add blog and action cable

skyderby · May 10, 2018 · d04aaa8 · d04aaa8
1 parent 75e7b5a
commit d04aaa8
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 68 deletions.
diff --git a/roles/application/files/app.env.example b/roles/application/files/app.env.example
@@ -28,3 +28,6 @@ HONEYBADGER_API_KEY=honey_badger_api_key
 SKYLIGHT_AUTHENTICATION=skylight_api_key
 
 TRACK_SCANNER_URL=http://track-scanner/
+
+ACTIONCABLE_ALLOWED_ORIGINS=https://skyderby.ru
+REDIS_CABLE_DB=11
diff --git a/roles/application/files/docker-compose.yml b/roles/application/files/docker-compose.yml
@@ -50,6 +50,7 @@ services:
       - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
       - ./nginx/dhparam.pem:/etc/pki/nginx/dhparam.pem:ro
       - /etc/letsencrypt:/etc/letsencrypt:ro
+      - /opt/app/skyderby/blog:/opt/blog:ro
     volumes_from:
       - app:ro
     ports:

diff --git a/roles/application/files/nginx/nginx.conf b/roles/application/files/nginx/nginx.conf
@@ -1,62 +1,27 @@
-# This is example contains the bare mininum to get nginx going with
-# unicorn servers.  Generally these configuration settings
-# are applicable to other HTTP application servers (and not just Ruby
-# ones), so if you have one working well for proxying another app
-# server, feel free to continue using it.
-#
-# The only setting we feel strongly about is the fail_timeout=0
-# directive in the "upstream" block.  max_fails=0 also has the same
-# effect as fail_timeout=0 for current versions of nginx and may be
-# used in its place.
-#
-# Users are strongly encouraged to refer to nginx documentation for more
-# details and search for other example configs.
-
-# you generally only need one nginx worker unless you're serving
-# large amounts of static files which require blocking disk reads
 worker_processes 1;
 
-# # drop privileges, root is needed on most systems for binding to port 80
-# # (or anything < 1024).  Capability-based security may be available for
-# # your system and worth checking out so you won't need to be root to
-# # start nginx to bind on 80
-user nobody nogroup; # for systems with a "nogroup"
-# user nobody nobody; # for systems with "nobody" as a group instead
+user nobody nogroup;
 
-# Feel free to change all paths to suite your needs here, of course
 pid /tmp/nginx.pid;
 error_log /var/log/nginx/error.log;
 
 events {
-  worker_connections 1024; # increase if you have lots of clients
+  worker_connections 1024;
   accept_mutex off; # "on" if nginx worker_processes > 1
-  # use epoll; # enable for Linux 2.6+
-  # use kqueue; # enable for FreeBSD, OSX
 }
 
 http {
-  # nginx will find this file in the config directory set at nginx build time
   include mime.types;
 
-  # fallback in case we can't determine a type
   default_type application/octet-stream;
 
-  # click tracking!
   access_log /var/log/nginx/access.log combined;
 
-  # you generally want to serve static files with nginx since
-  # unicorn is not and will never be optimized for it
   sendfile on;
 
   tcp_nopush on; # off may be better for *some* Comet/long-poll stuff
   tcp_nodelay off; # on may be better for some Comet/long-poll stuff
 
-  # we haven't checked to see if Rack::Deflate on the app server is
-  # faster or not than doing compression via nginx.  It's easier
-  # to configure it all in one place here for static files and also
-  # to disable gzip for clients who don't get gzip/deflate right.
-  # There are other gzip settings that may be needed used to deal with
-  # bad clients out there, see http://wiki.nginx.org/NginxHttpGzipModule
   gzip on;
   gzip_http_version 1.0;
   gzip_proxied any;
@@ -67,12 +32,7 @@ http {
              text/javascript application/x-javascript
              application/atom+xml;
 
-  # this can be any application server, not just unicorn
   upstream app_server {
-    # fail_timeout=0 means we always retry an upstream even if it failed
-    # to return a good HTTP response (in case the unicorn master nukes a
-    # single worker for timing out).
-
     server app:8000 fail_timeout=0;
   }
 
@@ -81,13 +41,13 @@ http {
   }
 
   server {
-    server_name skyderby.ru www.skyderby.ru;
+    server_name skyderby.ru www.skyderby.ru blog.skyderby.ru;
     listen 80;
-    return 301 https://skyderby.ru$request_uri;
+    return 301 https://$host$request_uri;
   }
 
   server {
-    listen 443 ssl default deferred http2; # for Linux
+    listen 443 ssl default deferred http2;
     server_name skyderby.ru;
     ssl_stapling on;
     ssl on;
@@ -99,7 +59,6 @@ http {
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
     ssl_prefer_server_ciphers on;
-    add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
 
     if ($http_user_agent ~* (AhrefsBot|SemrushBot|BaiduSpider|Jorgee|MJ12bot)) {
       return 444;
@@ -123,13 +82,6 @@ http {
     # path for static files
     root /opt/app/public;
 
-    # Prefer to serve static files directly from nginx to avoid unnecessary
-    # data copies from the application server.
-    #
-    # try_files directive appeared in in nginx 0.7.27 and has stabilized
-    # over time.  Older versions of nginx (e.g. 0.6.x) requires
-    # "if (!-f $request_filename)" which was less efficient:
-    # http://bogomips.org/unicorn.git/tree/examples/nginx.conf?id=v3.3.1#n127
     try_files $uri/index.html $uri.html $uri @app;
 
     location ^~ /assets/ {
@@ -155,10 +107,6 @@ http {
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
 
-      # enable this if you forward HTTPS traffic to unicorn,
-      # this helps Rack set the proper URL scheme for doing redirects:
-      # proxy_set_header X-Forwarded-Proto $scheme;
-
       # pass the Host: header from the client right along so redirects
       # can be set properly within the Rack application
       proxy_set_header Host $http_host;
@@ -167,17 +115,6 @@ http {
       # redirects, we set the Host: header above already.
       proxy_redirect off;
 
-      # It's also safe to set if you're using only serving fast clients
-      # with unicorn + nginx, but not slow clients.  You normally want
-      # nginx to buffer responses to slow clients, even with Rails 3.1
-      # streaming because otherwise a slow client can become a bottleneck
-      # of unicorn.
-      #
-      # The Rack application may also set "X-Accel-Buffering (yes|no)"
-      # in the response headers do disable/enable buffering on a
-      # per-response basis.
-      # proxy_buffering off;
-
       proxy_pass http://app_server;
     }
 
@@ -187,4 +124,19 @@ http {
     #  root /opt/app/public;
     #}
   }
+
+  server {
+    listen 443;
+    server_name blog.skyderby.ru;
+
+    location ~ / {
+      root /opt/blog;
+      index index.html;
+    }
+
+    location ^~ /.well-known/acme-challenge/ {
+      default_type "text/plain";
+      root /opt/app/public;
+    }
+  }
 }