gitea/docs/content/administration/https-support.en-us.md

---
date: "2018-06-02T11:00:00+02:00"
title: "HTTPS setup"
slug: "https-setup"
sidebar_position: 12
toc: false
draft: false
aliases:
  - /en-us/https-setup
menu:
  sidebar:
    parent: "administration"
    name: "HTTPS setup"
    sidebar_position: 12
    identifier: "https-setup"
---

# HTTPS setup to encrypt connections to Gitea

## Using the built-in server

Before you enable HTTPS, make sure that you have valid SSL/TLS certificates.
You could use self-generated certificates for evaluation and testing. Please run `gitea cert --host [HOST]` to generate a self signed certificate.

If you are using Apache or nginx on the server, it's recommended to check the [reverse proxy guide](administration/reverse-proxies.md).

To use Gitea's built-in HTTPS support, you must change your `app.ini` file:

```ini
[server]
PROTOCOL  = https
ROOT_URL  = https://git.example.com:3000/
HTTP_PORT = 3000
CERT_FILE = cert.pem
KEY_FILE  = key.pem
```

Note that if your certificate is signed by a third party certificate authority (i.e. not self-signed), then cert.pem should contain the certificate chain. The server certificate must be the first entry in cert.pem, followed by the intermediaries in order (if any). The root certificate does not have to be included because the connecting client must already have it in order to estalbish the trust relationship.
To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server-server).

For the `CERT_FILE` or `KEY_FILE` field, the file path is relative to the `GITEA_CUSTOM` environment variable when it is a relative path. It can be an absolute path as well.

### Setting up HTTP redirection

The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:

```ini
[server]
REDIRECT_OTHER_PORT = true
; Port the redirection service should listen on
PORT_TO_REDIRECT = 3080
```

If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.

## Using ACME (Default: Let's Encrypt)

[ACME](https://tools.ietf.org/html/rfc8555) is a Certificate Authority standard protocol that allows you to automatically request and renew SSL/TLS certificates. [Let's Encrypt](https://letsencrypt.org/) is a free publicly trusted Certificate Authority server using this standard. Only `HTTP-01` and `TLS-ALPN-01` challenges are implemented. In order for ACME challenges to pass and verify your domain ownership, external traffic to the gitea domain on port `80` (`HTTP-01`) or port `443` (`TLS-ALPN-01`) has to be served by the gitea instance. Setting up [HTTP redirection](#setting-up-http-redirection) and port-forwards might be needed for external traffic to route correctly. Normal traffic to port `80` will otherwise be automatically redirected to HTTPS. **You must consent** to the ACME provider's terms of service (default Let's Encrypt's [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)).

Minimum setup using the default Let's Encrypt:

```ini
[server]
PROTOCOL=https
DOMAIN=git.example.com
ENABLE_ACME=true
ACME_ACCEPTTOS=true
ACME_DIRECTORY=https
;; Email can be omitted here and provided manually at first run, after which it is cached
ACME_EMAIL=email@example.com
```

Minimum setup using a [smallstep CA](https://github.com/smallstep/certificates), refer to [their tutorial](https://smallstep.com/docs/tutorials/acme-challenge) for more information.

```ini
[server]
PROTOCOL=https
DOMAIN=git.example.com
ENABLE_ACME=true
ACME_ACCEPTTOS=true
ACME_URL=https://ca.example.com/acme/acme/directory
;; Can be omitted if using the system's trust is preferred
;ACME_CA_ROOT=/path/to/root_ca.crt
ACME_DIRECTORY=https
ACME_EMAIL=email@example.com
```

To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server-server).

## Using a reverse proxy

Setup up your reverse proxy as shown in the [reverse proxy guide](../reverse-proxies).

After that, enable HTTPS by following one of these guides:

- [nginx](https://nginx.org/en/docs/http/configuring_https_servers.html)
- [apache2/httpd](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html)
- [caddy](https://caddyserver.com/docs/tls)

Note: Enabling HTTPS only at the proxy level is referred as [TLS Termination Proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy). The proxy server accepts incoming TLS connections, decrypts the contents, and passes the now unencrypted contents to Gitea. This is normally fine as long as both the proxy and Gitea instances are either on the same machine, or on different machines within private network (with the proxy is exposed to outside network). If your Gitea instance is separated from your proxy over a public network, or if you want full end-to-end encryption, you can also [enable HTTPS support directly in Gitea using built-in server](#using-the-built-in-server) and forward the connections over HTTPS instead.
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			`---`
			`date: "2018-06-02T11:00:00+02:00"`
Adjust some documentations titles (#23941) As title. 2 years ago			`title: "HTTPS setup"`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			`slug: "https-setup"`
Docusaurus-ify (#26051) This PR cleans up the docs in a way to make them simpler to ingest by our [docs repo](https://gitea.com/gitea/gitea-docusaurus). 1. It includes all of the sed invocations our ingestion did, removing the need to do it at build time. 2. It replaces the shortcode variable replacement method with `@variable@` style, simply for easier sed invocations when required. 3. It removes unused files and moves the docs up a level as cleanup. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> 1 year ago			`sidebar_position: 12`
Reformat docs (#13897) Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`toc: false`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			`draft: false`
Refactor docs (#23752) This was intended to be a small followup for https://github.com/go-gitea/gitea/pull/23712, but...here we are. 1. Our docs currently use `slug` as the entire URL, which makes refactoring tricky (see https://github.com/go-gitea/gitea/pull/23712). Instead, this PR attempts to make future refactoring easier by using slugs as an extension of the section. (Hugo terminology) - What the above boils down to is this PR attempts to use directory organization as URL management. e.g. `usage/comparison.en-us.md` -> `en-us/usage/comparison/`, `usage/packages/overview.en-us.md` -> `en-us/usage/packages/overview/` - Technically we could even remove `slug`, as Hugo defaults to using filename, however at least with this PR it means `slug` only needs to be the name for the current file rather than an entire URL 2. This PR adds appropriate aliases (redirects) for pages, so anything on the internet that links to our docs should hopefully not break. 3. A minor nit I've had for a while, renaming `seek-help` to `support`. It's a minor thing, but `seek-help` has a strange connotation to it. 4. The commits are split such that you can review the first which is the "actual" change, and the second is added redirects so that the first doesn't break links elsewhere. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> 2 years ago			`aliases:`
			`- /en-us/https-setup`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			`menu:`
			`sidebar:`
Restructure documentation. Now the documentation has installation, administration, usage, development, contributing the 5 main parts (#23629) - Installation: includes how to install Gitea and related other tools, also includes upgrade Gitea - Administration: includes how to configure Gitea, customize Gitea and manage Gitea instance out of Gitea admin UI - Usage: includes how to use Gitea's functionalities. A sub documentation is about packages, in future we could also include CI/CD and others. - Development: includes how to integrate with Gitea's API, how to develop new features within Gitea - Contributing: includes how to contribute code to Gitea repositories. After this is merged, I think we can have a sub-documentation of `Usage` part named `Actions` to describe how to use Gitea actions --------- Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2 years ago			`parent: "administration"`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			`name: "HTTPS setup"`
Docusaurus-ify (#26051) This PR cleans up the docs in a way to make them simpler to ingest by our [docs repo](https://gitea.com/gitea/gitea-docusaurus). 1. It includes all of the sed invocations our ingestion did, removing the need to do it at build time. 2. It replaces the shortcode variable replacement method with `@variable@` style, simply for easier sed invocations when required. 3. It removes unused files and moves the docs up a level as cleanup. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> 1 year ago			`sidebar_position: 12`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			`identifier: "https-setup"`
			`---`

			`# HTTPS setup to encrypt connections to Gitea`

Fix headline (#6353) 6 years ago			`## Using the built-in server`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago
Copyedit docs (#6275) 6 years ago			`Before you enable HTTPS, make sure that you have valid SSL/TLS certificates.`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			You could use self-generated certificates for evaluation and testing. Please run `gitea cert --host [HOST]` to generate a self signed certificate.

Docusaurus-ify (#26051) This PR cleans up the docs in a way to make them simpler to ingest by our [docs repo](https://gitea.com/gitea/gitea-docusaurus). 1. It includes all of the sed invocations our ingestion did, removing the need to do it at build time. 2. It replaces the shortcode variable replacement method with `@variable@` style, simply for easier sed invocations when required. 3. It removes unused files and moves the docs up a level as cleanup. --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> 1 year ago			`If you are using Apache or nginx on the server, it's recommended to check the [reverse proxy guide](administration/reverse-proxies.md).`
Doc recommend to use reverse proxy if Apache/nginx is also running on… (#8384) * Doc recommend to use reverse proxy if Apache/nginx is also running on server * Update docs/content/doc/usage/https-support.md Co-Authored-By: John Olheiser <42128690+jolheiser@users.noreply.github.com> 5 years ago
Copyedit docs (#6275) 6 years ago			To use Gitea's built-in HTTPS support, you must change your `app.ini` file:
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago
			```ini
			`[server]`
Cleanup https support code snippet (#8370) 5 years ago			`PROTOCOL = https`
			`ROOT_URL = https://git.example.com:3000/`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			`HTTP_PORT = 3000`
			`CERT_FILE = cert.pem`
Cleanup https support code snippet (#8370) 5 years ago			`KEY_FILE = key.pem`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago			```
Reformat docs (#13897) Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago
Clarification on the use of certificate chains (#12986) * Clarification on the use of certificate chains * As per @bagasme Co-authored-by: Bagas Sanjaya <bagasdotme@gmail.com> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Bagas Sanjaya <bagasdotme@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> 4 years ago			`Note that if your certificate is signed by a third party certificate authority (i.e. not self-signed), then cert.pem should contain the certificate chain. The server certificate must be the first entry in cert.pem, followed by the intermediaries in order (if any). The root certificate does not have to be included because the connecting client must already have it in order to estalbish the trust relationship.`
Fix various typos in docs (#17844) 3 years ago			`To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server-server).`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago
[doc] https-setup: explain relative paths for {CERT,KEY}_FILE fields. (#18244) Closes: https://github.com/go-gitea/gitea/issues/14401 3 years ago			For the `CERT_FILE` or `KEY_FILE` field, the file path is relative to the `GITEA_CUSTOM` environment variable when it is a relative path. It can be an absolute path as well.

Copyedit docs (#6275) 6 years ago			`### Setting up HTTP redirection`
Documentation: Clarity for HTTPS setups (#5626) [https-setup] - Made it clearer that HTTP redirection is possible [config-cheat-sheet] - Clarified the behavihour of the redirection-related config keys 6 years ago
			`The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:`

			```ini
			`[server]`
			`REDIRECT_OTHER_PORT = true`
			`; Port the redirection service should listen on`
			`PORT_TO_REDIRECT = 3080`
			```

			If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.

Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`## Using ACME (Default: Let's Encrypt)`
add letsencrypt to Gitea (#4189) 6 years ago
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			[ACME](https://tools.ietf.org/html/rfc8555) is a Certificate Authority standard protocol that allows you to automatically request and renew SSL/TLS certificates. [Let's Encrypt](https://letsencrypt.org/) is a free publicly trusted Certificate Authority server using this standard. Only `HTTP-01` and `TLS-ALPN-01` challenges are implemented. In order for ACME challenges to pass and verify your domain ownership, external traffic to the gitea domain on port `80` (`HTTP-01`) or port `443` (`TLS-ALPN-01`) has to be served by the gitea instance. Setting up [HTTP redirection](#setting-up-http-redirection) and port-forwards might be needed for external traffic to route correctly. Normal traffic to port `80` will otherwise be automatically redirected to HTTPS. You must consent to the ACME provider's terms of service (default Let's Encrypt's [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf)).
add letsencrypt to Gitea (#4189) 6 years ago
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`Minimum setup using the default Let's Encrypt:`
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed. 2 years ago
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			```ini
			`[server]`
			`PROTOCOL=https`
			`DOMAIN=git.example.com`
			`ENABLE_ACME=true`
			`ACME_ACCEPTTOS=true`
			`ACME_DIRECTORY=https`
			`;; Email can be omitted here and provided manually at first run, after which it is cached`
			`ACME_EMAIL=email@example.com`
			```
add letsencrypt to Gitea (#4189) 6 years ago
Fix typo (#20993) 2 years ago			`Minimum setup using a [smallstep CA](https://github.com/smallstep/certificates), refer to [their tutorial](https://smallstep.com/docs/tutorials/acme-challenge) for more information.`
Add markdownlint (#20512) Add `markdownlint` linter and fix issues. Config is based on the one from electron's repo with a few rules relaxed. 2 years ago
add letsencrypt to Gitea (#4189) 6 years ago			```ini
			`[server]`
			`PROTOCOL=https`
			`DOMAIN=git.example.com`
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`ENABLE_ACME=true`
			`ACME_ACCEPTTOS=true`
			`ACME_URL=https://ca.example.com/acme/acme/directory`
			`;; Can be omitted if using the system's trust is preferred`
			`;ACME_CA_ROOT=/path/to/root_ca.crt`
			`ACME_DIRECTORY=https`
			`ACME_EMAIL=email@example.com`
add letsencrypt to Gitea (#4189) 6 years ago			```

Fix various typos in docs (#17844) 3 years ago			`To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server-server).`
add letsencrypt to Gitea (#4189) 6 years ago
Reformat docs (#13897) Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`## Using a reverse proxy`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago
Copyedit docs (#6275) 6 years ago			`Setup up your reverse proxy as shown in the [reverse proxy guide](../reverse-proxies).`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago
			`After that, enable HTTPS by following one of these guides:`

Reformat docs (#13897) Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`- [nginx](https://nginx.org/en/docs/http/configuring_https_servers.html)`
			`- [apache2/httpd](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html)`
			`- [caddy](https://caddyserver.com/docs/tls)`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 7 years ago
[Docs] Grammar Edit on Enabling HTTPS Using Reverse Proxy (#9649) * Use infinitives for accept and pass * Close parentheeses for proxy exposed 5 years ago			Note: Enabling HTTPS only at the proxy level is referred as [TLS Termination Proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy). The proxy server accepts incoming TLS connections, decrypts the contents, and passes the now unencrypted contents to Gitea. This is normally fine as long as both the proxy and Gitea instances are either on the same machine, or on different machines within private network (with the proxy is exposed to outside network). If your Gitea instance is separated from your proxy over a public network, or if you want full end-to-end encryption, you can also [enable HTTPS support directly in Gitea using built-in server](#using-the-built-in-server) and forward the connections over HTTPS instead.