docs: added an example of how to protect the login page from brute-force attacks.
dan -
r1808:e5a0601c default
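@@ -1,125 +1,134 @@
 Nginx Configuration Example
 ---------------------------
 
 Use the following example to configure Nginx as a your web server.
 
 
 .. code-block:: nginx
+## rate limiter for certain pages to prevent brute force attacks
+limit_req_zone $binary_remote_addr zone=dl_limit:10m rate=1r/s;
 
+## custom log format
 log_format log_custom '$remote_addr - $remote_user [$time_local] '
 '"$request" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent" '
 '$request_time $upstream_response_time $pipe';
 
 ## define upstream (local RhodeCode instance) to connect to
 upstream rc {
 # Url to running RhodeCode instance.
 # This is shown as `- URL:` in output from rccontrol status.
 server 127.0.0.1:10002;
 
 # add more instances for load balancing
 # server 127.0.0.1:10003;
 # server 127.0.0.1:10004;
 }
 
 ## HTTP to HTTPS rewrite
 server {
 listen 80;
 server_name rhodecode.myserver.com;
 
 if ($http_host = rhodecode.myserver.com) {
 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
 }
 }
 
 ## Optional gist alias server, for serving nicer GIST urls.
 server {
 listen 443;
 server_name gist.myserver.com;
 access_log /var/log/nginx/gist.access.log log_custom;
 error_log /var/log/nginx/gist.error.log;
 
 ssl on;
 ssl_certificate gist.rhodecode.myserver.com.crt;
 ssl_certificate_key gist.rhodecode.myserver.com.key;
 
 ssl_session_timeout 5m;
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 
 # strict http prevents from https -> http downgrade
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
 }
 
 
 ## MAIN SSL enabled server
 server {
 listen 443 ssl;
 server_name rhodecode.myserver.com;
 
 access_log /var/log/nginx/rhodecode.access.log log_custom;
 error_log /var/log/nginx/rhodecode.error.log;
 
 ssl on;
 ssl_certificate rhodecode.myserver.com.crt;
 ssl_certificate_key rhodecode.myserver.com.key;
 
 ssl_session_timeout 5m;
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
 include /etc/nginx/proxy.conf;
 
 ## serve static files by Nginx, recommended for performance
 # location /_static/rhodecode {
 # alias /path/to/.rccontrol/enterprise-1/static;
 # }
 
 ## channelstream websocket handling
 location /_channelstream {
 rewrite /_channelstream/(.*) /$1 break;
 
 proxy_pass http://127.0.0.1:9800;
 
 proxy_connect_timeout 10;
 proxy_send_timeout 10m;
 proxy_read_timeout 10m;
 tcp_nodelay off;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Url-Scheme $scheme;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 gzip off;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 }
 
+location /_admin/login {
+## rate limit this endpoint
+limit_req zone=dl_limit burst=10 nodelay;
+try_files $uri @rhode;
+}
+
 location / {
 try_files $uri @rhode;
 }
 
 location @rhode {
 proxy_pass http://rc;
 }
 
 ## custom 502 error page
 error_page 502 /502.html;
 location = /502.html {
 root /path/to/.rccontrol/enterprise-1/static;
 }
-}
\ No newline at end of file
+}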
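Review bot: Keying the new limiter on `$binary_remote_addr` (line 9) silently stops working as intended when this nginx is not the edge server: behind another load balancer or proxy every login attempt arrives from that hop's address, all users share one bucket, and legitimate logins are throttled together with the attacker, while an attacker spread across many addresses is not slowed at all. The example should say next to the zone that it assumes nginx sees the real client address and that the limit is per source address, not per account. The zone name `dl_limit` reads like a download limit; `limit_req_zone $binary_remote_addr zone=login_limit:10m rate=1r/s;` and `limit_req zone=login_limit burst=10 nodelay;` would make the intent clear. `limit_req` rejects with 503 by default, which is indistinguishable from the upstream being down; adding `limit_req_status 429;` inside the `location /_admin/login` block lets clients and log analysis tell throttling apart from an outage. Only the login page is covered here; any other credential-accepting path proxied through `location /` (for example HTTP Basic auth on clone URLs, if RhodeCode accepts credentials there) remains unthrottled, which is worth stating in the docs.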