Last Updated: February 25, 2016
· devatotech

Rails Nginx SSL Default Config

It took a while to find the right settings to run SSL on a Rails 4 app, so here they are:

Unicorn:

# Backend pool for the Rails app: a single Unicorn master listening on a
# Unix domain socket, so the app is not exposed on a TCP port.
# NOTE(review): anything that can open this socket can talk to the app
# without passing through nginx; confirm the socket's owner and mode are
# limited to the nginx and deploy users.
upstream unicorn {
  # fail_timeout=0: nginx never marks this server as unavailable, so it
  # keeps retrying the socket even after a failed response.
  server unix:/home/deploy/apps/rrp/shared/system/unicorn.sock fail_timeout=0;
}

Non-SSL:

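server {
  # Plain-HTTP catch-all: its only job is to send every request to HTTPS.
  # `default_server` is the current spelling of the legacy `default` flag;
  # `deferred` enables TCP_DEFER_ACCEPT on Linux.
  listen 80 default_server deferred;
  keepalive_timeout 5;

  # Redirect with `return` instead of a server-level `rewrite` built from
  # $http_host. $host is nginx's normalised host name (lower-cased, port
  # stripped, falling back to the server name when the request carries no
  # Host header), so a missing Host header or a "Host: name:80" value no
  # longer yields a broken https:// Location. $request_uri keeps the path
  # and query string exactly as the client sent them.
  #
  # NOTE: on a catch-all server $host is still derived from the client's
  # Host header. Where the site has one canonical name, redirect to that
  # literal name so the Location header cannot be steered by the request.
  return 301 https://$host$request_uri;

  # No asset, try_files, proxy or error_page configuration is needed here:
  # the unconditional redirect answers every request before any location is
  # consulted, so nothing is ever served or proxied over plain HTTP.
}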

SSL:

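server {
  # TLS is enabled with the `ssl` flag on `listen`; the standalone `ssl on;`
  # directive is deprecated and rejected by current nginx releases.
  # `deferred` enables TCP_DEFER_ACCEPT on Linux.
  listen 443 ssl default_server deferred;

  keepalive_timeout 5;

  # Name the protocol versions explicitly instead of inheriting the build's
  # default, which on older nginx still includes SSLv3 / TLSv1.0.
  # Drop TLSv1.3 from this line on nginx older than 1.13.0.
  ssl_protocols TLSv1.2 TLSv1.3;

  # RC4 must not be offered (RFC 7465 prohibits it in TLS). Listing it first
  # together with ssl_prefer_server_ciphers made it the preferred cipher.
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  ssl_certificate /etc/ssl/<ssl_domain>.crt;
  # The private key should be readable by root only.
  ssl_certificate_key /etc/ssl/<ssl_domain>.key;

  # HSTS: browsers remember to use HTTPS for this host for max-age seconds.
  # `always` (nginx 1.7.5+) also attaches the header to error responses.
  add_header Strict-Transport-Security "max-age=631138519" always;
  root /home/deploy/apps/rrp/current/public;

  # Far-future expires and gzip for fingerprinted assets
  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
    # add_header directives are inherited from the server level only when
    # the location defines none of its own, so HSTS is repeated here;
    # without this line asset responses would be sent without it.
    add_header Strict-Transport-Security "max-age=631138519" always;
  }

  # Prefer to serve static files directly from nginx to avoid unnecessary
  # data copies from the application server.
  try_files $uri/index.html $uri @unicorn;

  location @unicorn {
    # Appends the connecting address to any X-Forwarded-For the client sent.
    # Only the last entry is written by this nginx; earlier entries are
    # client-supplied and the application must not trust them.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # this helps Rack set the proper URL scheme for doing HTTPS redirects:
    proxy_set_header X-Forwarded-Proto $scheme;

    # Pass the client's Host header through so redirects can be built
    # within the Rack application.
    # NOTE(review): this is the default server, so any Host value a client
    # sends reaches the app. If the app builds absolute URLs from the
    # request host (mail links, redirects), add a server_name for the real
    # domain and let a separate catch-all server reject other hosts.
    proxy_set_header Host $http_host;

    # we don't want nginx trying to do something clever with
    # redirects, we set the Host: header above already.
    proxy_redirect off;

    proxy_pass http://unicorn;
  }

  # Rails error pages: serve the static 500 page for upstream failures so
  # backend error detail is not shown to the client.
  error_page 500 502 503 504 /500.html;
  location = /500.html {
    root /home/deploy/apps/rrp/current/public;
  }
}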