CGIT + NGINX : Not able to push

Hi, I plan to setup my own git web using cgit. For now I able to clone 
but I not able to push changes.

$ export GIT_CURL_VERBOSE=1
$ git push --set-upstream origin robbi.my_custom
23:24:24.335603 http.c:703              == Info: Couldn't find host 
source.robbi.my in the (nil) file; using defaults
23:24:24.339495 http.c:703              == Info:   Trying 172.64.80.1:443...
23:24:25.157231 http.c:703              == Info: Connected to 
source.robbi.my (172.64.80.1) port 443 (#0)
23:24:25.158730 http.c:703              == Info: ALPN: offers h2
23:24:25.158730 http.c:703              == Info: ALPN: offers http/1.1
23:24:25.169314 http.c:703              == Info:  CAfile: C:/Program 
Files/Git/mingw64/ssl/certs/ca-bundle.crt
23:24:25.169314 http.c:703              == Info:  CApath: none
23:24:25.169314 http.c:703              == Info: TLSv1.3 (OUT), TLS 
handshake, Client hello (1):
23:24:25.613101 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Server hello (2):
23:24:25.615105 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Encrypted Extensions (8):
23:24:25.615105 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Certificate (11):
23:24:25.619104 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, CERT verify (15):
23:24:25.619104 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Finished (20):
23:24:25.620104 http.c:703              == Info: TLSv1.3 (OUT), TLS 
change cipher, Change cipher spec (1):
23:24:25.620104 http.c:703              == Info: TLSv1.3 (OUT), TLS 
handshake, Finished (20):
23:24:25.620104 http.c:703              == Info: SSL connection using 
TLSv1.3 / TLS_AES_256_GCM_SHA384
23:24:25.620104 http.c:703              == Info: ALPN: server accepted h2
23:24:25.620104 http.c:703              == Info: Server certificate:
23:24:25.620104 http.c:703              == Info:  subject: CN=*.robbi.my
23:24:25.620104 http.c:703              == Info:  start date: Oct 13 
02:03:14 2022 GMT
23:24:25.620104 http.c:703              == Info:  expire date: Jan 11 
02:03:13 2023 GMT
23:24:25.620104 http.c:703              == Info:  subjectAltName: host 
"source.robbi.my" matched cert's "*.robbi.my"
23:24:25.620104 http.c:703              == Info:  issuer: C=US; O=Let's 
Encrypt; CN=E1
23:24:25.620104 http.c:703              == Info:  SSL certificate verify ok.
23:24:25.620104 http.c:703              == Info: Using HTTP2, server 
supports multiplexing
23:24:25.620104 http.c:703              == Info: Copying HTTP/2 data in 
stream buffer to connection buffer after upgrade: len=0
23:24:25.620104 http.c:703              == Info: h2h3 [:method: GET]
23:24:25.620104 http.c:703              == Info: h2h3 [:path: 
/cgit-pink/info/refs?service=git-receive-pack]
23:24:25.620104 http.c:703              == Info: h2h3 [:scheme: https]
23:24:25.620104 http.c:703              == Info: h2h3 [:authority: 
source.robbi.my]
23:24:25.620104 http.c:703              == Info: h2h3 [user-agent: 
git/2.37.2.windows.2]
23:24:25.620104 http.c:703              == Info: h2h3 [accept: */*]
23:24:25.620104 http.c:703              == Info: h2h3 [accept-encoding: 
deflate, gzip, br, zstd]
23:24:25.620104 http.c:703              == Info: h2h3 [pragma: no-cache]
23:24:25.620104 http.c:703              == Info: Using Stream ID: 1 
(easy handle 0x22b7fa5f690)
23:24:25.620104 http.c:650              => Send header, 0000000190 bytes 
(0x000000be)
23:24:25.620104 http.c:662              => Send header: GET 
/cgit-pink/info/refs?service=git-receive-pack HTTP/2
23:24:25.620104 http.c:662              => Send header: Host: 
source.robbi.my
23:24:25.620104 http.c:662              => Send header: user-agent: 
git/2.37.2.windows.2
23:24:25.620104 http.c:662              => Send header: accept: */*
23:24:25.620104 http.c:662              => Send header: accept-encoding: 
deflate, gzip, br, zstd
23:24:25.620104 http.c:662              => Send header: pragma: no-cache
23:24:25.620104 http.c:662              => Send header:
23:24:25.962937 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Newsession Ticket (4):
23:24:25.963949 http.c:703              == Info: TLSv1.3 (IN), TLS 
handshake, Newsession Ticket (4):
23:24:25.963949 http.c:703              == Info: old SSL session ID is 
stale, removing
23:24:25.963949 http.c:703              == Info: Connection state 
changed (MAX_CONCURRENT_STREAMS == 256)!
23:24:26.253252 http.c:650              <= Recv header, 0000000013 bytes 
(0x0000000d)
23:24:26.253252 http.c:662              <= Recv header: HTTP/2 403
23:24:26.253252 http.c:650              <= Recv header, 0000000037 bytes 
(0x00000025)
23:24:26.253252 http.c:662              <= Recv header: date: Thu, 17 
Nov 2022 15:24:24 GMT
23:24:26.253252 http.c:650              <= Recv header, 0000000040 bytes 
(0x00000028)
23:24:26.253252 http.c:662              <= Recv header: expires: Fri, 01 
Jan 1980 00:00:00 GMT
23:24:26.253252 http.c:650              <= Recv header, 0000000040 bytes 
(0x00000028)
23:24:26.253252 http.c:662              <= Recv header: expires: Fri, 01 
Jan 1980 00:00:00 GMT
23:24:26.253252 http.c:650              <= Recv header, 0000000018 bytes 
(0x00000012)
23:24:26.253252 http.c:662              <= Recv header: pragma: no-cache
23:24:26.253252 http.c:650              <= Recv header, 0000000018 bytes 
(0x00000012)
23:24:26.253252 http.c:662              <= Recv header: pragma: no-cache
23:24:26.253252 http.c:650              <= Recv header, 0000000053 bytes 
(0x00000035)
23:24:26.253252 http.c:662              <= Recv header: cache-control: 
no-cache, max-age=0, must-revalidate
23:24:26.253252 http.c:650              <= Recv header, 0000000053 bytes 
(0x00000035)
23:24:26.253252 http.c:662              <= Recv header: cache-control: 
no-cache, max-age=0, must-revalidate
23:24:26.253252 http.c:650              <= Recv header, 0000000026 bytes 
(0x0000001a)
23:24:26.253252 http.c:662              <= Recv header: cf-cache-status: 
DYNAMIC
23:24:26.253252 http.c:650              <= Recv header, 0000000256 bytes 
(0x00000100)
23:24:26.253252 http.c:662              <= Recv header: report-to: 
{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fD6cyeHU7oKzC1IXV6hfWtcCXjRGLX7lNK39sEBhlpUSgG6%2F4V8RjFxV%2F20PIQPuFFJeb03csCfZb87f9Q7b7amvGWLhncuAPTZEZ9GraBoHdhs1MObZEz5FdlvADngnu8w%3D"}],"group":"cf-nel","max_age":604800}
23:24:26.253252 http.c:650              <= Recv header, 0000000067 bytes 
(0x00000043)
23:24:26.253252 http.c:662              <= Recv header: nel: 
{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
23:24:26.253252 http.c:650              <= Recv header, 0000000038 bytes 
(0x00000026)
23:24:26.253252 http.c:662              <= Recv header: 
strict-transport-security: max-age=0
23:24:26.253252 http.c:650              <= Recv header, 0000000033 bytes 
(0x00000021)
23:24:26.253252 http.c:662              <= Recv header: 
x-content-type-options: nosniff
23:24:26.253252 http.c:650              <= Recv header, 0000000020 bytes 
(0x00000014)
23:24:26.253252 http.c:662              <= Recv header: server: cloudflare
23:24:26.253252 http.c:650              <= Recv header, 0000000030 bytes 
(0x0000001e)
23:24:26.253252 http.c:662              <= Recv header: cf-ray: 
76b9791ecb6405b7-IAD
23:24:26.253252 http.c:650              <= Recv header, 0000000054 bytes 
(0x00000036)
23:24:26.253252 http.c:662              <= Recv header: alt-svc: 
h3=":443"; ma=86400, h3-29=":443"; ma=86400
23:24:26.253252 http.c:650              <= Recv header, 0000000002 bytes 
(0x00000002)
23:24:26.253252 http.c:662              <= Recv header:
23:24:26.253252 http.c:703              == Info: Connection #0 to host 
source.robbi.my left intact
fatal: unable to access 'https://source.robbi.my/cgit-pink/': The 
requested URL returned error: 403

as you see, it give me 403

Here my NginX conf
$ cat /etc/nginx/sites-available/source.robbi.my.conf | sed -e 
's/#[^!].*$//'
server {
     listen [::]:80;
     listen 80;
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

     server_name source.robbi.my;
     root /usr/share/cgit;
     try_files $uri @cgit;

     location @cgit {
         include             fastcgi_params;
         fastcgi_param           SCRIPT_FILENAME 
/var/www/htdocs/cgit/cgit.cgi;
         fastcgi_param           PATH_INFO       $request_uri;
         fastcgi_param           QUERY_STRING    $query_string;
         fastcgi_param           HTTP_HOST       $server_name;
         fastcgi_pass        unix:/run/fcgiwrap.socket;
     }

     location ~ /.+/(info/refs|git-upload-pack) {
         include             fastcgi_params;
         fastcgi_param       SCRIPT_FILENAME 
/usr/lib/git-core/git-http-backend;
         fastcgi_param       PATH_INFO           $uri;
         fastcgi_param       GIT_HTTP_EXPORT_ALL 1;
         fastcgi_param       GIT_PROJECT_ROOT    /srv/git;
         fastcgi_param       HOME                /srv/git;
         fastcgi_pass        unix:/run/fcgiwrap.socket;
     }
     ssl_certificate /etc/nginx/ssl/cloudflare.pem;
     ssl_certificate_key /etc/nginx/ssl/cloudflare.key;
}

It not sure what wrong here, it keep sending 403 when I tried to push

-- 
Regards
Robbi Nespu

PGP: 7816 3327 745D 4B14 0D70 0237 05C3 9BE3 9AAF 49F4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x05C39BE39AAF49F4.asc
Type: application/pgp-keys
Size: 3061 bytes
Desc: OpenPGP public key
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20221117/ca9a1f32/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20221117/ca9a1f32/attachment-0001.bin>