503 Service Unavailable After Reverse Proxy and HTTPS

Hey All,

I am new to Gitea and excited to start using it. I have a server running Fedora 34 that I use for hosting all of my services. It is configured to use Apache as its primary web service and I have SSL certificates working. After installing Gitea using the default localhost:3000 settings, I was able to confirm it was working. I then set out to set up a reverse proxy using Apache in order to be able to reach it using git.mydomain.com/git/, per the Gitea documentation. I also followed Gitea’s guide on configuring Gitea to use HTTPS. I made the required changes to my Apache and Gitea configuration files, then restarted both services. I now get a 503 Service Unavailable page when I try to visit https://git.mydomain.com/git. Both services are still running according to systemctl, and there are no log files present in the log directory listed in my Gitea configuration. I am not sure where to go from here in terms of troubleshooting. Can anyone assist?

Did you check the Apache logs (within /var/log/httpd/)?
The Gitea log directory is defined within the [log] section of the Gitea configuration file.

Thanks for the tip. I get the following messages in Apache’s error_log file when I refresh my Gitea URL:

[Mon Mar 28 07:56:19.127161 2022] [proxy:error] [pid 3833154:tid 3833261] (111)Connection refused: AH00957: http: attempt to connect to 127.0.0.1:3000 (localhost) failed
[Mon Mar 28 07:56:19.127215 2022] [proxy_http:error] [pid 3833154:tid 3833261] [client <ip-address>:59948] AH01114: HTTP: failed to make connection to backend: localhost

For completeness’ sake, here is my Gitea app.ini with sensitive data redacted:

APP_NAME = <app-name>
RUN_USER = <app-user>
RUN_MODE = prod

[database]
DB_TYPE  = mssql
HOST     = <db-host>
NAME     = <db-name>
USER     = <db-user>
PASSWD   = <password>
SCHEMA   =
SSL_MODE = disable
CHARSET  = utf8
PATH     = <db-path>
LOG_SQL  = false

[repository]
ROOT = <repo-root>

[server]
PROTOCOL         = https
ROOT_URL         = <root-url>
HTTP_PORT        = 3000
CERT_FILE        = <cert-file>
KEY_FILE         = <key-file>

LFS_START_SERVER = true
LFS_CONTENT_PATH = <lfs-path>
LFS_JWT_SECRET   = <secret>

[mailer]
ENABLED = false

[service]
REGISTER_EMAIL_CONFIRM            = false
ENABLE_NOTIFY_MAIL                = false
DISABLE_REGISTRATION              = false
ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
ENABLE_CAPTCHA                    = false
REQUIRE_SIGNIN_VIEW               = false
DEFAULT_KEEP_EMAIL_PRIVATE        = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING       = true
NO_REPLY_ADDRESS                  = noreply.localhost

[picture]
DISABLE_GRAVATAR        = false
ENABLE_FEDERATED_AVATAR = true

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true

[session]
PROVIDER = file

[log]
MODE      = console
LEVEL     = info
ROOT_PATH = /var/lib/gitea/log
ROUTER    = console

[security]
INSTALL_LOCK       = true

And here is the gitea.conf file I created in /etc/httpd/conf.d. I copied this verbatim from the Gitea instructions page (under the “Apache HTTPD with a sub-path” section), but perhaps I am missing something?

<VirtualHost *:80>
   <Proxy *>
      Order allow,deny
      Allow from all
   </Proxy>
   AllowEncodedSlashes NoDecode
   ProxyPass /git http://localhost:3000 nocanon
</VirtualHost>

If you use a reverse-proxy with Apache, you set up SSL on Apache and no SSL (or, preferably, fastcgi) on gitea. It is the service that directly faces the user that performs all the SSL processing.
If you (incorrectly) insist on SSL in Apache–gitea link over localhost, there should be ProxyPass /git https://localhost:3000 nocanon, but with no SSL on Apache the users would still connect via plaintext http with it.

USER ------------- Apache -------------- Gitea
         ^                      ^
   You need SSL here         not here

That was the issue, thank you! I removed the SSL settings from my app.ini and now I can hit my Gitea instance from my URL.
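
The layout this thread settles on (TLS on the Apache vhost that faces the user, plain HTTP from Apache to Gitea) can be checked mechanically. The following is an added example, not part of any post above or of Gitea itself: the function names, finding codes, sample configs and certificate paths are constructed for illustration.

```python
import configparser
import re

def gitea_backend(app_ini):
    """Return (protocol, port) from the [server] section of a Gitea app.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # app.ini opens with section-less keys (APP_NAME, ...), which configparser
    # rejects, so park them under a dummy section header.
    cp.read_string("[_top]\n" + app_ini)
    return (cp.get("server", "PROTOCOL", fallback="http").lower(),
            cp.get("server", "HTTP_PORT", fallback="3000"))

def audit(app_ini, apache_conf):
    """Return finding codes (hypothetical names) for one app.ini and one Apache config."""
    proto, port = gitea_backend(app_ini)
    findings = []
    vhosts = re.findall(r"<VirtualHost\s+[^>]*>(.*?)</VirtualHost>",
                        apache_conf, re.S | re.I)
    for body in vhosts:
        targets = re.findall(r"^\s*ProxyPass\s+\S+\s+(https?)://[^\s/:]+:(\d+)",
                             body, re.M | re.I)
        if not targets:
            continue
        # Apache must speak the protocol Gitea is configured to listen with.
        if any(p == port and s.lower() != proto for s, p in targets):
            findings.append("backend-scheme-mismatch")
        # TLS belongs on the vhost that faces the user.
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            findings.append("plaintext-frontend")
    return findings

# Constructed samples: the first pair mirrors the thread, the second the fix.
THREAD_INI = "APP_NAME = demo\n[server]\nPROTOCOL = https\nHTTP_PORT = 3000\n"
THREAD_VHOST = """<VirtualHost *:80>
   AllowEncodedSlashes NoDecode
   ProxyPass /git http://localhost:3000 nocanon
</VirtualHost>"""
FIXED_INI = ("APP_NAME = demo\n[server]\nPROTOCOL = http\n"
             "HTTP_ADDR = 127.0.0.1\nHTTP_PORT = 3000\n")
FIXED_VHOST = """<VirtualHost *:443>
   SSLEngine on
   SSLCertificateFile /path/to/cert.pem
   SSLCertificateKeyFile /path/to/key.pem
   AllowEncodedSlashes NoDecode
   ProxyPass /git http://localhost:3000 nocanon
</VirtualHost>"""

if __name__ == "__main__":
    print(audit(THREAD_INI, THREAD_VHOST))
    print(audit(FIXED_INI, FIXED_VHOST))
```

The check only reads the two files; it does not tell you whether Gitea is actually listening on the port, which is what the Apache error_log entries in the thread report.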