Show More
| @@ -5,6 +5,11 b' Use the following example to configure N' | |||||
| 5 |
|
5 | |||
| 6 | .. code-block:: nginx |
|
6 | .. code-block:: nginx | |
| 7 |
|
7 | |||
|
|
8 | log_format log_custom '$remote_addr - $remote_user [$time_local] ' | |||
|
|
9 | '"$request" $status $body_bytes_sent ' | |||
|
|
10 | '"$http_referer" "$http_user_agent" ' | |||
|
|
11 | '$request_time $upstream_response_time $pipe'; | |||
|
|
12 | ||||
| 8 | upstream rc { |
|
13 | upstream rc { | |
| 9 |
|
14 | |||
| 10 | server 127.0.0.1:10002; |
|
15 | server 127.0.0.1:10002; | |
| @@ -14,12 +19,12 b' Use the following example to configure N' | |||||
| 14 | # server 127.0.0.1:10004; |
|
19 | # server 127.0.0.1:10004; | |
| 15 | } |
|
20 | } | |
| 16 |
|
21 | |||
| 17 | ## gist alias |
|
22 | ## gist alias server, for serving nicer GIST urls | |
| 18 |
|
23 | |||
| 19 | server { |
|
24 | server { | |
| 20 | listen 443; |
|
25 | listen 443; | |
| 21 | server_name gist.myserver.com; |
|
26 | server_name gist.myserver.com; | |
| 22 | access_log /var/log/nginx/gist.access.log; |
|
27 | access_log /var/log/nginx/gist.access.log log_custom; | |
| 23 | error_log /var/log/nginx/gist.error.log; |
|
28 | error_log /var/log/nginx/gist.error.log; | |
| 24 |
|
29 | |||
| 25 | ssl on; |
|
30 | ssl on; | |
| @@ -28,23 +33,36 b' Use the following example to configure N' | |||||
| 28 |
|
33 | |||
| 29 | ssl_session_timeout 5m; |
|
34 | ssl_session_timeout 5m; | |
| 30 |
|
35 | |||
| 31 |
ssl_protocols |
|
36 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| 32 | ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; |
|
|||
| 33 | ssl_prefer_server_ciphers on; |
|
37 | ssl_prefer_server_ciphers on; | |
|
|
38 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |||
|
|
39 | ||||
| 34 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; |
|
40 | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |
| 35 |
|
41 | |||
| 36 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits |
|
42 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
| 37 | ssl_dhparam /etc/nginx/ssl/dhparam.pem; |
|
43 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
| 38 |
|
44 | |||
| 39 | rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; |
|
45 | rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; | |
| 40 | rewrite (.*) https://rhodecode.myserver.com/_admin/gists; |
|
46 | rewrite (.*) https://rhodecode.myserver.com/_admin/gists; | |
| 41 | } |
|
47 | } | |
| 42 |
|
48 | |||
|
|
49 | ## HTTP to HTTPS rewrite | |||
| 43 | server { |
|
50 | server { | |
| 44 |
listen |
|
51 | listen 80; | |
| 45 | server_name rhodecode.myserver.com; |
|
52 | server_name rhodecode.myserver.com; | |
| 46 | access_log /var/log/nginx/rhodecode.access.log; |
|
53 | ||
| 47 | error_log /var/log/nginx/rhodecode.error.log; |
|
54 | if ($http_host = rhodecode.myserver.com) { | |
|
|
55 | rewrite (.*) https://rhodecode.myserver.com$1 permanent; | |||
|
|
56 | } | |||
|
|
57 | } | |||
|
|
58 | ||||
|
|
59 | ## MAIN SSL enabled server | |||
|
|
60 | server { | |||
|
|
61 | listen 443 ssl; | |||
|
|
62 | server_name rhodecode.myserver.com; | |||
|
|
63 | ||||
|
|
64 | access_log /var/log/nginx/rhodecode.access.log log_custom; | |||
|
|
65 | error_log /var/log/nginx/rhodecode.error.log; | |||
| 48 |
|
66 | |||
| 49 | ssl on; |
|
67 | ssl on; | |
| 50 | ssl_certificate rhodecode.myserver.com.crt; |
|
68 | ssl_certificate rhodecode.myserver.com.crt; | |
| @@ -52,13 +70,16 b' Use the following example to configure N' | |||||
| 52 |
|
70 | |||
| 53 | ssl_session_timeout 5m; |
|
71 | ssl_session_timeout 5m; | |
| 54 |
|
72 | |||
| 55 |
ssl_protocols |
|
73 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| 56 | ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; |
|
|||
| 57 | ssl_prefer_server_ciphers on; |
|
74 | ssl_prefer_server_ciphers on; | |
|
|
75 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |||
| 58 |
|
76 | |||
| 59 | include /etc/nginx/proxy.conf; |
|
77 | # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
|
|
78 | #ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |||
| 60 |
|
79 | |||
| 61 | ## uncomment to serve static files by nginx |
|
80 | include /etc/nginx/proxy.conf; | |
|
|
81 | ||||
|
|
82 | ## serve static files by nginx, recommended | |||
| 62 | # location /_static/rhodecode { |
|
83 | # location /_static/rhodecode { | |
| 63 | # alias /path/to/.rccontrol/enterprise-1/static; |
|
84 | # alias /path/to/.rccontrol/enterprise-1/static; | |
| 64 | # } |
|
85 | # } | |
| @@ -66,16 +87,17 b' Use the following example to configure N' | |||||
| 66 | ## channel stream live components |
|
87 | ## channel stream live components | |
| 67 | location /_channelstream { |
|
88 | location /_channelstream { | |
| 68 | rewrite /_channelstream/(.*) /$1 break; |
|
89 | rewrite /_channelstream/(.*) /$1 break; | |
|
|
90 | proxy_pass http://127.0.0.1:9800; | |||
|
|
91 | ||||
| 69 | proxy_connect_timeout 10; |
|
92 | proxy_connect_timeout 10; | |
| 70 | proxy_send_timeout 10m; |
|
93 | proxy_send_timeout 10m; | |
| 71 | proxy_read_timeout 10m; |
|
94 | proxy_read_timeout 10m; | |
| 72 |
tcp_nodelay |
|
95 | tcp_nodelay off; | |
| 73 | proxy_pass http://127.0.0.1:9800; |
|
|||
| 74 | proxy_set_header Host $host; |
|
96 | proxy_set_header Host $host; | |
| 75 | proxy_set_header X-Real-IP $remote_addr; |
|
97 | proxy_set_header X-Real-IP $remote_addr; | |
| 76 |
proxy_set_header |
|
98 | proxy_set_header X-Url-Scheme $scheme; | |
| 77 |
proxy_set_header |
|
99 | proxy_set_header X-Forwarded-Proto $scheme; | |
| 78 |
proxy_set_header |
|
100 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| 79 | gzip off; |
|
101 | gzip off; | |
| 80 | proxy_http_version 1.1; |
|
102 | proxy_http_version 1.1; | |
| 81 | proxy_set_header Upgrade $http_upgrade; |
|
103 | proxy_set_header Upgrade $http_upgrade; | |
| @@ -89,4 +111,10 b' Use the following example to configure N' | |||||
| 89 | location @rhode { |
|
111 | location @rhode { | |
| 90 | proxy_pass http://rc; |
|
112 | proxy_pass http://rc; | |
| 91 | } |
|
113 | } | |
| 92 | } |
|
114 | ||
|
|
115 | ## custom 502 error page | |||
|
|
116 | error_page 502 /502.html; | |||
|
|
117 | location = /502.html { | |||
|
|
118 | root /path/to/.rccontrol/enterprise-1/static; | |||
|
|
119 | } | |||
|
|
120 | } No newline at end of file | |||
General Comments 0
You need to be logged in to leave comments.
Login now