diff --git a/docs/admin/apache-conf-examples.rst b/docs/admin/apache-conf-example.rst
rename from docs/admin/apache-conf-examples.rst
rename to docs/admin/apache-conf-example.rst
--- a/docs/admin/apache-conf-examples.rst
+++ b/docs/admin/apache-conf-example.rst
@@ -1,32 +1,68 @@
.. _apache-conf-eg:
-Apache Configuration Examples
------------------------------
+Apache Configuration Example
+----------------------------
+
+Use the following example to configure Apache as a your web server.
+Below config if for an Apache Reverse Proxy configuration.
+
+.. note::
+
+ Apache requires the following modules to be enabled. Below is an example
+ how to enable them on Ubuntu Server
+
-Use the following example to securely configure your Apache HTTP virtual hosts
-file.
+.. code-block:: bash
+
+ $ sudo a2enmod proxy
+ $ sudo a2enmod proxy_http
+ $ sudo a2enmod proxy_balancer
+ $ sudo a2enmod headers
+ $ sudo a2enmod ssl
+ $ sudo a2enmod rewrite
+
+ # requires Apache 2.4+, required to handle websockets/channelstream
+ $ sudo a2enmod proxy_wstunnel
+
.. code-block:: apache
+ ## HTTP to HTTPS rewrite
- ServerName hg.myserver.com
- ServerAlias hg.myserver.com
+ ServerName rhodecode.myserver.com
+ DocumentRoot /var/www/html
+ Redirect permanent / https://rhodecode.myserver.com/
+
+
+ ## MAIN SSL enabled server
+
+
+ ServerName rhodecode.myserver.com
+ ServerAlias rhodecode.myserver.com
+
+ ## serve static files by Apache, recommended for performance
+ #Alias /_static /home/ubuntu/.rccontrol/community-1/static
+
+ RequestHeader set X-Forwarded-Proto "https"
+
+ ## channelstream websocket handling
+ ProxyPass /_channelstream ws://localhost:9800
+ ProxyPassReverse /_channelstream ws://localhost:9800
Order allow,deny
Allow from all
- # important !
- # Directive to properly generate url (clone url) for pylons
-
+ # Directive to properly generate url (clone url) for RhodeCode
ProxyPreserveHost On
- #rhodecode instance
- ProxyPass / http://127.0.0.1:5000/
- ProxyPassReverse / http://127.0.0.1:5000/
+ # Url to running RhodeCode instance. This is shown as `- URL:` when
+ # running rccontrol status.
+ ProxyPass / http://127.0.0.1:10002/
+ ProxyPassReverse / http://127.0.0.1:10002/
- # Set strict HTTPS
+ # strict http prevents from https -> http downgrade
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Set x-frame options
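Review bot: The new comment above the `Strict-Transport-Security` header ("strict http prevents from https -> http downgrade") does not tell the reader that the header also carries `includeSubdomains; preload` with a two-year max-age, which binds every subdomain to HTTPS and is slow to undo once browsers have cached it; the same comment is added above `add_header` in nginx-config-example.rst. Suggested wording: `# HSTS: browsers refuse plain HTTP for this host and its subdomains until max-age expires; drop includeSubdomains/preload unless every subdomain serves HTTPS`. The example also keeps the 2.2-style `Order allow,deny` / `Allow from all` while the new module list targets Apache 2.4 (`proxy_wstunnel`); on 2.4 those lines only work with mod_access_compat loaded, so `Require all granted` would be the matching form. The new intro has two typos worth fixing in the same pass: "as a your web server" and "Below config if for". The virtual-host block continues past the end of this hunk.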
@@ -35,80 +71,17 @@ file.
# To enable https use line below
# SetEnvIf X-Url-Scheme https HTTPS=1
- # Secure your Diffie-hellmann deployment
+ # SSL setup
+ SSLEngine On
+ SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key
+
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
- SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"
-Use the following example to configure Apache for a multi-node setup. The
-timeout setting should be increased if you experience timeouts when working
-with large |repos|.
-
-.. code-block:: apache
-
- #
- # Timeout: The number of seconds before receives and sends time out.
- #
- Timeout 600
-
-
-
- ProxyRequests off
-
- #important !
- #Directive to properly generate url (clone url) for pylons
- ProxyPreserveHost On
-
- ServerName your.rce.com
- ServerAlias your.rce.com
-
-
- # WebHead1
- BalancerMember http://10.58.1.171:10002 route=1
- # WebHead2
- BalancerMember http://10.58.1.172:10001 route=2
-
- # Security "technically we aren't blocking
- # anyone but this the place to make those
- # chages
- Order Deny,Allow
- Deny from none
- Allow from all
-
- # Load Balancer Settings
- # We will be configuring a simple Round
- # Robin style load balancer. This means
- # that all webheads take an equal share of
- # of the load.
- ProxySet stickysession=ROUTEID
-
-
-
- # balancer-manager
- # This tool is built into the mod_proxy_balancer
- # module and will allow you to do some simple
- # modifications to the balanced group via a gui
- # web interface.
-
- SetHandler balancer-manager
-
- # recommend locking this one down to your
- # your office
- Order deny,allow
- Allow from all
-
-
- # Point of Balance
- # This setting will allow to explicitly name the
- # the location in the site that we want to be
- # balanced, in this example we will balance "/"
- # or everything in the site.
- ProxyPass /balancer-manager !
- ProxyPass / balancer://mycluster/
-
- ProxyPassReverse / balancer://mycluster/
-
-
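Review bot: The `SSLOpenSSLConfCmd DHParameters` line is now commented out while the `SSLCipherSuite` line still offers DHE suites, so the DH group used by this example depends on the mod_ssl/OpenSSL defaults of the installed version rather than on this file. If the directive is meant to be optional, the comment should say when it applies, e.g. `# needs Apache 2.4.8+ with OpenSSL 1.0.2+; generate the file as described in apache-diffie-hellman`. The same block keeps `SSLProtocol all -SSLv2 -SSLv3`, which leaves TLS 1.0 and 1.1 enabled, and the cipher list still includes `DES-CBC3-SHA`; since this page is now the single Apache example, consider `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and dropping the 3DES entry. A one-line comment next to `SSLCertificateKeyFile` that the key must be readable only by root would also help readers who copy the paths as given. The hunk starts inside the virtual-host block, so its opening lines are not visible here.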
diff --git a/docs/admin/apache-config.rst b/docs/admin/apache-config.rst
--- a/docs/admin/apache-config.rst
+++ b/docs/admin/apache-config.rst
@@ -9,7 +9,6 @@ the information in the following section
.. toctree::
apache-diffie-hellman
- apache-conf-examples
+ apache-conf-example
apache-subdirectory
- apache-reverse-proxy
apache-wsgi-coding
diff --git a/docs/admin/apache-reverse-proxy.rst b/docs/admin/apache-reverse-proxy.rst
deleted file mode 100644
--- a/docs/admin/apache-reverse-proxy.rst
+++ /dev/null
@@ -1,33 +0,0 @@
-Apache Reverse Proxy
-^^^^^^^^^^^^^^^^^^^^
-
-Here is a sample configuration file for using Apache as a reverse proxy.
-
-.. code-block:: apache
-
-
- ServerName hg.myserver.com
- ServerAlias hg.myserver.com
-
- ## uncomment to serve static files by Apache
- ## ProxyPass /_static/rhodecode !
- ## Alias /_static/rhodecode /path/to/.rccontrol/enterprise-1/static
-
-
- Order allow,deny
- Allow from all
-
-
- ## Important !
- ## Directive to properly generate url (clone url) for pylons
- ProxyPreserveHost On
-
- ## RhodeCode instance running
- ProxyPass / http://127.0.0.1:10002/
- ProxyPassReverse / http://127.0.0.1:10002/
-
- ## to enable https use line below
- #SetEnvIf X-Url-Scheme https HTTPS=1
-
-
-
diff --git a/docs/admin/apache-subdirectory.rst b/docs/admin/apache-subdirectory.rst
--- a/docs/admin/apache-subdirectory.rst
+++ b/docs/admin/apache-subdirectory.rst
@@ -7,7 +7,8 @@ Use the following example to configure A
.. code-block:: apache
- / # Change into your chosen prefix
+ # Change someprefix into your chosen prefix
+
ProxyPreserveHost On
ProxyPass "http://127.0.0.1:5000/"
ProxyPassReverse "http://127.0.0.1:5000/"
diff --git a/docs/admin/nginx-config-example.rst b/docs/admin/nginx-config-example.rst
--- a/docs/admin/nginx-config-example.rst
+++ b/docs/admin/nginx-config-example.rst
@@ -3,6 +3,7 @@ Nginx Configuration Example
Use the following example to configure Nginx as a your web server.
+
.. code-block:: nginx
log_format log_custom '$remote_addr - $remote_user [$time_local] '
@@ -10,8 +11,10 @@ Use the following example to configure N
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe';
+ ## define upstream (local RhodeCode instance) to connect to
upstream rc {
-
+ # Url to running RhodeCode instance.
+ # This is shown as `- URL:` in output from rccontrol status.
server 127.0.0.1:10002;
# add more instances for load balancing
@@ -19,8 +22,17 @@ Use the following example to configure N
# server 127.0.0.1:10004;
}
- ## gist alias server, for serving nicer GIST urls
+ ## HTTP to HTTPS rewrite
+ server {
+ listen 80;
+ server_name rhodecode.myserver.com;
+ if ($http_host = rhodecode.myserver.com) {
+ rewrite (.*) https://rhodecode.myserver.com$1 permanent;
+ }
+ }
+
+ ## Optional gist alias server, for serving nicer GIST urls.
server {
listen 443;
server_name gist.myserver.com;
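Review bot: The port-80 server block only redirects when `$http_host` equals `rhodecode.myserver.com`, so a request that reaches this block with any other Host value (for example when it is the default server for the listener) falls through the `if` and is answered over plain HTTP. An unconditional redirect is simpler and avoids `if` with `rewrite`: `return 301 https://rhodecode.myserver.com$request_uri;`. The gist server block that follows continues outside this hunk.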
@@ -37,6 +49,7 @@ Use the following example to configure N
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ # strict http prevents from https -> http downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
@@ -46,15 +59,6 @@ Use the following example to configure N
rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
}
- ## HTTP to HTTPS rewrite
- server {
- listen 80;
- server_name rhodecode.myserver.com;
-
- if ($http_host = rhodecode.myserver.com) {
- rewrite (.*) https://rhodecode.myserver.com$1 permanent;
- }
- }
## MAIN SSL enabled server
server {
@@ -79,14 +83,15 @@ Use the following example to configure N
include /etc/nginx/proxy.conf;
- ## serve static files by nginx, recommended
+ ## serve static files by Nginx, recommended for performance
# location /_static/rhodecode {
# alias /path/to/.rccontrol/enterprise-1/static;
# }
- ## channel stream live components
+ ## channelstream websocket handling
location /_channelstream {
rewrite /_channelstream/(.*) /$1 break;
+
proxy_pass http://127.0.0.1:9800;
proxy_connect_timeout 10;
diff --git a/docs/admin/nginx-config.rst b/docs/admin/nginx-config.rst
--- a/docs/admin/nginx-config.rst
+++ b/docs/admin/nginx-config.rst
@@ -1,7 +1,7 @@
.. _nginx-ws-ref:
-Nginx Configuration
-===================
+Nginx HTTP Server Configuration
+-------------------------------
To set up your Nginx Web Server for optimal performance and security, use
the information in the following sections.