docs: updated nginx/apache configurations....
marcink -
r1263:dd531307 default
@@ -1,114 +1,87 b''
1 1 .. _apache-conf-eg:
2 2
3 Apache Configuration Examples
4 -----------------------------
3 Apache Configuration Example
4 ----------------------------
5
6 Use the following example to configure Apache as a your web server.
7 Below config if for an Apache Reverse Proxy configuration.
8
9 .. note::
10
11 Apache requires the following modules to be enabled. Below is an example
12 how to enable them on Ubuntu Server
13
5 14
6 Use the following example to securely configure your Apache HTTP virtual hosts
7 file.
15 .. code-block:: bash
16
17 $ sudo a2enmod proxy
18 $ sudo a2enmod proxy_http
19 $ sudo a2enmod proxy_balancer
20 $ sudo a2enmod headers
21 $ sudo a2enmod ssl
22 $ sudo a2enmod rewrite
23
24 # requires Apache 2.4+, required to handle websockets/channelstream
25 $ sudo a2enmod proxy_wstunnel
26
8 27
9 28 .. code-block:: apache
10 29
30 ## HTTP to HTTPS rewrite
11 31 <VirtualHost *:80>
12 ServerName hg.myserver.com
13 ServerAlias hg.myserver.com
32 ServerName rhodecode.myserver.com
33 DocumentRoot /var/www/html
34 Redirect permanent / https://rhodecode.myserver.com/
35 </VirtualHost>
36
37 ## MAIN SSL enabled server
38 <VirtualHost *:443>
39
40 ServerName rhodecode.myserver.com
41 ServerAlias rhodecode.myserver.com
42
43 ## serve static files by Apache, recommended for performance
44 #Alias /_static /home/ubuntu/.rccontrol/community-1/static
45
46 RequestHeader set X-Forwarded-Proto "https"
47
48 ## channelstream websocket handling
49 ProxyPass /_channelstream ws://localhost:9800
50 ProxyPassReverse /_channelstream ws://localhost:9800
14 51
15 52 <Proxy *>
16 53 Order allow,deny
17 54 Allow from all
18 55 </Proxy>
19 56
20 # important !
21 # Directive to properly generate url (clone url) for pylons
22
57 # Directive to properly generate url (clone url) for RhodeCode
23 58 ProxyPreserveHost On
24 59
25 #rhodecode instance
26 ProxyPass / http://127.0.0.1:5000/
27 ProxyPassReverse / http://127.0.0.1:5000/
60 # Url to running RhodeCode instance. This is shown as `- URL:` when
61 # running rccontrol status.
62 ProxyPass / http://127.0.0.1:10002/
63 ProxyPassReverse / http://127.0.0.1:10002/
28 64
29 # Set strict HTTPS
65 # strict http prevents from https -> http downgrade
30 66 Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
31 67
32 68 # Set x-frame options
33 69 Header always append X-Frame-Options SAMEORIGIN
34 70
35 71 # To enable https use line below
36 72 # SetEnvIf X-Url-Scheme https HTTPS=1
37 73
38 # Secure your Diffie-hellmann deployment
74 # SSL setup
75 SSLEngine On
76 SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem
77 SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key
78
39 79 SSLProtocol all -SSLv2 -SSLv3
40 80 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
41 81 SSLHonorCipherOrder on
42 SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"
82
83 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
84 #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"
43 85
44 86 </VirtualHost>
45 87
46 Use the following example to configure Apache for a multi-node setup. The
47 timeout setting should be increased if you experience timeouts when working
48 with large |repos|.
49
50 .. code-block:: apache
51
52 #
53 # Timeout: The number of seconds before receives and sends time out.
54 #
55 Timeout 600
56
57 <VirtualHost *:80>
58
59 ProxyRequests off
60
61 #important !
62 #Directive to properly generate url (clone url) for pylons
63 ProxyPreserveHost On
64
65 ServerName your.rce.com
66 ServerAlias your.rce.com
67
68 <Proxy balancer://mycluster>
69 # WebHead1
70 BalancerMember http://10.58.1.171:10002 route=1
71 # WebHead2
72 BalancerMember http://10.58.1.172:10001 route=2
73
74 # Security "technically we aren't blocking
75 # anyone but this the place to make those
76 # chages
77 Order Deny,Allow
78 Deny from none
79 Allow from all
80
81 # Load Balancer Settings
82 # We will be configuring a simple Round
83 # Robin style load balancer. This means
84 # that all webheads take an equal share of
85 # of the load.
86 ProxySet stickysession=ROUTEID
87
88 </Proxy>
89
90 # balancer-manager
91 # This tool is built into the mod_proxy_balancer
92 # module and will allow you to do some simple
93 # modifications to the balanced group via a gui
94 # web interface.
95 <Location /balancer-manager>
96 SetHandler balancer-manager
97
98 # recommend locking this one down to your
99 # your office
100 Order deny,allow
101 Allow from all
102 </Location>
103
104 # Point of Balance
105 # This setting will allow to explicitly name the
106 # the location in the site that we want to be
107 # balanced, in this example we will balance "/"
108 # or everything in the site.
109 ProxyPass /balancer-manager !
110 ProxyPass / balancer://mycluster/
111
112 ProxyPassReverse / balancer://mycluster/
113
114 </VirtualHost>
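Review bot: The SSL block of the `*:443` virtual host keeps `SSLProtocol all -SSLv2 -SSLv3`, which leaves TLS 1.0 and 1.1 enabled, and `SSLCipherSuite` still lists `DES-CBC3-SHA`; since this is now the only Apache example, I would tighten it to `SSLProtocol -all +TLSv1.2` unless legacy clients must be supported. The retained `<Proxy *>` block uses the 2.2-style `Order allow,deny` / `Allow from all`, while the new note requires Apache 2.4+ for `proxy_wstunnel`. On 2.4 those directives depend on mod_access_compat, which the `a2enmod` list does not mention, so `Require all granted` would be the matching form. The `DHParameters` line is now commented out although DHE suites remain in the cipher list, so a one-line comment on when to enable it would help readers.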
@@ -1,15 +1,14 b''
1 1 .. _apache-ws-ref:
2 2
3 3 Apache HTTP Server Configuration
4 4 --------------------------------
5 5
6 6 To set up your Apache Web Server for optimal performance and security, use
7 7 the information in the following sections.
8 8
9 9 .. toctree::
10 10
11 11 apache-diffie-hellman
12 apache-conf-examples
12 apache-conf-example
13 13 apache-subdirectory
14 apache-reverse-proxy
15 14 apache-wsgi-coding
@@ -1,34 +1,35 b''
1 1 .. _apache-sub-ref:
2 2
3 3 Apache URL Prefix Configuration
4 4 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
5 5
6 6 Use the following example to configure Apache to use a URL prefix.
7 7
8 8 .. code-block:: apache
9 9
10 <Location /<someprefix>/ # Change <someprefix> into your chosen prefix
10 # Change someprefix into your chosen prefix
11 <Location /someprefix >
11 12 ProxyPreserveHost On
12 13 ProxyPass "http://127.0.0.1:5000/"
13 14 ProxyPassReverse "http://127.0.0.1:5000/"
14 15 Header set X-Url-Scheme https env=HTTPS
15 16 </Location>
16 17
17 18 In addition to the regular Apache setup you will need to add the following
18 19 lines into the ``rhodecode.ini`` file.
19 20
20 21 * Above ``[app:main]`` section of the ``rhodecode.ini`` file add the
21 22 following section if it doesn't exist yet.
22 23
23 24 .. code-block:: ini
24 25
25 26 [filter:proxy-prefix]
26 27 use = egg:PasteDeploy#prefix
27 28 prefix = /<someprefix> # Change <someprefix> into your chosen prefix
28 29
29 30 * In the the ``[app:main]`` section of your ``rhodecode.ini`` file add the
30 31 following line.
31 32
32 33 .. code-block:: ini
33 34
34 35 filter-with = proxy-prefix
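Review bot: The ini block still reads `prefix = /<someprefix> # Change <someprefix> into your chosen prefix`, although the same commit moved that comment onto its own line in the Apache `<Location>` block. Python's ConfigParser family does not strip a trailing `#` comment, so a reader who copies this line is likely to end up with the comment text inside the prefix value. I would put `# Change someprefix into your chosen prefix` on the line above and leave `prefix = /someprefix`. The `ProxyPass "http://127.0.0.1:5000/"` lines also still use port 5000, while the main Apache example in this commit now points at `127.0.0.1:10002`; a comment tying the port to the `rccontrol status` URL, as done there, would keep the two pages consistent.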
@@ -1,120 +1,125 b''
1 1 Nginx Configuration Example
2 2 ---------------------------
3 3
4 4 Use the following example to configure Nginx as a your web server.
5 5
6
6 7 .. code-block:: nginx
7 8
8 9 log_format log_custom '$remote_addr - $remote_user [$time_local] '
9 10 '"$request" $status $body_bytes_sent '
10 11 '"$http_referer" "$http_user_agent" '
11 12 '$request_time $upstream_response_time $pipe';
12 13
14 ## define upstream (local RhodeCode instance) to connect to
13 15 upstream rc {
14
16 # Url to running RhodeCode instance.
17 # This is shown as `- URL:` in output from rccontrol status.
15 18 server 127.0.0.1:10002;
16 19
17 20 # add more instances for load balancing
18 21 # server 127.0.0.1:10003;
19 22 # server 127.0.0.1:10004;
20 23 }
21 24
22 ## gist alias server, for serving nicer GIST urls
25 ## HTTP to HTTPS rewrite
26 server {
27 listen 80;
28 server_name rhodecode.myserver.com;
23 29
30 if ($http_host = rhodecode.myserver.com) {
31 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
32 }
33 }
34
35 ## Optional gist alias server, for serving nicer GIST urls.
24 36 server {
25 37 listen 443;
26 38 server_name gist.myserver.com;
27 39 access_log /var/log/nginx/gist.access.log log_custom;
28 40 error_log /var/log/nginx/gist.error.log;
29 41
30 42 ssl on;
31 43 ssl_certificate gist.rhodecode.myserver.com.crt;
32 44 ssl_certificate_key gist.rhodecode.myserver.com.key;
33 45
34 46 ssl_session_timeout 5m;
35 47
36 48 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
37 49 ssl_prefer_server_ciphers on;
38 50 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
39 51
52 # strict http prevents from https -> http downgrade
40 53 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
41 54
42 55 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
43 56 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
44 57
45 58 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
46 59 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
47 60 }
48 61
49 ## HTTP to HTTPS rewrite
50 server {
51 listen 80;
52 server_name rhodecode.myserver.com;
53
54 if ($http_host = rhodecode.myserver.com) {
55 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
56 }
57 }
58 62
59 63 ## MAIN SSL enabled server
60 64 server {
61 65 listen 443 ssl;
62 66 server_name rhodecode.myserver.com;
63 67
64 68 access_log /var/log/nginx/rhodecode.access.log log_custom;
65 69 error_log /var/log/nginx/rhodecode.error.log;
66 70
67 71 ssl on;
68 72 ssl_certificate rhodecode.myserver.com.crt;
69 73 ssl_certificate_key rhodecode.myserver.com.key;
70 74
71 75 ssl_session_timeout 5m;
72 76
73 77 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
74 78 ssl_prefer_server_ciphers on;
75 79 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
76 80
77 81 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
78 82 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
79 83
80 84 include /etc/nginx/proxy.conf;
81 85
82 ## serve static files by nginx, recommended
86 ## serve static files by Nginx, recommended for performance
83 87 # location /_static/rhodecode {
84 88 # alias /path/to/.rccontrol/enterprise-1/static;
85 89 # }
86 90
87 ## channel stream live components
91 ## channelstream websocket handling
88 92 location /_channelstream {
89 93 rewrite /_channelstream/(.*) /$1 break;
94
90 95 proxy_pass http://127.0.0.1:9800;
91 96
92 97 proxy_connect_timeout 10;
93 98 proxy_send_timeout 10m;
94 99 proxy_read_timeout 10m;
95 100 tcp_nodelay off;
96 101 proxy_set_header Host $host;
97 102 proxy_set_header X-Real-IP $remote_addr;
98 103 proxy_set_header X-Url-Scheme $scheme;
99 104 proxy_set_header X-Forwarded-Proto $scheme;
100 105 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
101 106 gzip off;
102 107 proxy_http_version 1.1;
103 108 proxy_set_header Upgrade $http_upgrade;
104 109 proxy_set_header Connection "upgrade";
105 110 }
106 111
107 112 location / {
108 113 try_files $uri @rhode;
109 114 }
110 115
111 116 location @rhode {
112 117 proxy_pass http://rc;
113 118 }
114 119
115 120 ## custom 502 error page
116 121 error_page 502 /502.html;
117 122 location = /502.html {
118 123 root /path/to/.rccontrol/enterprise-1/static;
119 124 }
120 125 } No newline at end of file
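Review bot: The `Strict-Transport-Security` header and its new explanatory comment appear only in the optional gist alias server; the `## MAIN SSL enabled server` block shows no `add_header` for it. Unless the included `/etc/nginx/proxy.conf` supplies it, which is not visible here, the main host is served without HSTS. I would add `add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";` to the main server block as well. Both server blocks also keep `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, which could be reduced to `ssl_protocols TLSv1.2;` where legacy clients are not a requirement.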
@@ -1,14 +1,14 b''
1 1 .. _nginx-ws-ref:
2 2
3 Nginx Configuration
4 ===================
3 Nginx HTTP Server Configuration
4 -------------------------------
5 5
6 6 To set up your Nginx Web Server for optimal performance and security, use
7 7 the information in the following sections.
8 8
9 9 .. toctree::
10 10
11 11 nginx-diffie-hellman
12 12 nginx-config-example
13 13 nginx-tuning
14 14 nginx-url-prefix
1 NO CONTENT: file was removed