u/pc/rhodecode-enterprise-ce-fork-pc Files · docs/admin/nginx-config-example.rst

auth: don't break hashing in case of user with empty password....

auth: don't break hashing in case of user with empty password. In some cases such as LDAP user created via external scripts users might set the passwords to empty. The hashing uses the md5(password_hash) to store reference to detect password changes and forbid using the same password. In case of pure LDAP users this is not valid, and we shouldn't raise Errors in such case. This change makes it work for empty passwords now.

marcink - - Load All Authors

File last commit:

r2146:2d80515a default


                r2203:8a18c3c3

default

Download file

             nginx-config-example.rst
        
                    142 lines
            
             | 6.2 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / admin / nginx-config-example.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
project: added all source files and assets

              r1
            
      Nginx Configuration Example

      ---------------------------

      Use the following example to configure Nginx as a your web server.

        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
        marcink
    
project: added all source files and assets

              r1
            
      .. code-block:: nginx

        marcink
    
docs: small rst fixes.

              r1856
            
        dan
    
docs: added example how to secure login page from brute force attacks.

              r1808
            
          ## rate limiter for certain pages to prevent brute force attacks

          limit_req_zone  $binary_remote_addr  zone=dl_limit:10m   rate=1r/s;

        marcink
    
project: added all source files and assets

              r1
            
        dan
    
docs: added example how to secure login page from brute force attacks.

              r1808
            
          ## custom log format

        marcink
    
docs: updated nginx example...

              r636
            
          log_format log_custom '$remote_addr - $remote_user [$time_local] '

                                '"$request" $status $body_bytes_sent '

                                '"$http_referer" "$http_user_agent" '

                                '$request_time $upstream_response_time $pipe';

        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
          ## define upstream (local RhodeCode instance) to connect to

        marcink
    
project: added all source files and assets

              r1
            
          upstream rc {

        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
              # Url to running RhodeCode instance.

              # This is shown as `- URL:` in output from rccontrol status.

        marcink
    
docs: updated apache/nginx configs

              r120
            
              server 127.0.0.1:10002;

        marcink
    
project: added all source files and assets

              r1
            
              # add more instances for load balancing

        marcink
    
docs: updated apache/nginx configs

              r120
            
              # server 127.0.0.1:10003;

              # server 127.0.0.1:10004;

        marcink
    
project: added all source files and assets

              r1
            
          }

        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
          ## HTTP to HTTPS rewrite

          server {

              listen          80;

              server_name     rhodecode.myserver.com;

        marcink
    
project: added all source files and assets

              r1
            
        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
              if ($http_host = rhodecode.myserver.com) {

                  rewrite  (.*)  https://rhodecode.myserver.com$1 permanent;

              }

          }

          ## Optional gist alias server, for serving nicer GIST urls.

        marcink
    
project: added all source files and assets

              r1
            
          server {

              listen          443;

              server_name     gist.myserver.com;

        marcink
    
docs: updated nginx example...

              r636
            
              access_log      /var/log/nginx/gist.access.log log_custom;

        marcink
    
project: added all source files and assets

              r1
            
              error_log       /var/log/nginx/gist.error.log;

              ssl on;

              ssl_certificate     gist.rhodecode.myserver.com.crt;

              ssl_certificate_key gist.rhodecode.myserver.com.key;

              ssl_session_timeout 5m;

        marcink
    
docs: updated nginx example...

              r636
            
              ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        marcink
    
project: added all source files and assets

              r1
            
              ssl_prefer_server_ciphers on;

        marcink
    
docs: updated nginx example...

              r636
            
              ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
              # strict http prevents from https -> http downgrade

        marcink
    
project: added all source files and assets

              r1
            
              add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

              # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits

        marcink
    
docs: updated nginx example...

              r636
            
              #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        marcink
    
project: added all source files and assets

              r1
            
              rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;

              rewrite (.*)    https://rhodecode.myserver.com/_admin/gists;

          }

        marcink
    
docs: updated nginx example...

              r636
            
          ## MAIN SSL enabled server

          server {

              listen       443 ssl;

              server_name  rhodecode.myserver.com;

              access_log   /var/log/nginx/rhodecode.access.log log_custom;

              error_log    /var/log/nginx/rhodecode.error.log;

        marcink
    
project: added all source files and assets

              r1
            
              ssl on;

              ssl_certificate     rhodecode.myserver.com.crt;

              ssl_certificate_key rhodecode.myserver.com.key;

              ssl_session_timeout 5m;

        marcink
    
docs: updated nginx example...

              r636
            
              ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        marcink
    
project: added all source files and assets

              r1
            
              ssl_prefer_server_ciphers on;

        marcink
    
docs: updated nginx example...

              r636
            
              ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        marcink
    
project: added all source files and assets

              r1
            
        marcink
    
docs: updated nginx example...

              r636
            
              # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits

              #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        marcink
    
project: added all source files and assets

              r1
            
        marcink
    
docs: updated nginx example...

              r636
            
              include     /etc/nginx/proxy.conf;

        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
              ## serve static files by Nginx, recommended for performance

        marcink
    
static: change static path to serve rhodecode static assets from...

              r522
            
              # location /_static/rhodecode {

        marcink
    
docs: added gzip into static files for nginx

              r2146
            
              #    gzip on;

              #    gzip_min_length  500;

              #    gzip_proxied     any;

              #    gzip_comp_level 4;

              #    gzip_types  text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;

              #    gzip_vary on;

              #    gzip_disable     "msie6";

        dan
    
docs: update example nginx/apache configs to use .rccontrol static path

              r457
            
              #    alias /path/to/.rccontrol/enterprise-1/static;

        dan
    
config: update ini/config files to account for /_static path

              r456
            
              # }

        marcink
    
docs: updated apache/nginx configs

              r120
            
        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
              ## channelstream websocket handling

        marcink
    
docs: added channelstream example

              r477
            
              location /_channelstream {

                  rewrite /_channelstream/(.*) /$1 break;

        marcink
    
docs: updated nginx/apache configurations....

              r1263
            
        marcink
    
docs: updated nginx example...

              r636
            
                  proxy_pass                  http://127.0.0.1:9800;

        marcink
    
docs: added channelstream example

              r477
            
                  proxy_connect_timeout        10;

                  proxy_send_timeout           10m;

                  proxy_read_timeout           10m;

        marcink
    
docs: updated nginx example...

              r636
            
                  tcp_nodelay                  off;

        marcink
    
docs: added channelstream example

              r477
            
                  proxy_set_header             Host $host;

                  proxy_set_header             X-Real-IP $remote_addr;

        marcink
    
docs: updated nginx example...

              r636
            
                  proxy_set_header             X-Url-Scheme $scheme;

                  proxy_set_header             X-Forwarded-Proto $scheme;

                  proxy_set_header             X-Forwarded-For $proxy_add_x_forwarded_for;

        marcink
    
docs: added channelstream example

              r477
            
                  gzip                         off;

                  proxy_http_version           1.1;

                  proxy_set_header Upgrade     $http_upgrade;

                  proxy_set_header Connection  "upgrade";

              }

        dan
    
docs: added example how to secure login page from brute force attacks.

              r1808
            
              location /_admin/login {

                  ## rate limit this endpoint

                  limit_req  zone=dl_limit  burst=10  nodelay;

                  try_files $uri @rhode;

              }

        marcink
    
docs: updated apache/nginx configs

              r120
            
              location / {

                  try_files $uri @rhode;

              }

        marcink
    
project: added all source files and assets

              r1
            
        marcink
    
docs: added channelstream example

              r477
            
              location @rhode {

                  proxy_pass      http://rc;

              }

        marcink
    
docs: updated nginx example...

              r636
            
        marcink
    
docs: added 502 page instructions for nginx and apache

              r2145
            
              ## custom 502 error page. Will be displayed while RhodeCode server

              ## is turned off

        marcink
    
docs: updated nginx example...

              r636
            
              error_page 502 /502.html;

              location = /502.html {

                 root  /path/to/.rccontrol/enterprise-1/static;

              }

          }

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink project: added all source files and assets	r1	Nginx Configuration Example
		---------------------------

		Use the following example to configure Nginx as a your web server.

marcink docs: updated nginx/apache configurations....	r1263
marcink project: added all source files and assets	r1	.. code-block:: nginx
marcink docs: small rst fixes.	r1856
dan docs: added example how to secure login page from brute force attacks.	r1808	## rate limiter for certain pages to prevent brute force attacks
		limit_req_zone $binary_remote_addr zone=dl_limit:10m rate=1r/s;
marcink project: added all source files and assets	r1
dan docs: added example how to secure login page from brute force attacks.	r1808	## custom log format
marcink docs: updated nginx example...	r636	log_format log_custom '$remote_addr - $remote_user [$time_local] '
		'"$request" $status $body_bytes_sent '
		'"$http_referer" "$http_user_agent" '
		'$request_time $upstream_response_time $pipe';

marcink docs: updated nginx/apache configurations....	r1263	## define upstream (local RhodeCode instance) to connect to
marcink project: added all source files and assets	r1	upstream rc {
marcink docs: updated nginx/apache configurations....	r1263	# Url to running RhodeCode instance.
		# This is shown as `- URL:` in output from rccontrol status.
marcink docs: updated apache/nginx configs	r120	server 127.0.0.1:10002;
marcink project: added all source files and assets	r1
		# add more instances for load balancing
marcink docs: updated apache/nginx configs	r120	# server 127.0.0.1:10003;
		# server 127.0.0.1:10004;
marcink project: added all source files and assets	r1	}

marcink docs: updated nginx/apache configurations....	r1263	## HTTP to HTTPS rewrite
		server {
		listen 80;
		server_name rhodecode.myserver.com;
marcink project: added all source files and assets	r1
marcink docs: updated nginx/apache configurations....	r1263	if ($http_host = rhodecode.myserver.com) {
		rewrite (.*) https://rhodecode.myserver.com$1 permanent;
		}
		}

		## Optional gist alias server, for serving nicer GIST urls.
marcink project: added all source files and assets	r1	server {
		listen 443;
		server_name gist.myserver.com;
marcink docs: updated nginx example...	r636	access_log /var/log/nginx/gist.access.log log_custom;
marcink project: added all source files and assets	r1	error_log /var/log/nginx/gist.error.log;

		ssl on;
		ssl_certificate gist.rhodecode.myserver.com.crt;
		ssl_certificate_key gist.rhodecode.myserver.com.key;

		ssl_session_timeout 5m;

marcink docs: updated nginx example...	r636	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
marcink project: added all source files and assets	r1	ssl_prefer_server_ciphers on;
marcink docs: updated nginx example...	r636	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

marcink docs: updated nginx/apache configurations....	r1263	# strict http prevents from https -> http downgrade
marcink project: added all source files and assets	r1	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

		# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
marcink docs: updated nginx example...	r636	#ssl_dhparam /etc/nginx/ssl/dhparam.pem;
marcink project: added all source files and assets	r1
		rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
		rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
		}

marcink docs: updated nginx example...	r636
		## MAIN SSL enabled server
		server {
		listen 443 ssl;
		server_name rhodecode.myserver.com;

		access_log /var/log/nginx/rhodecode.access.log log_custom;
		error_log /var/log/nginx/rhodecode.error.log;
marcink project: added all source files and assets	r1
		ssl on;
		ssl_certificate rhodecode.myserver.com.crt;
		ssl_certificate_key rhodecode.myserver.com.key;

		ssl_session_timeout 5m;

marcink docs: updated nginx example...	r636	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
marcink project: added all source files and assets	r1	ssl_prefer_server_ciphers on;
marcink docs: updated nginx example...	r636	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
marcink project: added all source files and assets	r1
marcink docs: updated nginx example...	r636	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
		#ssl_dhparam /etc/nginx/ssl/dhparam.pem;
marcink project: added all source files and assets	r1
marcink docs: updated nginx example...	r636	include /etc/nginx/proxy.conf;

marcink docs: updated nginx/apache configurations....	r1263	## serve static files by Nginx, recommended for performance
marcink static: change static path to serve rhodecode static assets from...	r522	# location /_static/rhodecode {
marcink docs: added gzip into static files for nginx	r2146	# gzip on;
		# gzip_min_length 500;
		# gzip_proxied any;
		# gzip_comp_level 4;
		# gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
		# gzip_vary on;
		# gzip_disable "msie6";
dan docs: update example nginx/apache configs to use .rccontrol static path	r457	# alias /path/to/.rccontrol/enterprise-1/static;
dan config: update ini/config files to account for /_static path	r456	# }
marcink docs: updated apache/nginx configs	r120
marcink docs: updated nginx/apache configurations....	r1263	## channelstream websocket handling
marcink docs: added channelstream example	r477	location /_channelstream {
		rewrite /_channelstream/(.*) /$1 break;
marcink docs: updated nginx/apache configurations....	r1263
marcink docs: updated nginx example...	r636	proxy_pass http://127.0.0.1:9800;

marcink docs: added channelstream example	r477	proxy_connect_timeout 10;
		proxy_send_timeout 10m;
		proxy_read_timeout 10m;
marcink docs: updated nginx example...	r636	tcp_nodelay off;
marcink docs: added channelstream example	r477	proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
marcink docs: updated nginx example...	r636	proxy_set_header X-Url-Scheme $scheme;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
marcink docs: added channelstream example	r477	gzip off;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		}

dan docs: added example how to secure login page from brute force attacks.	r1808	location /_admin/login {
		## rate limit this endpoint
		limit_req zone=dl_limit burst=10 nodelay;
		try_files $uri @rhode;
		}

marcink docs: updated apache/nginx configs	r120	location / {
		try_files $uri @rhode;
		}
marcink project: added all source files and assets	r1
marcink docs: added channelstream example	r477	location @rhode {
		proxy_pass http://rc;
		}
marcink docs: updated nginx example...	r636
marcink docs: added 502 page instructions for nginx and apache	r2145	## custom 502 error page. Will be displayed while RhodeCode server
		## is turned off
marcink docs: updated nginx example...	r636	error_page 502 /502.html;
		location = /502.html {
		root /path/to/.rccontrol/enterprise-1/static;
		}
		}