From d04aaa8cbd4e94f3446ac85c773ca0789614a053 Mon Sep 17 00:00:00 2001
From: Aleksandr Kunin
Date: Thu, 10 May 2018 11:06:14 +0300
Subject: [PATCH] add blog and action cable

---
 roles/application/files/app.env.example | 3 +
 roles/application/files/docker-compose.yml | 1 +
 roles/application/files/nginx/nginx.conf | 88 +++++----------------
 3 files changed, 24 insertions(+), 68 deletions(-)

diff --git a/roles/application/files/app.env.example b/roles/application/files/app.env.example
index 59467a0..35280c2 100644
--- a/roles/application/files/app.env.example
+++ b/roles/application/files/app.env.example
@@ -28,3 +28,6 @@ HONEYBADGER_API_KEY=honey_badger_api_key
 SKYLIGHT_AUTHENTICATION=skylight_api_key
 TRACK_SCANNER_URL=http://track-scanner/
+
+ACTIONCABLE_ALLOWED_ORIGINS=https://skyderby.ru
+REDIS_CABLE_DB=11
diff --git a/roles/application/files/docker-compose.yml b/roles/application/files/docker-compose.yml
index bafdf26..450ac66 100644
--- a/roles/application/files/docker-compose.yml
+++ b/roles/application/files/docker-compose.yml
@@ -50,6 +50,7 @@ services:
 - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
 - ./nginx/dhparam.pem:/etc/pki/nginx/dhparam.pem:ro
 - /etc/letsencrypt:/etc/letsencrypt:ro
+ - /opt/app/skyderby/blog:/opt/blog:ro
 volumes_from:
 - app:ro
 ports:
diff --git a/roles/application/files/nginx/nginx.conf b/roles/application/files/nginx/nginx.conf
index 88c6ef6..57cd925 100644
--- a/roles/application/files/nginx/nginx.conf
+++ b/roles/application/files/nginx/nginx.conf
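Review bot: `ACTIONCABLE_ALLOWED_ORIGINS=https://skyderby.ru` names only the apex host, but the nginx change in this same commit now redirects `www.skyderby.ru` to `https://$host$request_uri` instead of folding it into the apex as the removed line did, so a page loaded on the www host would present an `Origin` that this list does not contain and its cable handshake would be refused — assuming the variable feeds Action Cable's allowed-origins check, which the application side is not shown here. Either restore the canonical-host redirect in nginx or extend this value with the www origin, and add a comment above the entry stating that each origin must match scheme and host exactly as the browser sends them, e.g. `# Exact origins (scheme + host) allowed to open the Action Cable socket`. The format for listing more than one origin is app-defined and is also worth documenting next to the entry.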
@@ -1,62 +1,27 @@
-# This is example contains the bare mininum to get nginx going with
-# unicorn servers. Generally these configuration settings
-# are applicable to other HTTP application servers (and not just Ruby
-# ones), so if you have one working well for proxying another app
-# server, feel free to continue using it.
-#
-# The only setting we feel strongly about is the fail_timeout=0
-# directive in the "upstream" block. max_fails=0 also has the same
-# effect as fail_timeout=0 for current versions of nginx and may be
-# used in its place.
-#
-# Users are strongly encouraged to refer to nginx documentation for more
-# details and search for other example configs.
-
-# you generally only need one nginx worker unless you're serving
-# large amounts of static files which require blocking disk reads
 worker_processes 1;
-# # drop privileges, root is needed on most systems for binding to port 80
-# # (or anything < 1024). Capability-based security may be available for
-# # your system and worth checking out so you won't need to be root to
-# # start nginx to bind on 80
-user nobody nogroup; # for systems with a "nogroup"
-# user nobody nobody; # for systems with "nobody" as a group instead
+user nobody nogroup;
-# Feel free to change all paths to suite your needs here, of course
 pid /tmp/nginx.pid;
 error_log /var/log/nginx/error.log;
 events {
- worker_connections 1024; # increase if you have lots of clients
+ worker_connections 1024;
 accept_mutex off; # "on" if nginx worker_processes > 1
- # use epoll; # enable for Linux 2.6+
- # use kqueue; # enable for FreeBSD, OSX
 }
 http {
- # nginx will find this file in the config directory set at nginx build time
 include mime.types;
- # fallback in case we can't determine a type
 default_type application/octet-stream;
- # click tracking!
 access_log /var/log/nginx/access.log combined;
- # you generally want to serve static files with nginx since
- # unicorn is not and will never be optimized for it
 sendfile on;
 tcp_nopush on; # off may be better for *some* Comet/long-poll stuff
 tcp_nodelay off; # on may be better for some Comet/long-poll stuff
- # we haven't checked to see if Rack::Deflate on the app server is
- # faster or not than doing compression via nginx. It's easier
- # to configure it all in one place here for static files and also
- # to disable gzip for clients who don't get gzip/deflate right.
- # There are other gzip settings that may be needed used to deal with
- # bad clients out there, see http://wiki.nginx.org/NginxHttpGzipModule
 gzip on;
 gzip_http_version 1.0;
 gzip_proxied any;
@@ -67,12 +32,7 @@ http {
 text/javascript application/x-javascript application/atom+xml;
- # this can be any application server, not just unicorn
 upstream app_server {
- # fail_timeout=0 means we always retry an upstream even if it failed
- # to return a good HTTP response (in case the unicorn master nukes a
- # single worker for timing out).
-
 server app:8000 fail_timeout=0;
 }
@@ -81,13 +41,13 @@ http {
 }
 server {
- server_name skyderby.ru www.skyderby.ru;
+ server_name skyderby.ru www.skyderby.ru blog.skyderby.ru;
 listen 80;
- return 301 https://skyderby.ru$request_uri;
+ return 301 https://$host$request_uri;
 }
 server {
- listen 443 ssl default deferred http2; # for Linux
+ listen 443 ssl default deferred http2;
 server_name skyderby.ru;
 ssl_stapling on;
 ssl on;
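Review bot: `return 301 https://$host$request_uri;` sends the client to whichever host it asked for, and the only port-443 server in view is the `default` one with `server_name skyderby.ru`, so `www.skyderby.ru` is now served by that block under its certificate instead of being canonicalised to the apex as the removed line did; that certificate must cover the www name for this to work, which cannot be checked from here. If this port-80 block is also nginx's default server for port 80 (nothing in the hunk says otherwise), `$host` is whatever the client sent and the redirect forwards to an arbitrary host, which a dedicated catch-all such as `listen 80 default_server; return 444;` would close. Keeping explicit targets per name — `return 301 https://skyderby.ru$request_uri;` for the apex/www block and a separate `server` block redirecting `blog.skyderby.ru` — avoids both issues. The enclosing `http` block starts and ends outside the hunk.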
@@ -99,7 +59,6 @@ http {
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
 ssl_prefer_server_ciphers on;
- add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
 if ($http_user_agent ~* (AhrefsBot|SemrushBot|BaiduSpider|Jorgee|MJ12bot)) {
 return 444;
@@ -123,13 +82,6 @@ http {
 # path for static files
 root /opt/app/public;
- # Prefer to serve static files directly from nginx to avoid unnecessary
- # data copies from the application server.
- #
- # try_files directive appeared in in nginx 0.7.27 and has stabilized
- # over time. Older versions of nginx (e.g. 0.6.x) requires
- # "if (!-f $request_filename)" which was less efficient:
- # http://bogomips.org/unicorn.git/tree/examples/nginx.conf?id=v3.3.1#n127
 try_files $uri/index.html $uri.html $uri @app;
 location ^~ /assets/ {
@@ -155,10 +107,6 @@ http {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
- # enable this if you forward HTTPS traffic to unicorn,
- # this helps Rack set the proper URL scheme for doing redirects:
- # proxy_set_header X-Forwarded-Proto $scheme;
-
 # pass the Host: header from the client right along so redirects
 # can be set properly within the Rack application
 proxy_set_header Host $http_host;
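Review bot: The `Content-Security-Policy-Report-Only` header is removed with no replacement and the commit message ("add blog and action cable") does not say why; being report-only it blocked nothing, so if the motive is that the new WebSocket connection would be reported against `default-src https:`, the smaller change is to keep the header and add a `connect-src` allowance, e.g. `add_header Content-Security-Policy-Report-Only "default-src https:; connect-src https: wss:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";`. Dropping it also leaves the `/csp-report` endpoint without a sender, which deserves a comment in the config. Adjacent context, not changed by this hunk: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1. The enclosing `server` block starts and ends outside the hunk.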
@@ -167,17 +115,6 @@ http {
 # redirects, we set the Host: header above already.
 proxy_redirect off;
- # It's also safe to set if you're using only serving fast clients
- # with unicorn + nginx, but not slow clients. You normally want
- # nginx to buffer responses to slow clients, even with Rails 3.1
- # streaming because otherwise a slow client can become a bottleneck
- # of unicorn.
- #
- # The Rack application may also set "X-Accel-Buffering (yes|no)"
- # in the response headers do disable/enable buffering on a
- # per-response basis.
- # proxy_buffering off;
-
 proxy_pass http://app_server;
 }
@@ -187,4 +124,19 @@ http {
 # root /opt/app/public;
 #}
 }
+
+ server {
+ listen 443;
+ server_name blog.skyderby.ru;
+
+ location ~ / {
+ root /opt/blog;
+ index index.html;
+ }
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /opt/app/public;
+ }
+ }
 }
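Review bot: The new blog `server` uses `listen 443;` with no `ssl` parameter and no `ssl_certificate`/`ssl_certificate_key`, unlike the existing `listen 443 ssl default deferred http2;` block, while the port-80 server in this same patch now redirects `blog.skyderby.ru` to https; depending on the nginx version this is either rejected at config check for lacking a certificate on an SSL port or served under the default server's `skyderby.ru` certificate, and neither looks intended. Make it explicit with `listen 443 ssl;`, `ssl_certificate <placeholder: blog cert path>;` and `ssl_certificate_key <placeholder: blog key path>;`, and note that `ssl_protocols`/`ssl_ciphers` appear to be set inside the other `server` block (see the earlier hunk), so they do not apply here unless moved to the `http` context or repeated. `location ~ / {` is a regex location that matches every URI; the conventional spelling is the prefix form `location / {`, and the `^~ /.well-known/acme-challenge/` prefix still takes precedence for challenge requests either way. The enclosing `http` block starts outside the hunk.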