Unable to access 'https://gogs.example.com/user/repo.git/`: The requested URL returned 403

Let me preface this with the fact that I have searched long and hard to find a solution before coming here for help :stuck_out_tongue:. With my current setup, I have drone and gogs both running behind a Traefik reverse proxy. Currently, activating repos works fine, however on the clone step of any drone build, it always errors like this:

+ git init
Initialized empty Git repository in /drone/src/gogs.example.com/user/repo/.git/
+ git remote add origin https://gogs.example.com/user/repo.git
+ git fetch --no-tags origin +refs/heads/master:
remote: User permission denied
fatal: unable to access 'https://gogs.example.com/user/repo.git/': The requested URL returned error: 403
exit status 128

(Personal information is redacted for obvious reasons)

Both repos I have tested are private, as this is a private gogs instance, all repos are hidden from the public.
My drone environment settings from the docker-compose.yml are as follows:

- DRONE_HOST=https://drone.example.com
- DRONE_GOGS_URL=https://gogs.example.com
- DRONE_SECRET=redacted
- DRONE_DATABASE_DATASOURCE=drone:redacted@tcp(

I have tested with and without DRONE_GOGS_PRIVATE_MODE, DRONE_GOGS_GIT_USERNAME and DRONE_GOGS_GIT_PASSWORD, these seem to have no effect on it.

I have fully deleted drone’s database to start over (and ensure that it recognizes the repos as private and whatnot), and the same thing still happens.

Gogs is running on port 3000 inside its docker container, so I even tried setting the DRONE_GOGS_URL to gogs.example.com:3000 both with and without http/s, and also tried using the docker-compose network name (just gogs in this case). However all this yields is that now repositories are unable to be activated.

I have fully investigated Traefik’s involvement in this, and have specified all endpoints to Forward Headers, and as far as I can tell from reading, Traefik automatically handles websockets, but in any case here is a copy of my entryPoints configuration from my traefik.toml config.

  address = ":80"
      entryPoint = "https"
	  insecure = false
          trustedIPs = [""] # Docker subnet
  address = ":443"
	  insecure = false
          trustedIPs = [""] # Docker subnet

Some other information that may be useful is that both drone and gogs are internally (underneath the reverse proxy) configured to not use HTTPS due to the fact that Traefik handles that.

Please let me know if there is any more information I can provide to get to the bottom of this.

Hi @Arbyy !

I have been struggling with the same issue, the 403.
I am running Gitea in Kubernetes behind the HAProxy (at the BM host) and behind the nginx ingress controller (at the VM host) with the TCP proxy protocol enabled.

The very first thing that I have noticed was:

2018/01/10 00:32:22 [...routers/repo/http.go:213 HTTP()] [E] User permission denied

Eventually, removing the Drone and its sqlite database has helped to me, but only when I have disabled both DRONE_GITEA_GIT_USERNAME and DRONE_GITEA_GIT_PASSWORD before I started the Drone.

DRONE_OPEN: "false"

That way it did eventually work.

If it still won’t for you, then check Gogs logs for the 403 as it should be “User permission denied” as well and start digging from there. Make sure you are using latest version of Drone & Gogs.

If it won’t work, enable debug mode for Gogs and see what it writes in the logs when you trigger the Drone’s webhook.

Hope that helps.