SSL & HTTPS

Automatic SSL (Default)

By default, GitBlixt automatically obtains and renews a free SSL certificate from Let's Encrypt using the ACME HTTP-01 challenge. No configuration is needed beyond setting GITBLIXT_HOST.

Requirements for automatic SSL:

  • GITBLIXT_HOST must be a real domain pointing at your server's public IP
  • Port 80 must be reachable from the internet (Let's Encrypt needs to verify domain ownership)
  • The domain cannot be an IP address or localhost

Certificates are stored in /data/ssl and renewed automatically 30 days before expiry.
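
A preflight check for the requirements listed above, as an added example that is not part of GitBlixt: it validates a GITBLIXT_HOST value before first start, so a bad host is caught before ACME issuance is attempted. The function names, the reserved-suffix list and the use of the server's own DNS resolver are assumptions of this example. Port 80 reachability still has to be tested from outside your network.

```python
import ipaddress
import os
import socket

# Special-use names (RFC 6761, RFC 6762) plus .internal: no public CA issues for these.
RESERVED_SUFFIXES = ("localhost", "local", "internal", "test", "example", "invalid")


def system_resolver(host):
    """Resolve host with the machine's own DNS settings (assumed to match public DNS)."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})


def check_acme_host(host, resolver=system_resolver):
    """Return the reasons HTTP-01 issuance would fail for host; an empty list means OK."""
    name = host.strip().rstrip(".").lower()
    if not name:
        return ["GITBLIXT_HOST is empty"]
    try:  # Requirement: the domain cannot be an IP address (bracketed IPv6 included).
        ipaddress.ip_address(name.strip("[]"))
        return [f"{host!r} is an IP address, not a domain name"]
    except ValueError:
        pass
    if "/" in name or ":" in name:
        return [f"{host!r} must be a bare hostname without scheme, port or path"]
    labels = name.split(".")
    # Requirement: not localhost, nor any other name that only exists locally.
    if len(labels) < 2 or labels[-1] in RESERVED_SUFFIXES:
        return [f"{host!r} is not a publicly resolvable domain"]
    # Requirement: the name must point at a public IP the CA can reach on port 80.
    try:
        addresses = resolver(name)
    except OSError as exc:
        return [f"{host!r} does not resolve: {exc}"]
    if not addresses:
        return [f"{host!r} has no A or AAAA record"]
    return [f"{host!r} resolves to non-public address {addr}"
            for addr in addresses if not ipaddress.ip_address(addr).is_global]


if __name__ == "__main__":
    problems = check_acme_host(os.environ.get("GITBLIXT_HOST", ""))
    for problem in problems:
        print("FAIL:", problem)
    raise SystemExit(1 if problems else 0)
```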

Manual SSL

If you want to supply your own certificate (e.g. from a corporate CA, or a wildcard cert):

  1. Set SSL_MODE=manual
  2. Place your certificate at /data/ssl/cert.pem and your private key at /data/ssl/key.pem
  3. Restart the container

GitBlixt will load your certificate on startup. You are responsible for renewal — replace the files and restart the container when your cert is renewed.

Behind a Reverse Proxy (SSL Off)

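If GitBlixt sits behind Nginx, Caddy, Traefik, or another reverse proxy that handles SSL termination, set SSL_MODE=off. GitBlixt will serve plain HTTP and trust the X-Forwarded-For and X-Forwarded-Proto headers from the proxy. Because these headers are trusted as sent, make sure only the proxy can reach GitBlixt's HTTP port; a client that connects to it directly can set them to any value.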

Example Nginx config:

server {
    listen 443 ssl;
    server_name git.yourdomain.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
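        # GitBlixt serves plain HTTP on this port when SSL_MODE=off
        proxy_pass http://localhost:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the connecting address to any X-Forwarded-For the client sent
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells GitBlixt the original request arrived over HTTPS
        proxy_set_header X-Forwarded-Proto https;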
    }
}