##// END OF EJS Templates
app: disconect auth plugin loading from authentication registry....
r3241:611f6ed0 default
Show More
nginx-config-example.rst
145 lines | 6.5 KiB | text/x-rst | RstLexer
/ docs / admin / nginx-config-example.rst
project: added all source files and assets
r1 Nginx Configuration Example
---------------------------
Use the following example to configure Nginx as a your web server.
docs: updated nginx/apache configurations....
r1263
project: added all source files and assets
r1 .. code-block:: nginx
docs: small rst fixes.
r1856
dan
docs: added example how to secure login page from brute force attacks.
r1808 ## rate limiter for certain pages to prevent brute force attacks
docs: updated scaling/cluster docs
r3018 limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r/s;
project: added all source files and assets
r1
dan
docs: added example how to secure login page from brute force attacks.
r1808 ## custom log format
docs: updated nginx example...
r636 log_format log_custom '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
docs: updated nginx/apache configurations....
r1263 ## define upstream (local RhodeCode instance) to connect to
project: added all source files and assets
r1 upstream rc {
docs: updated nginx/apache configurations....
r1263 # Url to running RhodeCode instance.
docs: updated scaling/cluster docs
r3018 # This is shown as `- URL: <host>` in output from rccontrol status.
docs: updated apache/nginx configs
r120 server 127.0.0.1:10002;
project: added all source files and assets
r1
# add more instances for load balancing
docs: updated apache/nginx configs
r120 # server 127.0.0.1:10003;
# server 127.0.0.1:10004;
project: added all source files and assets
r1 }
docs: updated nginx/apache configurations....
r1263 ## HTTP to HTTPS rewrite
server {
listen 80;
server_name rhodecode.myserver.com;
project: added all source files and assets
r1
docs: updated nginx/apache configurations....
r1263 if ($http_host = rhodecode.myserver.com) {
rewrite (.*) https://rhodecode.myserver.com$1 permanent;
}
}
## Optional gist alias server, for serving nicer GIST urls.
project: added all source files and assets
r1 server {
listen 443;
server_name gist.myserver.com;
docs: updated nginx example...
r636 access_log /var/log/nginx/gist.access.log log_custom;
project: added all source files and assets
r1 error_log /var/log/nginx/gist.error.log;
ssl on;
ssl_certificate gist.rhodecode.myserver.com.crt;
ssl_certificate_key gist.rhodecode.myserver.com.key;
ssl_session_timeout 5m;
docs: updated nginx example...
r636 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
project: added all source files and assets
r1 ssl_prefer_server_ciphers on;
docs: updated nginx example...
r636 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
docs: updated nginx/apache configurations....
r1263 # strict http prevents from https -> http downgrade
project: added all source files and assets
r1 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
docs: updated nginx example...
r636 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
project: added all source files and assets
r1
rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
}
docs: updated nginx example...
r636
## MAIN SSL enabled server
server {
listen 443 ssl;
server_name rhodecode.myserver.com;
access_log /var/log/nginx/rhodecode.access.log log_custom;
error_log /var/log/nginx/rhodecode.error.log;
project: added all source files and assets
r1
ssl on;
ssl_certificate rhodecode.myserver.com.crt;
ssl_certificate_key rhodecode.myserver.com.key;
ssl_session_timeout 5m;
docs: updated nginx example...
r636 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
project: added all source files and assets
r1 ssl_prefer_server_ciphers on;
docs: updated nginx example...
r636 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
project: added all source files and assets
r1
docs: updated nginx example...
r636 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
#ssl_dhparam /etc/nginx/ssl/dhparam.pem;
project: added all source files and assets
r1
docs: updated scaling/cluster docs
r3018 # example of proxy.conf can be found in our docs.
docs: updated nginx example...
r636 include /etc/nginx/proxy.conf;
docs: updated scaling/cluster docs
r3018 ## uncomment to serve static files by Nginx, recommended for performance
static: change static path to serve rhodecode static assets from...
r522 # location /_static/rhodecode {
docs: added gzip into static files for nginx
r2146 # gzip on;
# gzip_min_length 500;
# gzip_proxied any;
# gzip_comp_level 4;
# gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
# gzip_vary on;
# gzip_disable "msie6";
docs: updated scaling/cluster docs
r3018 # alias /path/to/.rccontrol/community-1/static;
dan
docs: update example nginx/apache configs to use .rccontrol static path
r457 # alias /path/to/.rccontrol/enterprise-1/static;
dan
config: update ini/config files to account for /_static path
r456 # }
docs: updated apache/nginx configs
r120
docs: updated nginx/apache configurations....
r1263 ## channelstream websocket handling
docs: added channelstream example
r477 location /_channelstream {
rewrite /_channelstream/(.*) /$1 break;
docs: updated nginx/apache configurations....
r1263
docs: updated nginx example...
r636 proxy_pass http://127.0.0.1:9800;
docs: added channelstream example
r477 proxy_connect_timeout 10;
proxy_send_timeout 10m;
proxy_read_timeout 10m;
docs: updated nginx example...
r636 tcp_nodelay off;
docs: added channelstream example
r477 proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
docs: updated nginx example...
r636 proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
docs: added channelstream example
r477 gzip off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
docs: updated scaling/cluster docs
r3018 ## rate limit this endpoint to prevent login page brute-force attacks
dan
docs: added example how to secure login page from brute force attacks.
r1808 location /_admin/login {
docs: updated scaling/cluster docs
r3018 limit_req zone=req_limit burst=10 nodelay;
dan
docs: added example how to secure login page from brute force attacks.
r1808 try_files $uri @rhode;
}
docs: updated apache/nginx configs
r120 location / {
try_files $uri @rhode;
}
project: added all source files and assets
r1
docs: added channelstream example
r477 location @rhode {
proxy_pass http://rc;
}
docs: updated nginx example...
r636
docs: added 502 page instructions for nginx and apache
r2145 ## custom 502 error page. Will be displayed while RhodeCode server
## is turned off
docs: updated nginx example...
r636 error_page 502 /502.html;
location = /502.html {
docs: updated scaling/cluster docs
r3018 #root /path/to/.rccontrol/community-1/static;
docs: updated nginx example...
r636 root /path/to/.rccontrol/enterprise-1/static;
}
}