Show More
@@ -1,114 +1,87 b'' | |||
|
1 | 1 | .. _apache-conf-eg: |
|
2 | 2 | |
|
3 |
Apache Configuration Example |
|
|
4 |
---------------------------- |
|
|
3 | Apache Configuration Example | |
|
4 | ---------------------------- | |
|
5 | ||
|
6 | Use the following example to configure Apache as a your web server. | |
|
7 | Below config if for an Apache Reverse Proxy configuration. | |
|
8 | ||
|
9 | .. note:: | |
|
10 | ||
|
11 | Apache requires the following modules to be enabled. Below is an example | |
|
12 | how to enable them on Ubuntu Server | |
|
13 | ||
|
5 | 14 | |
|
6 | Use the following example to securely configure your Apache HTTP virtual hosts | |
|
7 | file. | |
|
15 | .. code-block:: bash | |
|
16 | ||
|
17 | $ sudo a2enmod proxy | |
|
18 | $ sudo a2enmod proxy_http | |
|
19 | $ sudo a2enmod proxy_balancer | |
|
20 | $ sudo a2enmod headers | |
|
21 | $ sudo a2enmod ssl | |
|
22 | $ sudo a2enmod rewrite | |
|
23 | ||
|
24 | # requires Apache 2.4+, required to handle websockets/channelstream | |
|
25 | $ sudo a2enmod proxy_wstunnel | |
|
26 | ||
|
8 | 27 |
|
|
9 | 28 | .. code-block:: apache |
|
10 | 29 | |
|
30 | ## HTTP to HTTPS rewrite | |
|
11 | 31 | <VirtualHost *:80> |
|
12 |
|
|
|
13 | ServerAlias hg.myserver.com | |
|
32 | ServerName rhodecode.myserver.com | |
|
33 | DocumentRoot /var/www/html | |
|
34 | Redirect permanent / https://rhodecode.myserver.com/ | |
|
35 | </VirtualHost> | |
|
36 | ||
|
37 | ## MAIN SSL enabled server | |
|
38 | <VirtualHost *:443> | |
|
39 | ||
|
40 | ServerName rhodecode.myserver.com | |
|
41 | ServerAlias rhodecode.myserver.com | |
|
42 | ||
|
43 | ## serve static files by Apache, recommended for performance | |
|
44 | #Alias /_static /home/ubuntu/.rccontrol/community-1/static | |
|
45 | ||
|
46 | RequestHeader set X-Forwarded-Proto "https" | |
|
47 | ||
|
48 | ## channelstream websocket handling | |
|
49 | ProxyPass /_channelstream ws://localhost:9800 | |
|
50 | ProxyPassReverse /_channelstream ws://localhost:9800 | |
|
14 | 51 | |
|
15 | 52 | <Proxy *> |
|
16 | 53 | Order allow,deny |
|
17 | 54 | Allow from all |
|
18 | 55 | </Proxy> |
|
19 | 56 | |
|
20 | # important ! | |
|
21 | # Directive to properly generate url (clone url) for pylons | |
|
22 | ||
|
57 | # Directive to properly generate url (clone url) for RhodeCode | |
|
23 | 58 | ProxyPreserveHost On |
|
24 | 59 | |
|
25 | #rhodecode instance | |
|
26 | ProxyPass / http://127.0.0.1:5000/ | |
|
27 |
ProxyPass |
|
|
60 | # Url to running RhodeCode instance. This is shown as `- URL:` when | |
|
61 | # running rccontrol status. | |
|
62 | ProxyPass / http://127.0.0.1:10002/ | |
|
63 | ProxyPassReverse / http://127.0.0.1:10002/ | |
|
28 | 64 | |
|
29 | # Set strict HTTPS | |
|
65 | # strict http prevents from https -> http downgrade | |
|
30 | 66 | Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" |
|
31 | 67 | |
|
32 | 68 | # Set x-frame options |
|
33 | 69 | Header always append X-Frame-Options SAMEORIGIN |
|
34 | 70 | |
|
35 | 71 | # To enable https use line below |
|
36 | 72 | # SetEnvIf X-Url-Scheme https HTTPS=1 |
|
37 | 73 | |
|
38 | # Secure your Diffie-hellmann deployment | |
|
74 | # SSL setup | |
|
75 | SSLEngine On | |
|
76 | SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem | |
|
77 | SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key | |
|
78 | ||
|
39 | 79 | SSLProtocol all -SSLv2 -SSLv3 |
|
40 | 80 | SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA |
|
41 | 81 | SSLHonorCipherOrder on |
|
42 | SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}" | |
|
82 | ||
|
83 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
|
84 | #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem" | |
|
43 | 85 | |
|
44 | 86 | </VirtualHost> |
|
45 | 87 | |
|
46 | Use the following example to configure Apache for a multi-node setup. The | |
|
47 | timeout setting should be increased if you experience timeouts when working | |
|
48 | with large |repos|. | |
|
49 | ||
|
50 | .. code-block:: apache | |
|
51 | ||
|
52 | # | |
|
53 | # Timeout: The number of seconds before receives and sends time out. | |
|
54 | # | |
|
55 | Timeout 600 | |
|
56 | ||
|
57 | <VirtualHost *:80> | |
|
58 | ||
|
59 | ProxyRequests off | |
|
60 | ||
|
61 | #important ! | |
|
62 | #Directive to properly generate url (clone url) for pylons | |
|
63 | ProxyPreserveHost On | |
|
64 | ||
|
65 | ServerName your.rce.com | |
|
66 | ServerAlias your.rce.com | |
|
67 | ||
|
68 | <Proxy balancer://mycluster> | |
|
69 | # WebHead1 | |
|
70 | BalancerMember http://10.58.1.171:10002 route=1 | |
|
71 | # WebHead2 | |
|
72 | BalancerMember http://10.58.1.172:10001 route=2 | |
|
73 | ||
|
74 | # Security "technically we aren't blocking | |
|
75 | # anyone but this the place to make those | |
|
76 | # chages | |
|
77 | Order Deny,Allow | |
|
78 | Deny from none | |
|
79 | Allow from all | |
|
80 | ||
|
81 | # Load Balancer Settings | |
|
82 | # We will be configuring a simple Round | |
|
83 | # Robin style load balancer. This means | |
|
84 | # that all webheads take an equal share of | |
|
85 | # of the load. | |
|
86 | ProxySet stickysession=ROUTEID | |
|
87 | ||
|
88 | </Proxy> | |
|
89 | ||
|
90 | # balancer-manager | |
|
91 | # This tool is built into the mod_proxy_balancer | |
|
92 | # module and will allow you to do some simple | |
|
93 | # modifications to the balanced group via a gui | |
|
94 | # web interface. | |
|
95 | <Location /balancer-manager> | |
|
96 | SetHandler balancer-manager | |
|
97 | ||
|
98 | # recommend locking this one down to your | |
|
99 | # your office | |
|
100 | Order deny,allow | |
|
101 | Allow from all | |
|
102 | </Location> | |
|
103 | ||
|
104 | # Point of Balance | |
|
105 | # This setting will allow to explicitly name the | |
|
106 | # the location in the site that we want to be | |
|
107 | # balanced, in this example we will balance "/" | |
|
108 | # or everything in the site. | |
|
109 | ProxyPass /balancer-manager ! | |
|
110 | ProxyPass / balancer://mycluster/ | |
|
111 | ||
|
112 | ProxyPassReverse / balancer://mycluster/ | |
|
113 | ||
|
114 | </VirtualHost> |
@@ -1,15 +1,14 b'' | |||
|
1 | 1 | .. _apache-ws-ref: |
|
2 | 2 | |
|
3 | 3 | Apache HTTP Server Configuration |
|
4 | 4 | -------------------------------- |
|
5 | 5 | |
|
6 | 6 | To set up your Apache Web Server for optimal performance and security, use |
|
7 | 7 | the information in the following sections. |
|
8 | 8 | |
|
9 | 9 | .. toctree:: |
|
10 | 10 | |
|
11 | 11 | apache-diffie-hellman |
|
12 |
apache-conf-example |
|
|
12 | apache-conf-example | |
|
13 | 13 | apache-subdirectory |
|
14 | apache-reverse-proxy | |
|
15 | 14 | apache-wsgi-coding |
@@ -1,34 +1,35 b'' | |||
|
1 | 1 | .. _apache-sub-ref: |
|
2 | 2 | |
|
3 | 3 | Apache URL Prefix Configuration |
|
4 | 4 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
|
5 | 5 | |
|
6 | 6 | Use the following example to configure Apache to use a URL prefix. |
|
7 | 7 | |
|
8 | 8 | .. code-block:: apache |
|
9 | 9 | |
|
10 |
|
|
|
10 | # Change someprefix into your chosen prefix | |
|
11 | <Location /someprefix > | |
|
11 | 12 | ProxyPreserveHost On |
|
12 | 13 | ProxyPass "http://127.0.0.1:5000/" |
|
13 | 14 | ProxyPassReverse "http://127.0.0.1:5000/" |
|
14 | 15 | Header set X-Url-Scheme https env=HTTPS |
|
15 | 16 | </Location> |
|
16 | 17 | |
|
17 | 18 | In addition to the regular Apache setup you will need to add the following |
|
18 | 19 | lines into the ``rhodecode.ini`` file. |
|
19 | 20 | |
|
20 | 21 | * Above ``[app:main]`` section of the ``rhodecode.ini`` file add the |
|
21 | 22 | following section if it doesn't exist yet. |
|
22 | 23 | |
|
23 | 24 | .. code-block:: ini |
|
24 | 25 | |
|
25 | 26 | [filter:proxy-prefix] |
|
26 | 27 | use = egg:PasteDeploy#prefix |
|
27 | 28 | prefix = /<someprefix> # Change <someprefix> into your chosen prefix |
|
28 | 29 | |
|
29 | 30 | * In the the ``[app:main]`` section of your ``rhodecode.ini`` file add the |
|
30 | 31 | following line. |
|
31 | 32 | |
|
32 | 33 | .. code-block:: ini |
|
33 | 34 | |
|
34 | 35 | filter-with = proxy-prefix |
@@ -1,120 +1,125 b'' | |||
|
1 | 1 | Nginx Configuration Example |
|
2 | 2 | --------------------------- |
|
3 | 3 | |
|
4 | 4 | Use the following example to configure Nginx as a your web server. |
|
5 | 5 | |
|
6 | ||
|
6 | 7 | .. code-block:: nginx |
|
7 | 8 | |
|
8 | 9 | log_format log_custom '$remote_addr - $remote_user [$time_local] ' |
|
9 | 10 | '"$request" $status $body_bytes_sent ' |
|
10 | 11 | '"$http_referer" "$http_user_agent" ' |
|
11 | 12 | '$request_time $upstream_response_time $pipe'; |
|
12 | 13 | |
|
14 | ## define upstream (local RhodeCode instance) to connect to | |
|
13 | 15 | upstream rc { |
|
14 | ||
|
16 | # Url to running RhodeCode instance. | |
|
17 | # This is shown as `- URL:` in output from rccontrol status. | |
|
15 | 18 | server 127.0.0.1:10002; |
|
16 | 19 | |
|
17 | 20 | # add more instances for load balancing |
|
18 | 21 | # server 127.0.0.1:10003; |
|
19 | 22 | # server 127.0.0.1:10004; |
|
20 | 23 | } |
|
21 | 24 | |
|
22 | ## gist alias server, for serving nicer GIST urls | |
|
25 | ## HTTP to HTTPS rewrite | |
|
26 | server { | |
|
27 | listen 80; | |
|
28 | server_name rhodecode.myserver.com; | |
|
23 | 29 |
|
|
30 | if ($http_host = rhodecode.myserver.com) { | |
|
31 | rewrite (.*) https://rhodecode.myserver.com$1 permanent; | |
|
32 | } | |
|
33 | } | |
|
34 | ||
|
35 | ## Optional gist alias server, for serving nicer GIST urls. | |
|
24 | 36 | server { |
|
25 | 37 | listen 443; |
|
26 | 38 | server_name gist.myserver.com; |
|
27 | 39 | access_log /var/log/nginx/gist.access.log log_custom; |
|
28 | 40 | error_log /var/log/nginx/gist.error.log; |
|
29 | 41 | |
|
30 | 42 | ssl on; |
|
31 | 43 | ssl_certificate gist.rhodecode.myserver.com.crt; |
|
32 | 44 | ssl_certificate_key gist.rhodecode.myserver.com.key; |
|
33 | 45 | |
|
34 | 46 | ssl_session_timeout 5m; |
|
35 | 47 | |
|
36 | 48 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
37 | 49 | ssl_prefer_server_ciphers on; |
|
38 | 50 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; |
|
39 | 51 | |
|
52 | # strict http prevents from https -> http downgrade | |
|
40 | 53 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; |
|
41 | 54 | |
|
42 | 55 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits |
|
43 | 56 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; |
|
44 | 57 | |
|
45 | 58 | rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; |
|
46 | 59 | rewrite (.*) https://rhodecode.myserver.com/_admin/gists; |
|
47 | 60 | } |
|
48 | 61 | |
|
49 | ## HTTP to HTTPS rewrite | |
|
50 | server { | |
|
51 | listen 80; | |
|
52 | server_name rhodecode.myserver.com; | |
|
53 | ||
|
54 | if ($http_host = rhodecode.myserver.com) { | |
|
55 | rewrite (.*) https://rhodecode.myserver.com$1 permanent; | |
|
56 | } | |
|
57 | } | |
|
58 | 62 | |
|
59 | 63 | ## MAIN SSL enabled server |
|
60 | 64 | server { |
|
61 | 65 | listen 443 ssl; |
|
62 | 66 | server_name rhodecode.myserver.com; |
|
63 | 67 | |
|
64 | 68 | access_log /var/log/nginx/rhodecode.access.log log_custom; |
|
65 | 69 | error_log /var/log/nginx/rhodecode.error.log; |
|
66 | 70 | |
|
67 | 71 | ssl on; |
|
68 | 72 | ssl_certificate rhodecode.myserver.com.crt; |
|
69 | 73 | ssl_certificate_key rhodecode.myserver.com.key; |
|
70 | 74 | |
|
71 | 75 | ssl_session_timeout 5m; |
|
72 | 76 | |
|
73 | 77 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
74 | 78 | ssl_prefer_server_ciphers on; |
|
75 | 79 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; |
|
76 | 80 | |
|
77 | 81 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits |
|
78 | 82 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; |
|
79 | 83 | |
|
80 | 84 | include /etc/nginx/proxy.conf; |
|
81 | 85 | |
|
82 |
## serve static files by |
|
|
86 | ## serve static files by Nginx, recommended for performance | |
|
83 | 87 | # location /_static/rhodecode { |
|
84 | 88 | # alias /path/to/.rccontrol/enterprise-1/static; |
|
85 | 89 | # } |
|
86 | 90 | |
|
87 |
## channel |
|
|
91 | ## channelstream websocket handling | |
|
88 | 92 | location /_channelstream { |
|
89 | 93 | rewrite /_channelstream/(.*) /$1 break; |
|
94 | ||
|
90 | 95 | proxy_pass http://127.0.0.1:9800; |
|
91 | 96 | |
|
92 | 97 | proxy_connect_timeout 10; |
|
93 | 98 | proxy_send_timeout 10m; |
|
94 | 99 | proxy_read_timeout 10m; |
|
95 | 100 | tcp_nodelay off; |
|
96 | 101 | proxy_set_header Host $host; |
|
97 | 102 | proxy_set_header X-Real-IP $remote_addr; |
|
98 | 103 | proxy_set_header X-Url-Scheme $scheme; |
|
99 | 104 | proxy_set_header X-Forwarded-Proto $scheme; |
|
100 | 105 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
|
101 | 106 | gzip off; |
|
102 | 107 | proxy_http_version 1.1; |
|
103 | 108 | proxy_set_header Upgrade $http_upgrade; |
|
104 | 109 | proxy_set_header Connection "upgrade"; |
|
105 | 110 | } |
|
106 | 111 | |
|
107 | 112 | location / { |
|
108 | 113 | try_files $uri @rhode; |
|
109 | 114 | } |
|
110 | 115 | |
|
111 | 116 | location @rhode { |
|
112 | 117 | proxy_pass http://rc; |
|
113 | 118 | } |
|
114 | 119 | |
|
115 | 120 | ## custom 502 error page |
|
116 | 121 | error_page 502 /502.html; |
|
117 | 122 | location = /502.html { |
|
118 | 123 | root /path/to/.rccontrol/enterprise-1/static; |
|
119 | 124 | } |
|
120 | 125 | } No newline at end of file |
@@ -1,14 +1,14 b'' | |||
|
1 | 1 | .. _nginx-ws-ref: |
|
2 | 2 | |
|
3 | Nginx Configuration | |
|
4 | =================== | |
|
3 | Nginx HTTP Server Configuration | |
|
4 | ------------------------------- | |
|
5 | 5 | |
|
6 | 6 | To set up your Nginx Web Server for optimal performance and security, use |
|
7 | 7 | the information in the following sections. |
|
8 | 8 | |
|
9 | 9 | .. toctree:: |
|
10 | 10 | |
|
11 | 11 | nginx-diffie-hellman |
|
12 | 12 | nginx-config-example |
|
13 | 13 | nginx-tuning |
|
14 | 14 | nginx-url-prefix |
|
1 | NO CONTENT: file was removed |
General Comments 0
You need to be logged in to leave comments.
Login now