Nginx config for rails 4 application using puma [ssl and non-ssl version]
# SSL version
upstream myapp_puma {
  server unix:/tmp/myapp_puma.sock fail_timeout=0;
}

# for redirecting to https version of the site
server {
  listen 80;
  rewrite ^(.*) https://$host$1 permanent;
}

# for redirecting to non-www version of the site
server {
  listen 80;
  server_name www.example.com;
  rewrite ^(.*) http://example.com$1 permanent;
}

server {
  listen 443 default ssl;
  server_name example.com;
  root /home/username/example.com/current/public;

  ssl on;
  ssl_certificate /home/username/.comodo_certs/example.com.crt;
  ssl_certificate_key /home/username/.comodo_certs/example.com.key;
  ssl_session_timeout 5m;
  # NOTE: SSLv2 and SSLv3 are broken and TLSv1 is deprecated; the line is kept
  # as posted because the comments below discuss it.
  ssl_protocols SSLv2 SSLv3 TLSv1;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  # precompiled Rails assets: serve pre-gzipped files with far-future expiry
  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  # serve static files from public/ first, then fall through to puma
  try_files $uri/index.html $uri @myapp_puma;

  location @myapp_puma {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # tells the Rails app the original request arrived over HTTPS
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;
    proxy_pass http://myapp_puma;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

# Non-SSL version (an alternative to the file above, not loaded alongside it)
upstream myapp_puma {
  server unix:/tmp/myapp_puma.sock fail_timeout=0;
}

# for redirecting to non-www version of the site
server {
  listen 80;
  server_name www.example.com;
  rewrite ^(.*) http://example.com$1 permanent;
}

server {
  listen 80 default;
  server_name example.com;
  root /home/username/example.com/current/public;

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @myapp_puma;

  location @myapp_puma {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto http;
    proxy_redirect off;
    proxy_pass http://myapp_puma;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

## Running puma
# bundle exec puma -e production -d -b unix:///tmp/myapp_puma.sock

whitehat101 commented Apr 3, 2017

  ssl_protocols  SSLv2 SSLv3 TLSv1;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers   on;

Don't be using those ancient ssl_protocols in 2017

codewizardry commented Apr 4, 2017

@whitehat101

Would you please elaborate as to what you mean by stating not to use those ancient ssl_protocols in 2017? Can you offer an explanation there?

Referencing:

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

Thanks

fernandoaleman commented Apr 25, 2017

@codewizardry I'm curious too

bramswenson commented Jun 5, 2017

TomK32 commented Jun 21, 2018

I think the X-Forwarded-Proto https; could have fixed my issue, but before I added that I tried proxy_set_header X-Forwarded-Ssl on; and that helped with a problem where Devise would redirect to http after signup, but Chrome just wouldn't like that.

vivipoit commented Jul 6, 2019

Thank you! This has helped me a lot!

memeweb commented Feb 27, 2020

I couldn't quite get SSL to work with NGINX and puma until finding this with the X-Forwarded-Proto line. Thanks! Don't know why this line isn't in the many other examples and tutorials I browsed through.
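
The two points raised in the comments (the `ssl_protocols` list and the `X-Forwarded-Proto` header), applied to the SSL version of the config. This is an added example, not part of the original gist: paths and names are reused from it, while the choice of TLSv1.2/TLSv1.3, the fixed-host redirect and `$scheme` are assumptions about a current nginx/OpenSSL build.

```nginx
upstream myapp_puma {
  server unix:/tmp/myapp_puma.sock fail_timeout=0;
}

# Port 80 only redirects. The target host is fixed in the config rather than
# echoed back from the client-supplied Host header.
server {
  listen 80 default_server;
  server_name example.com www.example.com;
  return 301 https://example.com$request_uri;
}

server {
  listen 443 ssl default_server;  # "ssl" on listen replaces the obsolete "ssl on;"
  server_name example.com;
  root /home/username/example.com/current/public;

  ssl_certificate     /home/username/.comodo_certs/example.com.crt;
  ssl_certificate_key /home/username/.comodo_certs/example.com.key;
  ssl_session_timeout 5m;

  # SSLv2 (DROWN) and SSLv3 (POODLE) are broken; TLSv1 is deprecated (RFC 8996).
  # TLSv1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1+.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5;   # cipher string unchanged from the gist
  ssl_prefer_server_ciphers on;

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @myapp_puma;

  location @myapp_puma {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # proxy_set_header replaces any X-Forwarded-Proto sent by the client, so
    # Rails builds https:// redirect URLs from nginx's own view of the request.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;
    proxy_pass http://myapp_puma;
  }
  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}
```

Validate the file with `nginx -t` before reloading.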
