Show More
| @@ -1,99 +1,103 b'' | |||||
| 1 | .. _apache-conf-eg: |
|
1 | .. _apache-conf-eg: | |
| 2 |
|
2 | |||
| 3 | Apache Configuration Example |
|
3 | Apache Configuration Example | |
| 4 | ---------------------------- |
|
4 | ---------------------------- | |
| 5 |
|
5 | |||
| 6 | Use the following example to configure Apache as a your web server. |
|
6 | Use the following example to configure Apache as a your web server. | |
| 7 | Below config if for an Apache Reverse Proxy configuration. |
|
7 | Below config if for an Apache Reverse Proxy configuration. | |
| 8 |
|
8 | |||
| 9 | .. note:: |
|
9 | .. note:: | |
| 10 |
|
10 | |||
| 11 | Apache requires the following modules to be enabled. Below is an example |
|
11 | Apache requires the following modules to be enabled. Below is an example | |
| 12 | how to enable them on Ubuntu Server |
|
12 | how to enable them on Ubuntu Server | |
| 13 |
|
13 | |||
| 14 |
|
14 | |||
| 15 | .. code-block:: bash |
|
15 | .. code-block:: bash | |
| 16 |
|
16 | |||
| 17 | $ sudo a2enmod proxy |
|
17 | $ sudo a2enmod proxy | |
| 18 | $ sudo a2enmod proxy_http |
|
18 | $ sudo a2enmod proxy_http | |
| 19 | $ sudo a2enmod proxy_balancer |
|
19 | $ sudo a2enmod proxy_balancer | |
| 20 | $ sudo a2enmod headers |
|
20 | $ sudo a2enmod headers | |
| 21 | $ sudo a2enmod ssl |
|
21 | $ sudo a2enmod ssl | |
| 22 | $ sudo a2enmod rewrite |
|
22 | $ sudo a2enmod rewrite | |
| 23 |
|
23 | |||
| 24 | # requires Apache 2.4+, required to handle websockets/channelstream |
|
24 | # requires Apache 2.4+, required to handle websockets/channelstream | |
| 25 | $ sudo a2enmod proxy_wstunnel |
|
25 | $ sudo a2enmod proxy_wstunnel | |
| 26 |
|
26 | |||
| 27 |
|
27 | |||
| 28 | .. code-block:: apache |
|
28 | .. code-block:: apache | |
| 29 |
|
29 | |||
| 30 | ## HTTP to HTTPS rewrite |
|
30 | ## HTTP to HTTPS rewrite | |
| 31 | <VirtualHost *:80> |
|
31 | <VirtualHost *:80> | |
| 32 | ServerName rhodecode.myserver.com |
|
32 | ServerName rhodecode.myserver.com | |
| 33 | DocumentRoot /var/www/html |
|
33 | DocumentRoot /var/www/html | |
| 34 | Redirect permanent / https://rhodecode.myserver.com/ |
|
34 | Redirect permanent / https://rhodecode.myserver.com/ | |
| 35 | </VirtualHost> |
|
35 | </VirtualHost> | |
| 36 |
|
36 | |||
| 37 | ## MAIN SSL enabled server |
|
37 | ## MAIN SSL enabled server | |
| 38 | <VirtualHost *:443> |
|
38 | <VirtualHost *:443> | |
| 39 |
|
39 | |||
| 40 | ServerName rhodecode.myserver.com |
|
40 | ServerName rhodecode.myserver.com | |
| 41 | ServerAlias rhodecode.myserver.com |
|
41 | ServerAlias rhodecode.myserver.com | |
| 42 |
|
42 | |||
| 43 | ## Skip ProxyPass the _static to backend server |
|
43 | ## Skip ProxyPass the _static to backend server | |
| 44 | #ProxyPass /_static ! |
|
44 | #ProxyPass /_static ! | |
| 45 |
|
45 | |||
| 46 | ## serve static files by Apache, recommended for performance |
|
46 | ## serve static files by Apache, recommended for performance | |
| 47 | #Alias /_static/rhodecode /home/ubuntu/.rccontrol/community-1/static |
|
47 | #Alias /_static/rhodecode /home/ubuntu/.rccontrol/community-1/static | |
| 48 |
|
48 | |||
| 49 | ## Allow Apache to access the static files in this directory |
|
49 | ## Allow Apache to access the static files in this directory | |
| 50 | #<Directory /home/ubuntu/.rccontrol/community-1/static/> |
|
50 | #<Directory /home/ubuntu/.rccontrol/community-1/static/> | |
| 51 | # AllowOverride none |
|
51 | # AllowOverride none | |
| 52 | # Require all granted |
|
52 | # Require all granted | |
| 53 | #</Directory> |
|
53 | #</Directory> | |
| 54 |
|
54 | |||
| 55 | RequestHeader set X-Forwarded-Proto "https" |
|
55 | RequestHeader set X-Forwarded-Proto "https" | |
| 56 |
|
56 | |||
| 57 | ## channelstream websocket handling |
|
57 | ## channelstream websocket handling | |
| 58 | ProxyPass /_channelstream ws://localhost:9800 |
|
58 | ProxyPass /_channelstream ws://localhost:9800 | |
| 59 | ProxyPassReverse /_channelstream ws://localhost:9800 |
|
59 | ProxyPassReverse /_channelstream ws://localhost:9800 | |
| 60 |
|
60 | |||
| 61 | <Proxy *> |
|
61 | <Proxy *> | |
| 62 | Order allow,deny |
|
62 | Order allow,deny | |
| 63 | Allow from all |
|
63 | Allow from all | |
| 64 | </Proxy> |
|
64 | </Proxy> | |
| 65 |
|
65 | |||
| 66 | # Directive to properly generate url (clone url) for RhodeCode |
|
66 | # Directive to properly generate url (clone url) for RhodeCode | |
| 67 | ProxyPreserveHost On |
|
67 | ProxyPreserveHost On | |
| 68 |
|
68 | |||
| 69 | # Url to running RhodeCode instance. This is shown as `- URL:` when |
|
69 | # Url to running RhodeCode instance. This is shown as `- URL:` when | |
| 70 | # running rccontrol status. |
|
70 | # running rccontrol status. | |
| 71 | ProxyPass / http://127.0.0.1:10002/ timeout=7200 Keepalive=On |
|
71 | ProxyPass / http://127.0.0.1:10002/ timeout=7200 Keepalive=On | |
| 72 | ProxyPassReverse / http://127.0.0.1:10002/ |
|
72 | ProxyPassReverse / http://127.0.0.1:10002/ | |
| 73 |
|
73 | |||
| 74 | # Increase headers for large Mercurial headers |
|
74 | # Increase headers for large Mercurial headers | |
| 75 | LimitRequestLine 16380 |
|
75 | LimitRequestLine 16380 | |
| 76 |
|
76 | |||
| 77 | # strict http prevents from https -> http downgrade |
|
77 | # strict http prevents from https -> http downgrade | |
| 78 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" |
|
78 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" | |
| 79 |
|
79 | |||
| 80 | # Set x-frame options |
|
80 | # Set x-frame options | |
| 81 | Header always append X-Frame-Options SAMEORIGIN |
|
81 | Header always append X-Frame-Options SAMEORIGIN | |
| 82 |
|
82 | |||
| 83 | # To enable https use line below |
|
83 | # To enable https use line below | |
| 84 | # SetEnvIf X-Url-Scheme https HTTPS=1 |
|
84 | # SetEnvIf X-Url-Scheme https HTTPS=1 | |
| 85 |
|
85 | |||
| 86 | # SSL setup |
|
86 | # SSL setup | |
| 87 | SSLEngine On |
|
87 | SSLEngine On | |
| 88 | SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem |
|
88 | SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem | |
| 89 | SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key |
|
89 | SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key | |
| 90 |
|
90 | |||
| 91 | SSLProtocol all -SSLv2 -SSLv3 |
|
91 | SSLProtocol all -SSLv2 -SSLv3 | |
| 92 | SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA |
|
92 | SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA | |
| 93 | SSLHonorCipherOrder on |
|
93 | SSLHonorCipherOrder on | |
| 94 |
|
94 | |||
| 95 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits |
|
95 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
| 96 | #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem" |
|
96 | #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem" | |
| 97 |
|
97 | |||
|
|
98 | ## custom 502 error page. Will be displayed while RhodeCode server | |||
|
|
99 | ## is turned off | |||
|
|
100 | ErrorDocument 502 /path/to/.rccontrol/enterprise-1/static/502.html | |||
|
|
101 | ||||
| 98 | </VirtualHost> |
|
102 | </VirtualHost> | |
| 99 |
|
103 | |||
| @@ -1,135 +1,136 b'' | |||||
| 1 | Nginx Configuration Example |
|
1 | Nginx Configuration Example | |
| 2 | --------------------------- |
|
2 | --------------------------- | |
| 3 |
|
3 | |||
| 4 | Use the following example to configure Nginx as a your web server. |
|
4 | Use the following example to configure Nginx as a your web server. | |
| 5 |
|
5 | |||
| 6 |
|
6 | |||
| 7 | .. code-block:: nginx |
|
7 | .. code-block:: nginx | |
| 8 |
|
8 | |||
| 9 | ## rate limiter for certain pages to prevent brute force attacks |
|
9 | ## rate limiter for certain pages to prevent brute force attacks | |
| 10 | limit_req_zone $binary_remote_addr zone=dl_limit:10m rate=1r/s; |
|
10 | limit_req_zone $binary_remote_addr zone=dl_limit:10m rate=1r/s; | |
| 11 |
|
11 | |||
| 12 | ## custom log format |
|
12 | ## custom log format | |
| 13 | log_format log_custom '$remote_addr - $remote_user [$time_local] ' |
|
13 | log_format log_custom '$remote_addr - $remote_user [$time_local] ' | |
| 14 | '"$request" $status $body_bytes_sent ' |
|
14 | '"$request" $status $body_bytes_sent ' | |
| 15 | '"$http_referer" "$http_user_agent" ' |
|
15 | '"$http_referer" "$http_user_agent" ' | |
| 16 | '$request_time $upstream_response_time $pipe'; |
|
16 | '$request_time $upstream_response_time $pipe'; | |
| 17 |
|
17 | |||
| 18 | ## define upstream (local RhodeCode instance) to connect to |
|
18 | ## define upstream (local RhodeCode instance) to connect to | |
| 19 | upstream rc { |
|
19 | upstream rc { | |
| 20 | # Url to running RhodeCode instance. |
|
20 | # Url to running RhodeCode instance. | |
| 21 | # This is shown as `- URL:` in output from rccontrol status. |
|
21 | # This is shown as `- URL:` in output from rccontrol status. | |
| 22 | server 127.0.0.1:10002; |
|
22 | server 127.0.0.1:10002; | |
| 23 |
|
23 | |||
| 24 | # add more instances for load balancing |
|
24 | # add more instances for load balancing | |
| 25 | # server 127.0.0.1:10003; |
|
25 | # server 127.0.0.1:10003; | |
| 26 | # server 127.0.0.1:10004; |
|
26 | # server 127.0.0.1:10004; | |
| 27 | } |
|
27 | } | |
| 28 |
|
28 | |||
| 29 | ## HTTP to HTTPS rewrite |
|
29 | ## HTTP to HTTPS rewrite | |
| 30 | server { |
|
30 | server { | |
| 31 | listen 80; |
|
31 | listen 80; | |
| 32 | server_name rhodecode.myserver.com; |
|
32 | server_name rhodecode.myserver.com; | |
| 33 |
|
33 | |||
| 34 | if ($http_host = rhodecode.myserver.com) { |
|
34 | if ($http_host = rhodecode.myserver.com) { | |
| 35 | rewrite (.*) https://rhodecode.myserver.com$1 permanent; |
|
35 | rewrite (.*) https://rhodecode.myserver.com$1 permanent; | |
| 36 | } |
|
36 | } | |
| 37 | } |
|
37 | } | |
| 38 |
|
38 | |||
| 39 | ## Optional gist alias server, for serving nicer GIST urls. |
|
39 | ## Optional gist alias server, for serving nicer GIST urls. | |
| 40 | server { |
|
40 | server { | |
| 41 | listen 443; |
|
41 | listen 443; | |
| 42 | server_name gist.myserver.com; |
|
42 | server_name gist.myserver.com; | |
| 43 | access_log /var/log/nginx/gist.access.log log_custom; |
|
43 | access_log /var/log/nginx/gist.access.log log_custom; | |
| 44 | error_log /var/log/nginx/gist.error.log; |
|
44 | error_log /var/log/nginx/gist.error.log; | |
| 45 |
|
45 | |||
| 46 | ssl on; |
|
46 | ssl on; | |
| 47 | ssl_certificate gist.rhodecode.myserver.com.crt; |
|
47 | ssl_certificate gist.rhodecode.myserver.com.crt; | |
| 48 | ssl_certificate_key gist.rhodecode.myserver.com.key; |
|
48 | ssl_certificate_key gist.rhodecode.myserver.com.key; | |
| 49 |
|
49 | |||
| 50 | ssl_session_timeout 5m; |
|
50 | ssl_session_timeout 5m; | |
| 51 |
|
51 | |||
| 52 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
52 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| 53 | ssl_prefer_server_ciphers on; |
|
53 | ssl_prefer_server_ciphers on; | |
| 54 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; |
|
54 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |
| 55 |
|
55 | |||
| 56 | # strict http prevents from https -> http downgrade |
|
56 | # strict http prevents from https -> http downgrade | |
| 57 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; |
|
57 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |
| 58 |
|
58 | |||
| 59 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits |
|
59 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
| 60 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; |
|
60 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
| 61 |
|
61 | |||
| 62 | rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; |
|
62 | rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; | |
| 63 | rewrite (.*) https://rhodecode.myserver.com/_admin/gists; |
|
63 | rewrite (.*) https://rhodecode.myserver.com/_admin/gists; | |
| 64 | } |
|
64 | } | |
| 65 |
|
65 | |||
| 66 |
|
66 | |||
| 67 | ## MAIN SSL enabled server |
|
67 | ## MAIN SSL enabled server | |
| 68 | server { |
|
68 | server { | |
| 69 | listen 443 ssl; |
|
69 | listen 443 ssl; | |
| 70 | server_name rhodecode.myserver.com; |
|
70 | server_name rhodecode.myserver.com; | |
| 71 |
|
71 | |||
| 72 | access_log /var/log/nginx/rhodecode.access.log log_custom; |
|
72 | access_log /var/log/nginx/rhodecode.access.log log_custom; | |
| 73 | error_log /var/log/nginx/rhodecode.error.log; |
|
73 | error_log /var/log/nginx/rhodecode.error.log; | |
| 74 |
|
74 | |||
| 75 | ssl on; |
|
75 | ssl on; | |
| 76 | ssl_certificate rhodecode.myserver.com.crt; |
|
76 | ssl_certificate rhodecode.myserver.com.crt; | |
| 77 | ssl_certificate_key rhodecode.myserver.com.key; |
|
77 | ssl_certificate_key rhodecode.myserver.com.key; | |
| 78 |
|
78 | |||
| 79 | ssl_session_timeout 5m; |
|
79 | ssl_session_timeout 5m; | |
| 80 |
|
80 | |||
| 81 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
81 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| 82 | ssl_prefer_server_ciphers on; |
|
82 | ssl_prefer_server_ciphers on; | |
| 83 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; |
|
83 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |
| 84 |
|
84 | |||
| 85 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits |
|
85 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
| 86 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; |
|
86 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
| 87 |
|
87 | |||
| 88 | include /etc/nginx/proxy.conf; |
|
88 | include /etc/nginx/proxy.conf; | |
| 89 |
|
89 | |||
| 90 | ## serve static files by Nginx, recommended for performance |
|
90 | ## serve static files by Nginx, recommended for performance | |
| 91 | # location /_static/rhodecode { |
|
91 | # location /_static/rhodecode { | |
| 92 | # alias /path/to/.rccontrol/enterprise-1/static; |
|
92 | # alias /path/to/.rccontrol/enterprise-1/static; | |
| 93 | # } |
|
93 | # } | |
| 94 |
|
94 | |||
| 95 | ## channelstream websocket handling |
|
95 | ## channelstream websocket handling | |
| 96 | location /_channelstream { |
|
96 | location /_channelstream { | |
| 97 | rewrite /_channelstream/(.*) /$1 break; |
|
97 | rewrite /_channelstream/(.*) /$1 break; | |
| 98 |
|
98 | |||
| 99 | proxy_pass http://127.0.0.1:9800; |
|
99 | proxy_pass http://127.0.0.1:9800; | |
| 100 |
|
100 | |||
| 101 | proxy_connect_timeout 10; |
|
101 | proxy_connect_timeout 10; | |
| 102 | proxy_send_timeout 10m; |
|
102 | proxy_send_timeout 10m; | |
| 103 | proxy_read_timeout 10m; |
|
103 | proxy_read_timeout 10m; | |
| 104 | tcp_nodelay off; |
|
104 | tcp_nodelay off; | |
| 105 | proxy_set_header Host $host; |
|
105 | proxy_set_header Host $host; | |
| 106 | proxy_set_header X-Real-IP $remote_addr; |
|
106 | proxy_set_header X-Real-IP $remote_addr; | |
| 107 | proxy_set_header X-Url-Scheme $scheme; |
|
107 | proxy_set_header X-Url-Scheme $scheme; | |
| 108 | proxy_set_header X-Forwarded-Proto $scheme; |
|
108 | proxy_set_header X-Forwarded-Proto $scheme; | |
| 109 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
|
109 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| 110 | gzip off; |
|
110 | gzip off; | |
| 111 | proxy_http_version 1.1; |
|
111 | proxy_http_version 1.1; | |
| 112 | proxy_set_header Upgrade $http_upgrade; |
|
112 | proxy_set_header Upgrade $http_upgrade; | |
| 113 | proxy_set_header Connection "upgrade"; |
|
113 | proxy_set_header Connection "upgrade"; | |
| 114 | } |
|
114 | } | |
| 115 |
|
115 | |||
| 116 | location /_admin/login { |
|
116 | location /_admin/login { | |
| 117 | ## rate limit this endpoint |
|
117 | ## rate limit this endpoint | |
| 118 | limit_req zone=dl_limit burst=10 nodelay; |
|
118 | limit_req zone=dl_limit burst=10 nodelay; | |
| 119 | try_files $uri @rhode; |
|
119 | try_files $uri @rhode; | |
| 120 | } |
|
120 | } | |
| 121 |
|
121 | |||
| 122 | location / { |
|
122 | location / { | |
| 123 | try_files $uri @rhode; |
|
123 | try_files $uri @rhode; | |
| 124 | } |
|
124 | } | |
| 125 |
|
125 | |||
| 126 | location @rhode { |
|
126 | location @rhode { | |
| 127 | proxy_pass http://rc; |
|
127 | proxy_pass http://rc; | |
| 128 | } |
|
128 | } | |
| 129 |
|
129 | |||
| 130 | ## custom 502 error page |
|
130 | ## custom 502 error page. Will be displayed while RhodeCode server | |
|
|
131 | ## is turned off | |||
| 131 | error_page 502 /502.html; |
|
132 | error_page 502 /502.html; | |
| 132 | location = /502.html { |
|
133 | location = /502.html { | |
| 133 | root /path/to/.rccontrol/enterprise-1/static; |
|
134 | root /path/to/.rccontrol/enterprise-1/static; | |
| 134 | } |
|
135 | } | |
| 135 | } No newline at end of file |
|
136 | } | |
General Comments 0
You need to be logged in to leave comments.
Login now