pragmaticivan · August 29, 2015 14:06
diff --git a/nginx-app-vhost.conf b/nginx-app-vhost.conf
 server {
    listen 80;
    server_name  example.com;
    rewrite ^/(.*) https://$server_name permanent;
 }

 server {
    # Your application host will be used as a convention for directories and other stuffs
    set $application_host "example.com";
    # Rails application server timeout (we have to match the value here to not display Gateway Timeout error)
    set $application_timeout 300; 
    
    listen 443 ssl spdy;
    server_name $application_host;
    server_tokens off;
    root /srv/$application_host/current;

    ssl on;
    ssl_certificate /srv/$application_host/shared/server-chain.pem;
    ssl_certificate_key /srv/$application_host/shared/server.key;
    
    # Não habilite SSLv3 é inseguro (foda-se o IE6)
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    
    # Não use RC4: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    
    ssl_prefer_server_ciphers on;

    # SSL Session Cache:
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    
    # Habilita HSTS: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    add_header Strict-Transport-Security max-age=31536000;
    
    location / {
        # serve static files from defined root folder;.
        # @application is a named location for the upstream fallback, see below
        try_files $uri $uri/index.html $uri.html @application;
    }

    # if a file, which is not found in the root folder is requested,
    # then the proxy pass the request to the upsteam (rails application server)
    location @application {
        proxy_read_timeout    $application_timeout;
        proxy_connect_timeout $application_timeout;
        proxy_redirect        off;

        proxy_set_header  X-Forwarded-Proto https;
        proxy_set_header  X-Forwarded-Ssl   on;
        proxy_set_header  Host              $http_host;
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;

        proxy_pass http://application;
    }

    # Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
    location ~ ^/(assets)/  {
        root /srv/$application_host/current/public;
        
        # check Accept header for webp, check if .webp is on disk
        if ($http_accept ~* "webp")    { set $webp_accept "true"; }
        if (-f $request_filename.webp) { set $webp_local  "true"; }
    
        # if WebP variant is available, serve Vary
        if ($webp_local = "true") {
            add_header Vary Accept;
        }
        
        # drop Vary for IE users, mark resource as private
        if ($http_user_agent ~* "(?i)(MSIE)") {
            proxy_hide_header Vary;
            add_header Cache-Control private;
        }
    
        # if WebP is supported by client, serve it
        if ($webp_accept = "true") {
            rewrite (.*) $1.webp break;
        }
  
        gzip_static on; # to serve pre-gzipped version
        expires max;
        add_header Cache-Control public;
    }
    error_page 502 /502.html;
 }
	server {
	listen 80;
	server_name example.com;
	rewrite ^/(.*) https://$server_name permanent;
	}

	server {
	# Your application host will be used as a convention for directories and other stuffs
	set $application_host "example.com";
	# Rails application server timeout (we have to match the value here to not display Gateway Timeout error)
	set $application_timeout 300;

	listen 443 ssl spdy;
	server_name $application_host;
	server_tokens off;
	root /srv/$application_host/current;

	ssl on;
	ssl_certificate /srv/$application_host/shared/server-chain.pem;
	ssl_certificate_key /srv/$application_host/shared/server.key;

	# Não habilite SSLv3 é inseguro (foda-se o IE6)
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Não use RC4: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

	ssl_prefer_server_ciphers on;

	# SSL Session Cache:
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	# Habilita HSTS: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
	add_header Strict-Transport-Security max-age=31536000;

	location / {
	# serve static files from defined root folder;.
	# @application is a named location for the upstream fallback, see below
	try_files $uri $uri/index.html $uri.html @application;
	}

	# if a file, which is not found in the root folder is requested,
	# then the proxy pass the request to the upsteam (rails application server)
	location @application {
	proxy_read_timeout $application_timeout;
	proxy_connect_timeout $application_timeout;
	proxy_redirect off;

	proxy_set_header X-Forwarded-Proto https;
	proxy_set_header X-Forwarded-Ssl on;
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	proxy_pass http://application;
	}

	# Enable gzip compression as per rails guide: http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
	location ~ ^/(assets)/ {
	root /srv/$application_host/current/public;

	# check Accept header for webp, check if .webp is on disk
	if ($http_accept ~* "webp") { set $webp_accept "true"; }
	if (-f $request_filename.webp) { set $webp_local "true"; }

	# if WebP variant is available, serve Vary
	if ($webp_local = "true") {
	add_header Vary Accept;
	}

	# drop Vary for IE users, mark resource as private
	if ($http_user_agent ~* "(?i)(MSIE)") {
	proxy_hide_header Vary;
	add_header Cache-Control private;
	}

	# if WebP is supported by client, serve it
	if ($webp_accept = "true") {
	rewrite (.*) $1.webp break;
	}

	gzip_static on; # to serve pre-gzipped version
	expires max;
	add_header Cache-Control public;
	}
	error_page 502 /502.html;
	}