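# Nginx reverse proxy for Gitea — rendered from nginx-gitea.conf.tpl
# SSL_ENABLED is set by the deployment script, not .env
#
# NOTE(review): ${...} placeholders are filled in at render time, while $host,
# $remote_addr, $scheme, etc. are nginx runtime variables. The renderer must
# substitute only the named placeholders and leave the nginx variables intact
# — confirm against the deployment script.
#
# The SSL_*_BLOCK_START / SSL_*_BLOCK_END comment lines are markers consumed by
# the deployment script; keep each one on its own line with its text unchanged.

# HTTP server — always present
server {
    listen 80;
    server_name ${GITEA_DOMAIN};

    # Same limit as the HTTPS server, so large git pushes and LFS uploads are
    # not rejected with 413 while this server still proxies straight to Gitea
    # (i.e. before SSL is enabled). Harmless once "/" only redirects.
    client_max_body_size 512m;

    # ACME challenge for Let's Encrypt (used when SSL_MODE=letsencrypt)
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # When SSL is enabled, redirect all other HTTP traffic to HTTPS
    # When SSL is not yet enabled, proxy directly to Gitea
    # NOTE: until the redirect is in place, logins, session cookies and access
    # tokens cross this listener in cleartext; keep that window short.
    location / {
        # SSL_REDIRECT_BLOCK_START
        # This block is replaced by the deployment script:
        #   - Before SSL: proxy_pass to Gitea
        #   - After SSL:  return 301 https://$host$request_uri;
        proxy_pass http://${UNRAID_IP}:${UNRAID_GITEA_PORT};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # SSL_REDIRECT_BLOCK_END
    }
}

# HTTPS server — only present when SSL_ENABLED=true
# SSL_HTTPS_BLOCK_START
server {
    listen 443 ssl;
    server_name ${GITEA_DOMAIN};

    # SSL certificate paths depend on SSL_MODE:
    #   letsencrypt: /etc/letsencrypt/live/${GITEA_DOMAIN}/
    #   existing:    ${SSL_CERT_PATH} and ${SSL_KEY_PATH}
    # The private key file should be readable only by the account nginx
    # starts as.
    ssl_certificate     ${SSL_CERT_FULLPATH};
    ssl_certificate_key ${SSL_KEY_FULLPATH};

    # TLS 1.0/1.1 are deliberately not offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # NOTE(review): no Strict-Transport-Security header is sent. Consider
    # adding one once HTTPS is confirmed stable for this domain; browsers
    # will then refuse plain HTTP for the duration of max-age.

    # Allow large git pushes and LFS uploads
    client_max_body_size 512m;

    location / {
        # The hop to Gitea is plain HTTP: TLS ends at this proxy, so the
        # upstream address should only be reachable from trusted hosts.
        proxy_pass http://${UNRAID_IP}:${UNRAID_GITEA_PORT};

        # Standard proxy headers
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client supplied, so the leading entries are attacker-controllable.
        # Gitea should honour these headers only from this proxy's address
        # (see REVERSE_PROXY_TRUSTED_PROXIES in app.ini [security]).
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket support (needed for Gitea live features)
        # The Upgrade handshake only works over HTTP/1.1 to the upstream;
        # set the version explicitly rather than relying on the nginx
        # build's default, which has historically been HTTP/1.0.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Stream responses instead of buffering them, and keep long-running
        # transfers (clones, pushes, WebSocket sessions) alive for up to 1h.
        proxy_buffering off;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
# SSL_HTTPS_BLOCK_END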