
Commit 398e839

authored
installation.mdx: Add code markers, lint (Netflix#3863)
Add nginx and Apache markdown code block tags, as well as lint nginx configs.
1 parent 01ceadc commit 398e839


1 file changed

+53
-52
lines changed


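--- a/docs/docs/administration/installation.mdx
+++ b/docs/docs/administration/installation.mdx
@@ -115,38 +115,40 @@ proxy_pass passes the external request to the Python process. The port must matc
 
 You can make some adjustments to get a better user experience:
 
+```nginx
 server_tokens off;
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 
 server {
-listen 80;
-return 301 https://$host$request_uri;
+listen 80;
+return 301 https://$host$request_uri;
 }
 
 server {
-listen 443;
-access_log /var/log/nginx/log/dispatch.access.log;
-error_log /var/log/nginx/log/dispatch.error.log;
-
-location /api {
-proxy_pass http://127.0.0.1:8000;
-proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
-proxy_redirect off;
-proxy_buffering off;
-proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-}
+listen 443;
+access_log /var/log/nginx/log/dispatch.access.log;
+error_log /var/log/nginx/log/dispatch.error.log;
+
+location /api {
+proxy_pass http://127.0.0.1:8000;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+proxy_redirect off;
+proxy_buffering off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+}
 
 location / {
 root /path/to/dispatch/static/dist;
 include mime.types;
 index index.html;
 }
-
 }
+```
+
 Nginx will serve the favicon and static files, which it is much better at than python.
 
 We recommended that you deploy TLS when deploying Dispatch. It may be obvious given Dispatch’s purpose, but the sensitive nature of Dispatch and what it controls makes this essential. A sample config for Dispatch that also terminates TLS:
@@ -155,79 +157,78 @@ We recommended that you deploy TLS when deploying Dispatch. It may be obvious gi
 Some paths will have to be adjusted based on where you have chosen to install Dispatch.
 :::
 
-```
+```nginx
 server_tokens off;
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 
 server {
-listen 80;
-return 301 https://$host$request_uri;
+listen 80;
+return 301 https://$host$request_uri;
 }
 
 server {
-listen 443;
-access_log /var/log/nginx/log/dispatch.access.log;
-error_log /var/log/nginx/log/dispatch.error.log;
+listen 443;
+access_log /var/log/nginx/log/dispatch.access.log;
+error_log /var/log/nginx/log/dispatch.error.log;
 
-# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
 
-ssl_certificate /path/to/signed_cert_plus_intermediates;
-ssl_certificate_key /path/to/private_key;
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_certificate /path/to/signed_cert_plus_intermediates;
+ssl_certificate_key /path/to/private_key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
 
-# Diffie-Hellman parameter for DHE cipher suites, recommended 2048 bits
+# Diffie-Hellman parameter for DHE cipher suites, recommended 2048 bits
 
-ssl_dhparam /path/to/dhparam.pem;
+ssl_dhparam /path/to/dhparam.pem;
 
-# modern configuration. tweak to your needs.
+# modern configuration. tweak to your needs.
 
-ssl_protocols TLSv1.1 TLSv1.2;
-ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
 
-# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 
-add_header Strict-Transport-Security max-age=15768000;
+add_header Strict-Transport-Security max-age=15768000;
 
-# OCSP Stapling ---
+# OCSP Stapling ---
 
-# fetch OCSP records from URL in ssl_certificate and cache them
+# fetch OCSP records from URL in ssl_certificate and cache them
 
-ssl_stapling on;
-ssl_stapling_verify on;
+ssl_stapling on;
+ssl_stapling_verify on;
 
-## verify chain of trust of OCSP response using Root CA and Intermediate certs
+## verify chain of trust of OCSP response using Root CA and Intermediate certs
 
-ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
 
-resolver <IP DNS resolver>;
+resolver <IP DNS resolver>;
 
-location /api {
-proxy_pass http://127.0.0.1:8000;
-proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
-proxy_redirect off;
-proxy_buffering off;
-proxy_set_header Host $host;
+location /api {
+proxy_pass http://127.0.0.1:8000;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+proxy_redirect off;
+proxy_buffering off;
+proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-}
+proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+}
 
 location / {
 root /path/to/dispatch/static/dist;
 include mime.types;
 index index.html;
 }
-
 }
 ```
 
 Apache
 An example apache config:
 
-```
+```apache
 <VirtualHost \*:443>
 ...
 SSLEngine on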
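Review bot: The re-indented TLS sample still has `listen 443;` without the `ssl` parameter, so as written nginx would speak plain HTTP on port 443 and the `ssl_certificate` settings below it would not apply unless TLS is enabled elsewhere; since this pass touches the line, it should read `listen 443 ssl;`. The same block keeps `ssl_protocols TLSv1.1 TLSv1.2;` under the "modern configuration" comment, but TLS 1.1 is deprecated (RFC 8996), so `ssl_protocols TLSv1.2 TLSv1.3;` is the safer default where the nginx/OpenSSL build supports it. The `\$proxy_add_x_forwarded_for` in both `location /api` blocks looks like a leftover markdown escape; now that the samples sit inside fenced blocks the backslash would probably be copied into the config verbatim, so it is worth confirming and dropping it.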
