artin/sourcegraph
1
0
Fork 0
mirror of https://github.com/sourcegraph/sourcegraph.git synced 2026-02-06 19:21:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: add pointer to caddy config for docker compose http/https (#9363)

Browse Source
This commit is contained in:
Geoffrey Gilmore 2020-03-30 10:01:14 -07:00 committed by GitHub
parent 8e340575ba
commit 6828dcb373
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 175 additions and 154 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/_resources/templates/document.html
View File

@ -212,7 +212,7 @@
</ul>
</li>
<li><a href="/admin/tls_ssl">Securing a Sourcegraph instance with TLS/SSL</a></li>
<li><a href="/admin/nginx">Sourcegraph NGINX HTTP and HTTPS/SSL configuration</a></li>
<li><a href="/admin/http_https_configuration">Sourcegraph HTTP and HTTPS/SSL configuration</a></li>
<li><a href="/admin/postgres">Upgrading PostgreSQL</a></li>
<li><a href="/admin/updates">Upgrading Sourcegraph</a></li>
<li><a href="/admin/auth">User authentication (SSO)</a></li>

2
doc/admin/auth/saml/microsoft_adfs.md
View File

@ -12,7 +12,7 @@ These instructions guide you through configuring Sourcegraph as a relying party
* Active Directory instance where all users have email and username attributes.
* An instance of ADFS running on Windows Server, joined to your Active Directory domain.
* Sourcegraph should be [configured to use HTTPS](../../nginx.md#nginx-ssl-https-configuration).
* Sourcegraph should be [configured to use HTTPS](../../http_https_configuration.md#nginx-ssl-https-configuration).
* Ensure that `externalURL` in [site config](../../config/site_config.md) meets the following
criteria:
* It is the URL used by end users (no trailing slash).

4
doc/admin/config/index.md
View File

@ -3,7 +3,7 @@
> NOTE: In Sourcegraph v3.11 the management console and critical configuration were removed and all properties moved into the site configuration. If you are using an older version of Sourcegraph, consider looking at the [critical configuration](critical_config.md). See the [migration notes for Sourcegraph v3.11+](../migration/3_11.md) for more information.
- [Site configuration](site_config.md)
- [Code host configuration](../external_service/index.md) (GitHub, GitLab, and the [Nginx HTTP server](../nginx.md).)
- [Code host configuration](../external_service/index.md) (GitHub, GitLab, and the [Nginx HTTP server](../http_https_configuration.md).)
- [Search configuration](../search.md)
## Common tasks
@ -13,7 +13,7 @@
- [Configure search scopes](../../user/search/scopes.md)
- [Integrate with Phabricator](../../integration/phabricator.md)
- [Add organizations](../../user/organizations/index.md)
- [Set up HTTPS](../nginx.md)
- [Set up HTTPS](../http_https_configuration.md)
- [Use a custom domain](../url.md)
- [Update Sourcegraph](../updates.md)

150
doc/admin/http_https_configuration.md Normal file
View File

@ -0,0 +1,150 @@
# Sourcegraph HTTP and HTTPS/SSL configuration
## Sourcegraph single Docker image and Sourcegraph Cluster (Kubernetes): NGINX
Sourcegraph's single Docker image and Kubernetes deployments use [NGINX](https://www.nginx.com/resources/glossary/nginx/) as a [reverse proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) for the Sourcegraph front-end server, meaning NGINX proxies external HTTP (and [HTTPS](#nginx-ssl-https-configuration)) requests to the Sourcegraph front-end.
![NGINX and Sourcegraph architecture](img/sourcegraph-nginx.svg)
**Note**: Non-sighted users can view a [text-representation of this diagram](sourcegraph-nginx-mermaid.md).
### Sourcegraph single instance (Docker)
<!-- TODO(ryan): Change heading to ## The default `nginx.conf` file and how to extend/override default configuration and add section
on how to extend NGINX configuration without (in most cases), editing the `nginx.conf` file. -->
The first time Sourcegraph is run, it will create an [`nginx.conf`](https://github.com/sourcegraph/sourcegraph/blob/master/cmd/server/shared/assets/nginx.conf) file at:
- `~/.sourcegraph/config/nginx.conf` on the Docker/Sourcegraph host (presuming you're using the [quickstart `docker run` command](../index.md#quickstart))
- `/etc/sourcegraph/nginx.conf` inside the container
[SSL support requires manual editing](#nginx-ssl-https-configuration) of the NGINX configuration file if using the [quickstart docker run command](../index.md#quickstart) as it presumes local or internal usage.
### Sourcegraph Cluster (Kubernetes)
We use the [ingress-nginx](https://kubernetes.github.io/ingress-nginx/) for Sourcegraph Cluster running on Kubernetes. Refer to the [deploy-sourcegraph Configuration](https://github.com/sourcegraph/deploy-sourcegraph/blob/master/docs/configure.md) documentation for more information.
### NGINX SSL/HTTPS configuration
#### If you have a valid SSL certificate
**1.** Copy your SSL certificate and key to `~/.sourcegraph/config` (where the `nginx.conf` file is).
**2.** Edit `nginx.conf` so that port `7080` redirects to `7443` and `7443` is served with SSL. It should look like this:
```nginx
...
http {
...
server {
listen 7080;
return 301 https://$host:7433$request_uri;
}
server {
# Do not remove. The contents of sourcegraph_server.conf can change
# between versions and may include improvements to the configuration.
include nginx/sourcegraph_server.conf;
listen 7443 ssl;
server_name sourcegraph.example.com; # change to your URL
ssl_certificate sourcegraph.crt;
ssl_certificate_key sourcegraph.key;
location / {
...
}
}
}
```
#### If you need an SSL certificate
There are a few options:
**[1. Generate a browser-trusted certificate using Let's Encrypt (Certbot)](https://certbot.eff.org/)**<br />
1. On the Certbot homepage, select "Nginx" and the operating system of the machine hosting Sourcegraph.
1. Follow the instructions to install and run Certbot.
1. If there is currently a process (e.g., Sourcegraph) listening on port 80, you'll
need to stop it before running Certbot:
```
docker stop $(docker ps | grep sourcegraph/server | awk '{ print $1 }')
```
1. When you get to the step describing how to run Certbot, use the "certonly" command: `sudo certbot certonly --nginx`.
1. When Certbot runs successfully, it will emit the key file `privkey.pem` and cert file
`fullchain.pem`. These should be renamed to `sourcegraph.key` and `sourcegraph.crt`,
respectively, if you are using the `nginx.conf` template mentioned in this doc.
1. Kill the NGINX server that Certbot started: `killall nginx`. Restart Sourcegraph:
```
docker start $(docker ps -a | grep sourcegraph/server | awk '{ print $1 }')
```
1. Now visit your Sourcegraph instance at `https://${YOUR_URL}`. If there are issues, debug by examining the Docker logs:
```
docker logs $(docker ps | grep sourcegraph/server | awk '{ print $1 }')
```
**[2. Generate a self-signed certificate](ssl_https_self_signed_cert_nginx.md)**<br />
For instances that don't yet have a certificate from a [globally trusted Certificate Authority (CA) provider](https://en.wikipedia.org/wiki/Certificate_authority#Providers).
**3. Use your CDN's HTTPS proxy feature**<br />
Some CDNs such as
[Cloudflare](https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options)
can handle the HTTPS connection from the user's browser while allowing the underlying service to
continue serving HTTP (or HTTPS with a self-signed certificate). View your CDN's documentation for
more details.
### Redirect to external HTTPS URL
The URL that clients should use to access Sourcegraph is defined in the `externalURL` property in [site configuration](config/site_config.md). To enforce that clients access Sourcegraph via this URL (and not some other URL, such as an IP address or other non-`https` URL), add the following to `nginx.conf` (replacing `https://sourcegraph.example.com` with your external URL):
``` nginx
# Redirect non-HTTPS traffic to HTTPS.
server {
listen 80;
server_name _;
location / {
return 301 https://sourcegraph.example.com$request_uri;
}
}
```
### HTTP Strict Transport Security
[HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) instructs web clients to only communicate with the server over HTTPS. To configure it, add the following to `nginx.conf` (in the `server` block):
``` nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
See [`add_header` documentation](https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header) and "[Configuring HSTS in nginx](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/)" for more details.
### Additional NGINX SSL configuration
See the [NGINX SSL Termination](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/) guide and [Configuring HTTPS Servers](https://nginx.org/en/docs/http/configuring_https_servers.html).
### Next steps
You should configure Sourcegraph's `externalURL` in the [site configuration](config/site_config.md) (and restart the frontend instances) so that Sourcegraph knows its URL.
## Sourcegraph via Docker Compose: Caddy 2
Sourcegraph's [Docker Compose deployment](../admin/install/docker-compose/index.md) uses [Caddy 2](https://caddyserver.com/) as its reverse proxy. The Docker Compose deployment ships with a few builtin templates that cover common scenarios for exposing Sourcegraph:
- plain HTTP
- HTTPS with automatically provisioned Let's Encrypt certificates
- HTTPS with custom certificates that you provide
Usage instructions are provided via [the `caddy` service's inline comments inside the `docker-compose.yaml` definition](https://github.com/sourcegraph/deploy-sourcegraph-docker/blob/3.14/docker-compose/docker-compose.yaml#L3:L58).
## Other Sourcegraph clusters (e.g. pure-Docker)
NGINX is not included in the ([pure-Docker deployment](https://github.com/sourcegraph/deploy-sourcegraph-docker) as it's designed to be minimal and not tied to any specific reverse proxy.
If NGINX is your preferred reverse proxy, we suggest using [the official NGINX docker images](https://hub.docker.com/_/nginx) and following their instructions for [securing HTTP traffic with a proxied server](https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/).

2
doc/admin/index.md
View File

@ -12,7 +12,7 @@ Site administrators are the admins responsible for deploying, managing, and conf
- [Configuration](config/index.md)
- [Adding Git repositories](repo/add.md) (from a code host or clone URL)
- [NGINX HTTP and HTTPS/SSL configuration](nginx.md)
- [HTTP and HTTPS/SSL configuration](http_https_configuration.md)
- [Management console (removed in v3.11)](management_console.md)
- [Repository webhooks](repo/webhooks.md)
- [User authentication](auth/index.md)

2
doc/admin/install/docker-compose/aws.md
View File

@ -114,7 +114,7 @@ docker-compose up -d
* Select **Next: ...** until you get to the **Configure Security Group** page. Then add the following rules:
* Default **HTTP** rule: port range `80`, source `0.0.0.0/0, ::/0`
* Default **HTTPS** rule: port range `443`, source `0.0.0.0/0, ::/0`<br>(NOTE: additional work will be required later on to [configure NGINX to support SSL](../../../admin/nginx.md#nginx-ssl-https-configuration))
* Default **HTTPS** rule: port range `443`, source `0.0.0.0/0, ::/0`<br>(NOTE: additional work will be required later on to [configure SSL in the Docker Compose deployment](../../../admin/http_https_configuration.md#sourcegraph-via-docker-compose-caddy-2))
* Launch your instance, then navigate to its public IP in your browser. (This can be found by navigating to the instance page on EC2 and looking in the "Description" panel for the "IPv4 Public IP" value.) You may have to wait a minute or two for the instance to finish initializing before Sourcegraph becomes accessible. You can monitor the status by SSHing into the instance and using the following diagnostic commands:

2
doc/admin/install/docker-compose/digitalocean.md
View File

@ -129,7 +129,7 @@ After initial setup, we recommend you do the following:
* Restrict the accessibility of ports other than `80` and `443` via [Cloud
Firewalls](https://www.digitalocean.com/docs/networking/firewalls/quickstart/).
* Set up [TLS/SSL](../../nginx.md#nginx-ssl-https-configuration) in the NGINX configuration.
* Set up [TLS/SSL](../../../admin/http_https_configuration.md#sourcegraph-via-docker-compose-caddy-2)) in the Docker Compose deployment
---

2
doc/admin/install/docker/aws.md
View File

@ -38,7 +38,7 @@ This tutorial shows you how to deploy Sourcegraph to a single EC2 instance on AW
- Select **Next: ...** until you get to the **Configure Security Group** page. Then add the following rules:
- Default **HTTP** rule: port range `80`, source `0.0.0.0/0, ::/0`
- Default **HTTPS** rule: port range `443`, source `0.0.0.0/0, ::/0`<br>(NOTE: additional work will be required later on to [configure NGINX to support SSL](../../../admin/nginx.md#nginx-ssl-https-configuration))
- Default **HTTPS** rule: port range `443`, source `0.0.0.0/0, ::/0`<br>(NOTE: additional work will be required later on to [configure NGINX to support SSL](../../../admin/http_https_configuration.md#nginx-ssl-https-configuration))
- Launch your instance, then navigate to its public IP in your browser. (This can be found by navigating to the instance page on EC2 and looking in the "Description" panel for the "IPv4 Public IP" value.) You may have to wait a minute or two for the instance to finish initializing before Sourcegraph becomes accessible. You can monitor the status by SSHing into the EC2 instance and viewing the logs:
```

2
doc/admin/install/docker/digitalocean.md
View File

@ -27,7 +27,7 @@ After initial setup, we recommend you do the following:
* Restrict the accessibility of ports other than `80` and `443` via [Cloud
Firewalls](https://www.digitalocean.com/docs/networking/firewalls/quickstart/).
* Set up [TLS/SSL](../../nginx.md#nginx-ssl-https-configuration) in the NGINX configuration.
* Set up [TLS/SSL](../../http_https_configuration.md#nginx-ssl-https-configuration) in the NGINX configuration.
---

2
doc/admin/migration/opengrok.md
View File

@ -84,7 +84,7 @@ Like Oracle OpenGrok, Sourcegraph is self-hosted. You control who can access it.
- [OpenID Connect user authentication](../auth/index.md#openid-connect) and [SAML user authentication](../auth/index.md#saml) (for Google/G Suite accounts, Okta, OneLogin, etc.)
- [HTTP user authentication proxies](../auth/index.md#http-authentication-proxies)
- [Builtin username-password authentication](../auth/index.md#builtin-authentication)
- [TLS/SSL and other HTTP/HTTPS configuration](../nginx.md)
- [TLS/SSL and other HTTP/HTTPS configuration](../http_https_configuration.md)
### Rolling out Sourcegraph organization-wide

141
doc/admin/nginx.md
View File

@ -1,138 +1,7 @@
# Sourcegraph NGINX HTTP and HTTPS/SSL configuration
---
ignoreDisconnectedPageCheck: true
---
In Sourcegraph, [NGINX](https://www.nginx.com/resources/glossary/nginx/) acts as a [reverse proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) for the Sourcegraph front-end server, meaning NGINX proxies external HTTP (and [HTTPS](#nginx-ssl-https-configuration)) requests to the Sourcegraph front-end.
# Sourcegraph Nginx sHTTP and HTTPS/SSL configuration
![NGINX and Sourcegraph architecture](img/sourcegraph-nginx.svg)
**Note**: Non-sighted users can view a [text-representation of this diagram](sourcegraph-nginx-mermaid.md).
## NGINX for Sourcegraph single instance (Docker)
<!-- TODO(ryan): Change heading to ## The default `nginx.conf` file and how to extend/override default configuration and add section
on how to extend NGINX configuration without (in most cases), editing the `nginx.conf` file. -->
The first time Sourcegraph is run, it will create an [`nginx.conf`](https://github.com/sourcegraph/sourcegraph/blob/master/cmd/server/shared/assets/nginx.conf) file at:
- `~/.sourcegraph/config/nginx.conf` on the Docker/Sourcegraph host (presuming you're using the [quickstart `docker run` command](../index.md#quickstart))
- `/etc/sourcegraph/nginx.conf` inside the container
[SSL support requires manual editing](#nginx-ssl-https-configuration) of the NGINX configuration file if using the [quickstart docker run command](../index.md#quickstart) as it presumes local or internal usage.
## NGINX for Sourcegraph Cluster (Kubernetes)
We use the [ingress-nginx](https://kubernetes.github.io/ingress-nginx/) for Sourcegraph Cluster running on Kubernetes. Refer to the [deploy-sourcegraph Configuration](https://github.com/sourcegraph/deploy-sourcegraph/blob/master/docs/configure.md) documentation for more information.
## NGINX for other Sourcegraph clusters (e.g. pure-Docker)
NGINX is not included in the ([pure-Docker deployment](https://github.com/sourcegraph/deploy-sourcegraph-docker) as it's designed to be minimal and not tied to any specific reverse proxy.
If NGINX is your preferred reverse proxy, we suggest using [the official NGINX docker images](https://hub.docker.com/_/nginx) and following their instructions for [securing HTTP traffic with a proxied server](https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/).
## NGINX SSL/HTTPS configuration
### If you have a valid SSL certificate
**1.** Copy your SSL certificate and key to `~/.sourcegraph/config` (where the `nginx.conf` file is).
**2.** Edit `nginx.conf` so that port `7080` redirects to `7443` and `7443` is served with SSL. It should look like this:
```nginx
...
http {
...
server {
listen 7080;
return 301 https://$host:7433$request_uri;
}
server {
# Do not remove. The contents of sourcegraph_server.conf can change
# between versions and may include improvements to the configuration.
include nginx/sourcegraph_server.conf;
listen 7443 ssl;
server_name sourcegraph.example.com; # change to your URL
ssl_certificate sourcegraph.crt;
ssl_certificate_key sourcegraph.key;
location / {
...
}
}
}
```
### If you need an SSL certificate
There are a few options:
**[1. Generate a browser-trusted certificate using Let's Encrypt (Certbot)](https://certbot.eff.org/)**<br />
1. On the Certbot homepage, select "Nginx" and the operating system of the machine hosting Sourcegraph.
1. Follow the instructions to install and run Certbot.
1. If there is currently a process (e.g., Sourcegraph) listening on port 80, you'll
need to stop it before running Certbot:
```
docker stop $(docker ps | grep sourcegraph/server | awk '{ print $1 }')
```
1. When you get to the step describing how to run Certbot, use the "certonly" command: `sudo certbot certonly --nginx`.
1. When Certbot runs successfully, it will emit the key file `privkey.pem` and cert file
`fullchain.pem`. These should be renamed to `sourcegraph.key` and `sourcegraph.crt`,
respectively, if you are using the `nginx.conf` template mentioned in this doc.
1. Kill the NGINX server that Certbot started: `killall nginx`. Restart Sourcegraph:
```
docker start $(docker ps -a | grep sourcegraph/server | awk '{ print $1 }')
```
1. Now visit your Sourcegraph instance at `https://${YOUR_URL}`. If there are issues, debug by examining the Docker logs:
```
docker logs $(docker ps | grep sourcegraph/server | awk '{ print $1 }')
```
**[2. Generate a self-signed certificate](ssl_https_self_signed_cert_nginx.md)**<br />
For instances that don't yet have a certificate from a [globally trusted Certificate Authority (CA) provider](https://en.wikipedia.org/wiki/Certificate_authority#Providers).
**3. Use your CDN's HTTPS proxy feature**<br />
Some CDNs such as
[Cloudflare](https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options)
can handle the HTTPS connection from the user's browser while allowing the underlying service to
continue serving HTTP (or HTTPS with a self-signed certificate). View your CDN's documentation for
more details.
## Redirect to external HTTPS URL
The URL that clients should use to access Sourcegraph is defined in the `externalURL` property in [site configuration](config/site_config.md). To enforce that clients access Sourcegraph via this URL (and not some other URL, such as an IP address or other non-`https` URL), add the following to `nginx.conf` (replacing `https://sourcegraph.example.com` with your external URL):
``` nginx
# Redirect non-HTTPS traffic to HTTPS.
server {
listen 80;
server_name _;
location / {
return 301 https://sourcegraph.example.com$request_uri;
}
}
```
## HTTP Strict Transport Security
[HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) instructs web clients to only communicate with the server over HTTPS. To configure it, add the following to `nginx.conf` (in the `server` block):
``` nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
See [`add_header` documentation](https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header) and "[Configuring HSTS in nginx](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/)" for more details.
## Additional NGINX SSL configuration
See the [NGINX SSL Termination](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/) guide and [Configuring HTTPS Servers](https://nginx.org/en/docs/http/configuring_https_servers.html).
## Next steps
You should configure Sourcegraph's `externalURL` in the [site configuration](config/site_config.md) (and restart the frontend instances) so that Sourcegraph knows its URL.
This documentation page has been moved to "[Sourcegraph HTTP and HTTPS/SSL configuration](http_https_configuration.md)".

16
doc/admin/ssl_https_self_signed_cert_nginx.md
View File

@ -6,11 +6,13 @@ This is for external Sourcegraph instances that need a self-signed certificate b
Configuring NGINX with a self-signed certificate to support SSL requires:
1. [Installing mkcert](#1-installing-mkcert).
1. [Creating the self-signed certificate](#2-creating-the-self-signed-certificate)
1. [Configuring NGINX for SSL](#3-adding-ssl-support-to-nginx)
1. [Changing the Sourcegraph container to listen on port 443](#4-changing-the-quickstart-command-to-listen-on-port-for-ssl)
1. [Getting the self-signed certificate to be trusted (valid) on external instances](#5-getting-the-self-signed-certificate-to-be-trusted-valid-on-external-instances)
- [Adding SSL (HTTPS) to Sourcegraph with a self-signed certificate](#adding-ssl-https-to-sourcegraph-with-a-self-signed-certificate)
- [1. Installing mkcert](#1-installing-mkcert)
- [2. Creating the self-signed certificate](#2-creating-the-self-signed-certificate)
- [3. Adding SSL support to NGINX](#3-adding-ssl-support-to-nginx)
- [4. Changing the Sourcegraph container to listen on port 443](#4-changing-the-sourcegraph-container-to-listen-on-port-443)
- [5. Getting the self-signed certificate to be trusted (valid) on external instances](#5-getting-the-self-signed-certificate-to-be-trusted-valid-on-external-instances)
- [Next steps](#next-steps)
## 1. Installing mkcert
@ -141,7 +143,7 @@ This is largely the same as step 5, except easier. For other developer machines
## Next steps
- [Configure Sourcegraph's `externalURL`](config/site_config.md)
- [Redirect to external HTTPS URL](nginx.md#redirect-to-external-https-url)
- [NGINX HTTP Strict Transport Security](nginx.md#redirect-to-external-https-url)
- [Redirect to external HTTPS URL](http_https_configuration.md#redirect-to-external-https-url)
- [NGINX HTTP Strict Transport Security](http_https_configuration.md#redirect-to-external-https-url)
- [NGINX SSL Termination guide](https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/)
- [NGINX HTTPS Servers guide](https://nginx.org/en/docs/http/configuring_https_servers.html).

2
doc/admin/tls_ssl.md
View File

@ -4,4 +4,4 @@ ignoreDisconnectedPageCheck: true
# Securing a Sourcegraph instance with TLS/SSL
This documentation page has been moved to "[nginx HTTP server settings](nginx.md)". All HTTP and HTTPS configuration options are now handled by nginx, which ships with Sourcegraph.
This documentation page has been moved to "[Sourcegraph HTTP and HTTPS/SSL configuration](http_https_configuration.md)". All HTTP and HTTPS configuration options are now handled by nginx or caddy, which ships with most Sourcegraph deployment types.