.. _apache-conf-eg:

Apache Configuration Example
----------------------------

Use the following example to configure Apache as your web server.
The configuration below is for an Apache reverse proxy.

.. note::

   Apache requires the following modules to be enabled. Below is an example
   of how to enable them on Ubuntu Server.

.. code-block:: bash

    $ sudo a2enmod proxy
    $ sudo a2enmod proxy_http
    $ sudo a2enmod proxy_balancer
    $ sudo a2enmod headers
    $ sudo a2enmod ssl
    $ sudo a2enmod rewrite

    # requires Apache 2.4+, required to handle websockets/channelstream
    $ sudo a2enmod proxy_wstunnel

.. code-block:: apache

    ## HTTP to HTTPS rewrite
    <VirtualHost *:80>
        ServerName rhodecode.myserver.com
        DocumentRoot /var/www/html
        Redirect permanent / https://rhodecode.myserver.com/
    </VirtualHost>

    ## MAIN SSL enabled server
    <VirtualHost *:443>
        ServerName rhodecode.myserver.com
        ServerAlias rhodecode.myserver.com

        ## Skip ProxyPass the _static to backend server
        #ProxyPass /_static !

        ## serve static files by Apache, recommended for performance
        #Alias /_static/rhodecode /home/ubuntu/.rccontrol/community-1/static

        ## Allow Apache to access the static files in this directory
        #<Directory /home/ubuntu/.rccontrol/community-1/static>
        #    AllowOverride none
        #    Require all granted
        #</Directory>

        RequestHeader set X-Forwarded-Proto "https"

        ## channelstream websocket handling
        ProxyPass /_channelstream ws://localhost:9800
        ProxyPassReverse /_channelstream ws://localhost:9800

        # Apache 2.2-style access control; on Apache 2.4 these two
        # directives are provided by mod_access_compat.
        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>

        # Directive to properly generate url (clone url) for RhodeCode
        ProxyPreserveHost On

        # Allows request bodies to be sent to the backend using chunked
        # transfer encoding.
        SetEnv proxy-sendchunked 1

        # Increase headers size for large Mercurial headers sent with many branches
        LimitRequestLine 16380

        # Url to running RhodeCode instance. This is shown as `- URL:` when
        # running rccontrol status.
        ProxyPass / http://127.0.0.1:10002/ timeout=7200 Keepalive=On
        ProxyPassReverse / http://127.0.0.1:10002/

        # Strict-Transport-Security prevents https -> http downgrade
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

        # Set x-frame options
        Header always append X-Frame-Options SAMEORIGIN

        # To enable https use line below
        # SetEnvIf X-Url-Scheme https HTTPS=1

        # SSL setup
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/rhodecode.myserver.pem
        SSLCertificateKeyFile /etc/apache2/ssl/rhodecode.myserver.key

        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        SSLHonorCipherOrder on

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        #SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"

        ## custom 502 error page. Will be displayed while RhodeCode server
        ## is turned off
        ErrorDocument 502 /path/to/.rccontrol/enterprise-1/static/502.html
    </VirtualHost>
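
An added example, not part of the RhodeCode documentation: a small Python audit of the TLS directives in the virtual host above. It evaluates ``SSLProtocol`` token by token, which shows that ``all -SSLv2 -SSLv3`` still permits TLSv1 and TLSv1.1. The sample block is constructed (cipher list shortened), the function names are this example's own, and the expansion of ``all`` assumes a build with OpenSSL 1.1.1 or later.

```python
import re
# Constructed sample: directives of the TLS vhost above, cipher list shortened.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    Header always append X-Frame-Options SAMEORIGIN
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4
</VirtualHost>
"""

# mod_ssl's "all" with OpenSSL 1.1.1+; the linked OpenSSL may still refuse some.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER = re.compile(r"DES-CBC3|RC4|MD5|NULL")

def directives(conf):
    """Map lower-cased directive name -> list of argument strings."""
    found = {}
    for line in map(str.strip, conf.splitlines()):
        if line and not line.startswith(("#", "<")):  # skip comments, containers
            name, _, args = line.partition(" ")
            found.setdefault(name.lower(), []).append(args.strip())
    return found

def enabled_protocols(spec):
    """Evaluate SSLProtocol tokens in order: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL if name.lower() == "all" else {name}
        if sign:
            enabled = enabled | names if sign == "+" else enabled - names
        else:
            enabled = set(names)
    return enabled

def audit(conf):
    """Return a list of findings for one TLS virtual host block."""
    d = directives(conf)
    # Assumption: a missing SSLProtocol means the Apache 2.4.17+ default.
    protos = enabled_protocols(d.get("sslprotocol", ["all -SSLv3"])[-1])
    out = [f"SSLProtocol permits {p}" for p in sorted(protos & LEGACY)]
    for c in d.get("sslciphersuite", [""])[-1].split(":"):
        if c and not c.startswith("!") and WEAK_CIPHER.search(c):
            out.append(f"SSLCipherSuite offers {c}")
    headers = " ".join(d.get("header", []))
    wanted = ("Strict-Transport-Security", "X-Frame-Options")
    return out + [f"missing header {h}" for h in wanted if h not in headers]
```

Calling ``audit(SAMPLE_VHOST)`` reports TLSv1, TLSv1.1 and ``DES-CBC3-SHA``; a block using ``SSLProtocol -all +TLSv1.2 +TLSv1.3`` (the ``TLSv1.3`` token needs Apache 2.4.36+) with the 3DES entry removed returns no findings.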