env-variables: make it safer if there's a syntax problem inside .ini file....
env-variables: make it safer if there's a syntax problem inside .ini file. It's better to not crash, since it means server wont start. Let users fix problems instead of breaking the startup because of that.

File last commit:

r3018:26521a96 stable
r3237:5cf82ecc default
nginx-config-example.rst
Nginx Configuration Example
---------------------------
Use the following example to configure Nginx as your web server.
.. code-block:: nginx
## Shared request-rate zone, applied to the login location further down to
## slow brute-force attempts: one bucket per client address, 10m of state,
## refilled at 1 request per second.
## NOTE(review): $binary_remote_addr is the address of the directly connected
## peer. If another proxy or load balancer sits in front of Nginx, every client
## shares that peer's bucket unless the real client address is restored first
## (ngx_http_realip_module: set_real_ip_from / real_ip_header).
limit_req_zone  $binary_remote_addr  zone=req_limit:10m  rate=1r/s;

## Access-log format referenced by the server blocks below: client, user,
## timestamp, request line, status, size, referer, user agent, then request
## and upstream timings and the pipelining flag.
log_format log_custom
    '$remote_addr - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '$request_time $upstream_response_time $pipe';
## Upstream pool "rc": the local RhodeCode instance(s) that Nginx proxies to.
upstream rc {
    # Address of the running RhodeCode instance.
    # `rccontrol status` prints it as `- URL: <host>`.
    server 127.0.0.1:10002;

    # Uncomment further entries to load-balance across more instances.
    # server 127.0.0.1:10003;
    # server 127.0.0.1:10004;
}
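## HTTP to HTTPS redirect
server {
    listen          80;
    server_name     rhodecode.myserver.com;

    # server_name already selects this block, so no `if` on the Host header
    # is needed. The redirect target is a fixed host name from this config,
    # never a value taken from the request, so a forged Host header cannot
    # steer the redirect to another site. $request_uri carries the original
    # path and query string unchanged.
    return 301 https://rhodecode.myserver.com$request_uri;
}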
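## Optional gist alias server, for serving nicer GIST urls.
server {
    # TLS is switched on with the `ssl` parameter of `listen`. The separate
    # `ssl on;` directive is obsolete since nginx 1.15.0 and was removed in
    # 1.25.1, where it makes the configuration fail to load.
    listen          443 ssl;
    server_name     gist.myserver.com;
    access_log      /var/log/nginx/gist.access.log log_custom;
    error_log       /var/log/nginx/gist.error.log;

    ssl_certificate     gist.rhodecode.myserver.com.crt;
    ssl_certificate_key gist.rhodecode.myserver.com.key;

    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are formally deprecated (RFC 8996); offer 1.2 and 1.3 only.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # TLS 1.2 suites limited to forward-secret AEAD ciphers. The 3DES
    # (DES-CBC3-SHA), static-RSA and catch-all `AES`/`CAMELLIA` entries of the
    # older list are dropped. TLS 1.3 suites are not controlled by this directive.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';

    # HSTS: browsers that have seen this header use HTTPS only for this host
    # and its subdomains for one year, which prevents https -> http downgrade.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits.
    # On current nginx the DHE suite above is only offered once this is set.
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Send everything to the gist pages of the main RhodeCode host.
    rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
    rewrite (.*)    https://rhodecode.myserver.com/_admin/gists;
}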
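## MAIN SSL enabled server
server {
    listen       443 ssl;
    server_name  rhodecode.myserver.com;
    access_log   /var/log/nginx/rhodecode.access.log log_custom;
    error_log    /var/log/nginx/rhodecode.error.log;

    # TLS is enabled by the `ssl` parameter of `listen` above. The separate
    # `ssl on;` directive is obsolete since nginx 1.15.0 and was removed in
    # 1.25.1, where it makes the configuration fail to load.
    ssl_certificate     rhodecode.myserver.com.crt;
    ssl_certificate_key rhodecode.myserver.com.key;

    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are formally deprecated (RFC 8996); offer 1.2 and 1.3 only.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # TLS 1.2 suites limited to forward-secret AEAD ciphers. The 3DES
    # (DES-CBC3-SHA), static-RSA and catch-all `AES`/`CAMELLIA` entries of the
    # older list are dropped. TLS 1.3 suites are not controlled by this directive.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits.
    # On current nginx the DHE suite above is only offered once this is set.
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # The gist alias server sends HSTS; this server does not. Uncomment once
    # every client of this host and its subdomains can use HTTPS, because
    # browsers remember the policy for the full max-age.
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    # example of proxy.conf can be found in our docs.
    include     /etc/nginx/proxy.conf;

    ## uncomment to serve static files by Nginx, recommended for performance
    # location /_static/rhodecode {
    #    gzip on;
    #    gzip_min_length  500;
    #    gzip_proxied     any;
    #    gzip_comp_level  4;
    #    gzip_types  text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    #    gzip_vary on;
    #    gzip_disable     "msie6";
    #    alias /path/to/.rccontrol/community-1/static;
    #    alias /path/to/.rccontrol/enterprise-1/static;
    # }

    ## channelstream websocket handling
    location /_channelstream {
        # Strip the /_channelstream prefix before handing the request on.
        rewrite /_channelstream/(.*) /$1 break;

        proxy_pass         http://127.0.0.1:9800;

        proxy_connect_timeout  10;
        proxy_send_timeout     10m;
        proxy_read_timeout     10m;
        tcp_nodelay            off;
        proxy_set_header       Host $host;
        proxy_set_header       X-Real-IP $remote_addr;
        proxy_set_header       X-Url-Scheme $scheme;
        proxy_set_header       X-Forwarded-Proto $scheme;
        # $proxy_add_x_forwarded_for appends the connecting peer's address to
        # any X-Forwarded-For value the client sent, so only the last entry
        # is set by Nginx; the backend should not trust the earlier ones.
        proxy_set_header       X-Forwarded-For $proxy_add_x_forwarded_for;
        gzip                   off;
        # WebSocket upgrade needs HTTP/1.1 and the Upgrade/Connection headers.
        proxy_http_version     1.1;
        proxy_set_header       Upgrade $http_upgrade;
        proxy_set_header       Connection "upgrade";
    }

    ## rate limit this endpoint to prevent login page brute-force attacks
    location /_admin/login {
        # Uses the req_limit zone (1r/s per client address). burst=10 with
        # nodelay serves up to 10 requests above the rate immediately;
        # anything beyond that is rejected (status 503 unless limit_req_status
        # is set). The prefix match covers every URI that starts with
        # /_admin/login.
        limit_req  zone=req_limit  burst=10  nodelay;
        try_files $uri @rhode;
    }

    location / {
        try_files $uri @rhode;
    }

    # Named location: everything not served as a file goes to the "rc" upstream.
    location @rhode {
        proxy_pass      http://rc;
    }

    ## custom 502 error page. Will be displayed while RhodeCode server
    ## is turned off
    error_page 502 /502.html;
    location = /502.html {
        #root  /path/to/.rccontrol/community-1/static;
        root   /path/to/.rccontrol/enterprise-1/static;
    }
}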