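### ### HTTP-Config generated with magic_recipes_two at: <%= Time.now.strftime("%Y-%m-%d .. %H:%M .. %Z") %> ###
<%
  # Capistrano-side helpers, evaluated once per render.
  joiner = "\n "
  # ".example.com" / "*.example.com" -> "example.com"
  bare = ->(domain) { domain.to_s.sub(/\A\*?\./, "") }
  # "example.com" -> ".example.com" (nginx "domain and all sub-domains" form); ".example.com" stays
  dotted = ->(domain) { domain.to_s.start_with?(".") ? domain.to_s : ".#{domain}" }
  domains = Array(fetch(:nginx_domains))
  # Empty string when :nginx_major_domain is unset; only read inside the guarded branches below.
  major = bare.call(fetch(:nginx_major_domain))
  upstream = "thin_#{fetch(:application)}_#{fetch(:stage)}"
  # Regex server_name prefix with an nginx named capture that the redirects read back as $sub.
  # Inside a Ruby double-quoted string "\w" collapses to "w", so the backslash is doubled here
  # to reach nginx as \w.
  sub_capture = "~^(?<sub>\\w+)"
  www_sub_capture = "~^www\\.(?<sub>\\w+)"
  # "~^(?<sub>\w+)\.example\.com" for a (bare) domain
  sub_name = ->(domain) { "#{sub_capture}#{Regexp.escape(".#{bare.call(domain)}")}" }
%>

# one unix socket per thin instance; the sockets speak plain HTTP
upstream <%= upstream %>_cluster {
<% fetch(:app_instances).to_i.times do |i| %>
  server unix:/tmp/thin.<%= fetch(:application) %>.<%= fetch(:stage) %>.<%= i %>.sock max_fails=1 fail_timeout=15s;
<% end %>
}

<% if fetch(:proxy_cache_rails) %>
# Proxy-Caching - Rails - Sites
proxy_cache_path <%= fetch(:proxy_cache_rails_directory) %> levels=<%= fetch(:proxy_cache_rails_levels) %> keys_zone=<%= fetch(:proxy_cache_rails_name) %>:<%= fetch(:proxy_cache_rails_size) %> inactive=<%= fetch(:proxy_cache_rails_time) %> max_size=<%= fetch(:proxy_cache_rails_max) %>;
<% end %>
<% if fetch(:proxy_cache_media) %>
# Proxy-Caching - Media (Dragonfly) - Files
proxy_cache_path <%= fetch(:proxy_cache_media_directory) %> levels=<%= fetch(:proxy_cache_media_levels) %> keys_zone=<%= fetch(:proxy_cache_media_name) %>:<%= fetch(:proxy_cache_media_size) %> inactive=<%= fetch(:proxy_cache_media_time) %> max_size=<%= fetch(:proxy_cache_media_max) %>;
<% end %>

# HTTP Server
<% if fetch(:nginx_use_ssl) %>
<%   if fetch(:nginx_major_domain) %>
# plain-HTTP entry for the bare domains: everything except the favicon assets
# is sent to the canonical https host
server {
  listen 80<%= ' default_server' if fetch(:default_site) %>;
  server_name <%= domains.map(&bare).join(joiner) %> .<%= major %>;
  location ^~ /assets/ico/ {
    root <%= current_path %>/public;
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }
  location / {
    return 301 https://<%= major %>$request_uri;
  }
}
# same for sub-domains; $sub is the named capture from server_name
server {
  listen 80;
  server_name <%= (domains.map(&sub_name) + ["#{www_sub_capture}#{Regexp.escape(".#{major}")}", sub_name.call(major)]).join(joiner) %>;
  location ^~ /assets/ico/ {
    root <%= current_path %>/public;
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }
  location / {
    return 301 https://$sub.<%= major %>$request_uri;
  }
}
<%   else %>
server {
  listen 80;
  server_name <%= domains.map(&dotted).join(joiner) %>;
  location ^~ /assets/ico/ {
    root <%= current_path %>/public;
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }
  location / {
    return 301 https://$host$request_uri;
  }
}
<%   end %>
<% elsif fetch(:nginx_remove_https) %>
# no certificate is configured in this mode, so these port-443 listeners speak plain HTTP
<%   if fetch(:nginx_major_domain) %>
server {
  listen 443;
  server_name <%= domains.map(&bare).join(joiner) %> .<%= major %>;
  rewrite ^ http://<%= major %>$request_uri? permanent;
}
server {
  listen 443;
  server_name <%= (domains.map(&sub_name) + ["#{www_sub_capture}#{Regexp.escape(".#{major}")}", sub_name.call(major)]).join(joiner) %>;
  rewrite ^ http://$sub.<%= major %>$request_uri? permanent;
}
<%   else %>
server {
  listen 443;
  server_name <%= domains.map(&dotted).join(joiner) %>;
  rewrite ^ http://$host$request_uri? permanent;
}
<%   end %>
<% end %>

<% if fetch(:nginx_major_domain) %>
<%   if fetch(:nginx_use_ssl) %>
# ssl-domain: secondary domains -> canonical https host, served with the
# :nginx_old_ssl_certificate pair
server {
  listen 443 ssl;
  server_name <%= domains.map(&bare).join(joiner) %>;
  return 301 https://<%= major %>$request_uri;
  ssl_certificate <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_old_ssl_certificate) %>;
  ssl_certificate_key <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_old_ssl_certificate_key) %>;
}
# ssl-with-subdomain
server {
  listen 443 ssl;
  server_name <%= domains.map(&sub_name).join(joiner) %>;
  return 301 https://$sub.<%= major %>$request_uri;
  ssl_certificate <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_old_ssl_certificate) %>;
  ssl_certificate_key <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_old_ssl_certificate_key) %>;
}
<%   else %>
server {
  listen 80;
  server_name <%= domains.map(&bare).join(joiner) %>;
  return 301 http://<%= major %>$request_uri;
}
server {
  listen 80;
  server_name <%= domains.map(&sub_name).join(joiner) %>;
  return 301 http://$sub.<%= major %>$request_uri;
}
<%   end %>
<% end %>

server {
<% if fetch(:nginx_use_ssl) %>
  listen 443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
  listen [::]:443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
  ssl_certificate <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_ssl_certificate) %>;
  ssl_certificate_key <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_ssl_certificate_key) %>;
<%   if fetch(:nginx_ssl_diffie_hellman, false) %>
  # https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
  # from https://cipherli.st/
  # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  # NOTE: TLSv1 and TLSv1.1 are deprecated protocol versions; they are kept here for
  # legacy clients only and should be dropped once those are gone.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # NOTE: the list still admits CBC and 3DES (DES-CBC3-SHA) suites for legacy clients.
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  # OCSP stapling; the resolver is what nginx uses to look up the OCSP responder
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  ## Disable preloading HSTS for now. You can use the commented out header line that includes
  ## the "preload" directive if you understand the implications.
  # => add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
  # NOTE: these three headers are only emitted when :nginx_ssl_diffie_hellman is set, and nginx
  # does not merge add_header across levels: a location that declares its own add_header
  # (/assets/ below, and @<%= upstream %> when :proxy_cache_rails is set) sends none of them.
  # Repeat them in such locations if they must be present on every response.
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  ssl_dhparam <%= fetch(:nginx_ssl_dh_path) %>/<%= fetch(:nginx_ssl_dh_file) %>;
<%   end %>
<% else %>
  listen 80<%= ' default deferred' if fetch(:default_site) %>;
  listen [::]:80<%= ' default deferred' if fetch(:default_site) %>;
<% end %>
<% if fetch(:nginx_major_domain) %>
  server_name .<%= major %>;
<% else %>
  server_name <%= domains.join(joiner) %>;
<% end %>
<% if fetch(:nginx_remove_www) %>
  # strip a leading "www.", keeping the request's scheme so an https request is
  # not bounced through plain http on its way to the canonical host
  if ($host ~* ^www\.(.*)) {
    set $host_without_www $1;
    rewrite ^(.*) $scheme://$host_without_www$1 permanent;
  }
<% end %>
  root <%= current_path %>/public;
  access_log <%= fetch(:nginx_log_path) %>/nginx-access.log;
  error_log <%= fetch(:nginx_log_path) %>/nginx-error.log;
  error_page 404 /404.html;
  location /404.html {
    root <%= fetch(:deploy_to) %>/current/<%= fetch(:nginx_static_dir) %>;
  }
  error_page 500 502 503 504 /500.html;
  location /500.html {
    root <%= fetch(:deploy_to) %>/current/<%= fetch(:nginx_static_dir) %>;
  }
  client_max_body_size 4G;
  keepalive_timeout 10;
  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }
<% if fetch(:allow_well_known) %>
  location ~ /.well-known {
    allow all;
  }
<% end %>
<% if fetch(:proxy_cache_media) %>
  # Media-Path with NginX-Proxy-Cache
  location ^~ /<%= fetch(:proxy_cache_media_path) %>/ {
    # auth_basic off;
    proxy_cache <%= fetch(:proxy_cache_media_name) %>;
    # proxy_cache_lock on;
    # add_header X-Cache-Status $upstream_cache_status;
    # proxy_cache_bypass $http_bypass_proxy;
    # the upstream sockets are plain HTTP, so the client's $scheme must not be used here
    proxy_pass http://<%= upstream %>_cluster;
    proxy_cache_valid 200 <%= fetch(:proxy_cache_media_time) %>;
  }
<% end %>
  try_files $uri/index.html $uri @<%= upstream %>;
  location @<%= upstream %> {
    # rewrite Headers for correct behavior
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host:$server_port;
    proxy_redirect off;
<% if fetch(:proxy_cache_rails) %>
    # cache rails actions (need public header)
    proxy_cache <%= fetch(:proxy_cache_rails_name) %>;
    proxy_cache_lock on;
<%   if fetch(:proxy_cache_rails_200) %>
    proxy_cache_valid 200 302 <%= fetch(:proxy_cache_rails_200) %>;
<%   end %>
<%   if fetch(:proxy_cache_rails_404) %>
    proxy_cache_valid 404 <%= fetch(:proxy_cache_rails_404) %>;
<%   end %>
    proxy_cache_use_stale <%= Array(fetch(:proxy_cache_rails_stale)).join(" ") %>;
    # Set-Cookie is ignored for cache decisions; responses that vary per user must not be cached here
    proxy_ignore_headers Set-Cookie;
    proxy_cache_bypass $http_bypass_proxy;
    add_header X-Cache-Status $upstream_cache_status;
<% end %>
    # pass request to thin upstream
    proxy_pass http://<%= upstream %>_cluster;
  }
}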