system-config/playbooks/roles/gitea/templates/gitea.vhost.j2

Listen 3081

<VirtualHost *:3081>
  ServerName {{ inventory_hostname }}
  ServerAdmin infra-root@opendev.org

  AllowEncodedSlashes On

  ErrorLog ${APACHE_LOG_DIR}/gitea-ssl-error.log

  LogLevel warn

  LogFormat "%h:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combinedport
  CustomLog ${APACHE_LOG_DIR}/gitea-ssl-access.log combinedport

  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Note: this list should ensure ciphers that provide forward secrecy
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on

  SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer

  SSLProxyEngine on

  Use UserAgentFilter

  ProxyPass  / https://{{ gitea_reverse_proxy_hostname }}:3000/ retry=0
  ProxyPassReverse / https://{{ gitea_reverse_proxy_hostname }}:3000/

</VirtualHost>