docs: added example upload store cache with Nginx
marcink -
r3448:51bb9d9f default
@@ -1,161 +1,192 b''
1 Nginx Configuration Example
1 Nginx Configuration Example
2 ---------------------------
2 ---------------------------
3
3
4 Use the following example to configure Nginx as a your web server.
4 Use the following example to configure Nginx as a your web server.
5
5
6
6
7 .. code-block:: nginx
7 .. code-block:: nginx
8
8
9 ## Rate limiter for certain pages to prevent brute force attacks
9 ## Rate limiter for certain pages to prevent brute force attacks
10 limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r/s;
10 limit_req_zone $binary_remote_addr zone=req_limit:10m rate=1r/s;
11
11
12 ## cache zone
13 proxy_cache_path /etc/nginx/nginx_cache levels=1:2 use_temp_path=off keys_zone=cache_zone:10m inactive=720h max_size=10g;
14
12 ## Custom log format
15 ## Custom log format
13 log_format log_custom '$remote_addr - $remote_user [$time_local] '
16 log_format log_custom '$remote_addr - $remote_user [$time_local] '
14 '"$request" $status $body_bytes_sent '
17 '"$request" $status $body_bytes_sent '
15 '"$http_referer" "$http_user_agent" '
18 '"$http_referer" "$http_user_agent" '
16 '$request_time $upstream_response_time $pipe';
19 '$request_time $upstream_response_time $pipe';
17
20
18 ## Define one or more upstreams (local RhodeCode instance) to connect to
21 ## Define one or more upstreams (local RhodeCode instance) to connect to
19 upstream rc {
22 upstream rc {
20 # Url to running RhodeCode instance.
23 # Url to running RhodeCode instance.
21 # This is shown as `- URL: <host>` in output from rccontrol status.
24 # This is shown as `- URL: <host>` in output from rccontrol status.
22 server 127.0.0.1:10002;
25 server 127.0.0.1:10002;
23
26
24 # add more instances for load balancing
27 # add more instances for load balancing
25 # server 127.0.0.1:10003;
28 # server 127.0.0.1:10003;
26 # server 127.0.0.1:10004;
29 # server 127.0.0.1:10004;
27 }
30 }
28
31
29 ## HTTP to HTTPS rewrite
32 ## HTTP to HTTPS rewrite
30 server {
33 server {
31 listen 80;
34 listen 80;
32 server_name rhodecode.myserver.com;
35 server_name rhodecode.myserver.com;
33
36
34 if ($http_host = rhodecode.myserver.com) {
37 if ($http_host = rhodecode.myserver.com) {
35 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
38 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
36 }
39 }
37 }
40 }
38
41
39 ## Optional gist alias server, for serving nicer GIST urls.
42 ## Optional gist alias server, for serving nicer GIST urls.
40 server {
43 server {
41 listen 443;
44 listen 443;
42 server_name gist.myserver.com;
45 server_name gist.myserver.com;
43 access_log /var/log/nginx/gist.access.log log_custom;
46 access_log /var/log/nginx/gist.access.log log_custom;
44 error_log /var/log/nginx/gist.error.log;
47 error_log /var/log/nginx/gist.error.log;
45
48
46 ssl on;
49 ssl on;
47 ssl_certificate gist.rhodecode.myserver.com.crt;
50 ssl_certificate gist.rhodecode.myserver.com.crt;
48 ssl_certificate_key gist.rhodecode.myserver.com.key;
51 ssl_certificate_key gist.rhodecode.myserver.com.key;
49
52
50 ssl_session_timeout 5m;
53 ssl_session_timeout 5m;
51
54
52 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
55 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
53 ssl_prefer_server_ciphers on;
56 ssl_prefer_server_ciphers on;
54 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
57 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
55
58
56 ## Strict http prevents from https -> http downgrade
59 ## Strict http prevents from https -> http downgrade
57 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
60 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
58
61
59 ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
62 ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
60 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
63 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
61
64
62 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
65 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
63 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
66 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
64 }
67 }
65
68
66
69
67 ## MAIN SSL enabled server
70 ## MAIN SSL enabled server
68 server {
71 server {
69 listen 443 ssl http2;
72 listen 443 ssl http2;
70 server_name rhodecode.myserver.com;
73 server_name rhodecode.myserver.com;
71
74
72 access_log /var/log/nginx/rhodecode.access.log log_custom;
75 access_log /var/log/nginx/rhodecode.access.log log_custom;
73 error_log /var/log/nginx/rhodecode.error.log;
76 error_log /var/log/nginx/rhodecode.error.log;
74
77
75 ssl_certificate rhodecode.myserver.com.crt;
78 ssl_certificate rhodecode.myserver.com.crt;
76 ssl_certificate_key rhodecode.myserver.com.key;
79 ssl_certificate_key rhodecode.myserver.com.key;
77
80
78 # enable session resumption to improve https performance
81 # enable session resumption to improve https performance
79 # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
82 # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
80 ssl_session_cache shared:SSL:50m;
83 ssl_session_cache shared:SSL:50m;
81 ssl_session_timeout 5m;
84 ssl_session_timeout 5m;
82
85
83 ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
86 ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
84 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
87 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
85
88
86 # enables server-side protection from BEAST attacks
89 # enables server-side protection from BEAST attacks
87 # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
90 # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
88 ssl_prefer_server_ciphers on;
91 ssl_prefer_server_ciphers on;
89
92
90 # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
93 # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
91 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
94 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
92
95
93 # ciphers chosen for forward secrecy and compatibility
96 # ciphers chosen for forward secrecy and compatibility
94 # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
97 # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
95 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
98 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
96
99
97 client_body_buffer_size 128k;
100 client_body_buffer_size 128k;
98 # maximum number and size of buffers for large headers to read from client request
101 # maximum number and size of buffers for large headers to read from client request
99 large_client_header_buffers 16 256k;
102 large_client_header_buffers 16 256k;
100
103
101 ## uncomment to serve static files by Nginx, recommended for performance
104 ## uncomment to serve static files by Nginx, recommended for performance
102 # location /_static/rhodecode {
105 # location /_static/rhodecode {
103 # gzip on;
106 # gzip on;
104 # gzip_min_length 500;
107 # gzip_min_length 500;
105 # gzip_proxied any;
108 # gzip_proxied any;
106 # gzip_comp_level 4;
109 # gzip_comp_level 4;
107 # gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
110 # gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
108 # gzip_vary on;
111 # gzip_vary on;
109 # gzip_disable "msie6";
112 # gzip_disable "msie6";
110 # alias /path/to/.rccontrol/community-1/static;
113 # alias /path/to/.rccontrol/community-1/static;
111 # alias /path/to/.rccontrol/enterprise-1/static;
114 # alias /path/to/.rccontrol/enterprise-1/static;
112 # }
115 # }
113
116
114 ## channelstream location handler, if channelstream live chat and notifications
117 ## channelstream location handler, if channelstream live chat and notifications
115 ## are enable this will proxy the requests to channelstream websocket server
118 ## are enable this will proxy the requests to channelstream websocket server
116 location /_channelstream {
119 location /_channelstream {
117 rewrite /_channelstream/(.*) /$1 break;
120 rewrite /_channelstream/(.*) /$1 break;
118 gzip off;
121 gzip off;
119 tcp_nodelay off;
122 tcp_nodelay off;
120
123
121 proxy_connect_timeout 10;
124 proxy_connect_timeout 10;
122 proxy_send_timeout 10m;
125 proxy_send_timeout 10m;
123 proxy_read_timeout 10m;
126 proxy_read_timeout 10m;
124
127
125 proxy_set_header Host $host;
128 proxy_set_header Host $host;
126 proxy_set_header X-Real-IP $remote_addr;
129 proxy_set_header X-Real-IP $remote_addr;
127 proxy_set_header X-Url-Scheme $scheme;
130 proxy_set_header X-Url-Scheme $scheme;
128 proxy_set_header X-Forwarded-Proto $scheme;
131 proxy_set_header X-Forwarded-Proto $scheme;
129 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
132 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
130
133
131 proxy_http_version 1.1;
134 proxy_http_version 1.1;
132 proxy_set_header Upgrade $http_upgrade;
135 proxy_set_header Upgrade $http_upgrade;
133 proxy_set_header Connection "upgrade";
136 proxy_set_header Connection "upgrade";
134
137
135 proxy_pass http://127.0.0.1:9800;
138 proxy_pass http://127.0.0.1:9800;
136 }
139 }
137
140
138 ## rate limit this endpoint to prevent login page brute-force attacks
141 ## rate limit this endpoint to prevent login page brute-force attacks
139 location /_admin/login {
142 location /_admin/login {
140 limit_req zone=req_limit burst=10 nodelay;
143 limit_req zone=req_limit burst=10 nodelay;
141 try_files $uri @rhodecode_http;
144 try_files $uri @rhodecode_http;
142 }
145 }
143
146
147 ## Special Cache for file store, make sure you enable this intentionally as
148 ## it could bypass upload files permissions
149 # location /_file_store/download {
150 #
151 # proxy_cache cache_zone;
152 # # ignore Set-Cookie
153 # proxy_ignore_headers Set-Cookie;
154 # proxy_ignore_headers Cookie;
155 #
156 # proxy_cache_key $host$uri$is_args$args;
157 # proxy_cache_methods GET;
158 #
159 # proxy_cache_bypass $http_cache_control;
160 # proxy_cache_valid 200 302 720h;
161 #
162 # proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
163 #
164 # # returns cache status in headers
165 # add_header X-Proxy-Cache $upstream_cache_status;
166 # add_header Cache-Control "public";
167 #
168 # proxy_cache_lock on;
169 # proxy_cache_lock_age 5m;
170 #
171 # proxy_pass http://rc;
172 #
173 # }
174
144 location / {
175 location / {
145 try_files $uri @rhodecode_http;
176 try_files $uri @rhodecode_http;
146 }
177 }
147
178
148 location @rhodecode_http {
179 location @rhodecode_http {
149 # example of proxy.conf can be found in our docs.
180 # example of proxy.conf can be found in our docs.
150 include /etc/nginx/proxy.conf;
181 include /etc/nginx/proxy.conf;
151 proxy_pass http://rc;
182 proxy_pass http://rc;
152 }
183 }
153
184
154 ## Custom 502 error page.
185 ## Custom 502 error page.
155 ## Will be displayed while RhodeCode server is turned off
186 ## Will be displayed while RhodeCode server is turned off
156 error_page 502 /502.html;
187 error_page 502 /502.html;
157 location = /502.html {
188 location = /502.html {
158 #root /path/to/.rccontrol/community-1/static;
189 #root /path/to/.rccontrol/community-1/static;
159 root /path/to/.rccontrol/enterprise-1/static;
190 root /path/to/.rccontrol/enterprise-1/static;
160 }
191 }
161 } No newline at end of file
192 }
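Review bot: `proxy_ignore_headers Cookie;` on new line 154 is not a valid value — proxy_ignore_headers only takes upstream response header names (X-Accel-Expires, Expires, Cache-Control, Set-Cookie, Vary), so nginx rejects the configuration as soon as a reader uncomments the block; drop that line. Separately, the cache key on line 156 (`$host$uri$is_args$args`) carries no user identity while line 153 discards Set-Cookie, so a download generated for one authenticated user is served from the cache to any later requester of the same URL, and `add_header Cache-Control "public"` on line 166 tells browser and intermediate caches to share it as well; this is the permission bypass the comment on lines 147–148 warns about, and the comment should state the mechanism rather than only the consequence. If the intent is to cache only anonymous downloads, `proxy_no_cache $http_cookie;` plus `proxy_cache_bypass $http_cache_control $http_cookie;` on line 159 expresses that; otherwise a note such as `# cached responses are shared across all users: enable only if every file under /_file_store/download is public` belongs next to the existing warning.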