# PRODUCTION nginx conf # The point of this config file is to have near-identical setup in PRODUCTION. # Use it in production or copy it over upstream ensl_production { server web:$PRODUCTION_PUMA_PORT; # server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0; } # root-level -> www redirect server { listen *:$PRODUCTION_PORT; listen *:$PRODUCTION_PORT_SSL ssl; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem; server_name $PRODUCTION_ROOT_DOMAIN; root $PRODUCTION_NGINX_PUBLIC; return 301 https://$PRODUCTION_DOMAIN$request_uri; } # HTTP -> HTTPS redirect #server { # listen *:$PRODUCTION_PORT; # server_name $PRODUCTION_DOMAIN; # return 301 https://$PRODUCTION_DOMAIN$request_uri; #} server { listen *:$PRODUCTION_PORT default_server; listen *:$PRODUCTION_PORT_SSL ssl default_server; # Redirect to HTTPS error_page 497 https://$host:$server_port$request_uri; server_name $PRODUCTION_DOMAIN; root $PRODUCTION_NGINX_PUBLIC; index index.html index.htm index.php; ssl_certificate /etc/letsencrypt/live/ensl.org-0001/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ensl.org-0001/privkey.pem; # ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; # ssl_session_timeout 1d; # ssl_session_cache shared:SSL:50m; # ssl_stapling on; # ssl_stapling_verify on; add_header Strict-Transport-Security max-age=0; # Fixme: add logs as volume access_log /var/log/nginx/ensl.production.access.log; error_log /var/log/nginx/ensl.production.error.log; rewrite_log on; client_max_body_size 20M; keepalive_timeout 10; location ~ /.well-known { allow all; autoindex on; } # FIXME: use env. var location ^~ /assets/ { gzip_static on; expires 1m; add_header Cache-Control public; } # FIXME: use env. var location /files/ { # try_files $uri $uri/ @puma; # alias root $APP_PATH_PUBLIC/files/; alias /srv/ensl_files/; autoindex on; } location @puma { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_pass http://ensl_production; } try_files $uri/index.html $uri @puma; }