in the guide) or if there are urgent problems, so I suggest using a valid email address. It will also ask you to agree to Let’s Encrypt’s terms, and whether you are OK with your IP address being logged. Assuming that you agree and accept that your IP (the IP of your server, that is) will be logged, you will get an SSL certificate. So now we need to enable some modules for apache and restart it so that our reverse proxy works.

sudo a2enmod proxy proxy_http ssl headers remoteip
sudo apache2ctl restart

Our webserver is now ready, and we can move onto setting up a mail server to send out emails.