konovalov-nk/nginx-config.conf

## nginx-config.conf
upstream myappdev {
  server unix:///home/your_user/git/dev.your.website.com/shared/sockets/puma-dev.sock;
}

# don't forget to add this to server {..} block
# add_header X-Xss-Protection "1; mode=block";

server {
  listen 80;
  listen 443 ssl http2;
  server_name dev.your.website.com;

  ssl_protocols TLSv1.2;
  ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers On;
  ssl_certificate /etc/letsencrypt/live/your.website.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/your.website.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/your.website.com/chain.pem;

  ssl_session_cache shared:SSL:128m;
  add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Content-Security-Policy "default-src 'self'; style-src 'self' *.googleapis.com; script-src 'self' *.google-analytics.com; font-src 'self' *.gstatic.com; img-src 'self' *.w3.org data:";

  ssl_stapling on;
  ssl_stapling_verify on;
  # Your favorite resolver may be used instead of the Google one below
  resolver 8.8.8.8;

  # ~2 seconds is often enough for most folks to parse HTML/CSS and
  # retrieve needed images/icons/frames, connections are cheap in
  # nginx so increasing this is generally safe...
  keepalive_timeout 5;

  # path for static files
  root /var/www/app-dev/public;
  access_log /var/www/app-dev/logs/nginx.access.log;
  error_log /var/www/app-dev/logs/nginx.error.log info;

  # this rewrites all the requests to the maintenance.html
  # page if it exists in the doc root. This is for capistrano's
  # disable web task
  if (-f $document_root/maintenance.html) {
    rewrite  ^(.*)$  /maintenance.html last;
    break;
  }

  location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    # If the file exists as a static file serve it directly without
    # running all the other rewrite tests on it
    if (-f $request_filename) {
      break;
    }

    # check for index.html for directory index
    # if it's there on the filesystem then rewrite
    # the url to add /index.html to the end of it
    # and then break to send it to the next config rules.
    if (-f $request_filename/index.html) {
      rewrite (.*) $1/index.html break;
    }
    # this is the meat of the rack page caching config
    # it adds .html to the end of the url and then checks
    # the filesystem for that file. If it exists, then we
    # rewrite the url to have explicit .html on the end
    # and then send it on its way to the next config rule.
    # if there is no file on the fs then it sets all the
    # necessary headers and proxies to our upstream pumas
    if (-f $request_filename.html) {
      rewrite (.*) $1.html break;
    }

    if (!-f $request_filename) {
      proxy_pass http://myappdev;
      break;
    }
  }

  # Now this supposedly should work as it gets the filenames with querystrings that Rails provides.
  # BUT there's a chance it could break the ajax calls.
  #location ~* \.(ico|css|gif|jpe?g|png|js)(\?[0-9]+)?$ {
  #   expires max;
  #   break;
  #}

  # Error pages
  # error_page 500 502 503 504 /500.html;
  location = /500.html {
    root /var/www/app-dev/public;
  }
}
	upstream myappdev {
	server unix:///home/your_user/git/dev.your.website.com/shared/sockets/puma-dev.sock;
	}

	# don't forget to add this to server {..} block
	# add_header X-Xss-Protection "1; mode=block";

	server {
	listen 80;
	listen 443 ssl http2;
	server_name dev.your.website.com;

	ssl_protocols TLSv1.2;
	ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
	ssl_prefer_server_ciphers On;
	ssl_certificate /etc/letsencrypt/live/your.website.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/your.website.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/your.website.com/chain.pem;

	ssl_session_cache shared:SSL:128m;
	add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Content-Security-Policy "default-src 'self'; style-src 'self' .googleapis.com; script-src 'self' .google-analytics.com; font-src 'self' .gstatic.com; img-src 'self' .w3.org data:";

	ssl_stapling on;
	ssl_stapling_verify on;
	# Your favorite resolver may be used instead of the Google one below
	resolver 8.8.8.8;

	# ~2 seconds is often enough for most folks to parse HTML/CSS and
	# retrieve needed images/icons/frames, connections are cheap in
	# nginx so increasing this is generally safe...
	keepalive_timeout 5;

	# path for static files
	root /var/www/app-dev/public;
	access_log /var/www/app-dev/logs/nginx.access.log;
	error_log /var/www/app-dev/logs/nginx.error.log info;

	# this rewrites all the requests to the maintenance.html
	# page if it exists in the doc root. This is for capistrano's
	# disable web task
	if (-f $document_root/maintenance.html) {
	rewrite ^(.*)$ /maintenance.html last;
	break;
	}

	location / {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;

	# If the file exists as a static file serve it directly without
	# running all the other rewrite tests on it
	if (-f $request_filename) {
	break;
	}

	# check for index.html for directory index
	# if it's there on the filesystem then rewrite
	# the url to add /index.html to the end of it
	# and then break to send it to the next config rules.
	if (-f $request_filename/index.html) {
	rewrite (.*) $1/index.html break;
	}
	# this is the meat of the rack page caching config
	# it adds .html to the end of the url and then checks
	# the filesystem for that file. If it exists, then we
	# rewrite the url to have explicit .html on the end
	# and then send it on its way to the next config rule.
	# if there is no file on the fs then it sets all the
	# necessary headers and proxies to our upstream pumas
	if (-f $request_filename.html) {
	rewrite (.*) $1.html break;
	}

	if (!-f $request_filename) {
	proxy_pass http://myappdev;
	break;
	}
	}

	# Now this supposedly should work as it gets the filenames with querystrings that Rails provides.
	# BUT there's a chance it could break the ajax calls.
	#location ~* \.(ico\|css\|gif\|jpe?g\|png\|js)(\?[0-9]+)?$ {
	# expires max;
	# break;
	#}

	# Error pages
	# error_page 500 502 503 504 /500.html;
	location = /500.html {
	root /var/www/app-dev/public;
	}
	}