# HG changeset patch # User Marcin Kuzminski # Date 2016-08-09 22:42:16 # Node ID 546e87c2fe69c42bf20a250b9179f2d008129dbf # Parent 17699e6f860f16067b360ee00112f5780dd8d763 docs: updated nginx example - use A+ securit settings - added gist custom domain - added custom 502 page example - formtting cleanups diff --git a/docs/admin/nginx-config-example.rst b/docs/admin/nginx-config-example.rst --- a/docs/admin/nginx-config-example.rst +++ b/docs/admin/nginx-config-example.rst @@ -5,6 +5,11 @@ Use the following example to configure N .. code-block:: nginx + log_format log_custom '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + upstream rc { server 127.0.0.1:10002; @@ -14,12 +19,12 @@ Use the following example to configure N # server 127.0.0.1:10004; } - ## gist alias + ## gist alias server, for serving nicer GIST urls server { listen 443; server_name gist.myserver.com; - access_log /var/log/nginx/gist.access.log; + access_log /var/log/nginx/gist.access.log log_custom; error_log /var/log/nginx/gist.error.log; ssl on; 
@@ -28,23 +33,36 @@ Use the following example to configure N ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1; - ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - ssl_dhparam /etc/nginx/ssl/dhparam.pem; + #ssl_dhparam /etc/nginx/ssl/dhparam.pem; rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; rewrite (.*) https://rhodecode.myserver.com/_admin/gists; } + ## HTTP to HTTPS rewrite server { - listen 443; + listen 80; server_name rhodecode.myserver.com; - access_log /var/log/nginx/rhodecode.access.log; - error_log /var/log/nginx/rhodecode.error.log; + + if ($http_host = rhodecode.myserver.com) { + rewrite (.*) https://rhodecode.myserver.com$1 permanent; + } + } + + ## MAIN SSL enabled server + server { + listen 443 ssl; + server_name rhodecode.myserver.com; + + access_log /var/log/nginx/rhodecode.access.log log_custom; + error_log /var/log/nginx/rhodecode.error.log; ssl on; ssl_certificate rhodecode.myserver.com.crt; 
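Review bot: The new cipher list keeps the DHE suites (`DHE-RSA-AES128-GCM-SHA256`, `kEDH+AESGCM`, `DHE-RSA-AES256-SHA`, …) while the `ssl_dhparam` line right below them is now commented out, so depending on the nginx release either the built-in 1024-bit DH group is used (Logjam-class weakness, and SSL Labs caps such a site at B rather than the A+ the commit message claims) or the DHE suites are silently never negotiated; the page does not say which nginx version it targets. Either restore `ssl_dhparam /etc/nginx/ssl/dhparam.pem;` together with a note on generating it (`openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048`), or drop the DHE/kEDH entries from `ssl_ciphers` and rely on ECDHE only. The HSTS value `"max-age=31536000; includeSubdomains;"` carries a stray trailing semicolon inside the quotes; browsers tolerate it, but the standard form is `"max-age=31536000; includeSubDomains"`. In the added port-80 server the redirect only fires when `$http_host` equals the configured name, so a request that lands on this server with any other Host header (e.g. when it is the default server) is answered over plain HTTP with no redirect at all; an unconditional `return 301 https://rhodecode.myserver.com$request_uri;` is shorter and has no such gap.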
@@ -52,13 +70,16 @@ Use the following example to configure N ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1; - ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - include /etc/nginx/proxy.conf; + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + #ssl_dhparam /etc/nginx/ssl/dhparam.pem; - ## uncomment to serve static files by nginx + include /etc/nginx/proxy.conf; + + ## serve static files by nginx, recommended # location /_static/rhodecode { # alias /path/to/.rccontrol/enterprise-1/static; # } 
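Review bot: The main `rhodecode.myserver.com` server receives the new protocol and cipher settings in this hunk but, unlike the gist server, no `Strict-Transport-Security` header, and this is the host where users log in and push over HTTPS, so it is the one that most needs HSTS (the A+ grade the commit targets also requires it). Add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";` beside `ssl_prefer_server_ciphers on;`, keeping in mind that nginx does not inherit `add_header` into a `location` that declares its own `add_header`, so it must stay at server level or be repeated in such locations. The `ssl_dhparam` line introduced here is commented out while `ssl_ciphers` still lists DHE suites; either uncomment it and generate a 2048-bit parameter file or remove the DHE entries so the DH group in use is never an unintended default. The list also retains `DES-CBC3-SHA` (3DES) as a fallback; if no legacy clients are expected, dropping it is a cheap hardening step. The enclosing server block starts and ends outside this hunk.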
@@ -66,16 +87,17 @@ Use the following example to configure N ## channel stream live components location /_channelstream { rewrite /_channelstream/(.*) /$1 break; + proxy_pass http://127.0.0.1:9800; + proxy_connect_timeout 10; proxy_send_timeout 10m; proxy_read_timeout 10m; - tcp_nodelay off; - proxy_pass http://127.0.0.1:9800; + tcp_nodelay off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Url-Scheme $scheme; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Url-Scheme $scheme; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; gzip off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; @@ -89,4 +111,10 @@ Use the following example to configure N location @rhode { proxy_pass http://rc; } - } + + ## custom 502 error page + error_page 502 /502.html; + location = /502.html { + root /path/to/.rccontrol/enterprise-1/static; + } + } \ No newline at end of file