Traefik Ingress for Forgejo (or Gitea)

dan · March 3, 2025, 8:54am

So, on to another app move to Compose, this time Forgejo. As with Tube Archivist, they provide a Compose file, and the Gitea docs even include instructions to add labels for ingress via Traefik (and since Forgejo is a fork of Gitea, I’d expect it to work identically). Great. So what’s my problem?

Well, the Compose file (below) exposes two ports, one for HTTP and the other for SSH. I want Traefik to terminate HTTPS and proxy traffic for the HTTP port, but I don’t expect it can do this for SSH. And my “normal” configuration for ingress puts the stack on a proxy network, which only Traefik sees.

One option is to forego both the proxy network (thus exposing both 3000 and 222 to my LAN), and edit Traefik’s config.yml to add the proxy for port 3000. That gives me TLS termination and ingress, but plaintext HTTP is still exposed. Thoughts on a better way to do this?

networks:
  forgejo:
    external: false

services:
  server:
    image: codeberg.org/forgejo/forgejo:10
    container_name: forgejo
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
    networks:
      - forgejo
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - '3000:3000'
      - '222:22'

LarsR · March 3, 2025, 9:09am

As far as i understood it from this post on the traefik forum ssh can’t be proxied due to security reasons.

dan · March 3, 2025, 9:25am

That makes sense. But a little more noodling on the question after I posted resulted in this, which seems to work:

networks:
  proxy:
    external: true

services:
  server:
    image: codeberg.org/forgejo/forgejo:10
    container_name: forgejo
    environment:
      - USER_UID=568
      - USER_GID=568
      - FORGEJO__server__SSH_PORT=2222
      - FORGEJO__server__SSH_LISTEN_PORT=22
    restart: unless-stopped
    networks:
      - proxy
    volumes:
      - ./forgejo:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      # - '3000:3000'
      - '2222:22'
    labels:
      - traefik.enable=true
      - traefik.http.routers.forgejo.rule=Host(`forgejo.mydomain`)
      - traefik.http.routers.forgejo.entrypoints=https
      - traefik.http.routers.forgejo.tls=true
      - traefik.http.services.forgejo.loadbalancer.server.port=3000
      - traefik.docker.network=proxy

I’m defining “work” as Traefik picks up the site and serves it, enabling HTTPS as expected; I can’t access it over my LAN at port 3000; and I’m able to git clone a test repo over SSH.

I’ve removed the forgejo network from the original Compose file as I just don’t see any reason for it with the basic SQLite deployment–and probably the - traefik.docker.network=proxy line isn’t necessary either. If I were using MariaDB or Postgres, I expect I’d need both.