Created
October 15, 2018 12:43
-
-
Save marvindanig/0bdd7d8768cbf5eab2fc4782803df87d to your computer and use it in GitHub Desktop.
nginx configuration for capistrano3-nginx ~> 3.0 gem with HSTS preload, ipv6 and http ~> https redirection
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| upstream puma_<%= fetch(:nginx_config_name) %> { <% | |
| @backends = [fetch(:puma_bind)].flatten.map do |m| | |
| etype, address = /(tcp|unix|ssl):\/{1,2}(.+)/.match(m).captures | |
| if etype == 'unix' | |
| "server #{etype}:#{address} #{fetch(:nginx_socket_flags)};" | |
| else | |
| "server #{address.gsub(/0\.0\.0\.0(.+)/, "127.0.0.1\\1")} #{fetch(:nginx_http_flags)};" | |
| end | |
| end | |
| %><% @backends.each do |server| %> | |
| <%= server %><% end %> | |
| } | |
| server { | |
| listen 80; | |
| listen [::]:80 ipv6only=on; | |
| server_name <%= fetch(:nginx_server_name) %> www.<%= fetch(:nginx_server_name) %>; | |
| rewrite ^(.*) https://$host$1$request_uri permanent; | |
| } | |
| server { | |
| listen 443 ssl http2; | |
| listen [::]:443 ssl http2; | |
| server_name www.<%= fetch(:nginx_server_name) %>; | |
| ssl_certificate /etc/letsencrypt/live/www.bubblin.io/fullchain.pem; # managed by Certbot | |
| ssl_certificate_key /etc/letsencrypt/live/www.bubblin.io/privkey.pem; # managed by Certbot | |
| include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |
| rewrite ^ https://bubblin.io$request_uri permanent; | |
| } | |
| server { | |
| server_name <%= fetch(:nginx_server_name) %>; | |
| root <%= current_path %>/public; | |
| try_files $uri/index.html $uri @puma_<%= fetch(:nginx_config_name) %>; | |
| client_max_body_size 4G; | |
| keepalive_timeout 10; | |
| error_page 500 502 504 /500.html; | |
| error_page 503 @503; | |
| location @puma_<%= fetch(:nginx_config_name) %> { | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $host; | |
| proxy_redirect off; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection "Upgrade"; | |
| <% if fetch(:nginx_use_ssl) -%> | |
| proxy_set_header X-Forwarded-Proto https; | |
| <% else -%> | |
| proxy_set_header X-Forwarded-Proto http; | |
| <% end -%> | |
| proxy_pass http://puma_<%= fetch(:nginx_config_name) %>; | |
| # limit_req zone=one; | |
| access_log <%= shared_path %>/log/nginx.access.log; | |
| error_log <%= shared_path %>/log/nginx.error.log; | |
| } | |
| location ^~ /assets/ { | |
| gzip_static on; | |
| expires max; | |
| add_header Cache-Control public; | |
| } | |
| location = /50x.html { | |
| root html; | |
| } | |
| location = /404.html { | |
| root html; | |
| } | |
| location @503 { | |
| error_page 405 = /system/maintenance.html; | |
| if (-f $document_root/system/maintenance.html) { | |
| rewrite ^(.*)$ /system/maintenance.html break; | |
| } | |
| rewrite ^(.*)$ /503.html break; | |
| } | |
| if ($request_method !~ ^(GET|HEAD|PUT|PATCH|POST|DELETE|OPTIONS)$ ){ | |
| return 405; | |
| } | |
| if (-f $document_root/system/maintenance.html) { | |
| return 503; | |
| } | |
| listen 443 ssl http2; # managed by Certbot | |
| listen [::]:443 ssl http2; | |
| ssl_certificate /etc/letsencrypt/live/bubblin.io/fullchain.pem; # managed by Certbot | |
| ssl_certificate_key /etc/letsencrypt/live/bubblin.io/privkey.pem; # managed by Certbot | |
| include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |
| # Add HSTS header with preloads | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment