docs: added gzip into static files for nginx
marcink -
r2146:2d80515a default
@@ -1,136 +1,143 b''
1 Nginx Configuration Example
1 Nginx Configuration Example
2 ---------------------------
2 ---------------------------
3
3
4 Use the following example to configure Nginx as a your web server.
4 Use the following example to configure Nginx as a your web server.
5
5
6
6
7 .. code-block:: nginx
7 .. code-block:: nginx
8
8
9 ## rate limiter for certain pages to prevent brute force attacks
9 ## rate limiter for certain pages to prevent brute force attacks
10 limit_req_zone $binary_remote_addr zone=dl_limit:10m rate=1r/s;
10 limit_req_zone $binary_remote_addr zone=dl_limit:10m rate=1r/s;
11
11
12 ## custom log format
12 ## custom log format
13 log_format log_custom '$remote_addr - $remote_user [$time_local] '
13 log_format log_custom '$remote_addr - $remote_user [$time_local] '
14 '"$request" $status $body_bytes_sent '
14 '"$request" $status $body_bytes_sent '
15 '"$http_referer" "$http_user_agent" '
15 '"$http_referer" "$http_user_agent" '
16 '$request_time $upstream_response_time $pipe';
16 '$request_time $upstream_response_time $pipe';
17
17
18 ## define upstream (local RhodeCode instance) to connect to
18 ## define upstream (local RhodeCode instance) to connect to
19 upstream rc {
19 upstream rc {
20 # Url to running RhodeCode instance.
20 # Url to running RhodeCode instance.
21 # This is shown as `- URL:` in output from rccontrol status.
21 # This is shown as `- URL:` in output from rccontrol status.
22 server 127.0.0.1:10002;
22 server 127.0.0.1:10002;
23
23
24 # add more instances for load balancing
24 # add more instances for load balancing
25 # server 127.0.0.1:10003;
25 # server 127.0.0.1:10003;
26 # server 127.0.0.1:10004;
26 # server 127.0.0.1:10004;
27 }
27 }
28
28
29 ## HTTP to HTTPS rewrite
29 ## HTTP to HTTPS rewrite
30 server {
30 server {
31 listen 80;
31 listen 80;
32 server_name rhodecode.myserver.com;
32 server_name rhodecode.myserver.com;
33
33
34 if ($http_host = rhodecode.myserver.com) {
34 if ($http_host = rhodecode.myserver.com) {
35 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
35 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
36 }
36 }
37 }
37 }
38
38
39 ## Optional gist alias server, for serving nicer GIST urls.
39 ## Optional gist alias server, for serving nicer GIST urls.
40 server {
40 server {
41 listen 443;
41 listen 443;
42 server_name gist.myserver.com;
42 server_name gist.myserver.com;
43 access_log /var/log/nginx/gist.access.log log_custom;
43 access_log /var/log/nginx/gist.access.log log_custom;
44 error_log /var/log/nginx/gist.error.log;
44 error_log /var/log/nginx/gist.error.log;
45
45
46 ssl on;
46 ssl on;
47 ssl_certificate gist.rhodecode.myserver.com.crt;
47 ssl_certificate gist.rhodecode.myserver.com.crt;
48 ssl_certificate_key gist.rhodecode.myserver.com.key;
48 ssl_certificate_key gist.rhodecode.myserver.com.key;
49
49
50 ssl_session_timeout 5m;
50 ssl_session_timeout 5m;
51
51
52 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
52 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
53 ssl_prefer_server_ciphers on;
53 ssl_prefer_server_ciphers on;
54 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
54 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
55
55
56 # strict http prevents from https -> http downgrade
56 # strict http prevents from https -> http downgrade
57 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
57 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
58
58
59 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
59 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
60 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
60 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
61
61
62 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
62 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
63 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
63 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
64 }
64 }
65
65
66
66
67 ## MAIN SSL enabled server
67 ## MAIN SSL enabled server
68 server {
68 server {
69 listen 443 ssl;
69 listen 443 ssl;
70 server_name rhodecode.myserver.com;
70 server_name rhodecode.myserver.com;
71
71
72 access_log /var/log/nginx/rhodecode.access.log log_custom;
72 access_log /var/log/nginx/rhodecode.access.log log_custom;
73 error_log /var/log/nginx/rhodecode.error.log;
73 error_log /var/log/nginx/rhodecode.error.log;
74
74
75 ssl on;
75 ssl on;
76 ssl_certificate rhodecode.myserver.com.crt;
76 ssl_certificate rhodecode.myserver.com.crt;
77 ssl_certificate_key rhodecode.myserver.com.key;
77 ssl_certificate_key rhodecode.myserver.com.key;
78
78
79 ssl_session_timeout 5m;
79 ssl_session_timeout 5m;
80
80
81 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
81 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
82 ssl_prefer_server_ciphers on;
82 ssl_prefer_server_ciphers on;
83 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
83 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
84
84
85 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
85 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
86 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
86 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
87
87
88 include /etc/nginx/proxy.conf;
88 include /etc/nginx/proxy.conf;
89
89
90 ## serve static files by Nginx, recommended for performance
90 ## serve static files by Nginx, recommended for performance
91 # location /_static/rhodecode {
91 # location /_static/rhodecode {
92 # gzip on;
93 # gzip_min_length 500;
94 # gzip_proxied any;
95 # gzip_comp_level 4;
96 # gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
97 # gzip_vary on;
98 # gzip_disable "msie6";
92 # alias /path/to/.rccontrol/enterprise-1/static;
99 # alias /path/to/.rccontrol/enterprise-1/static;
93 # }
100 # }
94
101
95 ## channelstream websocket handling
102 ## channelstream websocket handling
96 location /_channelstream {
103 location /_channelstream {
97 rewrite /_channelstream/(.*) /$1 break;
104 rewrite /_channelstream/(.*) /$1 break;
98
105
99 proxy_pass http://127.0.0.1:9800;
106 proxy_pass http://127.0.0.1:9800;
100
107
101 proxy_connect_timeout 10;
108 proxy_connect_timeout 10;
102 proxy_send_timeout 10m;
109 proxy_send_timeout 10m;
103 proxy_read_timeout 10m;
110 proxy_read_timeout 10m;
104 tcp_nodelay off;
111 tcp_nodelay off;
105 proxy_set_header Host $host;
112 proxy_set_header Host $host;
106 proxy_set_header X-Real-IP $remote_addr;
113 proxy_set_header X-Real-IP $remote_addr;
107 proxy_set_header X-Url-Scheme $scheme;
114 proxy_set_header X-Url-Scheme $scheme;
108 proxy_set_header X-Forwarded-Proto $scheme;
115 proxy_set_header X-Forwarded-Proto $scheme;
109 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
116 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
110 gzip off;
117 gzip off;
111 proxy_http_version 1.1;
118 proxy_http_version 1.1;
112 proxy_set_header Upgrade $http_upgrade;
119 proxy_set_header Upgrade $http_upgrade;
113 proxy_set_header Connection "upgrade";
120 proxy_set_header Connection "upgrade";
114 }
121 }
115
122
116 location /_admin/login {
123 location /_admin/login {
117 ## rate limit this endpoint
124 ## rate limit this endpoint
118 limit_req zone=dl_limit burst=10 nodelay;
125 limit_req zone=dl_limit burst=10 nodelay;
119 try_files $uri @rhode;
126 try_files $uri @rhode;
120 }
127 }
121
128
122 location / {
129 location / {
123 try_files $uri @rhode;
130 try_files $uri @rhode;
124 }
131 }
125
132
126 location @rhode {
133 location @rhode {
127 proxy_pass http://rc;
134 proxy_pass http://rc;
128 }
135 }
129
136
130 ## custom 502 error page. Will be displayed while RhodeCode server
137 ## custom 502 error page. Will be displayed while RhodeCode server
131 ## is turned off
138 ## is turned off
132 error_page 502 /502.html;
139 error_page 502 /502.html;
133 location = /502.html {
140 location = /502.html {
134 root /path/to/.rccontrol/enterprise-1/static;
141 root /path/to/.rccontrol/enterprise-1/static;
135 }
142 }
136 } No newline at end of file
143 }
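Review bot: The gzip directives added to the commented `location /_static/rhodecode` block carry no comment saying that compression is intended for static assets only, so an operator who lifts them to the `server` level would also compress the proxied application responses from `@rhode` over TLS, which is the precondition for compression side-channel issues such as BREACH. Only `/_channelstream` sets `gzip off` explicitly; the other locations rely on the nginx default. I would add a line above `gzip on;` such as `## compress static assets only; keep gzip off for proxied application responses served over TLS`. Separately, `gzip_proxied any` only takes effect for requests that arrive through another proxy (nginx keys this on the `Via` request header), which this example does not show, so it may be unnecessary here.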