nginx-config-example.rst
160 lines
| 7.2 KiB
| text/x-rst
|
RstLexer
| r1 | Nginx Configuration Example | ||
| --------------------------- | |||
| Use the following example to configure Nginx as a your web server. | |||
| r1263 | |||
| r1 | .. code-block:: nginx | ||
| r1856 | |||
| r3341 | ## Rate limiter for certain pages to prevent brute force attacks | ||
| r3018 | limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r/s; | ||
| r1 | |||
| r3341 | ## Custom log format | ||
| r636 | log_format log_custom '$remote_addr - $remote_user [$time_local] ' | ||
| '"$request" $status $body_bytes_sent ' | |||
| '"$http_referer" "$http_user_agent" ' | |||
| '$request_time $upstream_response_time $pipe'; | |||
| r3341 | ## Define one or more upstreams (local RhodeCode instance) to connect to | ||
| r1 | upstream rc { | ||
| r1263 | # Url to running RhodeCode instance. | ||
| r3018 | # This is shown as `- URL: <host>` in output from rccontrol status. | ||
| r120 | server 127.0.0.1:10002; | ||
| r1 | |||
| # add more instances for load balancing | |||
| r120 | # server 127.0.0.1:10003; | ||
| # server 127.0.0.1:10004; | |||
| r1 | } | ||
| r1263 | ## HTTP to HTTPS rewrite | ||
| server { | |||
| listen 80; | |||
| server_name rhodecode.myserver.com; | |||
| r1 | |||
| r1263 | if ($http_host = rhodecode.myserver.com) { | ||
| rewrite (.*) https://rhodecode.myserver.com$1 permanent; | |||
| } | |||
| } | |||
| ## Optional gist alias server, for serving nicer GIST urls. | |||
| r1 | server { | ||
| listen 443; | |||
| server_name gist.myserver.com; | |||
| r636 | access_log /var/log/nginx/gist.access.log log_custom; | ||
| r1 | error_log /var/log/nginx/gist.error.log; | ||
| ssl on; | |||
| ssl_certificate gist.rhodecode.myserver.com.crt; | |||
| ssl_certificate_key gist.rhodecode.myserver.com.key; | |||
| ssl_session_timeout 5m; | |||
| r636 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| r1 | ssl_prefer_server_ciphers on; | ||
| r636 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | ||
| r3341 | ## Strict http prevents from https -> http downgrade | ||
| r1 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | ||
| r3341 | ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | ||
| r636 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; | ||
| r1 | |||
| rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; | |||
| rewrite (.*) https://rhodecode.myserver.com/_admin/gists; | |||
| } | |||
| r636 | |||
| ## MAIN SSL enabled server | |||
| server { | |||
| r3341 | listen 443 ssl http2; | ||
| r636 | server_name rhodecode.myserver.com; | ||
| access_log /var/log/nginx/rhodecode.access.log log_custom; | |||
| error_log /var/log/nginx/rhodecode.error.log; | |||
| r1 | |||
| ssl_certificate rhodecode.myserver.com.crt; | |||
| ssl_certificate_key rhodecode.myserver.com.key; | |||
| r3341 | # enable session resumption to improve https performance | ||
| # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html | |||
| ssl_session_cache shared:SSL:50m; | |||
| r1 | ssl_session_timeout 5m; | ||
| r3341 | ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | ||
| r636 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; | ||
| r1 | |||
| r3341 | # enables server-side protection from BEAST attacks | ||
| # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html | |||
| ssl_prefer_server_ciphers on; | |||
| # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 | |||
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |||
| # ciphers chosen for forward secrecy and compatibility | |||
| # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html | |||
| ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |||
| client_body_buffer_size 128k; | |||
| # maximum number and size of buffers for large headers to read from client request | |||
| large_client_header_buffers 16 256k; | |||
| r636 | |||
| r3018 | ## uncomment to serve static files by Nginx, recommended for performance | ||
| r522 | # location /_static/rhodecode { | ||
| r2146 | # gzip on; | ||
| # gzip_min_length 500; | |||
| # gzip_proxied any; | |||
| # gzip_comp_level 4; | |||
| # gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml; | |||
| # gzip_vary on; | |||
| # gzip_disable "msie6"; | |||
| r3018 | # alias /path/to/.rccontrol/community-1/static; | ||
| r457 | # alias /path/to/.rccontrol/enterprise-1/static; | ||
| r456 | # } | ||
| r120 | |||
| r3341 | ## channelstream location handler, if channelstream live chat and notifications | ||
| ## are enable this will proxy the requests to channelstream websocket server | |||
| r477 | location /_channelstream { | ||
| rewrite /_channelstream/(.*) /$1 break; | |||
| r3341 | gzip off; | ||
| tcp_nodelay off; | |||
| r636 | |||
| r477 | proxy_connect_timeout 10; | ||
| proxy_send_timeout 10m; | |||
| proxy_read_timeout 10m; | |||
| r3341 | |||
| r477 | proxy_set_header Host $host; | ||
| proxy_set_header X-Real-IP $remote_addr; | |||
| r636 | proxy_set_header X-Url-Scheme $scheme; | ||
| proxy_set_header X-Forwarded-Proto $scheme; | |||
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
| r3341 | |||
| r477 | proxy_http_version 1.1; | ||
| proxy_set_header Upgrade $http_upgrade; | |||
| proxy_set_header Connection "upgrade"; | |||
| r3341 | |||
| proxy_pass http://127.0.0.1:9800; | |||
| r477 | } | ||
| r3018 | ## rate limit this endpoint to prevent login page brute-force attacks | ||
| r1808 | location /_admin/login { | ||
| r3018 | limit_req zone=req_limit burst=10 nodelay; | ||
| r3341 | try_files $uri @rhodecode_http; | ||
| r1808 | } | ||
| r120 | location / { | ||
| r3341 | try_files $uri @rhodecode_http; | ||
| r120 | } | ||
| r1 | |||
| r3341 | location @rhodecode_http { | ||
| # example of proxy.conf can be found in our docs. | |||
| include /etc/nginx/proxy.conf; | |||
| proxy_pass http://rc; | |||
| r477 | } | ||
| r636 | |||
| r3341 | ## Custom 502 error page. | ||
| ## Will be displayed while RhodeCode server is turned off | |||
| r636 | error_page 502 /502.html; | ||
| location = /502.html { | |||
| r3018 | #root /path/to/.rccontrol/community-1/static; | ||
| r636 | root /path/to/.rccontrol/enterprise-1/static; | ||
| } | |||
| } |
