adilsoncarvalho · August 29, 2015 14:06
diff --git a/logrotate_rails_application b/logrotate_rails_application
 # This file should be placed at /etc/logrotate.d/

 /srv/*/shared/log/*.log {
    daily
    missingok
    dateext
    rotate 30 # amount of days to keep compressed logs (you should backup it up externally)
    compress
    delaycompress
    notifempty
    copytruncate
 }
diff --git a/nginx-app-vhost.conf b/nginx-app-vhost.conf
 upstream application {
    # Your application host will be used as a convention for directories and other stuffs
    set $application_host "example.com";
    
    ## Uncomment if you have set up puma/unicorn to listen on a unix socket (recommended).
    # server unix:/srv/$application_host/shared/tmp/sockets/application.socket;

    ## Uncomment if puma/unicorn are configured to listen on a tcp port.
    ## Check the port number in your puma/unicorn config file
    # server 127.0.0.1:9292;
 }

 server {
    listen 80;
    server_name  example.com;
    rewrite ^/(.*) https://$server_name permanent;
 }

 server {
    # Your application host will be used as a convention for directories and other stuffs
    set $application_host "example.com";
    
    # Rails application server timeout (we have to match the value here in order to not display Gateway Timeout error)
    set $application_timeout 300; 
    
    listen 443 ssl spdy;
    server_name $application_host;
    server_tokens off;
    root /srv/$application_host/current;

    ssl on;
    ssl_certificate /srv/$application_host/shared/server-chain.pem;
    ssl_certificate_key /srv/$application_host/shared/server.key;
    
    # Do not enable SSLv3 or any lower version, it's UNSAFE (fuck you, IE6)
    # Advice: If you need to enforce the highest security possible, disable TLSv1.
    #         While IE8+ starting with Windows 7, supports TLSv1.1 and TLSv1.2, it's not enabled by default
    #         which means, no IE user, even thous using IE11 will not, by default, be able to use your application.
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    
    # Advice: DO NOT USE RC4, if you are thinking otherwhise please read: 
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    
    ssl_prefer_server_ciphers on;

    # SSL Session Cache:
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    
    # Enable HSTS, to let the browser know that we only accept HTTPS requests (prevents MITM attack)
    # http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    add_header Strict-Transport-Security max-age=31536000;
    
    # individual nginx logs for this vhost
    access_log  /var/log/nginx/$application_host_access.log;
    error_log   /var/log/nginx/$application_host_error.log;
    
    location / {
        # serve static files from defined root folder;
        # @application is a named location for the upstream fallback, see below
        try_files $uri $uri/index.html $uri.html @application;
    }

    # if a file, which is not found in the root folder is requested,
    # then the proxy pass the request to the upsteam (rails application server)
    location @application {
        proxy_read_timeout    $application_timeout;
        proxy_connect_timeout $application_timeout;
        proxy_redirect        off;

        proxy_set_header  X-Forwarded-Proto https;
        proxy_set_header  X-Forwarded-Ssl   on;
        proxy_set_header  Host              $http_host;
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;

        proxy_pass http://application;
    }

    location ~ ^/(assets)/  {
        root /srv/$application_host/current/public;
        
        # 
        # Webp support via Content Negotiation
        # https://www.igvita.com/2013/05/01/deploying-webp-via-accept-content-negotiation/
        #
        
        # check Accept header for webp, check if .webp is on disk
        if ($http_accept ~* "webp")    { set $webp_accept "true"; }
        if (-f $request_filename.webp) { set $webp_local  "true"; }
    
        # if WebP variant is available, serve Vary
        if ($webp_local = "true") {
            add_header Vary Accept;
        }
        
        # drop Vary for IE users, mark resource as private
        if ($http_user_agent ~* "(?i)(MSIE)") {
            proxy_hide_header Vary;
            add_header Cache-Control private;
        }
    
        # if WebP is supported by client, serve it
        if ($webp_accept = "true") {
            rewrite (.*) $1.webp break;
        }
  
        #
        # Gzip static assets and expiration control
        # 
  
        # Enable gzip compression as per rails guide: 
        # http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }
    error_page 502 /502.html;
 }
	# This file should be placed at /etc/logrotate.d/

	/srv//shared/log/.log {
	daily
	missingok
	dateext
	rotate 30 # amount of days to keep compressed logs (you should backup it up externally)
	compress
	delaycompress
	notifempty
	copytruncate
	}
	upstream application {
	# Your application host will be used as a convention for directories and other stuffs
	set $application_host "example.com";

	## Uncomment if you have set up puma/unicorn to listen on a unix socket (recommended).
	# server unix:/srv/$application_host/shared/tmp/sockets/application.socket;

	## Uncomment if puma/unicorn are configured to listen on a tcp port.
	## Check the port number in your puma/unicorn config file
	# server 127.0.0.1:9292;
	}

	server {
	listen 80;
	server_name example.com;
	rewrite ^/(.*) https://$server_name permanent;
	}

	server {
	# Your application host will be used as a convention for directories and other stuffs
	set $application_host "example.com";

	# Rails application server timeout (we have to match the value here in order to not display Gateway Timeout error)
	set $application_timeout 300;

	listen 443 ssl spdy;
	server_name $application_host;
	server_tokens off;
	root /srv/$application_host/current;

	ssl on;
	ssl_certificate /srv/$application_host/shared/server-chain.pem;
	ssl_certificate_key /srv/$application_host/shared/server.key;

	# Do not enable SSLv3 or any lower version, it's UNSAFE (fuck you, IE6)
	# Advice: If you need to enforce the highest security possible, disable TLSv1.
	# While IE8+ starting with Windows 7, supports TLSv1.1 and TLSv1.2, it's not enabled by default
	# which means, no IE user, even thous using IE11 will not, by default, be able to use your application.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Advice: DO NOT USE RC4, if you are thinking otherwhise please read:
	# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

	ssl_prefer_server_ciphers on;

	# SSL Session Cache:
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	# Enable HSTS, to let the browser know that we only accept HTTPS requests (prevents MITM attack)
	# http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
	add_header Strict-Transport-Security max-age=31536000;

	# individual nginx logs for this vhost
	access_log /var/log/nginx/$application_host_access.log;
	error_log /var/log/nginx/$application_host_error.log;

	location / {
	# serve static files from defined root folder;
	# @application is a named location for the upstream fallback, see below
	try_files $uri $uri/index.html $uri.html @application;
	}

	# if a file, which is not found in the root folder is requested,
	# then the proxy pass the request to the upsteam (rails application server)
	location @application {
	proxy_read_timeout $application_timeout;
	proxy_connect_timeout $application_timeout;
	proxy_redirect off;

	proxy_set_header X-Forwarded-Proto https;
	proxy_set_header X-Forwarded-Ssl on;
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	proxy_pass http://application;
	}

	location ~ ^/(assets)/ {
	root /srv/$application_host/current/public;

	#
	# Webp support via Content Negotiation
	# https://www.igvita.com/2013/05/01/deploying-webp-via-accept-content-negotiation/
	#

	# check Accept header for webp, check if .webp is on disk
	if ($http_accept ~* "webp") { set $webp_accept "true"; }
	if (-f $request_filename.webp) { set $webp_local "true"; }

	# if WebP variant is available, serve Vary
	if ($webp_local = "true") {
	add_header Vary Accept;
	}

	# drop Vary for IE users, mark resource as private
	if ($http_user_agent ~* "(?i)(MSIE)") {
	proxy_hide_header Vary;
	add_header Cache-Control private;
	}

	# if WebP is supported by client, serve it
	if ($webp_accept = "true") {
	rewrite (.*) $1.webp break;
	}

	#
	# Gzip static assets and expiration control
	#

	# Enable gzip compression as per rails guide:
	# http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
	gzip_static on;
	expires max;
	add_header Cache-Control public;
	}
	error_page 502 /502.html;
	}