# HG changeset patch # User Marcin Kuzminski # Date 2018-12-22 09:24:14 # Node ID 6387bcdaeaf98217ac22e48380c8ca425dda53c2 # Parent 46ccc155dcc851fc725689b1873a5710cb6c8f4f docs: updated configuration for nginx and reverse proxy. diff --git a/docs/admin/nginx-config-example.rst b/docs/admin/nginx-config-example.rst --- a/docs/admin/nginx-config-example.rst +++ b/docs/admin/nginx-config-example.rst @@ -6,16 +6,16 @@ Use the following example to configure N .. code-block:: nginx - ## rate limiter for certain pages to prevent brute force attacks + ## Rate limiter for certain pages to prevent brute force attacks limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r/s; - ## custom log format + ## Custom log format log_format log_custom '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" ' '$request_time $upstream_response_time $pipe'; - ## define upstream (local RhodeCode instance) to connect to + ## Define one or more upstreams (local RhodeCode instance) to connect to upstream rc { # Url to running RhodeCode instance. # This is shown as `- URL: ` in output from rccontrol status. @@ -53,10 +53,10 @@ Use the following example to configure N ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - # strict http prevents from https -> http downgrade + ## Strict http prevents from https -> http downgrade add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits #ssl_dhparam /etc/nginx/ssl/dhparam.pem; rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; @@ -66,27 +66,37 @@ Use the following example to configure N ## MAIN SSL enabled server server { - listen 443 ssl; + listen 443 ssl http2; server_name rhodecode.myserver.com; access_log /var/log/nginx/rhodecode.access.log log_custom; error_log /var/log/nginx/rhodecode.error.log; - ssl on; ssl_certificate rhodecode.myserver.com.crt; ssl_certificate_key rhodecode.myserver.com.key; + # enable session resumption to improve https performance + # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html + ssl_session_cache shared:SSL:50m; ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - - # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits #ssl_dhparam /etc/nginx/ssl/dhparam.pem; - # example of proxy.conf can be found in our docs. - include /etc/nginx/proxy.conf; + # enables server-side protection from BEAST attacks + # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html + ssl_prefer_server_ciphers on; + + # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + # ciphers chosen for forward secrecy and compatibility + # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + client_body_buffer_size 128k; + # maximum number and size of buffers for large headers to read from client request + large_client_header_buffers 16 256k; ## uncomment to serve static files by Nginx, recommended for performance # location /_static/rhodecode { @@ -101,43 +111,48 @@ Use the following example to configure N # alias /path/to/.rccontrol/enterprise-1/static; # } - ## channelstream websocket handling + ## channelstream location handler, if channelstream live chat and notifications + ## are enable this will proxy the requests to channelstream websocket server location /_channelstream { rewrite /_channelstream/(.*) /$1 break; - - proxy_pass http://127.0.0.1:9800; + gzip off; + tcp_nodelay off; proxy_connect_timeout 10; proxy_send_timeout 10m; proxy_read_timeout 10m; - tcp_nodelay off; + proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Url-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - gzip off; + proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; + + proxy_pass http://127.0.0.1:9800; } ## rate limit this endpoint to prevent login page brute-force attacks location /_admin/login { limit_req zone=req_limit burst=10 nodelay; - try_files $uri @rhode; + try_files $uri @rhodecode_http; } location / { - try_files $uri @rhode; + try_files $uri @rhodecode_http; } - location @rhode { - proxy_pass http://rc; + location @rhodecode_http { + # example of proxy.conf can be found in our docs. + include /etc/nginx/proxy.conf; + proxy_pass http://rc; } - ## custom 502 error page. Will be displayed while RhodeCode server - ## is turned off + ## Custom 502 error page. + ## Will be displayed while RhodeCode server is turned off error_page 502 /502.html; location = /502.html { #root /path/to/.rccontrol/community-1/static; diff --git a/docs/admin/nginx-proxy-conf.rst b/docs/admin/nginx-proxy-conf.rst --- a/docs/admin/nginx-proxy-conf.rst +++ b/docs/admin/nginx-proxy-conf.rst @@ -12,23 +12,36 @@ timeout during large pushes. proxy_redirect off; proxy_set_header Host $http_host; + ## If you use HTTPS make sure you disable gzip compression + ## to be safe against BREACH attack. + gzip off; + + # Don't buffer requests in NGINX stream them using chunked-encoding + proxy_buffering off; + + ## This is also required for later GIT to use streaming. + ## Works only for Nginx 1.7.11 and newer + proxy_request_buffering off; + proxy_http_version 1.1; + + ## Set this to a larger number if you experience timeouts + ## or 413 Request Entity Too Large, 10GB is enough for most cases + client_max_body_size 10240m; + ## needed for container auth - # proxy_set_header REMOTE_USER $remote_user; - # proxy_set_header X-Forwarded-User $remote_user; + # proxy_set_header REMOTE_USER $remote_user; + # proxy_set_header X-Forwarded-User $remote_user; proxy_set_header X-Url-Scheme $scheme; proxy_set_header X-Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy-host $proxy_host; - proxy_buffering off; + proxy_connect_timeout 7200; proxy_send_timeout 7200; proxy_read_timeout 7200; proxy_buffers 8 32k; - # Set this to a larger number if you experience timeouts - client_max_body_size 1024m; - client_body_buffer_size 128k; - large_client_header_buffers 8 64k; + add_header X-Frame-Options SAMEORIGIN; add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";