HTTP exposed over HTTPS


#1

I recently installed Gogs from source on a DigitalOcean droplet / Debian 9.6. Everything went smoothly, Gogs is truly amazing. I encountered one little glitch when using Go 1.10… I had to use Go 1.9.6, but this is not the point of my message.

One thing I noticed is that, using an Apache2 reverse proxy for HTTPS, the Gogs instance on port 3000 remains visible.

I think I could fix it using the Debian firewall, but is there a way the “use https option” built into Gogs can restrict the unencrypted usage to localhost?

Also, I would suggest you create a “Security” category on this forum :wink:


#2

The problem regarding Go is described here

The public Gogs endpoint is here: https://sslcube.com
The problem is that Gogs can still be accessed here: http://sslcube.com:3000

Not the best for a domain with “ssl” in it :wink:
It uses the same cookies too…


#3

If you tell Gogs to listen on localhost, not 0.0.0.0, other machines won’t be able to access the Gogs instance without the proxy.
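
The following is an added example, not part of the original posts and not code from the Gogs project: a small check that reads the `[server]` section of a Gogs `app.ini` and reports whether the listener set by `HTTP_ADDR` / `HTTP_PORT` is reachable from other machines. The sample configs and the hostname `git.example.org` are constructed, and the fallback values used when the keys are absent are assumed to match the Gogs defaults.

```python
import configparser
import ipaddress

# Assumed Gogs defaults when [server] omits the keys: all interfaces, port 3000.
DEFAULT_ADDR, DEFAULT_PORT = "0.0.0.0", "3000"
# Constructed sample configs, not taken from the poster's server.
EXPOSED_INI = """\
APP_NAME = Gogs
RUN_USER = git

[server]
DOMAIN = git.example.org
HTTP_PORT = 3000
ROOT_URL = https://git.example.org/
"""
FIXED_INI = EXPOSED_INI.replace("HTTP_PORT", "HTTP_ADDR = 127.0.0.1\nHTTP_PORT")


def listen_address(app_ini_text):
    """Return (addr, port) from the [server] section of a Gogs app.ini."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # app.ini opens with keys outside any section (APP_NAME, RUN_USER), which
    # configparser rejects, so park them under a dummy section.
    parser.read_string("[__top__]\n" + app_ini_text)
    server = parser["server"] if parser.has_section("server") else {}
    addr = server.get("HTTP_ADDR", "").strip() or DEFAULT_ADDR
    port = server.get("HTTP_PORT", "").strip() or DEFAULT_PORT
    return addr, port


def is_loopback_only(addr):
    """True if only the local machine (e.g. the Apache proxy) can connect."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False  # other hostname: treat as exposed until verified


def audit(app_ini_text):
    addr, port = listen_address(app_ini_text)
    state = "ok" if is_loopback_only(addr) else "exposed"
    return f"{state}: Gogs listens on {addr}:{port}"


if __name__ == "__main__":
    print(audit(EXPOSED_INI))
    print(audit(FIXED_INI))
```

With the listener bound to loopback, the Apache reverse proxy has to forward to that same address and port, and Gogs must be restarted for the change to take effect.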