docs: updated configuration for nginx and reverse proxy.
marcink -
r3341:6387bcda stable
@@ -6,16 +6,16 b' Use the following example to configure N'
6
6
7 .. code-block:: nginx
7 .. code-block:: nginx
8
8
9 ## rate limiter for certain pages to prevent brute force attacks
9 ## Rate limiter for certain pages to prevent brute force attacks
10 limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r/s;
10 limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r/s;
11
11
12 ## custom log format
12 ## Custom log format
13 log_format log_custom '$remote_addr - $remote_user [$time_local] '
13 log_format log_custom '$remote_addr - $remote_user [$time_local] '
14 '"$request" $status $body_bytes_sent '
14 '"$request" $status $body_bytes_sent '
15 '"$http_referer" "$http_user_agent" '
15 '"$http_referer" "$http_user_agent" '
16 '$request_time $upstream_response_time $pipe';
16 '$request_time $upstream_response_time $pipe';
17
17
18 ## define upstream (local RhodeCode instance) to connect to
18 ## Define one or more upstreams (local RhodeCode instance) to connect to
19 upstream rc {
19 upstream rc {
20 # Url to running RhodeCode instance.
20 # Url to running RhodeCode instance.
21 # This is shown as `- URL: <host>` in output from rccontrol status.
21 # This is shown as `- URL: <host>` in output from rccontrol status.
@@ -53,10 +53,10 b' Use the following example to configure N'
53 ssl_prefer_server_ciphers on;
53 ssl_prefer_server_ciphers on;
54 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
54 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
55
55
56 # strict http prevents from https -> http downgrade
56 ## Strict http prevents from https -> http downgrade
57 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
57 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
58
58
59 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
59 ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
60 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
60 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
61
61
62 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
62 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
@@ -66,27 +66,37 b' Use the following example to configure N'
66
66
67 ## MAIN SSL enabled server
67 ## MAIN SSL enabled server
68 server {
68 server {
69 listen 443 ssl;
69 listen 443 ssl http2;
70 server_name rhodecode.myserver.com;
70 server_name rhodecode.myserver.com;
71
71
72 access_log /var/log/nginx/rhodecode.access.log log_custom;
72 access_log /var/log/nginx/rhodecode.access.log log_custom;
73 error_log /var/log/nginx/rhodecode.error.log;
73 error_log /var/log/nginx/rhodecode.error.log;
74
74
75 ssl on;
76 ssl_certificate rhodecode.myserver.com.crt;
75 ssl_certificate rhodecode.myserver.com.crt;
77 ssl_certificate_key rhodecode.myserver.com.key;
76 ssl_certificate_key rhodecode.myserver.com.key;
78
77
78 # enable session resumption to improve https performance
79 # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
80 ssl_session_cache shared:SSL:50m;
79 ssl_session_timeout 5m;
81 ssl_session_timeout 5m;
80
82
81 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
83 ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
82 ssl_prefer_server_ciphers on;
83 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
84
85 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
86 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
84 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
87
85
88 # example of proxy.conf can be found in our docs.
86 # enables server-side protection from BEAST attacks
89 include /etc/nginx/proxy.conf;
87 # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
88 ssl_prefer_server_ciphers on;
89
90 # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
91 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
92
93 # ciphers chosen for forward secrecy and compatibility
94 # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
95 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
96
97 client_body_buffer_size 128k;
98 # maximum number and size of buffers for large headers to read from client request
99 large_client_header_buffers 16 256k;
90
100
91 ## uncomment to serve static files by Nginx, recommended for performance
101 ## uncomment to serve static files by Nginx, recommended for performance
92 # location /_static/rhodecode {
102 # location /_static/rhodecode {
@@ -101,43 +111,48 b' Use the following example to configure N'
101 # alias /path/to/.rccontrol/enterprise-1/static;
111 # alias /path/to/.rccontrol/enterprise-1/static;
102 # }
112 # }
103
113
104 ## channelstream websocket handling
114 ## channelstream location handler, if channelstream live chat and notifications
115 ## are enable this will proxy the requests to channelstream websocket server
105 location /_channelstream {
116 location /_channelstream {
106 rewrite /_channelstream/(.*) /$1 break;
117 rewrite /_channelstream/(.*) /$1 break;
107
118 gzip off;
108 proxy_pass http://127.0.0.1:9800;
119 tcp_nodelay off;
109
120
110 proxy_connect_timeout 10;
121 proxy_connect_timeout 10;
111 proxy_send_timeout 10m;
122 proxy_send_timeout 10m;
112 proxy_read_timeout 10m;
123 proxy_read_timeout 10m;
113 tcp_nodelay off;
124
114 proxy_set_header Host $host;
125 proxy_set_header Host $host;
115 proxy_set_header X-Real-IP $remote_addr;
126 proxy_set_header X-Real-IP $remote_addr;
116 proxy_set_header X-Url-Scheme $scheme;
127 proxy_set_header X-Url-Scheme $scheme;
117 proxy_set_header X-Forwarded-Proto $scheme;
128 proxy_set_header X-Forwarded-Proto $scheme;
118 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
129 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
119 gzip off;
130
120 proxy_http_version 1.1;
131 proxy_http_version 1.1;
121 proxy_set_header Upgrade $http_upgrade;
132 proxy_set_header Upgrade $http_upgrade;
122 proxy_set_header Connection "upgrade";
133 proxy_set_header Connection "upgrade";
134
135 proxy_pass http://127.0.0.1:9800;
123 }
136 }
124
137
125 ## rate limit this endpoint to prevent login page brute-force attacks
138 ## rate limit this endpoint to prevent login page brute-force attacks
126 location /_admin/login {
139 location /_admin/login {
127 limit_req zone=req_limit burst=10 nodelay;
140 limit_req zone=req_limit burst=10 nodelay;
128 try_files $uri @rhode;
141 try_files $uri @rhodecode_http;
129 }
142 }
130
143
131 location / {
144 location / {
132 try_files $uri @rhode;
145 try_files $uri @rhodecode_http;
133 }
146 }
134
147
135 location @rhode {
148 location @rhodecode_http {
136 proxy_pass http://rc;
149 # example of proxy.conf can be found in our docs.
150 include /etc/nginx/proxy.conf;
151 proxy_pass http://rc;
137 }
152 }
138
153
139 ## custom 502 error page. Will be displayed while RhodeCode server
154 ## Custom 502 error page.
140 ## is turned off
155 ## Will be displayed while RhodeCode server is turned off
141 error_page 502 /502.html;
156 error_page 502 /502.html;
142 location = /502.html {
157 location = /502.html {
143 #root /path/to/.rccontrol/community-1/static;
158 #root /path/to/.rccontrol/community-1/static;
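Review bot: The rewritten main `server` block (the `listen 443 ssl http2;` hunk) still sets `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and a cipher string that explicitly keeps 3DES (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA` — `!DES` excludes only single DES) plus a `HIGH` catch-all that can admit suites the explicit list was written to avoid. Since HTTP/2 over TLS already requires TLS 1.2, the older protocol versions only serve legacy HTTP/1.1 clients while exposing them to the downgrade and CBC/64-bit-block weaknesses the surrounding comments allude to, and this is an example readers copy verbatim. I would change the two lines to `ssl_protocols TLSv1.2;` and append `:!3DES` to the `ssl_ciphers` value (or drop the three CBC3 entries), with a note that TLS 1.3 can be added once the nginx/OpenSSL build supports it. The comment `## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits` now appears twice in this block (once above the session cache lines, once above `#ssl_dhparam`); the first copy should go. The `server { … }` block opened in this hunk closes outside it.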
@@ -12,23 +12,36 b' timeout during large pushes.'
12 proxy_redirect off;
12 proxy_redirect off;
13 proxy_set_header Host $http_host;
13 proxy_set_header Host $http_host;
14
14
15 ## If you use HTTPS make sure you disable gzip compression
16 ## to be safe against BREACH attack.
17 gzip off;
18
19 # Don't buffer requests in NGINX stream them using chunked-encoding
20 proxy_buffering off;
21
22 ## This is also required for later GIT to use streaming.
23 ## Works only for Nginx 1.7.11 and newer
24 proxy_request_buffering off;
25 proxy_http_version 1.1;
26
27 ## Set this to a larger number if you experience timeouts
28 ## or 413 Request Entity Too Large, 10GB is enough for most cases
29 client_max_body_size 10240m;
30
15 ## needed for container auth
31 ## needed for container auth
16 # proxy_set_header REMOTE_USER $remote_user;
32 # proxy_set_header REMOTE_USER $remote_user;
17 # proxy_set_header X-Forwarded-User $remote_user;
33 # proxy_set_header X-Forwarded-User $remote_user;
18
34
19 proxy_set_header X-Url-Scheme $scheme;
35 proxy_set_header X-Url-Scheme $scheme;
20 proxy_set_header X-Host $http_host;
36 proxy_set_header X-Host $http_host;
21 proxy_set_header X-Real-IP $remote_addr;
37 proxy_set_header X-Real-IP $remote_addr;
22 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
38 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
23 proxy_set_header Proxy-host $proxy_host;
39 proxy_set_header Proxy-host $proxy_host;
24 proxy_buffering off;
40
25 proxy_connect_timeout 7200;
41 proxy_connect_timeout 7200;
26 proxy_send_timeout 7200;
42 proxy_send_timeout 7200;
27 proxy_read_timeout 7200;
43 proxy_read_timeout 7200;
28 proxy_buffers 8 32k;
44 proxy_buffers 8 32k;
29 # Set this to a larger number if you experience timeouts
45
30 client_max_body_size 1024m;
31 client_body_buffer_size 128k;
32 large_client_header_buffers 8 64k;
33 add_header X-Frame-Options SAMEORIGIN;
46 add_header X-Frame-Options SAMEORIGIN;
34 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
47 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
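Review bot: The new `client_max_body_size 10240m;` together with `proxy_request_buffering off;` applies to every request that reaches the `@rhodecode_http` include, including the rate-limited `/_admin/login` location, so an unauthenticated client can stream up to 10 GB per request straight to the application — `limit_req` bounds requests per second, not bytes. Consider keeping the large limit only for repository push paths and overriding it in the login location (`client_max_body_size 1m;` inside `location /_admin/login { … }`); which location's limit wins after the `try_files` redirect to the named location should be verified on the target nginx version. The comment `## Works only for Nginx 1.7.11 and newer` is accurate for `proxy_request_buffering`; it is worth adding that with request buffering off nginx cannot replay the body to another upstream on failure. The snippet's opening lines are outside the hunk.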