##// END OF EJS Templates
auth: don't break hashing in case of user with empty password....
auth: don't break hashing in case of user with empty password. In some cases such as LDAP user created via external scripts users might set the passwords to empty. The hashing uses the md5(password_hash) to store reference to detect password changes and forbid using the same password. In case of pure LDAP users this is not valid, and we shouldn't raise Errors in such case. This change makes it work for empty passwords now.

File last commit:

r2146:2d80515a default
r2203:8a18c3c3 default
Show More
nginx-config-example.rst
142 lines | 6.2 KiB | text/x-rst | RstLexer
/ docs / admin / nginx-config-example.rst

Nginx Configuration Example

Use the following example to configure Nginx as a your web server.

## rate limiter for certain pages to prevent brute force attacks
limit_req_zone  $binary_remote_addr  zone=dl_limit:10m   rate=1r/s;

## custom log format
log_format log_custom '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" '
                      '$request_time $upstream_response_time $pipe';

## define upstream (local RhodeCode instance) to connect to
upstream rc {
    # Url to running RhodeCode instance.
    # This is shown as `- URL:` in output from rccontrol status.
    server 127.0.0.1:10002;

    # add more instances for load balancing
    # server 127.0.0.1:10003;
    # server 127.0.0.1:10004;
}

## HTTP to HTTPS rewrite
server {
    listen          80;
    server_name     rhodecode.myserver.com;

    if ($http_host = rhodecode.myserver.com) {
        rewrite  (.*)  https://rhodecode.myserver.com$1 permanent;
    }
}

## Optional gist alias server, for serving nicer GIST urls.
server {
    listen          443;
    server_name     gist.myserver.com;
    access_log      /var/log/nginx/gist.access.log log_custom;
    error_log       /var/log/nginx/gist.error.log;

    ssl on;
    ssl_certificate     gist.rhodecode.myserver.com.crt;
    ssl_certificate_key gist.rhodecode.myserver.com.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # strict http prevents from https -> http downgrade
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
    rewrite (.*)    https://rhodecode.myserver.com/_admin/gists;
}


## MAIN SSL enabled server
server {
    listen       443 ssl;
    server_name  rhodecode.myserver.com;

    access_log   /var/log/nginx/rhodecode.access.log log_custom;
    error_log    /var/log/nginx/rhodecode.error.log;

    ssl on;
    ssl_certificate     rhodecode.myserver.com.crt;
    ssl_certificate_key rhodecode.myserver.com.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    include     /etc/nginx/proxy.conf;

    ## serve static files by Nginx, recommended for performance
    # location /_static/rhodecode {
    #    gzip on;
    #    gzip_min_length  500;
    #    gzip_proxied     any;
    #    gzip_comp_level 4;
    #    gzip_types  text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
    #    gzip_vary on;
    #    gzip_disable     "msie6";
    #    alias /path/to/.rccontrol/enterprise-1/static;
    # }

    ## channelstream websocket handling
    location /_channelstream {
        rewrite /_channelstream/(.*) /$1 break;

        proxy_pass                  http://127.0.0.1:9800;

        proxy_connect_timeout        10;
        proxy_send_timeout           10m;
        proxy_read_timeout           10m;
        tcp_nodelay                  off;
        proxy_set_header             Host $host;
        proxy_set_header             X-Real-IP $remote_addr;
        proxy_set_header             X-Url-Scheme $scheme;
        proxy_set_header             X-Forwarded-Proto $scheme;
        proxy_set_header             X-Forwarded-For $proxy_add_x_forwarded_for;
        gzip                         off;
        proxy_http_version           1.1;
        proxy_set_header Upgrade     $http_upgrade;
        proxy_set_header Connection  "upgrade";
    }

    location /_admin/login {
        ## rate limit this endpoint
        limit_req  zone=dl_limit  burst=10  nodelay;
        try_files $uri @rhode;
    }

    location / {
        try_files $uri @rhode;
    }

    location @rhode {
        proxy_pass      http://rc;
    }

    ## custom 502 error page. Will be displayed while RhodeCode server
    ## is turned off
    error_page 502 /502.html;
    location = /502.html {
       root  /path/to/.rccontrol/enterprise-1/static;
    }
}