##// END OF EJS Templates
pull-requests: increase stability of concurrent pull requests creation by flushing prematurly the statuses of commits....
pull-requests: increase stability of concurrent pull requests creation by flushing prematurly the statuses of commits. This is required to increase the versions on each concurrent call. Otherwise we could get into an integrity errors of commitsha+version+repo

File last commit:

r3326:e2b04156 default
r3408:2a133f7e stable
Show More
nginx-config-example.rst
160 lines | 7.2 KiB | text/x-rst | RstLexer
/ docs / admin / nginx-config-example.rst
project: added all source files and assets
r1 Nginx Configuration Example
---------------------------
Use the following example to configure Nginx as a your web server.
docs: updated nginx/apache configurations....
r1263
project: added all source files and assets
r1 .. code-block:: nginx
docs: small rst fixes.
r1856
docs: updated configuration for nginx and reverse proxy.
r3341 ## Rate limiter for certain pages to prevent brute force attacks
docs: updated scaling/cluster docs
r3018 limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r/s;
project: added all source files and assets
r1
docs: updated configuration for nginx and reverse proxy.
r3341 ## Custom log format
docs: updated nginx example...
r636 log_format log_custom '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
docs: updated configuration for nginx and reverse proxy.
r3341 ## Define one or more upstreams (local RhodeCode instance) to connect to
project: added all source files and assets
r1 upstream rc {
docs: updated nginx/apache configurations....
r1263 # Url to running RhodeCode instance.
docs: updated scaling/cluster docs
r3018 # This is shown as `- URL: <host>` in output from rccontrol status.
docs: updated apache/nginx configs
r120 server 127.0.0.1:10002;
project: added all source files and assets
r1
# add more instances for load balancing
docs: updated apache/nginx configs
r120 # server 127.0.0.1:10003;
# server 127.0.0.1:10004;
project: added all source files and assets
r1 }
docs: updated nginx/apache configurations....
r1263 ## HTTP to HTTPS rewrite
server {
listen 80;
server_name rhodecode.myserver.com;
project: added all source files and assets
r1
docs: updated nginx/apache configurations....
r1263 if ($http_host = rhodecode.myserver.com) {
rewrite (.*) https://rhodecode.myserver.com$1 permanent;
}
}
## Optional gist alias server, for serving nicer GIST urls.
project: added all source files and assets
r1 server {
listen 443;
server_name gist.myserver.com;
docs: updated nginx example...
r636 access_log /var/log/nginx/gist.access.log log_custom;
project: added all source files and assets
r1 error_log /var/log/nginx/gist.error.log;
ssl on;
ssl_certificate gist.rhodecode.myserver.com.crt;
ssl_certificate_key gist.rhodecode.myserver.com.key;
ssl_session_timeout 5m;
docs: updated nginx example...
r636 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
project: added all source files and assets
r1 ssl_prefer_server_ciphers on;
docs: updated nginx example...
r636 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
docs: updated configuration for nginx and reverse proxy.
r3341 ## Strict http prevents from https -> http downgrade
project: added all source files and assets
r1 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
docs: updated configuration for nginx and reverse proxy.
r3341 ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
docs: updated nginx example...
r636 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
project: added all source files and assets
r1
rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
}
docs: updated nginx example...
r636
## MAIN SSL enabled server
server {
docs: updated configuration for nginx and reverse proxy.
r3341 listen 443 ssl http2;
docs: updated nginx example...
r636 server_name rhodecode.myserver.com;
access_log /var/log/nginx/rhodecode.access.log log_custom;
error_log /var/log/nginx/rhodecode.error.log;
project: added all source files and assets
r1
ssl_certificate rhodecode.myserver.com.crt;
ssl_certificate_key rhodecode.myserver.com.key;
docs: updated configuration for nginx and reverse proxy.
r3341 # enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
project: added all source files and assets
r1 ssl_session_timeout 5m;
docs: updated configuration for nginx and reverse proxy.
r3341 ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
docs: updated nginx example...
r636 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
project: added all source files and assets
r1
docs: updated configuration for nginx and reverse proxy.
r3341 # enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
client_body_buffer_size 128k;
# maximum number and size of buffers for large headers to read from client request
large_client_header_buffers 16 256k;
docs: updated nginx example...
r636
docs: updated scaling/cluster docs
r3018 ## uncomment to serve static files by Nginx, recommended for performance
static: change static path to serve rhodecode static assets from...
r522 # location /_static/rhodecode {
docs: added gzip into static files for nginx
r2146 # gzip on;
# gzip_min_length 500;
# gzip_proxied any;
# gzip_comp_level 4;
# gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
# gzip_vary on;
# gzip_disable "msie6";
docs: updated scaling/cluster docs
r3018 # alias /path/to/.rccontrol/community-1/static;
dan
docs: update example nginx/apache configs to use .rccontrol static path
r457 # alias /path/to/.rccontrol/enterprise-1/static;
dan
config: update ini/config files to account for /_static path
r456 # }
docs: updated apache/nginx configs
r120
docs: updated configuration for nginx and reverse proxy.
r3341 ## channelstream location handler, if channelstream live chat and notifications
## are enable this will proxy the requests to channelstream websocket server
docs: added channelstream example
r477 location /_channelstream {
rewrite /_channelstream/(.*) /$1 break;
docs: updated configuration for nginx and reverse proxy.
r3341 gzip off;
tcp_nodelay off;
docs: updated nginx example...
r636
docs: added channelstream example
r477 proxy_connect_timeout 10;
proxy_send_timeout 10m;
proxy_read_timeout 10m;
docs: updated configuration for nginx and reverse proxy.
r3341
docs: added channelstream example
r477 proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
docs: updated nginx example...
r636 proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
docs: updated configuration for nginx and reverse proxy.
r3341
docs: added channelstream example
r477 proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
docs: updated configuration for nginx and reverse proxy.
r3341
proxy_pass http://127.0.0.1:9800;
docs: added channelstream example
r477 }
docs: updated scaling/cluster docs
r3018 ## rate limit this endpoint to prevent login page brute-force attacks
dan
docs: added example how to secure login page from brute force attacks.
r1808 location /_admin/login {
docs: updated scaling/cluster docs
r3018 limit_req zone=req_limit burst=10 nodelay;
docs: updated configuration for nginx and reverse proxy.
r3341 try_files $uri @rhodecode_http;
dan
docs: added example how to secure login page from brute force attacks.
r1808 }
docs: updated apache/nginx configs
r120 location / {
docs: updated configuration for nginx and reverse proxy.
r3341 try_files $uri @rhodecode_http;
docs: updated apache/nginx configs
r120 }
project: added all source files and assets
r1
docs: updated configuration for nginx and reverse proxy.
r3341 location @rhodecode_http {
# example of proxy.conf can be found in our docs.
include /etc/nginx/proxy.conf;
proxy_pass http://rc;
docs: added channelstream example
r477 }
docs: updated nginx example...
r636
docs: updated configuration for nginx and reverse proxy.
r3341 ## Custom 502 error page.
## Will be displayed while RhodeCode server is turned off
docs: updated nginx example...
r636 error_page 502 /502.html;
location = /502.html {
docs: updated scaling/cluster docs
r3018 #root /path/to/.rccontrol/community-1/static;
docs: updated nginx example...
r636 root /path/to/.rccontrol/enterprise-1/static;
}
}