HowTo configure Nginx to run Redmine » History » Version 3
Deoren Moor, 2010-11-28 23:14
Excluding admin panel options from being redirected back to http. Otherwise 404 errors are given. The example URLs are correct, even though the 2nd example looks like it should be changed to match the other two.
| 1 | 1 | Jeff Mitchell | h1. HowTo configure Nginx to run Redmine |
|---|---|---|---|
| 2 | |||
| 3 | 2 | Jeff Mitchell | This has configurations for Nginx and Thin that are working well for me. It is *not* an exhaustive installation guide; it is assumed that you have read the installation instructions and installed the appropriate packages for your distribution. |
| 4 | |||
| 5 | This setup gives you four Thin processes for concurrent handling of requests, and forwards to SSL at appropriate places to keep logins secure. |
||
| 6 | |||
| 7 | First, Thin -- here's what is in my /etc/thin/redmine.yml: |
||
| 8 | |||
| 9 | <pre> |
||
| 10 | --- |
||
| 11 | pid: tmp/pids/thin.pid |
||
| 12 | group: redmine |
||
| 13 | wait: 30 |
||
| 14 | timeout: 30 |
||
| 15 | log: log/thin.log |
||
| 16 | max_conns: 1024 |
||
| 17 | require: [] |
||
| 18 | |||
| 19 | environment: production |
||
| 20 | max_persistent_conns: 512 |
||
| 21 | servers: 4 |
||
| 22 | daemonize: true |
||
| 23 | user: redmine |
||
| 24 | socket: /tmp/thin.sock |
||
| 25 | chdir: /var/lib/redmine/redmine |
||
| 26 | </pre> |
||
| 27 | |||
| 28 | You'll have to change the user/group/chdir to appropriate values for your setup. |
||
| 29 | |||
| 30 | Next, the nginx configuration. This isn't an exhaustive configuration, just the relevant server{} bits. First, my standard proxy include file proxy.include, which you'll see referenced in the Redmine-specific part: |
||
| 31 | |||
| 32 | <pre> |
||
| 33 | proxy_set_header Host $http_host; |
||
| 34 | proxy_set_header X-Real-IP $remote_addr; |
||
| 35 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||
| 36 | proxy_set_header X-Forwarded-Proto $scheme; |
||
| 37 | |||
| 38 | client_max_body_size 10m; |
||
| 39 | client_body_buffer_size 128k; |
||
| 40 | |||
| 41 | proxy_connect_timeout 90; |
||
| 42 | proxy_send_timeout 90; |
||
| 43 | proxy_read_timeout 90; |
||
| 44 | |||
| 45 | proxy_buffer_size 4k; |
||
| 46 | proxy_buffers 4 32k; |
||
| 47 | proxy_busy_buffers_size 64k; |
||
| 48 | proxy_temp_file_write_size 64k; |
||
| 49 | </pre> |
||
| 50 | |||
| 51 | Next, the actual nginx configuration: |
||
| 52 | |||
| 53 | <pre> |
||
| 54 | # Upstream Ruby process cluster for load balancing |
||
| 55 | upstream thin_cluster { |
||
| 56 | server unix:/tmp/thin.0.sock; |
||
| 57 | server unix:/tmp/thin.1.sock; |
||
| 58 | server unix:/tmp/thin.2.sock; |
||
| 59 | server unix:/tmp/thin.3.sock; |
||
| 60 | } |
||
| 61 | |||
| 62 | server { |
||
| 63 | listen your.ip.address.here:80; |
||
| 64 | server_name your.domain.name; |
||
| 65 | |||
| 66 | access_log /var/log/nginx/redmine-proxy-access; |
||
| 67 | error_log /var/log/nginx/redmine-proxy-error; |
||
| 68 | |||
| 69 | include sites/proxy.include; |
||
| 70 | root /var/lib/redmine/redmine/public; |
||
| 71 | proxy_redirect off; |
||
| 72 | |||
| 73 | # Send sensitive stuff via https |
||
| 74 | rewrite ^/login(.*) https://your.domain.here$request_uri permanent; |
||
| 75 | rewrite ^/my/account(.*) https://your.domain.here$request_uri permanent; |
||
| 76 | rewrite ^/my/password(.*) https://your.domain.here$request_uri permanent; |
||
| 77 | rewrite ^/admin(.*) https://your.domain.here$request_uri permanent; |
||
| 78 | |||
| 79 | location / { |
||
| 80 | try_files $uri/index.html $uri.html $uri @cluster; |
||
| 81 | } |
||
| 82 | |||
| 83 | location @cluster { |
||
| 84 | proxy_pass http://thin_cluster; |
||
| 85 | } |
||
| 86 | } |
||
| 87 | |||
| 88 | server { |
||
| 89 | listen your.ip.address.here:443; |
||
| 90 | server_name your.domain.here; |
||
| 91 | |||
| 92 | access_log /var/log/nginx/redmine-ssl-proxy-access; |
||
| 93 | error_log /var/log/nginx/redmine-ssl-proxy-error; |
||
| 94 | |||
| 95 | ssl on; |
||
| 96 | |||
| 97 | ssl_certificate /etc/ssl/startssl/your.domain.here.pem.full; |
||
| 98 | ssl_certificate_key /etc/ssl/startssl/your.domain.here.key; |
||
| 99 | |||
| 100 | include sites/proxy.include; |
||
| 101 | proxy_redirect off; |
||
| 102 | root /var/lib/redmine/redmine/public; |
||
| 103 | |||
| 104 | # When we're back to non-sensitive things, send back to http |
||
| 105 | rewrite ^/$ http://your.domain.here$request_uri permanent; |
||
| 106 | 3 | Deoren Moor | |
| 107 | # Examples of URLs we don't want to rewrite (otherwise 404 errors occur): |
||
| 108 | # /projects/PROJECTNAME/archive?status= |
||
| 109 | # /projects/copy/PROJECTNAME |
||
| 110 | # /projects/PROJECTNAME/destroy |
||
| 111 | |||
| 112 | # This should exclude those (tested here: http://www.regextester.com/ ) |
||
| 113 | if ($uri !~* "^/projects/.*(copy|destroy|archive)") { |
||
| 114 | rewrite ^/projects(.*) http://your.domain.here$request_uri permanent; |
||
| 115 | } |
||
| 116 | |||
| 117 | 2 | Jeff Mitchell | rewrite ^/guide(.*) http://your.domain.here$request_uri permanent; |
| 118 | rewrite ^/users(.*) http://your.domain.here$request_uri permanent; |
||
| 119 | rewrite ^/my/page(.*) http://your.domain.here$request_uri permanent; |
||
| 120 | rewrite ^/logout(.*) http://your.domain.here$request_uri permanent; |
||
| 121 | |||
| 122 | location / { |
||
| 123 | try_files $uri/index.html $uri.html $uri @cluster; |
||
| 124 | } |
||
| 125 | |||
| 126 | location @cluster { |
||
| 127 | proxy_pass http://thin_cluster; |
||
| 128 | } |
||
| 129 | } |
||
| 130 | </pre> |