Show More
| @@ -1,90 +1,99 b'' | |||||
| 1 | .. _apache-conf-eg: |
|
1 | .. _apache-conf-eg: | |
| 2 |
|
2 | |||
| 3 | Apache Configuration Example |
|
3 | Apache Configuration Example | |
| 4 | ---------------------------- |
|
4 | ---------------------------- | |
| 5 |
|
5 | |||
| 6 | Use the following example to configure Apache as a your web server. |
|
6 | Use the following example to configure Apache as a your web server. | |
| 7 | Below config if for an Apache Reverse Proxy configuration. |
|
7 | Below config if for an Apache Reverse Proxy configuration. | |
| 8 |
|
8 | |||
| 9 | .. note:: |
|
9 | .. note:: | |
| 10 |
|
10 | |||
| 11 | Apache requires the following modules to be enabled. Below is an example |
|
11 | Apache requires the following modules to be enabled. Below is an example | |
| 12 | how to enable them on Ubuntu Server |
|
12 | how to enable them on Ubuntu Server | |
| 13 |
|
13 | |||
| 14 |
|
14 | |||
| 15 | .. code-block:: bash |
|
15 | .. code-block:: bash | |
| 16 |
|
16 | |||
| 17 | $ sudo a2enmod proxy |
|
17 | $ sudo a2enmod proxy | |
| 18 | $ sudo a2enmod proxy_http |
|
18 | $ sudo a2enmod proxy_http | |
| 19 | $ sudo a2enmod proxy_balancer |
|
19 | $ sudo a2enmod proxy_balancer | |
| 20 | $ sudo a2enmod headers |
|
20 | $ sudo a2enmod headers | |
| 21 | $ sudo a2enmod ssl |
|
21 | $ sudo a2enmod ssl | |
| 22 | $ sudo a2enmod rewrite |
|
22 | $ sudo a2enmod rewrite | |
| 23 |
|
23 | |||
| 24 | # requires Apache 2.4+, required to handle websockets/channelstream |
|
24 | # requires Apache 2.4+, required to handle websockets/channelstream | |
| 25 | $ sudo a2enmod proxy_wstunnel |
|
25 | $ sudo a2enmod proxy_wstunnel | |
| 26 |
|
26 | |||
| 27 |
|
27 | |||
| 28 | .. code-block:: apache |
|
28 | .. code-block:: apache | |
| 29 |
|
29 | |||
| 30 | ## HTTP to HTTPS rewrite |
|
30 | ## HTTP to HTTPS rewrite | |
| 31 | <VirtualHost *:80> |
|
31 | <VirtualHost *:80> | |
| 32 | ServerName rhodecode.myserver.com |
|
32 | ServerName rhodecode.myserver.com | |
| 33 | DocumentRoot /var/www/html |
|
33 | DocumentRoot /var/www/html | |
| 34 | Redirect permanent / https://rhodecode.myserver.com/ |
|
34 | Redirect permanent / https://rhodecode.myserver.com/ | |
| 35 | </VirtualHost> |
|
35 | </VirtualHost> | |
| 36 |
|
36 | |||
| 37 | ## MAIN SSL enabled server |
|
37 | ## MAIN SSL enabled server | |
| 38 | <VirtualHost *:443> |
|
38 | <VirtualHost *:443> | |
| 39 |
|
39 | |||
| 40 | ServerName rhodecode.myserver.com |
|
40 | ServerName rhodecode.myserver.com | |
| 41 | ServerAlias rhodecode.myserver.com |
|
41 | ServerAlias rhodecode.myserver.com | |
| 42 |
|
42 | |||
|
|
43 | ## Skip ProxyPass the _static to backend server | |||
|
|
44 | #ProxyPass /_static ! | |||
|
|
45 | ||||
| 43 | ## serve static files by Apache, recommended for performance |
|
46 | ## serve static files by Apache, recommended for performance | |
| 44 | #Alias /_static /home/ubuntu/.rccontrol/community-1/static |
|
47 | #Alias /_static/rhodecode /home/ubuntu/.rccontrol/community-1/static | |
|
|
48 | ||||
|
|
49 | ## Allow Apache to access the static files in this directory | |||
|
|
50 | #<Directory /home/ubuntu/.rccontrol/community-1/static/> | |||
|
|
51 | # AllowOverride none | |||
|
|
52 | # Require all granted | |||
|
|
53 | #</Directory> | |||
| 45 |
|
54 | |||
| 46 | RequestHeader set X-Forwarded-Proto "https" |
|
55 | RequestHeader set X-Forwarded-Proto "https" | |
| 47 |
|
56 | |||
| 48 | ## channelstream websocket handling |
|
57 | ## channelstream websocket handling | |
| 49 | ProxyPass /_channelstream ws://localhost:9800 |
|
58 | ProxyPass /_channelstream ws://localhost:9800 | |
| 50 | ProxyPassReverse /_channelstream ws://localhost:9800 |
|
59 | ProxyPassReverse /_channelstream ws://localhost:9800 | |
| 51 |
|
60 | |||
| 52 | <Proxy *> |
|
61 | <Proxy *> | |
| 53 | Order allow,deny |
|
62 | Order allow,deny | |
| 54 | Allow from all |
|
63 | Allow from all | |
| 55 | </Proxy> |
|
64 | </Proxy> | |
| 56 |
|
65 | |||
| 57 | # Directive to properly generate url (clone url) for RhodeCode |
|
66 | # Directive to properly generate url (clone url) for RhodeCode | |
| 58 | ProxyPreserveHost On |
|
67 | ProxyPreserveHost On | |
| 59 |
|
68 | |||
| 60 | # Url to running RhodeCode instance. This is shown as `- URL:` when |
|
69 | # Url to running RhodeCode instance. This is shown as `- URL:` when | |
| 61 | # running rccontrol status. |
|
70 | # running rccontrol status. | |
| 62 | ProxyPass / http://127.0.0.1:10002/ timeout=7200 Keepalive=On |
|
71 | ProxyPass / http://127.0.0.1:10002/ timeout=7200 Keepalive=On | |
| 63 | ProxyPassReverse / http://127.0.0.1:10002/ |
|
72 | ProxyPassReverse / http://127.0.0.1:10002/ | |
| 64 |
|
73 | |||
| 65 | # Increase headers for large Mercurial headers |
|
74 | # Increase headers for large Mercurial headers | |
| 66 | LimitRequestLine 16380 |
|
75 | LimitRequestLine 16380 | |
| 67 |
|
76 | |||
| 68 | # strict http prevents from https -> http downgrade |
|
77 | # strict http prevents from https -> http downgrade | |
| 69 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" |
|
78 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" | |
| 70 |
|
79 | |||
| 71 | # Set x-frame options |
|
80 | # Set x-frame options | |
| 72 | Header always append X-Frame-Options SAMEORIGIN |
|
81 | Header always append X-Frame-Options SAMEORIGIN | |
| 73 |
|
82 | |||
| 74 | # To enable https use line below |
|
83 | # To enable https use line below | |
| 75 | # SetEnvIf X-Url-Scheme https HTTPS=1 |
|
84 | # SetEnvIf X-Url-Scheme https HTTPS=1 | |
| 76 |
|
85 | |||
| 77 | # SSL setup |
|
86 | # SSL setup | |
| 78 | SSLEngine On |
|
87 | SSLEngine On | |
| 79 | SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem |
|
88 | SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem | |
| 80 | SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key |
|
89 | SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key | |
| 81 |
|
90 | |||
| 82 | SSLProtocol all -SSLv2 -SSLv3 |
|
91 | SSLProtocol all -SSLv2 -SSLv3 | |
| 83 | SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA |
|
92 | SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA | |
| 84 | SSLHonorCipherOrder on |
|
93 | SSLHonorCipherOrder on | |
| 85 |
|
94 | |||
| 86 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits |
|
95 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
| 87 | #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem" |
|
96 | #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem" | |
| 88 |
|
97 | |||
| 89 | </VirtualHost> |
|
98 | </VirtualHost> | |
| 90 |
|
99 | |||
General Comments 0
You need to be logged in to leave comments.
Login now