rhodecode-enterprise-ce Commit - r3341:6387bcda

docs: updated configuration for nginx and reverse proxy.

marcink -

r3341:6387bcda stable

parent child

docs/admin/nginx-config-example.rst

0 +40 -25

              .. code-block:: nginx
-                 ## rate limiter for certain pages to prevent brute force attacks
+                 ## Rate limiter for certain pages to prevent brute force attacks
                  limit_req_zone  $binary_remote_addr  zone=req_limit:10m   rate=1r/s;
-                 ## custom log format
+                 ## Custom log format
                  log_format log_custom '$remote_addr - $remote_user [$time_local] '
                                        '"$request" $status $body_bytes_sent '
                                        '"$http_referer" "$http_user_agent" '
                                        '$request_time $upstream_response_time $pipe';
-                 ## define upstream (local RhodeCode instance) to connect to
+                 ## Define one or more upstreams (local RhodeCode instance) to connect to
                  upstream rc {
                      # Url to running RhodeCode instance.
                      # This is shown as `- URL: <host>` in output from rccontrol status.
                      ssl_prefer_server_ciphers on;
                      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-                     # strict http prevents from https -> http downgrade
+                     ## Strict http prevents from https -> http downgrade
                      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-                     # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+                     ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
                      #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
                      rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
                  ## MAIN SSL enabled server
                  server {
-                     listen       443 ssl;
+                     listen       443 ssl http2;
                      server_name  rhodecode.myserver.com;
                      access_log   /var/log/nginx/rhodecode.access.log log_custom;
                      error_log    /var/log/nginx/rhodecode.error.log;
-                     ssl on;
                      ssl_certificate     rhodecode.myserver.com.crt;
                      ssl_certificate_key rhodecode.myserver.com.key;
+                     # enable session resumption to improve https performance
+                     # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
+                     ssl_session_cache shared:SSL:50m;
                      ssl_session_timeout 5m;
-                     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-                     ssl_prefer_server_ciphers on;
-                     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-                     # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+                     ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
                      #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-                     # example of proxy.conf can be found in our docs.
-                     include     /etc/nginx/proxy.conf;
+                     # enables server-side protection from BEAST attacks
+                     # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
+                     ssl_prefer_server_ciphers on;
+                     # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
+                     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+                     # ciphers chosen for forward secrecy and compatibility
+                     # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
+                     ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+                     client_body_buffer_size     128k;
+                     # maximum number and size of buffers for large headers to read from client request
+                     large_client_header_buffers 16 256k;
                      ## uncomment to serve static files by Nginx, recommended for performance
                      # location /_static/rhodecode {
                      #    alias /path/to/.rccontrol/enterprise-1/static;
                      # }
-                     ## channelstream websocket handling
+                     ## channelstream location handler, if channelstream live chat and notifications
+                     ## are enable this will proxy the requests to channelstream websocket server
                      location /_channelstream {
                          rewrite /_channelstream/(.*) /$1 break;
-                         proxy_pass                  http://127.0.0.1:9800;
+                         gzip                         off;
+                         tcp_nodelay                  off;
                          proxy_connect_timeout        10;
                          proxy_send_timeout           10m;
                          proxy_read_timeout           10m;
-                         tcp_nodelay                  off;
                          proxy_set_header             Host $host;
                          proxy_set_header             X-Real-IP $remote_addr;
                          proxy_set_header             X-Url-Scheme $scheme;
                          proxy_set_header             X-Forwarded-Proto $scheme;
                          proxy_set_header             X-Forwarded-For $proxy_add_x_forwarded_for;
-                         gzip                         off;
                          proxy_http_version           1.1;
                          proxy_set_header Upgrade     $http_upgrade;
                          proxy_set_header Connection  "upgrade";
+                         proxy_pass                  http://127.0.0.1:9800;
                      }
                      ## rate limit this endpoint to prevent login page brute-force attacks
                      location /_admin/login {
                          limit_req  zone=req_limit  burst=10  nodelay;
-                         try_files $uri @rhode;
+                         try_files $uri @rhodecode_http;
                      }
                      location / {
-                         try_files $uri @rhode;
+                         try_files $uri @rhodecode_http;
                      }
-                     location @rhode {
-                         proxy_pass      http://rc;
+                     location @rhodecode_http {
+                         # example of proxy.conf can be found in our docs.
+                         include     /etc/nginx/proxy.conf;
+                         proxy_pass  http://rc;
                      }
-                     ## custom 502 error page. Will be displayed while RhodeCode server
-                     ## is turned off
+                     ## Custom 502 error page.
+                     ## Will be displayed while RhodeCode server is turned off
                      error_page 502 /502.html;
                      location = /502.html {
                         #root  /path/to/.rccontrol/community-1/static;

docs/admin/nginx-proxy-conf.rst

0 +20 -7

                  proxy_redirect              off;
                  proxy_set_header            Host $http_host;
+                 ## If you use HTTPS make sure you disable gzip compression
+                 ## to be safe against BREACH attack.
+                 gzip                        off;
+                 # Don't buffer requests in NGINX stream them using chunked-encoding
+                 proxy_buffering             off;
+                 ## This is also required for later GIT to use streaming.
+                 ## Works only for Nginx 1.7.11 and newer
+                 proxy_request_buffering off;
+                 proxy_http_version 1.1;
+                 ## Set this to a larger number if you experience timeouts
+                 ## or 413 Request Entity Too Large, 10GB is enough for most cases
+                 client_max_body_size        10240m;
                  ## needed for container auth
-                 # proxy_set_header            REMOTE_USER $remote_user;
-                 # proxy_set_header            X-Forwarded-User $remote_user;
+                 # proxy_set_header          REMOTE_USER $remote_user;
+                 # proxy_set_header          X-Forwarded-User $remote_user;
                  proxy_set_header            X-Url-Scheme $scheme;
                  proxy_set_header            X-Host $http_host;
                  proxy_set_header            X-Real-IP $remote_addr;
                  proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header            Proxy-host $proxy_host;
-                 proxy_buffering             off;
                  proxy_connect_timeout       7200;
                  proxy_send_timeout          7200;
                  proxy_read_timeout          7200;
                  proxy_buffers               8 32k;
-                 # Set this to a larger number if you experience timeouts
-                 client_max_body_size        1024m;
-                 client_body_buffer_size     128k;
-                 large_client_header_buffers 8 64k;
                  add_header X-Frame-Options SAMEORIGIN;
                  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages