-
-
Save rkjha/d898e225266f6bbe75d8 to your computer and use it in GitHub Desktop.
| upstream myapp_puma { | |
| server unix:/tmp/myapp_puma.sock fail_timeout=0; | |
| } | |
| # for redirecting to https version of the site | |
| server { | |
| listen 80; | |
| rewrite ^(.*) https://$host$1 permanent; | |
| } | |
| # for redirecting to non-www version of the site | |
| server { | |
| listen 80; | |
| server_name www.example.com; | |
| rewrite ^(.*) http://example.com$1 permanent; | |
| } | |
| server { | |
| listen 443 default ssl; | |
| server_name example.com; | |
| root /home/username/example.com/current/public; | |
| ssl on; | |
| ssl_certificate /home/username/.comodo_certs/example.com.crt; | |
| ssl_certificate_key /home/username/.comodo_certs/example.com.key; | |
| ssl_session_timeout 5m; | |
| ssl_protocols SSLv2 SSLv3 TLSv1; | |
| ssl_ciphers HIGH:!aNULL:!MD5; | |
| ssl_prefer_server_ciphers on; | |
| location ^~ /assets/ { | |
| gzip_static on; | |
| expires max; | |
| add_header Cache-Control public; | |
| } | |
| try_files $uri/index.html $uri @myapp_puma; | |
| location @myapp_puma { | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-Proto https; | |
| proxy_redirect off; | |
| proxy_pass http://myapp_puma; | |
| } | |
| error_page 500 502 503 504 /500.html; | |
| client_max_body_size 4G; | |
| keepalive_timeout 10; | |
| } |
| upstream myapp_puma { | |
| server unix:/tmp/myapp_puma.sock fail_timeout=0; | |
| } | |
| # for redirecting to non-www version of the site | |
| server { | |
| listen 80; | |
| server_name www.example.com; | |
| rewrite ^(.*) http://example.com$1 permanent; | |
| } | |
| server { | |
| listen 80 default; | |
| server_name example.com; | |
| root /home/username/example.com/current/public; | |
| location ^~ /assets/ { | |
| gzip_static on; | |
| expires max; | |
| add_header Cache-Control public; | |
| } | |
| try_files $uri/index.html $uri @myapp_puma; | |
| location @myapp_puma { | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-Proto http; | |
| proxy_redirect off; | |
| proxy_pass http://myapp_puma; | |
| } | |
| error_page 500 502 503 504 /500.html; | |
| client_max_body_size 4G; | |
| keepalive_timeout 10; | |
| } | |
| ## Running puma | |
| # bundle exec puma -e production -d -b unix:///tmp/myapp_puma.sock |
Would you please elaborate as to what do you mean by stating not to use those ancient ssl_protocols in 2017 - can you offer an explanation there?
Referencing:
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
Thanks
@codewizardry I'm curious too
@codewizardry @fernandoaleman See the Mozilla SSL Nginx Configuration Generator for your answers.
I think the X-Forwarded-Proto https; could have fixed my issue but before I added that I tried proxy_set_header X-Forwarded-Ssl on; and that helped with a problem where devise would redirect to http after signup but chrome just wouldn't like that.
Thank you! This has helped me a lot!
I couldn't quite get SSL to work with NGINX, and puma until finding this with X-Forwarded-proto line. Thanks! Don't know why this line isn't in the many other examples and tutorials I browsed through.
Don't be using those ancient
ssl_protocolsin 2017