Forgejo support: Setup reverse-proxy to secure Forgejo git credentials (SZ-57)
rk@tigase.net opened 2 days ago

Description

Forgejo integration in Sztab requires repositories to be accessed over HTTPS. Sztabina (the Go microservice that probes git repos for Sztab) intentionally rejects non-HTTPS Git URLs to prevent credentials (username / token) from being transmitted in cleartext.

Currently, Forgejo is exposed only via HTTP in the development / test setup. As a result:

  • Repository creation and cloning work
  • Default branch discovery fails
  • Downstream PR and commit introspection cannot function

To complete Forgejo support, an HTTPS reverse proxy must be placed in front of Forgejo.

This is an infrastructure task, not a functional defect in Forgejo or Sztabina.


Root Cause

  • Sztabina enforces HTTPS-only Git URLs by design
  • Forgejo is running on plain HTTP (port 3000)
  • No TLS termination exists in the current Docker Compose setup

Proposed Solution

I prefer to use Caddy as the lightweight reverse proxy:

  • Terminate TLS at Caddy
  • Forward traffic to Forgejo on port 3000
  • Configure Forgejo ROOT_URL to HTTPS
  • Use a self-signed certificate for local testing

Acceptance Criteria

  • Forgejo accessible via HTTPS
  • git clone https://… works for Forgejo repositories
  • Sztabina successfully resolves default branch via HTTPS Git URL
  • No credentials transmitted over HTTP
  • Existing HTTP access either disabled or redirected to HTTPS

Notes

This task completes Forgejo readiness for:

  • Repository discovery
  • Default branch probing
  • Upcoming pull request and commit features

Forgejo is functional now, but without TLS it cannot be used in production.
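The proposed Caddy setup, as an added example that is not part of this ticket or the Sztab repository: a docker-compose.yml in which Caddy terminates TLS in front of Forgejo, Forgejo's ROOT_URL points at HTTPS, and the plain-HTTP listener on port 3000 is never published to the host. The host name forgejo.local, the data paths, the Forgejo image tag and the Compose version requirement are assumptions.

```yaml
# Added example, not the ticket's or the project's own compose file.
# Assumed: "forgejo.local" resolves to this machine, Forgejo data lives in
# ./forgejo-data, and Compose >= 2.23 (inline "content:" for configs).
services:
  forgejo:
    image: codeberg.org/forgejo/forgejo:9   # tag is an assumption
    environment:
      # Forgejo maps FORGEJO__<section>__<KEY> onto app.ini settings.
      - FORGEJO__server__DOMAIN=forgejo.local
      - FORGEJO__server__ROOT_URL=https://forgejo.local/
      - FORGEJO__server__HTTP_PORT=3000
    volumes:
      - ./forgejo-data:/data
    # Deliberately no "ports:" entry: port 3000 stays on the compose network,
    # so the cleartext listener is unreachable from the host or the LAN.

  caddy:
    image: caddy:2
    depends_on:
      - forgejo
    ports:
      - "80:80"     # kept only so plain HTTP can be redirected to HTTPS
      - "443:443"
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy-data:/data   # persists Caddy's local CA and issued certificates

configs:
  caddyfile:
    content: |
      forgejo.local {
        # Certificate from Caddy's built-in local CA (self-signed, for local
        # testing only); swap "tls internal" for a real issuer in production.
        tls internal
        reverse_proxy forgejo:3000
      }
      # With an HTTPS site address and port 80 exposed, Caddy redirects
      # plain-HTTP requests to HTTPS automatically, covering the acceptance
      # criterion "existing HTTP access either disabled or redirected".

volumes:
  caddy-data:
```

Before `git clone https://forgejo.local/...` or a Sztabina probe will verify the certificate, export the local root CA from the caddy container (`/data/caddy/pki/authorities/local/root.crt`) and trust it on the client, for example via `git config http.sslCAInfo`.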

  • rk@tigase.net commented 2 days ago

    Time Estimate

    • Reverse proxy selection and configuration: 1.5 hours
    • TLS setup (self-signed / local CA): 1 hour
    • Docker Compose integration and testing: 1 hour
    • End-to-end validation with Sztabina: 0.5 hour

    Total estimate: ~4 hours


    Work Log (Planned)

    • Analyze Forgejo HTTPS requirements
    • Add reverse proxy service to docker-compose
    • Configure TLS termination
    • Update Forgejo configuration (ROOT_URL)
    • Validate Git clone / push via HTTPS
    • Verify default branch discovery via Sztabina
    • Document Forgejo HTTPS setup in release notes

  • rk@tigase.net commented 2 days ago
    rksuma@Ramakrishnans-MacBook-Pro sztab % git checkout wolnosc
    Switched to branch 'wolnosc'
    Your branch is up to date with 'origin/wolnosc'.
    
    rksuma@Ramakrishnans-MacBook-Pro sztab % git pull
    Already up to date.
    
    rksuma@Ramakrishnans-MacBook-Pro sztab %  git checkout -b feature/forgejo-https-proxy
    Switched to a new branch 'feature/forgejo-https-proxy'
    rksuma@Ramakrishnans-MacBook-Pro sztab % 
    
    
  • rk@tigase.net changed state to 'In Progress' 2 days ago
    Previous Value: Open; Current Value: In Progress
  • rk@tigase.net commented 1 day ago

    PR tested and merged: https://tigase.dev/sztab/~pulls/6

  • rk@tigase.net changed state to 'Closed' 1 day ago
    Previous Value: In Progress; Current Value: Closed
Type: New Feature
Priority: Blocker
Assignee:
Version: 1.0
Sprints: n/a
Customer: n/a
Issue Votes: 0
Watchers: 3
Reference: SZ-57