Skip to content

Instantly share code, notes, and snippets.

@jnx
Forked from konovalov-nk/nginx-config.conf
Created January 3, 2018 08:07
Show Gist options
  • Save jnx/fb0713b688290fe68186cdc75f7eaf52 to your computer and use it in GitHub Desktop.
Save jnx/fb0713b688290fe68186cdc75f7eaf52 to your computer and use it in GitHub Desktop.
Useful nginx SSL hardened (letsencrypt) config for setting up Rails application with Puma webserver
upstream myappdev {
server unix:///home/your_user/git/dev.your.website.com/shared/sockets/puma-dev.sock;
}
# don't forget to add this to server {..} block
# add_header X-Xss-Protection "1; mode=block";
server {
listen 80;
listen 443 ssl http2;
server_name dev.your.website.com;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers On;
ssl_certificate /etc/letsencrypt/live/your.website.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your.website.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your.website.com/chain.pem;
ssl_session_cache shared:SSL:128m;
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' *.googleapis.com; script-src 'self' *.google-analytics.com; font-src 'self' *.gstatic.com; img-src 'self' *.w3.org data:";
ssl_stapling on;
ssl_stapling_verify on;
# Your favorite resolver may be used instead of the Google one below
resolver 8.8.8.8;
# ~2 seconds is often enough for most folks to parse HTML/CSS and
# retrieve needed images/icons/frames, connections are cheap in
# nginx so increasing this is generally safe...
keepalive_timeout 5;
# path for static files
root /var/www/app-dev/public;
access_log /var/www/app-dev/logs/nginx.access.log;
error_log /var/www/app-dev/logs/nginx.error.log info;
# this rewrites all the requests to the maintenance.html
# page if it exists in the doc root. This is for capistrano's
# disable web task
if (-f $document_root/maintenance.html) {
rewrite ^(.*)$ /maintenance.html last;
break;
}
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
# If the file exists as a static file serve it directly without
# running all the other rewrite tests on it
if (-f $request_filename) {
break;
}
# check for index.html for directory index
# if it's there on the filesystem then rewrite
# the url to add /index.html to the end of it
# and then break to send it to the next config rules.
if (-f $request_filename/index.html) {
rewrite (.*) $1/index.html break;
}
# this is the meat of the rack page caching config
# it adds .html to the end of the url and then checks
# the filesystem for that file. If it exists, then we
# rewrite the url to have explicit .html on the end
# and then send it on its way to the next config rule.
# if there is no file on the fs then it sets all the
# necessary headers and proxies to our upstream pumas
if (-f $request_filename.html) {
rewrite (.*) $1.html break;
}
if (!-f $request_filename) {
proxy_pass http://myappdev;
break;
}
}
# Now this supposedly should work as it gets the filenames with querystrings that Rails provides.
# BUT there's a chance it could break the ajax calls.
#location ~* \.(ico|css|gif|jpe?g|png|js)(\?[0-9]+)?$ {
# expires max;
# break;
#}
# Error pages
# error_page 500 502 503 504 /500.html;
location = /500.html {
root /var/www/app-dev/public;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment