503 Service Unavailable After Reverse Proxy and HTTPS

Hey All,

I am new to Gitea and excited to start using it. I have a server running Fedora 34 that I use for hosting all of my services. It is configured to use Apache as its primary web service and I have SSL certificates working. After installing Gitea using the default localhost:3000 settings, I was able to confirm it was working. I then set out to set up a reverse proxy using Apache in order to be able to reach it using git.mydomain.com/git/, per the Gitea documentation. I also followed Gitea’s guide on configuring Gitea to use HTTPS. I made the required changes to my Apache and Gitea configuration files, then restarted both services. I now get a 503 Service Unavailable page when I try to visit https://git.mydomain.com/git. Both services are still running according to systemctl, and there are no log files present in the log directory listed in my Gitea configuration. I am not sure where to go from here in terms of troubleshooting. Can anyone assist?

Did you check the Apache logs (within /var/log/httpd/)?
The Gitea log directory is defined within the [log] section of the Gitea configuration file.

Thanks for the tip. I get the following messages in Apache’s error_log file when I refresh my Gitea URL:

[Mon Mar 28 07:56:19.127161 2022] [proxy:error] [pid 3833154:tid 3833261] (111)Connection refused: AH00957: http: attempt to connect to (localhost) failed
[Mon Mar 28 07:56:19.127215 2022] [proxy_http:error] [pid 3833154:tid 3833261] [client <ip-address>:59948] AH01114: HTTP: failed to make connection to backend: localhost

For completeness’ sake, here is my Gitea app.ini with sensitive data redacted:

APP_NAME = <app-name>
RUN_USER = <app-user>
RUN_MODE = prod

[database]
DB_TYPE  = mssql
HOST     = <db-host>
NAME     = <db-name>
USER     = <db-user>
PASSWD   = <password>
SSL_MODE = disable
CHARSET  = utf8
PATH     = <db-path>
LOG_SQL  = false

[repository]
ROOT = <repo-root>

[server]
PROTOCOL         = https
ROOT_URL         = <root-url>
HTTP_PORT        = 3000
CERT_FILE        = <cert-file>
KEY_FILE         = <key-file>

LFS_CONTENT_PATH = <lfs-path>
LFS_JWT_SECRET   = <secret>

[mailer]
ENABLED = false

[service]
REGISTER_EMAIL_CONFIRM            = false
ENABLE_NOTIFY_MAIL                = false
DISABLE_REGISTRATION              = false
ENABLE_CAPTCHA                    = false
REQUIRE_SIGNIN_VIEW               = false
NO_REPLY_ADDRESS                  = noreply.localhost

[picture]
DISABLE_GRAVATAR        = false

[log]
MODE      = console
LEVEL     = info
ROOT_PATH = /var/lib/gitea/log
ROUTER    = console

[security]
INSTALL_LOCK       = true

And here is the gitea.conf file I created in /etc/httpd/conf.d. I copied this verbatim from the Gitea instructions page (under the “Apache HTTPD with a sub-path” section), but perhaps I am missing something?

<VirtualHost *:80>
   <Proxy *>
      Order allow,deny
      Allow from all
   </Proxy>
   AllowEncodedSlashes NoDecode
   ProxyPass /git http://localhost:3000 nocanon
</VirtualHost>

If you use a reverse-proxy with Apache, you set up SSL on Apache and no SSL (or, preferably, fastcgi) on Gitea. It is the service that directly faces the user that performs all the SSL processing.
If you (incorrectly) insist on SSL in Apache–Gitea link over localhost, there should be ProxyPass /git https://localhost:3000 nocanon, but with no SSL on Apache the users would still connect via plaintext http with it.

USER ------------- Apache -------------- Gitea
         ^                      ^
   You need SSL here         not here

That was the issue, thank you! I removed the SSL settings from my app.ini and now I can hit my Gitea instance from my URL.
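
The mismatch resolved in this thread can be caught before restarting either service. The following is an added example, not code from the thread or from the Gitea project: a static check that compares the scheme and port Apache's ProxyPass dials with the PROTOCOL and HTTP_PORT in Gitea's [server] section, and flags a front end with no SSLEngine on. The function names and the sample strings are constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed inputs modelled on the thread; every value is a placeholder.
APP_INI = "APP_NAME = example\n[server]\nPROTOCOL = https\nHTTP_PORT = 3000\n"
HTTPD_CONF = """<VirtualHost *:80>
   AllowEncodedSlashes NoDecode
   ProxyPass /git http://localhost:3000 nocanon
</VirtualHost>
"""
PROXYPASS = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.I | re.M)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I | re.M)

def gitea_listener(app_ini_text):
    """Return (scheme, port) from [server]; Gitea defaults are http and 3000."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # app.ini starts with keys outside any section, which configparser rejects,
    # so park them under a throwaway section name.
    cp.read_string("[__top__]\n" + app_ini_text)
    server = cp["server"] if cp.has_section("server") else {}
    return server.get("protocol", "http").lower(), int(server.get("http_port", "3000"))

def proxy_backends(httpd_text):
    """Return [(path, scheme, port)] for each ProxyPass with an http(s) target."""
    found = []
    for path, target in PROXYPASS.findall(httpd_text):
        url = urlsplit(target)
        if url.scheme in ("http", "https"):
            default = 443 if url.scheme == "https" else 80
            found.append((path, url.scheme, url.port or default))
    return found

def check(app_ini_text, httpd_text):
    """List disagreements between what Apache dials and what Gitea serves."""
    scheme, port = gitea_listener(app_ini_text)
    problems = []
    for path, p_scheme, p_port in proxy_backends(httpd_text):
        if p_port != port:
            problems.append(f"{path}: proxy targets port {p_port}, Gitea HTTP_PORT is {port}")
        if p_scheme != scheme:
            problems.append(f"{path}: proxy speaks {p_scheme}, Gitea PROTOCOL is {scheme}")
    if not SSL_ON.search(httpd_text):
        problems.append("no 'SSLEngine on': clients reach Apache over plaintext HTTP")
    return problems

if __name__ == "__main__":
    for line in check(APP_INI, HTTPD_CONF) or ["proxy and backend agree"]:
        print(line)
```

This only compares the two configuration files; it does not test whether Gitea is actually listening on the port.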