docs: added 502 page instructions for nginx and apache
marcink -
r2145:9fb0230b default
@@ -1,99 +1,103 b''
1 1 .. _apache-conf-eg:
2 2
3 3 Apache Configuration Example
4 4 ----------------------------
5 5
6 6 Use the following example to configure Apache as a your web server.
7 7 Below config if for an Apache Reverse Proxy configuration.
8 8
9 9 .. note::
10 10
11 11 Apache requires the following modules to be enabled. Below is an example
12 12 how to enable them on Ubuntu Server
13 13
14 14
15 15 .. code-block:: bash
16 16
17 17 $ sudo a2enmod proxy
18 18 $ sudo a2enmod proxy_http
19 19 $ sudo a2enmod proxy_balancer
20 20 $ sudo a2enmod headers
21 21 $ sudo a2enmod ssl
22 22 $ sudo a2enmod rewrite
23 23
24 24 # requires Apache 2.4+, required to handle websockets/channelstream
25 25 $ sudo a2enmod proxy_wstunnel
26 26
27 27
28 28 .. code-block:: apache
29 29
30 30 ## HTTP to HTTPS rewrite
31 31 <VirtualHost *:80>
32 32 ServerName rhodecode.myserver.com
33 33 DocumentRoot /var/www/html
34 34 Redirect permanent / https://rhodecode.myserver.com/
35 35 </VirtualHost>
36 36
37 37 ## MAIN SSL enabled server
38 38 <VirtualHost *:443>
39 39
40 40 ServerName rhodecode.myserver.com
41 41 ServerAlias rhodecode.myserver.com
42 42
43 43 ## Skip ProxyPass the _static to backend server
44 44 #ProxyPass /_static !
45 45
46 46 ## serve static files by Apache, recommended for performance
47 47 #Alias /_static/rhodecode /home/ubuntu/.rccontrol/community-1/static
48 48
49 49 ## Allow Apache to access the static files in this directory
50 50 #<Directory /home/ubuntu/.rccontrol/community-1/static/>
51 51 # AllowOverride none
52 52 # Require all granted
53 53 #</Directory>
54 54
55 55 RequestHeader set X-Forwarded-Proto "https"
56 56
57 57 ## channelstream websocket handling
58 58 ProxyPass /_channelstream ws://localhost:9800
59 59 ProxyPassReverse /_channelstream ws://localhost:9800
60 60
61 61 <Proxy *>
62 62 Order allow,deny
63 63 Allow from all
64 64 </Proxy>
65 65
66 66 # Directive to properly generate url (clone url) for RhodeCode
67 67 ProxyPreserveHost On
68 68
69 69 # Url to running RhodeCode instance. This is shown as `- URL:` when
70 70 # running rccontrol status.
71 71 ProxyPass / http://127.0.0.1:10002/ timeout=7200 Keepalive=On
72 72 ProxyPassReverse / http://127.0.0.1:10002/
73 73
74 74 # Increase headers for large Mercurial headers
75 75 LimitRequestLine 16380
76 76
77 77 # strict http prevents from https -> http downgrade
78 78 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
79 79
80 80 # Set x-frame options
81 81 Header always append X-Frame-Options SAMEORIGIN
82 82
83 83 # To enable https use line below
84 84 # SetEnvIf X-Url-Scheme https HTTPS=1
85 85
86 86 # SSL setup
87 87 SSLEngine On
88 88 SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem
89 89 SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key
90 90
91 91 SSLProtocol all -SSLv2 -SSLv3
92 92 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
93 93 SSLHonorCipherOrder on
94 94
95 95 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
96 96 #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"
97 97
98 ## custom 502 error page. Will be displayed while RhodeCode server
99 ## is turned off
100 ErrorDocument 502 /path/to/.rccontrol/enterprise-1/static/502.html
101
98 102 </VirtualHost>
99 103
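Review bot: The added `ErrorDocument 502 /path/to/.rccontrol/enterprise-1/static/502.html` (new lines 98-100) passes a filesystem path, but Apache treats a leading-slash argument to ErrorDocument as a URL-path on this virtual host, not a file on disk. With `ProxyPass /` at line 71 forwarding every path, that URL would itself be sent to the backend that is down, so the custom page is unlikely to be served as written. A working form maps the file to a local URL and excludes it from proxying, placed above the `ProxyPass /` line: `Alias /502.html /path/to/.rccontrol/enterprise-1/static/502.html`, `ProxyPass /502.html !`, `ErrorDocument 502 /502.html`. Apache also needs read access to that file, so the example should include a `Require all granted` Directory block like the commented one at lines 49-53, scoped to the static directory only.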
@@ -1,135 +1,136 b''
1 1 Nginx Configuration Example
2 2 ---------------------------
3 3
4 4 Use the following example to configure Nginx as a your web server.
5 5
6 6
7 7 .. code-block:: nginx
8 8
9 9 ## rate limiter for certain pages to prevent brute force attacks
10 10 limit_req_zone $binary_remote_addr zone=dl_limit:10m rate=1r/s;
11 11
12 12 ## custom log format
13 13 log_format log_custom '$remote_addr - $remote_user [$time_local] '
14 14 '"$request" $status $body_bytes_sent '
15 15 '"$http_referer" "$http_user_agent" '
16 16 '$request_time $upstream_response_time $pipe';
17 17
18 18 ## define upstream (local RhodeCode instance) to connect to
19 19 upstream rc {
20 20 # Url to running RhodeCode instance.
21 21 # This is shown as `- URL:` in output from rccontrol status.
22 22 server 127.0.0.1:10002;
23 23
24 24 # add more instances for load balancing
25 25 # server 127.0.0.1:10003;
26 26 # server 127.0.0.1:10004;
27 27 }
28 28
29 29 ## HTTP to HTTPS rewrite
30 30 server {
31 31 listen 80;
32 32 server_name rhodecode.myserver.com;
33 33
34 34 if ($http_host = rhodecode.myserver.com) {
35 35 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
36 36 }
37 37 }
38 38
39 39 ## Optional gist alias server, for serving nicer GIST urls.
40 40 server {
41 41 listen 443;
42 42 server_name gist.myserver.com;
43 43 access_log /var/log/nginx/gist.access.log log_custom;
44 44 error_log /var/log/nginx/gist.error.log;
45 45
46 46 ssl on;
47 47 ssl_certificate gist.rhodecode.myserver.com.crt;
48 48 ssl_certificate_key gist.rhodecode.myserver.com.key;
49 49
50 50 ssl_session_timeout 5m;
51 51
52 52 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
53 53 ssl_prefer_server_ciphers on;
54 54 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
55 55
56 56 # strict http prevents from https -> http downgrade
57 57 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
58 58
59 59 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
60 60 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
61 61
62 62 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
63 63 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
64 64 }
65 65
66 66
67 67 ## MAIN SSL enabled server
68 68 server {
69 69 listen 443 ssl;
70 70 server_name rhodecode.myserver.com;
71 71
72 72 access_log /var/log/nginx/rhodecode.access.log log_custom;
73 73 error_log /var/log/nginx/rhodecode.error.log;
74 74
75 75 ssl on;
76 76 ssl_certificate rhodecode.myserver.com.crt;
77 77 ssl_certificate_key rhodecode.myserver.com.key;
78 78
79 79 ssl_session_timeout 5m;
80 80
81 81 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
82 82 ssl_prefer_server_ciphers on;
83 83 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
84 84
85 85 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
86 86 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
87 87
88 88 include /etc/nginx/proxy.conf;
89 89
90 90 ## serve static files by Nginx, recommended for performance
91 91 # location /_static/rhodecode {
92 92 # alias /path/to/.rccontrol/enterprise-1/static;
93 93 # }
94 94
95 95 ## channelstream websocket handling
96 96 location /_channelstream {
97 97 rewrite /_channelstream/(.*) /$1 break;
98 98
99 99 proxy_pass http://127.0.0.1:9800;
100 100
101 101 proxy_connect_timeout 10;
102 102 proxy_send_timeout 10m;
103 103 proxy_read_timeout 10m;
104 104 tcp_nodelay off;
105 105 proxy_set_header Host $host;
106 106 proxy_set_header X-Real-IP $remote_addr;
107 107 proxy_set_header X-Url-Scheme $scheme;
108 108 proxy_set_header X-Forwarded-Proto $scheme;
109 109 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
110 110 gzip off;
111 111 proxy_http_version 1.1;
112 112 proxy_set_header Upgrade $http_upgrade;
113 113 proxy_set_header Connection "upgrade";
114 114 }
115 115
116 116 location /_admin/login {
117 117 ## rate limit this endpoint
118 118 limit_req zone=dl_limit burst=10 nodelay;
119 119 try_files $uri @rhode;
120 120 }
121 121
122 122 location / {
123 123 try_files $uri @rhode;
124 124 }
125 125
126 126 location @rhode {
127 127 proxy_pass http://rc;
128 128 }
129 129
130 ## custom 502 error page
130 ## custom 502 error page. Will be displayed while RhodeCode server
131 ## is turned off
131 132 error_page 502 /502.html;
132 133 location = /502.html {
133 134 root /path/to/.rccontrol/enterprise-1/static;
134 135 }
135 136 } No newline at end of file