universal/nginx-rails-ssl.vhost

## nginx-rails-ssl.vhost
upstream dummy.us {
  server unix:/home/dummyus/deploy/dummyus/tmp/puma.sock;
}


server {
  listen 255.255.255.256:80;
  listen [1111:1111:1111:1111::256]:80;
  server_name dummy.us www.dummy.us;

  add_header   Strict-Transport-Security max-age=18144000;

  location / {
    return 301 https://dummy.us$request_uri;
  }
}

server {

  listen 255.255.255.256:443 ssl;
  listen [1111:1111:1111:1111::256::256]:443 ssl;
  server_name dummy.us www.dummy.us;

  add_header   Strict-Transport-Security max-age=31104000;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/dummy.us/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/dummy.us/privkey.pem; # managed by Certbot

  ssl_session_cache       builtin:1000  shared:SSL:10m;
  ssl_session_timeout     5m;

  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 10s;
  ssl_stapling            on;
  ssl_stapling_verify     on;
  ssl_trusted_certificate /etc/nginx/ssl_certs/letsencrypt.pem;

  ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers       on;

  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;

  root /home/dummyus/deploy/dummyus/public;

  try_files $uri/index.html $uri.html $uri @app;

  location @app {
    proxy_redirect     off;

    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto https;

    #all requests are sent to the UNIX socket
    proxy_pass  http://dummy.us;
  }

  location ~ ^/(assets|uploads)/ {

    expires max;
    add_header Cache-Control public;

    add_header ETag "";
    break;
  }

}
	upstream dummy.us {
	server unix:/home/dummyus/deploy/dummyus/tmp/puma.sock;
	}


	server {
	listen 255.255.255.256:80;
	listen [1111:1111:1111:1111::256]:80;
	server_name dummy.us www.dummy.us;

	add_header Strict-Transport-Security max-age=18144000;

	location / {
	return 301 https://dummy.us$request_uri;
	}
	}

	server {

	listen 255.255.255.256:443 ssl;
	listen [1111:1111:1111:1111::256::256]:443 ssl;
	server_name dummy.us www.dummy.us;

	add_header Strict-Transport-Security max-age=31104000;

	ssl on;
	ssl_certificate /etc/letsencrypt/live/dummy.us/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/dummy.us/privkey.pem; # managed by Certbot

	ssl_session_cache builtin:1000 shared:SSL:10m;
	ssl_session_timeout 5m;

	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 10s;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/ssl_certs/letsencrypt.pem;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;

	root /home/dummyus/deploy/dummyus/public;

	try_files $uri/index.html $uri.html $uri @app;

	location @app {
	proxy_redirect off;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;

	#all requests are sent to the UNIX socket
	proxy_pass http://dummy.us;
	}

	location ~ ^/(assets\|uploads)/ {

	expires max;
	add_header Cache-Control public;

	add_header ETag "";
	break;
	}

	}