docs: updated nginx/apache configurations....
marcink -
r1263:dd531307 default
@@ -1,32 +1,68
1 .. _apache-conf-eg:
1 .. _apache-conf-eg:
2
2
3 Apache Configuration Examples
3 Apache Configuration Example
4 -----------------------------
4 ----------------------------
5
6 Use the following example to configure Apache as a your web server.
7 Below config if for an Apache Reverse Proxy configuration.
8
9 .. note::
10
11 Apache requires the following modules to be enabled. Below is an example
12 how to enable them on Ubuntu Server
13
5
14
6 Use the following example to securely configure your Apache HTTP virtual hosts
15 .. code-block:: bash
7 file.
16
17 $ sudo a2enmod proxy
18 $ sudo a2enmod proxy_http
19 $ sudo a2enmod proxy_balancer
20 $ sudo a2enmod headers
21 $ sudo a2enmod ssl
22 $ sudo a2enmod rewrite
23
24 # requires Apache 2.4+, required to handle websockets/channelstream
25 $ sudo a2enmod proxy_wstunnel
26
8
27
9 .. code-block:: apache
28 .. code-block:: apache
10
29
30 ## HTTP to HTTPS rewrite
11 <VirtualHost *:80>
31 <VirtualHost *:80>
12 ServerName hg.myserver.com
32 ServerName rhodecode.myserver.com
13 ServerAlias hg.myserver.com
33 DocumentRoot /var/www/html
34 Redirect permanent / https://rhodecode.myserver.com/
35 </VirtualHost>
36
37 ## MAIN SSL enabled server
38 <VirtualHost *:443>
39
40 ServerName rhodecode.myserver.com
41 ServerAlias rhodecode.myserver.com
42
43 ## serve static files by Apache, recommended for performance
44 #Alias /_static /home/ubuntu/.rccontrol/community-1/static
45
46 RequestHeader set X-Forwarded-Proto "https"
47
48 ## channelstream websocket handling
49 ProxyPass /_channelstream ws://localhost:9800
50 ProxyPassReverse /_channelstream ws://localhost:9800
14
51
15 <Proxy *>
52 <Proxy *>
16 Order allow,deny
53 Order allow,deny
17 Allow from all
54 Allow from all
18 </Proxy>
55 </Proxy>
19
56
20 # important !
57 # Directive to properly generate url (clone url) for RhodeCode
21 # Directive to properly generate url (clone url) for pylons
22
23 ProxyPreserveHost On
58 ProxyPreserveHost On
24
59
25 #rhodecode instance
60 # Url to running RhodeCode instance. This is shown as `- URL:` when
26 ProxyPass / http://127.0.0.1:5000/
61 # running rccontrol status.
27 ProxyPassReverse / http://127.0.0.1:5000/
62 ProxyPass / http://127.0.0.1:10002/
63 ProxyPassReverse / http://127.0.0.1:10002/
28
64
29 # Set strict HTTPS
65 # strict http prevents from https -> http downgrade
30 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
66 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
31
67
32 # Set x-frame options
68 # Set x-frame options
@@ -35,80 +71,17 file.
35 # To enable https use line below
71 # To enable https use line below
36 # SetEnvIf X-Url-Scheme https HTTPS=1
72 # SetEnvIf X-Url-Scheme https HTTPS=1
37
73
38 # Secure your Diffie-hellmann deployment
74 # SSL setup
75 SSLEngine On
76 SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem
77 SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key
78
39 SSLProtocol all -SSLv2 -SSLv3
79 SSLProtocol all -SSLv2 -SSLv3
40 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
80 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
41 SSLHonorCipherOrder on
81 SSLHonorCipherOrder on
42 SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
82
83 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
84 #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"
43
85
44 </VirtualHost>
86 </VirtualHost>
45
87
46 Use the following example to configure Apache for a multi-node setup. The
47 timeout setting should be increased if you experience timeouts when working
48 with large |repos|.
49
50 .. code-block:: apache
51
52 #
53 # Timeout: The number of seconds before receives and sends time out.
54 #
55 Timeout 600
56
57 <VirtualHost *:80>
58
59 ProxyRequests off
60
61 #important !
62 #Directive to properly generate url (clone url) for pylons
63 ProxyPreserveHost On
64
65 ServerName your.rce.com
66 ServerAlias your.rce.com
67
68 <Proxy balancer://mycluster>
69 # WebHead1
70 BalancerMember http://10.58.1.171:10002 route=1
71 # WebHead2
72 BalancerMember http://10.58.1.172:10001 route=2
73
74 # Security "technically we aren't blocking
75 # anyone but this the place to make those
76 # chages
77 Order Deny,Allow
78 Deny from none
79 Allow from all
80
81 # Load Balancer Settings
82 # We will be configuring a simple Round
83 # Robin style load balancer. This means
84 # that all webheads take an equal share of
85 # of the load.
86 ProxySet stickysession=ROUTEID
87
88 </Proxy>
89
90 # balancer-manager
91 # This tool is built into the mod_proxy_balancer
92 # module and will allow you to do some simple
93 # modifications to the balanced group via a gui
94 # web interface.
95 <Location /balancer-manager>
96 SetHandler balancer-manager
97
98 # recommend locking this one down to your
99 # your office
100 Order deny,allow
101 Allow from all
102 </Location>
103
104 # Point of Balance
105 # This setting will allow to explicitly name the
106 # the location in the site that we want to be
107 # balanced, in this example we will balance "/"
108 # or everything in the site.
109 ProxyPass /balancer-manager !
110 ProxyPass / balancer://mycluster/
111
112 ProxyPassReverse / balancer://mycluster/
113
114 </VirtualHost>
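Review bot: The rewritten `<VirtualHost *:443>` example still allows TLS 1.0/1.1 and 3DES, because `SSLProtocol all -SSLv2 -SSLv3` and the `DES-CBC3-SHA` entry in `SSLCipherSuite` are carried over unchanged. The second hunk also comments out the `SSLOpenSSLConfCmd DHParameters` line while the DHE suites stay in the list. Readers tend to copy this block verbatim, so I would tighten it to `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`, drop `DES-CBC3-SHA`, and extend the comment above the DH line with `# if left commented out, DHE suites use the default DH group of the Apache/OpenSSL build`. The `<Proxy *>` block keeps the 2.2-style `Order allow,deny` / `Allow from all`, although the note at the top asks for Apache 2.4+ for `proxy_wstunnel`; on 2.4 the native form is `Require all granted`.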
@@ -9,7 +9,6 the information in the following section
9 .. toctree::
9 .. toctree::
10
10
11 apache-diffie-hellman
11 apache-diffie-hellman
12 apache-conf-examples
12 apache-conf-example
13 apache-subdirectory
13 apache-subdirectory
14 apache-reverse-proxy
15 apache-wsgi-coding
14 apache-wsgi-coding
@@ -7,7 +7,8 Use the following example to configure A
7
7
8 .. code-block:: apache
8 .. code-block:: apache
9
9
10 <Location /<someprefix>/ # Change <someprefix> into your chosen prefix
10 # Change someprefix into your chosen prefix
11 <Location /someprefix >
11 ProxyPreserveHost On
12 ProxyPreserveHost On
12 ProxyPass "http://127.0.0.1:5000/"
13 ProxyPass "http://127.0.0.1:5000/"
13 ProxyPassReverse "http://127.0.0.1:5000/"
14 ProxyPassReverse "http://127.0.0.1:5000/"
@@ -3,6 +3,7 Nginx Configuration Example
3
3
4 Use the following example to configure Nginx as a your web server.
4 Use the following example to configure Nginx as a your web server.
5
5
6
6 .. code-block:: nginx
7 .. code-block:: nginx
7
8
8 log_format log_custom '$remote_addr - $remote_user [$time_local] '
9 log_format log_custom '$remote_addr - $remote_user [$time_local] '
@@ -10,8 +11,10 Use the following example to configure N
10 '"$http_referer" "$http_user_agent" '
11 '"$http_referer" "$http_user_agent" '
11 '$request_time $upstream_response_time $pipe';
12 '$request_time $upstream_response_time $pipe';
12
13
14 ## define upstream (local RhodeCode instance) to connect to
13 upstream rc {
15 upstream rc {
14
16 # Url to running RhodeCode instance.
17 # This is shown as `- URL:` in output from rccontrol status.
15 server 127.0.0.1:10002;
18 server 127.0.0.1:10002;
16
19
17 # add more instances for load balancing
20 # add more instances for load balancing
@@ -19,8 +22,17 Use the following example to configure N
19 # server 127.0.0.1:10004;
22 # server 127.0.0.1:10004;
20 }
23 }
21
24
22 ## gist alias server, for serving nicer GIST urls
25 ## HTTP to HTTPS rewrite
26 server {
27 listen 80;
28 server_name rhodecode.myserver.com;
23
29
30 if ($http_host = rhodecode.myserver.com) {
31 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
32 }
33 }
34
35 ## Optional gist alias server, for serving nicer GIST urls.
24 server {
36 server {
25 listen 443;
37 listen 443;
26 server_name gist.myserver.com;
38 server_name gist.myserver.com;
@@ -37,6 +49,7 Use the following example to configure N
37 ssl_prefer_server_ciphers on;
49 ssl_prefer_server_ciphers on;
38 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
50 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
39
51
52 # strict http prevents from https -> http downgrade
40 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
53 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
41
54
42 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
55 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
@@ -46,15 +59,6 Use the following example to configure N
46 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
59 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
47 }
60 }
48
61
49 ## HTTP to HTTPS rewrite
50 server {
51 listen 80;
52 server_name rhodecode.myserver.com;
53
54 if ($http_host = rhodecode.myserver.com) {
55 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
56 }
57 }
58
62
59 ## MAIN SSL enabled server
63 ## MAIN SSL enabled server
60 server {
64 server {
@@ -79,14 +83,15 Use the following example to configure N
79
83
80 include /etc/nginx/proxy.conf;
84 include /etc/nginx/proxy.conf;
81
85
82 ## serve static files by nginx, recommended
86 ## serve static files by Nginx, recommended for performance
83 # location /_static/rhodecode {
87 # location /_static/rhodecode {
84 # alias /path/to/.rccontrol/enterprise-1/static;
88 # alias /path/to/.rccontrol/enterprise-1/static;
85 # }
89 # }
86
90
87 ## channel stream live components
91 ## channelstream websocket handling
88 location /_channelstream {
92 location /_channelstream {
89 rewrite /_channelstream/(.*) /$1 break;
93 rewrite /_channelstream/(.*) /$1 break;
94
90 proxy_pass http://127.0.0.1:9800;
95 proxy_pass http://127.0.0.1:9800;
91
96
92 proxy_connect_timeout 10;
97 proxy_connect_timeout 10;
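Review bot: The "HTTP to HTTPS rewrite" server block that this commit moves to the top still redirects only when `$http_host` equals `rhodecode.myserver.com`, so a port-80 request that reaches this block with any other Host value passes the `if` and is not upgraded. `server_name` already selects the block, so `return 301 https://rhodecode.myserver.com$request_uri;` in place of the `if`/`rewrite` pair would redirect unconditionally and avoid the regex capture. In the hunk that adds the "strict http" comment (it appears to sit in the gist server), `add_header Strict-Transport-Security` has no `always` and uses `max-age=31536000`, while the Apache example in the same commit uses `Header always set` with `max-age=63072000`. Adding `always` (nginx 1.7.5+) would keep the header on error responses, and the two examples should agree on one max-age. The `location /_channelstream` block in the last hunk continues outside the visible lines.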
@@ -1,7 +1,7
1 .. _nginx-ws-ref:
1 .. _nginx-ws-ref:
2
2
3 Nginx Configuration
3 Nginx HTTP Server Configuration
4 ===================
4 -------------------------------
5
5
6 To set up your Nginx Web Server for optimal performance and security, use
6 To set up your Nginx Web Server for optimal performance and security, use
7 the information in the following sections.
7 the information in the following sections.
1 NO CONTENT: file was removed
NO CONTENT: file was removed