docs: added an example of how to secure the login page from brute force attacks.
dan -
r1808:e5a0601c default
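--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,125 +1,134 @@
 Nginx Configuration Example
 ---------------------------
 
 Use the following example to configure Nginx as a your web server.
 
 
 .. code-block:: nginx
+## rate limiter for certain pages to prevent brute force attacks
+limit_req_zone $binary_remote_addr zone=dl_limit:10m rate=1r/s;
 
+## custom log format
 log_format log_custom '$remote_addr - $remote_user [$time_local] '
 '"$request" $status $body_bytes_sent '
 '"$http_referer" "$http_user_agent" '
 '$request_time $upstream_response_time $pipe';
 
 ## define upstream (local RhodeCode instance) to connect to
 upstream rc {
 # Url to running RhodeCode instance.
 # This is shown as `- URL:` in output from rccontrol status.
 server 127.0.0.1:10002;
 
 # add more instances for load balancing
 # server 127.0.0.1:10003;
 # server 127.0.0.1:10004;
 }
 
 ## HTTP to HTTPS rewrite
 server {
 listen 80;
 server_name rhodecode.myserver.com;
 
 if ($http_host = rhodecode.myserver.com) {
 rewrite (.*) https://rhodecode.myserver.com$1 permanent;
 }
 }
 
 ## Optional gist alias server, for serving nicer GIST urls.
 server {
 listen 443;
 server_name gist.myserver.com;
 access_log /var/log/nginx/gist.access.log log_custom;
 error_log /var/log/nginx/gist.error.log;
 
 ssl on;
 ssl_certificate gist.rhodecode.myserver.com.crt;
 ssl_certificate_key gist.rhodecode.myserver.com.key;
 
 ssl_session_timeout 5m;
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 
 # strict http prevents from https -> http downgrade
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
 }
 
 
 ## MAIN SSL enabled server
 server {
 listen 443 ssl;
 server_name rhodecode.myserver.com;
 
 access_log /var/log/nginx/rhodecode.access.log log_custom;
 error_log /var/log/nginx/rhodecode.error.log;
 
 ssl on;
 ssl_certificate rhodecode.myserver.com.crt;
 ssl_certificate_key rhodecode.myserver.com.key;
 
 ssl_session_timeout 5m;
 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
 include /etc/nginx/proxy.conf;
 
 ## serve static files by Nginx, recommended for performance
 # location /_static/rhodecode {
 # alias /path/to/.rccontrol/enterprise-1/static;
 # }
 
 ## channelstream websocket handling
 location /_channelstream {
 rewrite /_channelstream/(.*) /$1 break;
 
 proxy_pass http://127.0.0.1:9800;
 
 proxy_connect_timeout 10;
 proxy_send_timeout 10m;
 proxy_read_timeout 10m;
 tcp_nodelay off;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Url-Scheme $scheme;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 gzip off;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 }
 
+location /_admin/login {
+## rate limit this endpoint
+limit_req zone=dl_limit burst=10 nodelay;
+try_files $uri @rhode;
+}
+
 location / {
 try_files $uri @rhode;
 }
 
 location @rhode {
 proxy_pass http://rc;
 }
 
 ## custom 502 error page
 error_page 502 /502.html;
 location = /502.html {
 root /path/to/.rccontrol/enterprise-1/static;
 }
 }
\ No newline at end of file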
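Review bot: The new `location /_admin/login` block answers over-limit requests with nginx's default 503, which in the `log_custom` access log and in monitoring looks the same as a genuinely unavailable backend; adding `limit_req_status 429;` directly under the `limit_req zone=dl_limit burst=10 nodelay;` line makes throttled login attempts distinguishable, and 429 is the status defined for this case. The zone on the new `limit_req_zone $binary_remote_addr ...` line is keyed on the client address as nginx sees it, so if another proxy or load balancer sits in front of this nginx (not the case in the example as drawn, but common) every client lands in one bucket and legitimate users are throttled together; the example should say so next to the zone definition, e.g. `## keyed on the client address nginx sees; revisit the key if another proxy sits in front`. It is also worth a sentence in the prose that this is a per-address limit that complements, not replaces, account lockout on the application side, and that rejected requests are written to rhodecode.error.log by the limit_req module (error level by default), which is where an operator would watch for them.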