scicco · May 30, 2018 13:57
diff --git a/nginx_puma_rails_app.conf b/nginx_puma_rails_app.conf
 #
 #/etc/nginx/sites_available/rails_app
 #

 upstream rails_app {
  server unix:///home/deployer/apps/rails_app/shared/tmp/sockets/puma.sock fail_timeout=0;
 }

 server {
 	listen 80;
 	listen [::]:80;
 	server_name rails_app.example.com;

 	include /etc/nginx/snippets/letsencrypt.conf;

 	location / {
 		return 301 https://rails_app.example.com$request_uri;
 	}
 }

 server {
  listen 443 ssl default deferred;
  server_name rails_app.example.com;

  root /home/deployer/apps/rails_app/current/public;
  
  #ssl on;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey-rsa.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  
  access_log /home/deployer/apps/rails_app/shared/log/nginx.access.log;
  error_log /home/deployer/apps/rails_app/shared/log/nginx.error.log info;

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;

  if (-f $document_root/maintenance.html) {
 	  rewrite  ^(.*)$  /maintenance.html last;
 	  break;
  }

  include /etc/nginx/snippets/ssl.conf;

  location / {
 	  proxy_set_header Host $http_host;
 	  proxy_buffer_size  16k;
 	  proxy_buffers  	   32   16k;

    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_max_temp_file_size 0;

    if (-f $request_filename) {
  		break;
    }

 	  if (-f $request_filename/index.html) {
  		rewrite (.*) $1/index.html break;
 	  }

 	  if (-f $request_filename.html) {
  		rewrite (.*) $1.html break;
 	  }

 	  if (!-f $request_filename) {
  		proxy_pass http://rails_app;
  		break;
 	  }
  }

  location ~* ^/assets/.*\.(ico|css|gif|jpe?g|png)(\?[0-9]+)?$ {
 	  expires max;
 	  break;
  }

  location ~ ^/javascripts/.*\.js(\?[0-9]+)?$ {
 	  expires max;
 	  break;
  }

  location = /500.html {
 	  root /home/deployer/apps/rails_app/current/public;
  }

 location /nginx_status {
    stub_status on;    # activate stub_status module
    access_log off;    
    allow 127.0.0.1;   # restrict access to local only
    deny all;
 }
 }

 #
 #/etc/nginx/snippets/ssl.conf
 #

 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;

 ssl_protocols TLSv1.2;
 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

 ssl_ecdh_curve secp384r1;
 ssl_prefer_server_ciphers on;
 ssl_session_tickets off;

 ssl_dhparam /etc/ssl/certs/dhparam.pem;

 ssl_stapling on;
 ssl_stapling_verify on;

 add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;

 #
 #/etc/nginx/snippets/letsencrypt.conf
 #

 location ^~ /.well-known/acme-challenge/ {
 	allow all;
        default_type "text/plain";
 	root /var/www/letsencrypt;
        autoindex on;
 }
	#
	#/etc/nginx/sites_available/rails_app
	#

	upstream rails_app {
	server unix:///home/deployer/apps/rails_app/shared/tmp/sockets/puma.sock fail_timeout=0;
	}

	server {
	listen 80;
	listen [::]:80;
	server_name rails_app.example.com;

	include /etc/nginx/snippets/letsencrypt.conf;

	location / {
	return 301 https://rails_app.example.com$request_uri;
	}
	}

	server {
	listen 443 ssl default deferred;
	server_name rails_app.example.com;

	root /home/deployer/apps/rails_app/current/public;

	#ssl on;
	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey-rsa.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

	access_log /home/deployer/apps/rails_app/shared/log/nginx.access.log;
	error_log /home/deployer/apps/rails_app/shared/log/nginx.error.log info;

	error_page 500 502 503 504 /500.html;
	client_max_body_size 4G;
	keepalive_timeout 10;

	if (-f $document_root/maintenance.html) {
	rewrite ^(.*)$ /maintenance.html last;
	break;
	}

	include /etc/nginx/snippets/ssl.conf;

	location / {
	proxy_set_header Host $http_host;
	proxy_buffer_size 16k;
	proxy_buffers 32 16k;

	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_max_temp_file_size 0;

	if (-f $request_filename) {
	break;
	}

	if (-f $request_filename/index.html) {
	rewrite (.*) $1/index.html break;
	}

	if (-f $request_filename.html) {
	rewrite (.*) $1.html break;
	}

	if (!-f $request_filename) {
	proxy_pass http://rails_app;
	break;
	}
	}

	location ~* ^/assets/.*\.(ico\|css\|gif\|jpe?g\|png)(\?[0-9]+)?$ {
	expires max;
	break;
	}

	location ~ ^/javascripts/.*\.js(\?[0-9]+)?$ {
	expires max;
	break;
	}

	location = /500.html {
	root /home/deployer/apps/rails_app/current/public;
	}

	location /nginx_status {
	stub_status on; # activate stub_status module
	access_log off;
	allow 127.0.0.1; # restrict access to local only
	deny all;
	}
	}

	#
	#/etc/nginx/snippets/ssl.conf
	#

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;

	ssl_protocols TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

	ssl_ecdh_curve secp384r1;
	ssl_prefer_server_ciphers on;
	ssl_session_tickets off;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;

	ssl_stapling on;
	ssl_stapling_verify on;

	add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	#
	#/etc/nginx/snippets/letsencrypt.conf
	#

	location ^~ /.well-known/acme-challenge/ {
	allow all;
	default_type "text/plain";
	root /var/www/letsencrypt;
	autoindex on;
	}
No results found