docs: updated nginx example...
marcink -
r636:546e87c2 default
@@ -1,92 +1,120 b''
1 Nginx Configuration Example
1 Nginx Configuration Example
2 ---------------------------
2 ---------------------------
3
3
4 Use the following example to configure Nginx as a your web server.
4 Use the following example to configure Nginx as a your web server.
5
5
6 .. code-block:: nginx
6 .. code-block:: nginx
7
7
8 log_format log_custom '$remote_addr - $remote_user [$time_local] '
9 '"$request" $status $body_bytes_sent '
10 '"$http_referer" "$http_user_agent" '
11 '$request_time $upstream_response_time $pipe';
12
8 upstream rc {
13 upstream rc {
9
14
10 server 127.0.0.1:10002;
15 server 127.0.0.1:10002;
11
16
12 # add more instances for load balancing
17 # add more instances for load balancing
13 # server 127.0.0.1:10003;
18 # server 127.0.0.1:10003;
14 # server 127.0.0.1:10004;
19 # server 127.0.0.1:10004;
15 }
20 }
16
21
17 ## gist alias
22 ## gist alias server, for serving nicer GIST urls
18
23
19 server {
24 server {
20 listen 443;
25 listen 443;
21 server_name gist.myserver.com;
26 server_name gist.myserver.com;
22 access_log /var/log/nginx/gist.access.log;
27 access_log /var/log/nginx/gist.access.log log_custom;
23 error_log /var/log/nginx/gist.error.log;
28 error_log /var/log/nginx/gist.error.log;
24
29
25 ssl on;
30 ssl on;
26 ssl_certificate gist.rhodecode.myserver.com.crt;
31 ssl_certificate gist.rhodecode.myserver.com.crt;
27 ssl_certificate_key gist.rhodecode.myserver.com.key;
32 ssl_certificate_key gist.rhodecode.myserver.com.key;
28
33
29 ssl_session_timeout 5m;
34 ssl_session_timeout 5m;
30
35
31 ssl_protocols SSLv3 TLSv1;
36 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
32 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
33 ssl_prefer_server_ciphers on;
37 ssl_prefer_server_ciphers on;
38 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
39
34 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
40 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
35
41
36 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
42 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
37 ssl_dhparam /etc/nginx/ssl/dhparam.pem;
43 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
38
44
39 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
45 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
40 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
46 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
41 }
47 }
42
48
49 ## HTTP to HTTPS rewrite
43 server {
50 server {
44 listen 443;
51 listen 80;
45 server_name rhodecode.myserver.com;
52 server_name rhodecode.myserver.com;
46 access_log /var/log/nginx/rhodecode.access.log;
53
47 error_log /var/log/nginx/rhodecode.error.log;
54 if ($http_host = rhodecode.myserver.com) {
55 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
56 }
57 }
58
59 ## MAIN SSL enabled server
60 server {
61 listen 443 ssl;
62 server_name rhodecode.myserver.com;
63
64 access_log /var/log/nginx/rhodecode.access.log log_custom;
65 error_log /var/log/nginx/rhodecode.error.log;
48
66
49 ssl on;
67 ssl on;
50 ssl_certificate rhodecode.myserver.com.crt;
68 ssl_certificate rhodecode.myserver.com.crt;
51 ssl_certificate_key rhodecode.myserver.com.key;
69 ssl_certificate_key rhodecode.myserver.com.key;
52
70
53 ssl_session_timeout 5m;
71 ssl_session_timeout 5m;
54
72
55 ssl_protocols SSLv3 TLSv1;
73 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
56 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
57 ssl_prefer_server_ciphers on;
74 ssl_prefer_server_ciphers on;
75 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
58
76
59 include /etc/nginx/proxy.conf;
77 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
78 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
60
79
61 ## uncomment to serve static files by nginx
80 include /etc/nginx/proxy.conf;
81
82 ## serve static files by nginx, recommended
62 # location /_static/rhodecode {
83 # location /_static/rhodecode {
63 # alias /path/to/.rccontrol/enterprise-1/static;
84 # alias /path/to/.rccontrol/enterprise-1/static;
64 # }
85 # }
65
86
66 ## channel stream live components
87 ## channel stream live components
67 location /_channelstream {
88 location /_channelstream {
68 rewrite /_channelstream/(.*) /$1 break;
89 rewrite /_channelstream/(.*) /$1 break;
90 proxy_pass http://127.0.0.1:9800;
91
69 proxy_connect_timeout 10;
92 proxy_connect_timeout 10;
70 proxy_send_timeout 10m;
93 proxy_send_timeout 10m;
71 proxy_read_timeout 10m;
94 proxy_read_timeout 10m;
72 tcp_nodelay off;
95 tcp_nodelay off;
73 proxy_pass http://127.0.0.1:9800;
74 proxy_set_header Host $host;
96 proxy_set_header Host $host;
75 proxy_set_header X-Real-IP $remote_addr;
97 proxy_set_header X-Real-IP $remote_addr;
76 proxy_set_header X-Url-Scheme $scheme;
98 proxy_set_header X-Url-Scheme $scheme;
77 proxy_set_header X-Forwarded-Proto $scheme;
99 proxy_set_header X-Forwarded-Proto $scheme;
78 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
100 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
79 gzip off;
101 gzip off;
80 proxy_http_version 1.1;
102 proxy_http_version 1.1;
81 proxy_set_header Upgrade $http_upgrade;
103 proxy_set_header Upgrade $http_upgrade;
82 proxy_set_header Connection "upgrade";
104 proxy_set_header Connection "upgrade";
83 }
105 }
84
106
85 location / {
107 location / {
86 try_files $uri @rhode;
108 try_files $uri @rhode;
87 }
109 }
88
110
89 location @rhode {
111 location @rhode {
90 proxy_pass http://rc;
112 proxy_pass http://rc;
91 }
113 }
92 }
114
115 ## custom 502 error page
116 error_page 502 /502.html;
117 location = /502.html {
118 root /path/to/.rccontrol/enterprise-1/static;
119 }
120 } No newline at end of file
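Review bot: The `ssl_dhparam` directive is now commented out in the gist block (new line 43) and added already commented out in the main block (new line 78), yet the new `ssl_ciphers` string in both blocks still lists DHE suites such as `DHE-RSA-AES128-GCM-SHA256` and `kEDH+AESGCM`. As far as I know, nginx before 1.11.0 then falls back to built-in 1024-bit parameters, and later versions silently stop offering the DHE suites, so the comment "recommended 2048 bits" no longer matches what the example does. I would keep `ssl_dhparam /etc/nginx/ssl/dhparam.pem;` active and put `# generate with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048` above it, or state in the comment that DHE is unavailable until the line is uncommented. Separately, the main server block has no `add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";` although the gist block does, and `ssl on;` is redundant next to `listen 443 ssl;`.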