git/gitea-homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bb68b6b9f2159d0b0a9a6976ad977049eecc6086
gitea-homelab/docs/cloudflare-networking.md
Raghav bb68b6b9f2 Initial commit 
Co-Authored-By: Oz <oz-agent@warp.dev>
2026-04-16 09:04:22 +05:30

53 lines
2.3 KiB
Markdown
Raw Blame History

# Cloudflare DNS + Home Network Setup for `git.bhatfamily.in`
## Goal
Expose local Gitea securely from home network while preserving Git-over-SSH support.
## Recommended Cloudflare DNS records
Create DNS records in Cloudflare for zone `bhatfamily.in`:
1. `A` record
- Name: `git`
- Content: your home public IPv4
- Proxy status: **DNS only** (gray cloud)
2. Optional `AAAA` record
- Name: `git`
- Content: your home public IPv6
- Proxy status: **DNS only**
## Why DNS-only is recommended
This setup uses direct inbound routing for both HTTPS and custom SSH (`2222` by default). DNS-only avoids Cloudflare proxy protocol limitations around direct SSH forwarding.
## Router/NAT rules
Create forwards to this server's LAN IP:
- TCP 80 -> `<server_lan_ip>:80` (ACME challenge + redirect)
- TCP 443 -> `<server_lan_ip>:443` (HTTPS via Caddy)
- TCP 2222 -> `<server_lan_ip>:2222` (Git SSH)
## Firewall alignment
If UFW is active, use install flag to open public web ports:
- `./scripts/install.sh --with-tls --open-public-web`
To close those later:
- `./scripts/uninstall.sh --with-tls --close-public-web`
## ISP constraints check
Some ISPs block inbound ports. Validate from outside your network:
- `curl -I https://git.bhatfamily.in`
- `nc -vz git.bhatfamily.in 2222`
If blocked, use alternate routing (VPN/tunnel) or ISP-compatible ports.
## Recommended hardening
- Keep strong secrets in `.env`
- Restrict SSH source ranges if practical
- Keep containers patched (`docker compose pull` and recreate)
- Add off-host backups for gitea/postgres/caddy data directories
## Post-cutover verification checklist
Run these after DNS/NAT/firewall updates to confirm end-to-end readiness:
1. DNS resolution
- `dig +short git.bhatfamily.in A`
2. HTTPS response and redirect chain
- `curl -I https://git.bhatfamily.in`
- `curl -I http://git.bhatfamily.in`
3. Certificate validity/issuer
- `openssl s_client -connect git.bhatfamily.in:443 -servername git.bhatfamily.in </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates`
4. Git SSH port reachability
- `nc -vz git.bhatfamily.in 2222`
5. Stack self-check
- `./scripts/test.sh --with-tls`
If any check fails during first-time propagation, run:
- `./scripts/test.sh --with-tls --allow-pending-external`
Then re-run strict checks once DNS/certificate propagation completes.
Reference in New Issue View Git Blame Copy Permalink