Setting up Forgejo with SSH

As I get nothing but timeouts when trying to connect to SSH on that domain, and as the IP is owned by Cloudflare, can you please share a screenshot of how you have set the domain up in your CF DNS dashboard?

PS: it would have helped, if you had said from the beginning that the SSH output was incomplete. We assumed you were logged in to the remote system.

I’m checking Cloudflare now as I suspect it is because it only does HTTP by default not other protocols like SSH.

For SSH I can ssh into the server from remote systems without issues.

If it’s just DNS protocols don’t matter, though if you use their “web” forwarding, it obviously works for web only.


So, what fixed this issue for me is to add “forgejo” to ssh’s AllowUsers:

   services.openssh.settings.AllowUsers = [
     "forgejo"
   ];

(I think you need to also include any users that need to ssh into the server, as the option’s description says “If specified, login is allowed only for the listed users. …”)

The smoking gun was the sshd logs included the line:

User forgejo from [ip] not allowed because not listed in AllowUsers

Perhaps this would work for you?

I’ll check that out!

I don’t see the smoking gun in my sshd logs like this:

journalctl -u sshd | grep forgejo

Do you still have the problem, or was it indeed a misconfiguration in the CF-DNS?

I do. If I change to DNS on CF I can’t access the site at all. It could be a mix of both, and CF, since they only serve HTTP traffic. I have seen some talks about setting up another forward for git.ssh.ahoneybun.net or something like that to point to the SSH port or something.

What do you mean, you can’t access at all? That then sounds like a much deeper problem in your setup, though as long as you have “proxied” rather than “DNS only”, you will not be able to access anything but HTTP(S).

Well, I could not access the webpage or clone with git+ssh either, so nothing of benefit.

As said, this sounds like a massive misconfiguration on the server.

If CF can proxy the page, you should also be able to access it. The only thing that I could imagine is that you have not set up HTTPS, but because of HSTS your browser tries to enforce HTTPS.

And that of course is not accessible then.

But while CF proxy is enabled, they do the HTTPS for you.

Not being able to SSH in is likely a separate problem.

Alternatively you simply have retried far too eagerly, not waiting for the change in DNS to propagate.

I would like you to:

  1. disable proxy
  2. wait for DNS to propagate (~1h at least)
  3. curl your site, share the logs, if there were any errors
  4. try in browser, share a screenshot of the very exact error message
  5. try cloning, tell us the very exact command you used, share the very exact error message, share your forgejo config.

I waited over a day once I turned off the Proxy for CF, it redirects HTTP traffic so I think I simply can’t do SSH over it (the docs say that as well).

Currently forgejo config:

https://gitlab.com/ahoneybun/nix-configs/-/blob/update-homelab/homelab/forgejo/default.nix?ref_type=heads

SSH commands I have tried:

git clone ssh://forgejo@git.ahoneybun.net/ahoneybun/lazarus.git

ssh -Tvvv git@git.ahoneybun.net

they all timeout which is most likely since CF does not do SSH traffic.

EDIT: Yea I’m pretty sure this is an issue of my own based on this:

EDIT2: I’ll try this and update:

git.ahoneybun.net resolves to 104.21.39.202, which is owned by CF. I therefore assume you either have the proxy still active or DNS didn’t propagate to my end yet. When did you disable the proxy? Please specify the time in UTC.
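The two failure modes discussed in this thread (the sshd "not listed in AllowUsers" rejection from the earlier post, and a hostname that still resolves to a Cloudflare proxy address) can both be triaged offline. The following is an added example, not code from the original posts or from Forgejo: it checks a resolved address against Cloudflare's published IPv4 ranges (copied from https://www.cloudflare.com/ips-v4, which may change), parses constructed sshd journal lines for AllowUsers rejections and successful logins, and renders the NixOS option in the form used above. The host name "homelab", the admin user "aaron" and the Tailscale-range source IP 100.64.0.5 in the sample log are assumptions.

```python
"""Triage helpers for SSH-to-Forgejo failures (added example, not Forgejo's code)."""
import ipaddress
import re

# Cloudflare's published IPv4 proxy ranges (assumption: copied from
# https://www.cloudflare.com/ips-v4 at time of writing; the live list may change).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# The "smoking gun" line quoted in the thread, and the line a working login produces.
REJECTED_RE = re.compile(r"User (\S+) from (\S+) not allowed because not listed in AllowUsers")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

# Constructed journalctl -u sshd output; host, user and IPs are invented for the example.
SAMPLE_JOURNAL = [
    "Mar 03 10:12:01 homelab sshd[1234]: User forgejo from 100.64.0.5 not allowed because not listed in AllowUsers",
    "Mar 03 10:12:01 homelab sshd[1234]: Connection closed by invalid user forgejo 100.64.0.5 port 51234 [preauth]",
    "Mar 03 10:13:44 homelab sshd[1250]: Accepted publickey for aaron from 100.64.0.5 port 51240 ssh2: ED25519 SHA256:abc",
]


def is_cloudflare_proxied(ip: str) -> bool:
    """True if the address a hostname resolves to is in Cloudflare's proxy ranges,
    i.e. the record is still "proxied" and TCP/22 will never reach the origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def allowusers_rejections(lines):
    """Map user -> set of source IPs that sshd rejected because of AllowUsers."""
    rejected = {}
    for line in lines:
        m = REJECTED_RE.search(line)
        if m:
            rejected.setdefault(m.group(1), set()).add(m.group(2))
    return rejected


def accepted_users(lines):
    """Users that completed authentication; they must stay in AllowUsers
    or the fix for the service user locks the admins out."""
    return {m.group(1) for line in lines if (m := ACCEPTED_RE.search(line))}


def missing_allowusers(lines, allow_users):
    """Users sshd rejected that are absent from the configured AllowUsers list."""
    return sorted(set(allowusers_rejections(lines)) - set(allow_users))


def suggested_allowusers(lines, allow_users):
    """Current list, plus rejected service users, plus everyone who logs in."""
    return sorted(set(allow_users) | set(allowusers_rejections(lines)) | accepted_users(lines))


def render_nix_allowusers(users):
    """Render the list as the NixOS option shown earlier in the thread."""
    body = "\n".join(f'  "{u}"' for u in users)
    return "services.openssh.settings.AllowUsers = [\n" + body + "\n];"


if __name__ == "__main__":
    print("104.21.39.202 is a Cloudflare proxy address:", is_cloudflare_proxied("104.21.39.202"))
    print("rejected by AllowUsers:", allowusers_rejections(SAMPLE_JOURNAL))
    print("missing from AllowUsers:", missing_allowusers(SAMPLE_JOURNAL, ["aaron"]))
    print(render_nix_allowusers(suggested_allowusers(SAMPLE_JOURNAL, ["aaron"])))
```

Feed it real lines with `journalctl -u sshd --no-pager` and the address from `dig +short git.example.net`; if the address check returns true, no AllowUsers change will help until the record is switched to "DNS only" or a separate non-proxied name is used for SSH, as the thread eventually does.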

This was a few days ago and I have turned it back on so I can access the Forgejo over HTTP on the browser. I don’t know the time in UTC.

If you switched back, then the time is not relevant anyway. I thought the setting was disabled right now.


Also I realize now, you use cloudflared with tunnels, rather than a local reverse proxy.

This would have been valuable information. I have no clue how to deal with this kind of setup.

Alright I got it to work! I did not use the articles I linked but I want to explain the way I got it to work and we can close this post.

I have Tailscale set up on my laptop and the server in question, so I set up an A record for git-ssh.ahoneybun.net going to the Tailscale IPv4 address with no Proxy, so just DNS. Once that synced I am able to connect with:

ssh forgejo@git-ssh.ahoneybun.net

PTY allocation request failed on channel 0
Hi there, ahoneybun! You’ve successfully authenticated with the key named aaronhoneycutt@protonmail.com, but Forgejo does not provide shell access.
If this is unexpected, please log in with password and setup Forgejo under another user.
Connection to git-ssh.ahoneybun.net closed.

and I can clone now with:

git clone ssh://forgejo@git-ssh.ahoneybun.net/ahoneybun/lazarus.git
