gitea/docs/content/doc/usage/https-support.md

---
date: "2018-06-02T11:00:00+02:00"
title: "Usage: HTTPS setup"
slug: "https-setup"
weight: 12
toc: true
draft: false
menu:
  sidebar:
    parent: "usage"
    name: "HTTPS setup"
    weight: 12
    identifier: "https-setup"
---

# HTTPS setup to encrypt connections to Gitea

## Using the built-in server

Before you enable HTTPS, make sure that you have valid SSL/TLS certificates.
You could use self-generated certificates for evaluation and testing. Please run `gitea cert --host [HOST]` to generate a self signed certificate.

To use Gitea's built-in HTTPS support, you must change your `app.ini` file:

```ini
[server]
PROTOCOL=https
ROOT_URL = `https://git.example.com:3000/`
HTTP_PORT = 3000
CERT_FILE = cert.pem
KEY_FILE = key.pem
```

To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server).

### Setting up HTTP redirection

The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:

```ini
[server]
REDIRECT_OTHER_PORT = true
; Port the redirection service should listen on
PORT_TO_REDIRECT = 3080
```

If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.

## Using Let's Encrypt

[Let's Encrypt](https://letsencrypt.org/) is a Certificate Authority that allows you to automatically request and renew SSL/TLS certificates. In addition to starting Gitea on your configured port, to request HTTPS certificates, Gitea will also need to listed on port 80, and will set up an autoredirect to HTTPS for you. Let's Encrypt will need to be able to access Gitea via the Internet to verify your ownership of the domain.

By using Let's Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).

```ini
[server]
PROTOCOL=https
DOMAIN=git.example.com
ENABLE_LETSENCRYPT=true
LETSENCRYPT_ACCEPTTOS=true
LETSENCRYPT_DIRECTORY=https
LETSENCRYPT_EMAIL=email@example.com
```

To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server).

## Using reverse proxy

Setup up your reverse proxy as shown in the [reverse proxy guide](../reverse-proxies).

After that, enable HTTPS by following one of these guides:

* [nginx](https://nginx.org/en/docs/http/configuring_https_servers.html)
* [apache2/httpd](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html)
* [caddy](https://caddyserver.com/docs/tls)

Note: Your connection between your reverse proxy and Gitea might be unencrypted. To encrypt it too, follow the [built-in server guide](#using-built-in-server) and change
the proxy url to `https://[URL]`.
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00			`---`
			`date: "2018-06-02T11:00:00+02:00"`
			`title: "Usage: HTTPS setup"`
			`slug: "https-setup"`
			`weight: 12`
			`toc: true`
			`draft: false`
			`menu:`
			`sidebar:`
			`parent: "usage"`
			`name: "HTTPS setup"`
			`weight: 12`
			`identifier: "https-setup"`
			`---`

			`# HTTPS setup to encrypt connections to Gitea`

Fix headline (#6353) 2019-03-18 09:59:46 -04:00			`## Using the built-in server`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00
Copyedit docs (#6275) 2019-03-09 16:15:45 -05:00			`Before you enable HTTPS, make sure that you have valid SSL/TLS certificates.`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00			You could use self-generated certificates for evaluation and testing. Please run `gitea cert --host [HOST]` to generate a self signed certificate.

Copyedit docs (#6275) 2019-03-09 16:15:45 -05:00			To use Gitea's built-in HTTPS support, you must change your `app.ini` file:
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00
			```ini
			`[server]`
			`PROTOCOL=https`
			ROOT_URL = `https://git.example.com:3000/`
			`HTTP_PORT = 3000`
			`CERT_FILE = cert.pem`
			`KEY_FILE = key.pem`
			```
Documentation: Clarity for HTTPS setups (#5626) [https-setup] - Made it clearer that HTTP redirection is possible [config-cheat-sheet] - Clarified the behavihour of the redirection-related config keys 2019-01-03 10:46:07 -05:00
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00			`To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server).`

Copyedit docs (#6275) 2019-03-09 16:15:45 -05:00			`### Setting up HTTP redirection`
Documentation: Clarity for HTTPS setups (#5626) [https-setup] - Made it clearer that HTTP redirection is possible [config-cheat-sheet] - Clarified the behavihour of the redirection-related config keys 2019-01-03 10:46:07 -05:00
			`The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:`

			```ini
			`[server]`
			`REDIRECT_OTHER_PORT = true`
			`; Port the redirection service should listen on`
			`PORT_TO_REDIRECT = 3080`
			```

			If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.

add letsencrypt to Gitea (#4189) 2018-08-21 09:56:50 -04:00			`## Using Let's Encrypt`

Copyedit docs (#6275) 2019-03-09 16:15:45 -05:00			`[Let's Encrypt](https://letsencrypt.org/) is a Certificate Authority that allows you to automatically request and renew SSL/TLS certificates. In addition to starting Gitea on your configured port, to request HTTPS certificates, Gitea will also need to listed on port 80, and will set up an autoredirect to HTTPS for you. Let's Encrypt will need to be able to access Gitea via the Internet to verify your ownership of the domain.`
add letsencrypt to Gitea (#4189) 2018-08-21 09:56:50 -04:00
Copyedit docs (#6275) 2019-03-09 16:15:45 -05:00			`By using Let's Encrypt you must consent to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).`
add letsencrypt to Gitea (#4189) 2018-08-21 09:56:50 -04:00
			```ini
			`[server]`
			`PROTOCOL=https`
			`DOMAIN=git.example.com`
			`ENABLE_LETSENCRYPT=true`
			`LETSENCRYPT_ACCEPTTOS=true`
			`LETSENCRYPT_DIRECTORY=https`
			`LETSENCRYPT_EMAIL=email@example.com`
			```

			`To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server).`

Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00			`## Using reverse proxy`

Copyedit docs (#6275) 2019-03-09 16:15:45 -05:00			`Setup up your reverse proxy as shown in the [reverse proxy guide](../reverse-proxies).`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00
			`After that, enable HTTPS by following one of these guides:`

Fix link in HTTPS doc (#4135) 2018-06-05 10:36:15 -04:00			`* [nginx](https://nginx.org/en/docs/http/configuring_https_servers.html)`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00			`* [apache2/httpd](https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html)`
			`* [caddy](https://caddyserver.com/docs/tls)`

Copyedit docs (#6275) 2019-03-09 16:15:45 -05:00			`Note: Your connection between your reverse proxy and Gitea might be unencrypted. To encrypt it too, follow the [built-in server guide](#using-built-in-server) and change`
Add how-to for enabling HTTPS (#4101) Signed-off-by: Jonas Franz <info@jonasfranz.de> 2018-06-02 21:55:23 -04:00			the proxy url to `https://[URL]`.