ugened47 · March 26, 2017 08:53
diff --git a/nginx_conf.erb b/nginx_conf.erb
 upstream puma_<%= fetch(:nginx_config_name) %> { <%
  flags = 'fail_timeout=0'
  @backends = [fetch(:puma_bind)].flatten.map do |m|
  etype, address  = /(tcp|unix|ssl):\/{1,2}(.+)/.match(m).captures
  if etype =='unix'
    "server #{etype}:#{address} #{fetch(:nginx_socket_flags)};"
  else
    "server #{address.gsub(/0\.0\.0\.0(.+)/, "127.0.0.1\\1")} #{fetch(:nginx_http_flags)};"
  end
 end
 %><% @backends.each do |server|  %>
  <%= server %><% end %>
 }
 <% if fetch(:nginx_use_ssl) %>
 server {
  listen 80;
  rewrite ^(.*) https://$host$1 permanent;
 }
 <% end %>

 server {
 <% if fetch(:nginx_use_ssl) %>
  listen 443;
  ssl on;
  ssl_certificate /etc/letsencrypt/live/<%= DOMAIN_NAME %>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<%= DOMAIN_NAME %>/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
 <% else %>
  listen 80;
 <% end %>

  client_max_body_size 4G;
  keepalive_timeout 10;

  error_page 500 502 504 /500.html;
  error_page 503 @503;

  server_name <%= fetch(:nginx_server_name) %>;
  root <%= current_path %>/public;
  try_files $uri/index.html $uri @puma_<%= fetch(:nginx_config_name) %>;

  location @puma_<%= fetch(:nginx_config_name) %> {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
 <% if fetch(:nginx_use_ssl) %>
    proxy_set_header X-Forwarded-Proto https;
 <% end %>
    proxy_pass http://puma_<%= fetch(:nginx_config_name) %>;
    # limit_req zone=one;
    access_log <%= shared_path %>/log/nginx.access.log;
    error_log <%= shared_path %>/log/nginx.error.log;
  }

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  location = /50x.html {
    root html;
  }

  location = /404.html {
    root html;
  }

  location @503 {
    error_page 405 = /system/maintenance.html;
    if (-f $document_root/system/maintenance.html) {
      rewrite ^(.*)$ /system/maintenance.html break;
    }
    rewrite ^(.*)$ /503.html break;
  }

  if ($request_method !~ ^(GET|HEAD|PUT|PATCH|POST|DELETE|OPTIONS)$ ){
    return 405;
  }

  if (-f $document_root/system/maintenance.html) {
    return 503;
  }
  
  location ~ /.well-known {
    allow all;
  }

  location ~ \.(php|html)$ {
    return 405;
  }
 }
	upstream puma_<%= fetch(:nginx_config_name) %> { <%
	flags = 'fail_timeout=0'
	@backends = [fetch(:puma_bind)].flatten.map do \|m\|
	etype, address = /(tcp\|unix\|ssl):\/{1,2}(.+)/.match(m).captures
	if etype =='unix'
	"server #{etype}:#{address} #{fetch(:nginx_socket_flags)};"
	else
	"server #{address.gsub(/0\.0\.0\.0(.+)/, "127.0.0.1\\1")} #{fetch(:nginx_http_flags)};"
	end
	end
	%><% @backends.each do \|server\| %>
	<%= server %><% end %>
	}
	<% if fetch(:nginx_use_ssl) %>
	server {
	listen 80;
	rewrite ^(.*) https://$host$1 permanent;
	}
	<% end %>

	server {
	<% if fetch(:nginx_use_ssl) %>
	listen 443;
	ssl on;
	ssl_certificate /etc/letsencrypt/live/<%= DOMAIN_NAME %>/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/<%= DOMAIN_NAME %>/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	<% else %>
	listen 80;
	<% end %>

	client_max_body_size 4G;
	keepalive_timeout 10;

	error_page 500 502 504 /500.html;
	error_page 503 @503;

	server_name <%= fetch(:nginx_server_name) %>;
	root <%= current_path %>/public;
	try_files $uri/index.html $uri @puma_<%= fetch(:nginx_config_name) %>;

	location @puma_<%= fetch(:nginx_config_name) %> {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_redirect off;
	<% if fetch(:nginx_use_ssl) %>
	proxy_set_header X-Forwarded-Proto https;
	<% end %>
	proxy_pass http://puma_<%= fetch(:nginx_config_name) %>;
	# limit_req zone=one;
	access_log <%= shared_path %>/log/nginx.access.log;
	error_log <%= shared_path %>/log/nginx.error.log;
	}

	location ^~ /assets/ {
	gzip_static on;
	expires max;
	add_header Cache-Control public;
	}

	location = /50x.html {
	root html;
	}

	location = /404.html {
	root html;
	}

	location @503 {
	error_page 405 = /system/maintenance.html;
	if (-f $document_root/system/maintenance.html) {
	rewrite ^(.*)$ /system/maintenance.html break;
	}
	rewrite ^(.*)$ /503.html break;
	}

	if ($request_method !~ ^(GET\|HEAD\|PUT\|PATCH\|POST\|DELETE\|OPTIONS)$ ){
	return 405;
	}

	if (-f $document_root/system/maintenance.html) {
	return 503;
	}

	location ~ /.well-known {
	allow all;
	}

	location ~ \.(php\|html)$ {
	return 405;
	}
	}