Setting up SSL for Forgejo on your homelab/vps using nginx reverse proxy
Goal: Set up Forgejo on my VPS and be able to use SSL with it
Issues
- I had no idea how to get Forgejo to use SSL
- I didn’t use a wildcard with letsencrypt for my domain so git.smallweb.space wasn’t going to work
- I needed to figure out how to get a subdirectory to proxy SSL to my http server via nginx (i.e., https://smallweb.space/git/* forwarded to 127.0.0.1:3000)
Solution
2 pieces of information were key:
- Having nginx proxy all SSL requests to the forgejo http server
- Finding the right nginx location directive to catch all /git/* requests correctly
Details
This assumes you have a newly installed Forgejo server running on your VPS at port 3000 and running under systemd. See Forgejo installation / admin docs for details.
Configure Nginx
Edit your Nginx config. I’m just using the default at:
$ vim /etc/nginx/sites-enabled/default
And add something like this inside your server block (preferably near the top so it’s the first match):
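location ~ ^/git(?<sub_dir>.*)$ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    # No colon after the header name: nginx uses the name exactly as written
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Url-Scheme https;
    # proxy_pass with a variable does not append the query string by itself
    proxy_pass http://127.0.0.1:3000$sub_dir$is_args$args;
}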
Explanation:
- The ‘location’ defines a regular expression to catch ALL requests beginning with ‘/git’ and assigns the rest of the path to a variable ‘sub_dir’ (which is used on the last line to pass to the Forgejo server)
- the next 3 lines set up the proxy headers
- X-Forwarded-Proto – this is the key line: it tells the forgejo server that the request nginx is proxying arrived over https
- proxy_pass – this is the location of your Forgejo server. Notice that $sub_dir is appended. If you don’t do this, Forgejo will fail to load anything but the bare-bones HTML page (no images, etc.)
Restart Nginx
$ sudo systemctl restart nginx
Configure forgejo for the subdirectory
$ sudo vim /etc/forgejo/app.ini
And change ‘ROOT_URL’ to point to your subdirectory
ROOT_URL = https://smallweb.space/git/
Restart forgejo
$ sudo systemctl restart forgejo
The End
That’s it, you should now be able to navigate to
https://<your-domain>/git/
and see forgejo loaded over https://
Go ahead and make that admin user (you didn’t do that over http did you?)
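Since Forgejo itself still speaks plain http on port 3000, it is worth confirming that only nginx can reach that port. The following is an added example, not part of the original post or of Forgejo: a small lint for the [server] section of app.ini. It assumes the HTTP_ADDR key defaults to 0.0.0.0 when unset, and the sample file contents are constructed.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: app.ini as this guide leaves it. HTTP_ADDR is not set,
# which this example assumes means "listen on all interfaces" (0.0.0.0).
SAMPLE_APP_INI = """\
APP_NAME = Forgejo
RUN_USER = git

[server]
HTTP_PORT = 3000
ROOT_URL = https://smallweb.space/git/
"""


def is_loopback(addr):
    """True if addr is localhost or a loopback IP literal."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as reachable from outside


def check_server_section(ini_text, proxy_prefix="/git/"):
    """Return a list of findings for the [server] section of an app.ini."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the upper-case key names
    # app.ini has keys before the first [section]; configparser requires one.
    parser.read_string("[__top__]\n" + ini_text)
    server = parser["server"] if parser.has_section("server") else {}

    findings = []
    root = urlsplit(server.get("ROOT_URL", ""))
    if root.scheme != "https":
        findings.append("ROOT_URL does not use https")
    if root.path != proxy_prefix:
        findings.append(f"ROOT_URL path {root.path!r} does not match {proxy_prefix!r}")
    addr = server.get("HTTP_ADDR", "0.0.0.0")
    if not is_loopback(addr):
        findings.append(f"HTTP_ADDR {addr} exposes the plain-http port beyond nginx")
    return findings


if __name__ == "__main__":
    for finding in check_server_section(SAMPLE_APP_INI):
        print("FINDING:", finding)
```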
Sources
[Server Fault](https://serverfault.com/questions/792326/nginx-proxy-pass-using-subfolder)
[Nginx Location Examples](https://www.thegeekstuff.com/2017/05/nginx-location-examples/)
[SO Question on SSL with Nginx Reverse Proxy](https://stackoverflow.com/questions/16042647/whats-the-de-facto-standard-for-a-reverse-proxy-to-tell-the-backend-ssl-is-used)