capistrano-nuxt2 0.2.17

data/lib/capistrano/tasks/proxy_nginx.rake

@@ -0,0 +1,415 @@
+require 'capistrano/nuxt2/base_helpers'
+require 'capistrano/nuxt2/nginx_helpers'
+include Capistrano::Nuxt2::BaseHelpers
+include Capistrano::Nuxt2::NginxHelpers
+
+namespace :load do
+  task :defaults do
+    # === GENERAL NGINX SETTINGS (can be overridden or used by both) ===
+    set :nginx_user,              -> { 'www-data' } # User Nginx runs as (Debian/Ubuntu)
+    set :nginx_group,             -> { 'www-data' } # Group Nginx runs as (Debian/Ubuntu)
+
+    # === PROXY NGINX SETTINGS ===
+    set :nginx_proxy_roles,       -> { :proxy }
+    # Pfad relativ zur Rake-Datei (tasks/nginx.rake -> ../templates/)
+    set :nginx_proxy_template,    -> { :default }
+    set :nginx_proxy_site_name,   -> { "#{fetch(:application)}_#{fetch(:stage)}_proxy" }
+
+    # Domains and SSL settings are primarily for the proxy
+    set :nginx_domains,           -> { [] }
+    set :nginx_major_domain,      -> { false }
+    set :nginx_remove_www,        -> { true }
+    set :nginx_use_ssl,           -> { false } # Proxy handles SSL termination
+
+    set :nginx_ssl_cert,          -> { "/etc/letsencrypt/live/#{ cert_domain }/fullchain.pem" }
+    set :nginx_ssl_key,           -> { "/etc/letsencrypt/live/#{ cert_domain }/privkey.pem" }
+    set :nginx_ocsp_stapling,     -> { false } # let's encrypt does not support stapling since 2025
+    # For old domain certs if major_domain is set
+    set :nginx_other_ssl_cert,    -> { "/etc/letsencrypt/live/#{ cert_domain }/fullchain.pem" }
+    set :nginx_other_ssl_key,     -> { "/etc/letsencrypt/live/#{ cert_domain }/privkey.pem" }
+
+    set :nginx_strict_security,   -> { fetch(:nginx_use_ssl, false) } # For HSTS header
+    set :nginx_ssl_ciphers,       -> {
+      "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:" \
+      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:" \
+      "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:" \
+      "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305"
+    }
+    set :allow_well_known_proxy,  -> { true } # For Certbot on proxy
+    set :nginx_proxy_well_known_root, -> { "/var/www/html" } # Standard path for Certbot webroot on proxy
+
+    set :nginx_proxy_log_folder,  -> { "/var/log/nginx" } # Standard Nginx log folder for proxy
+    set :nginx_proxy_hooks,       -> { true }
+
+
+    # Upstream App Server (where the App-Nginx runs)
+    # WICHTIG: Diese in config/deploy/<stage>.rb setzen!
+    # z.B. set :nginx_upstream_host, '10.0.0.5'
+    #      set :nginx_upstream_port, 8080
+    # set :nginx_upstream_host, -> { nil }
+    # set :nginx_upstream_port, -> { 3500 } # Port App-Nginx is exposed on (e.g. Docker mapped port or direct)
+    ## new style: Use these variables to define the upstream app server, falling back to old style if not set
+    set :nginx_upstream_host,     -> { fetch(:nginx_upstream_app_host, nil) }
+    set :nginx_upstream_port,     -> { fetch(:nginx_upstream_app_port, 3500) } # Port App-Nginx is exposed on (e.g. Docker mapped port or direct)
+
+
+
+    # === APP NGINX SETTINGS ===
+    set :nginx_app_roles,         -> { :app }
+    set :nginx_app_template,      -> { :default }
+    set :nginx_app_site_name,     -> { "#{fetch(:application)}_#{fetch(:stage)}_app" }
+    set :nginx_app_fallback_site, -> { "404.html" } # Fallback: Nuxt.js default "404.html" page .. Vue default is "index.html"
+
+    # App specific paths (relative to shared_path for linked_dirs)
+    set :nginx_root_folder,       -> { "#{shared_path}/www" }    # JS app static files (Nuxt default: "dist")
+    set :nginx_log_folder,        -> { "log" }    # App Nginx logs
+
+    # This is from your original setup, relevant for the app server.
+    # append :linked_dirs, fetch(:nginx_root_folder), fetch(:nginx_log_folder)
+
+    set :nginx_app_hooks,         -> { true }
+    set :allow_well_known_app,    -> { false } # Usually handled by proxy
+  end
+end
+
+namespace :nginx do
+
+  # --- PROXY NGINX TASKS ---
+  namespace :proxy do
+    # Helper task to ensure upstream variables are set for the proxy
+    task :ensure_upstream_vars_set do
+      unless fetch(:nginx_upstream_host)
+        error "FEHLER: Bitte `:nginx_upstream_host` in deiner Stage-Konfiguration setzen (z.B. config/deploy/#{fetch(:stage)}.rb)."
+        info "Beispiel: set :nginx_upstream_host, 'interne.ip.des.app.servers'"
+        info "          set :nginx_upstream_port, 8080"
+        exit 1
+      end
+    end
+
+    namespace :site do
+      desc "Upload Proxy Nginx site configuration"
+      task :upload do
+        invoke "nginx:proxy:ensure_upstream_vars_set"
+        on roles fetch(:nginx_proxy_roles) do
+          config_file = fetch(:nginx_proxy_template)
+          target_config = fetch(:nginx_proxy_site_name)
+
+          puts "📤 [PROXY] Uploading Nginx config: #{target_config} from #{config_file}"
+          if config_file == :default
+            puts "📤 [PROXY] Using default template"
+            template2go("nginx_proxy_conf", "/tmp/#{target_config}")
+          else
+            puts "📤 [PROXY] Using custom template #{config_file}"
+            template2go(config_file, "/tmp/#{target_config}")
+          end
+          execute :sudo, :mv, "/tmp/#{target_config}", "/etc/nginx/sites-available/#{target_config}"
+        end
+      end
+
+      desc "Enable Proxy Nginx site"
+      task :enable do
+        on roles fetch(:nginx_proxy_roles) do
+          enabled_path = "/etc/nginx/sites-enabled/#{fetch(:nginx_proxy_site_name)}"
+          available_path = "/etc/nginx/sites-available/#{fetch(:nginx_proxy_site_name)}"
+          unless test "[ -h #{enabled_path} ]"
+            puts "🔗 [PROXY] Enabling Nginx site..."
+            execute :sudo, :ln, "-s", available_path, enabled_path
+            invoke "nginx:proxy:service:reload"
+          else
+            puts "✅ [PROXY] Nginx site is already enabled!"
+          end
+        end
+      end
+
+      desc "Disable Proxy Nginx site"
+      task :disable do
+        on roles fetch(:nginx_proxy_roles) do
+          enabled_path = "/etc/nginx/sites-enabled/#{fetch(:nginx_proxy_site_name)}"
+          if test "[ -h #{enabled_path} ]"
+            puts "🚫 [PROXY] Disabling Nginx site..."
+            execute :sudo, :rm, "-f", enabled_path
+            invoke "nginx:proxy:service:reload"
+          else
+            puts "⚠️  [PROXY] Nginx site is not enabled!"
+          end
+        end
+      end
+
+      desc "Remove Proxy Nginx site configuration"
+      task :remove do
+        on roles fetch(:nginx_proxy_roles) do
+          available_path = "/etc/nginx/sites-available/#{fetch(:nginx_proxy_site_name)}"
+          if test "[ -f #{available_path} ]"
+            puts "🗑 [PROXY] Removing Nginx site configuration..."
+            execute :sudo, :rm, "-f", available_path
+          else
+            puts "⚠️  [PROXY] Nginx site configuration does not exist!"
+          end
+        end
+      end
+
+      task :prepare do
+        on roles fetch(:nginx_proxy_roles) do
+          puts "⚙️  [PROXY] Ensuring Nginx directories exist..."
+          execute :sudo, "mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled"
+          if fetch(:allow_well_known_proxy)
+            execute :sudo, "mkdir -p #{fetch(:nginx_proxy_well_known_root)}"
+            # Optional: set owner for nginx_proxy_well_known_root if certbot runs as different user
+            # execute :sudo, "chown #{fetch(:nginx_user)}:#{fetch(:nginx_group)} #{fetch(:nginx_proxy_well_known_root)}"
+          end
+          invoke "nginx:proxy:site:upload"
+          puts "✅ [PROXY] Nginx setup completed! Enable with `cap #{fetch(:stage)} nginx:proxy:site:enable`"
+        end
+      end
+    end # end site
+
+    namespace :service do
+      %w[start stop restart reload].each do |command|
+        desc "#{command.capitalize} Proxy Nginx service"
+        task command do
+          on roles fetch(:nginx_proxy_roles) do
+            puts "🔄 [PROXY] Running: systemctl #{command} nginx..."
+            execute :sudo, "systemctl #{command} nginx"
+          end
+        end
+      end
+      desc "Check Proxy Nginx configuration"
+      task :check_config do
+        on roles fetch(:nginx_proxy_roles) do
+          puts "🧐 [PROXY] Checking nginx configuration..."
+          execute :sudo, "nginx -t"
+        end
+      end
+      desc "Check Proxy Nginx status"
+      task :check_status do
+        on roles fetch(:nginx_proxy_roles) do
+          puts "🔍 [PROXY] Checking nginx status..."
+          execute :sudo, "systemctl status nginx --no-pager"
+        end
+      end
+    end # end service
+
+    desc "Update Proxy Nginx (Upload, Enable if needed, Reload/Restart)"
+    task :update do
+      on roles fetch(:nginx_proxy_roles) do
+        puts "🔄 [PROXY] Reconfiguring Nginx..."
+        invoke "nginx:proxy:site:upload"
+        enabled_path = "/etc/nginx/sites-enabled/#{fetch(:nginx_proxy_site_name)}"
+        if test "[ -h #{enabled_path} ]"
+          puts "🔗 [PROXY] Site already enabled, reloading."
+        else
+          invoke "nginx:proxy:site:enable" # This will also reload
+        end
+        invoke "nginx:proxy:service:restart" # Or :restart if significant changes
+        puts "✅ [PROXY] Nginx reconfiguration complete!"
+      end
+    end
+  end # end :proxy namespace
+
+
+## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## 
+## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## 
+
+
+  # --- APP NGINX TASKS ---
+  namespace :app do
+    namespace :site do
+      desc "Upload App Nginx site configuration"
+      task :upload do
+        on roles fetch(:nginx_app_roles) do
+          config_file = fetch(:nginx_app_template)
+          target_config = fetch(:nginx_app_site_name)
+
+          puts "📤 [APP] Uploading Nginx config: #{target_config} from #{config_file}"
+          if config_file == :default
+            template2go("nginx_app_conf", "/tmp/#{target_config}")
+          else
+            template2go(config_file, "/tmp/#{target_config}")
+          end
+          execute :sudo, :mv, "/tmp/#{target_config}", "/etc/nginx/sites-available/#{target_config}"
+        end
+      end
+
+      desc "Enable App Nginx site"
+      task :enable do
+        on roles fetch(:nginx_app_roles) do
+          enabled_path = "/etc/nginx/sites-enabled/#{fetch(:nginx_app_site_name)}"
+          available_path = "/etc/nginx/sites-available/#{fetch(:nginx_app_site_name)}"
+          unless test "[ -h #{enabled_path} ]"
+            puts "🔗 [APP] Enabling Nginx site..."
+            execute :sudo, :ln, "-s", available_path, enabled_path
+            invoke "nginx:app:service:reload" # Or :restart if it's a container
+          else
+            puts "✅ [APP] Nginx site is already enabled!"
+          end
+        end
+      end
+
+      desc "Disable App Nginx site"
+      task :disable do
+        on roles fetch(:nginx_app_roles) do
+          enabled_path = "/etc/nginx/sites-enabled/#{fetch(:nginx_app_site_name)}"
+          if test "[ -h #{enabled_path} ]"
+            puts "🚫 [APP] Disabling Nginx site..."
+            execute :sudo, :rm, "-f", enabled_path
+            invoke "nginx:app:service:reload" # Or :restart
+          else
+            puts "⚠️  [APP] Nginx site is not enabled!"
+          end
+        end
+      end
+
+      desc "Remove App Nginx site configuration"
+      task :remove do
+        on roles fetch(:nginx_app_roles) do
+          available_path = "/etc/nginx/sites-available/#{fetch(:nginx_app_site_name)}"
+          if test "[ -f #{available_path} ]"
+            puts "🗑 [APP] Removing Nginx site configuration..."
+            execute :sudo, :rm, "-f", available_path
+          else
+            puts "⚠️  [APP] Nginx site configuration does not exist!"
+          end
+        end
+      end
+
+      task :prepare do
+        on roles fetch(:nginx_app_roles) do
+          puts "⚙️  [APP] Ensuring Nginx directories exist..."
+          execute :sudo, "mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled"
+          # Ensure shared directories for logs and app root exist and have Nginx access
+          # This is usually handled by Capistrano's deploy:check and linked_dirs setup
+          invoke "nginx:app:site:upload"
+          puts "✅ [APP] Nginx setup completed! Enable with `cap #{fetch(:stage)} nginx:app:site:enable`"
+        end
+      end
+    end # end site
+
+    namespace :service do
+      # Adjust commands if App Nginx is in a Docker container
+      # Example: set :nginx_app_cmd_prefix, "sudo docker exec my_nginx_container"
+      # execute "#{fetch(:nginx_app_cmd_prefix, 'sudo')} systemctl #{command} nginx"
+      %w[start stop restart reload].each do |command|
+        desc "#{command.capitalize} App Nginx service"
+        task command do
+          on roles fetch(:nginx_app_roles) do
+            # IF DOCKER: Replace with docker command e.g.
+            # execute :sudo, "docker restart #{fetch(:nginx_app_container_name)}" if command == 'restart'
+            # execute :sudo, "docker exec #{fetch(:nginx_app_container_name)} nginx -s #{command == 'restart' ? 'reload' : command}" # for reload, stop
+            puts "🔄 [APP] Running: systemctl #{command} nginx..."
+            execute :sudo, "systemctl #{command} nginx"
+          end
+        end
+      end
+      desc "Check App Nginx configuration"
+      task :check_config do
+        on roles fetch(:nginx_app_roles) do
+          # IF DOCKER: execute :sudo, "docker exec #{fetch(:nginx_app_container_name)} nginx -t"
+          puts "🧐 [APP] Checking nginx configuration..."
+          execute :sudo, "nginx -t"
+        end
+      end
+      desc "Check App Nginx status"
+      task :check_status do
+        on roles fetch(:nginx_app_roles) do
+          # IF DOCKER: execute :sudo, "docker ps -f name=#{fetch(:nginx_app_container_name)}"
+          puts "🔍 [APP] Checking nginx status..."
+          execute :sudo, "systemctl status nginx --no-pager"
+        end
+      end
+    end # end service
+
+    desc "Update App Nginx (Upload, Enable if needed, Reload/Restart)"
+    task :update do
+      on roles fetch(:nginx_app_roles) do
+        puts "🔄 [APP] Reconfiguring Nginx..."
+        invoke "nginx:app:site:upload"
+        enabled_path = "/etc/nginx/sites-enabled/#{fetch(:nginx_app_site_name)}"
+        if test "[ -h #{enabled_path} ]"
+          puts "🔗 [APP] Site already enabled, reloading."
+        else
+          invoke "nginx:app:site:enable"
+        end
+        invoke "nginx:app:service:restart" # Or :restart
+        puts "✅ [APP] Nginx reconfiguration complete!"
+      end
+    end
+
+    desc "Fix App Nginx folder rights (if permission problems occur)"
+    task :fix_folder_rights do
+      on roles fetch(:nginx_app_roles) do # Only on app servers
+        puts "🛡️  [APP] Fixing folder rights..."
+        execute :sudo, "chmod o+x /home/#{fetch(:user)}"
+        execute :sudo, "chmod o+x #{fetch(:deploy_to)}"
+        execute :sudo, "chmod o+x #{current_path}" # current_path might not be fully set if deploy failed
+        execute :sudo, "chmod o+x #{shared_path}"
+        # Nginx (user www-data) needs read access to app files and write to logs
+        # These commands assume nginx_root_folder and nginx_log_folder are under shared_path
+        execute :sudo, "chown -R #{fetch(:user)}:#{fetch(:nginx_group)} #{shared_path}/#{fetch(:nginx_root_folder)}"
+        execute :sudo, "chown -R #{fetch(:user)}:#{fetch(:nginx_group)} #{shared_path}/#{fetch(:nginx_log_folder)}"
+        execute :sudo, "chmod -R g+rX,o-rwx #{shared_path}/#{fetch(:nginx_root_folder)}" # Group read/execute
+        execute :sudo, "chmod -R g+rwX,o-rwx #{shared_path}/#{fetch(:nginx_log_folder)}" # Group read/write/execute
+        # If Nginx runs as www-data and deploy user is different, you might need to add www-data to deploy user's group or use ACLs.
+        # A simpler (but less secure for shared hosts) approach for www-data to read:
+        # execute :sudo, "chmod -R o+rX #{shared_path}/#{fetch(:nginx_root_folder)}"
+        # execute :sudo, "find #{shared_path}/#{fetch(:nginx_root_folder)} -type d -exec chmod o+x {} \\;" # Ensure directories are executable
+      end
+    end
+  end # end :app namespace
+
+
+  # --- COMBINED/UTILITY TASKS ---
+  desc "Setup Nginx for both Proxy and App roles defined in current stage"
+  task :setup_all do
+    if roles(fetch(:nginx_proxy_roles)).any?
+      invoke 'nginx:proxy:site:prepare'
+    else
+      puts "ℹ️ No :proxy roles defined for stage #{fetch(:stage)}, skipping proxy setup."
+    end
+    if roles(fetch(:nginx_app_roles)).any?
+      invoke 'nginx:app:site:prepare'
+    else
+      puts "ℹ️ No :app roles defined for stage #{fetch(:stage)}, skipping app Nginx setup."
+    end
+  end
+
+  desc "Update Nginx configurations for both Proxy and App roles defined in current stage"
+  task :update_all do
+    if roles(fetch(:nginx_proxy_roles)).any?
+      invoke 'nginx:proxy:update'
+    else
+      puts "ℹ️ No :proxy roles defined for stage #{fetch(:stage)}, skipping proxy update."
+    end
+    if roles(fetch(:nginx_app_roles)).any?
+      invoke 'nginx:app:update'
+    else
+      puts "ℹ️ No :app roles defined for stage #{fetch(:stage)}, skipping app Nginx update."
+    end
+  end
+
+end # end :nginx namespace
+
+
+# --- DEPLOY HOOKS ---
+# Your original global setup hook. You might want to make it more specific
+# or use the new `nginx:setup_all` task manually or hooked elsewhere.
+# task :setup do
+#   # invoke 'nginx:proxy:site:prepare' # If always proxy
+#   # invoke 'nginx:app:site:prepare'   # If always app
+#   invoke 'nginx:setup_all' # This will check roles
+# end
+
+namespace :deploy do
+  after 'deploy:finishing', :update_nginx_configurations do
+    # Update Proxy Nginx if hooks enabled and proxy roles exist for the stage
+    if fetch(:nginx_proxy_hooks) && roles(fetch(:nginx_proxy_roles)).any?
+      puts "훅: nginx:proxy:update wird aufgerufen"
+      invoke "nginx:proxy:update"
+    end
+
+    # Update App Nginx if hooks enabled and app roles exist for the stage
+    if fetch(:nginx_app_hooks) && roles(fetch(:nginx_app_roles)).any?
+      puts "훅: nginx:app:update wird aufgerufen"
+      invoke "nginx:app:update"
+    end
+  end
+end

data/lib/capistrano/tasks/vue.rake

@@ -0,0 +1,125 @@
+require 'capistrano/nuxt2/base_helpers'
+include Capistrano::Nuxt2::BaseHelpers
+
+namespace :load do
+  task :defaults do
+
+
+    set :vue_use_nvm,               -> { false }
+    set :vue_install_without_env,   -> { false }
+    set :vue_nvm_path,              -> { "~/.nvm" }
+    set :vue_nvm_version,           -> { "18.19.0" }
+    set :vue_nvm_script,            -> { "$HOME/.nvm/nvm.sh" }
+
+    set :vue_app_roles,             -> { :app }
+
+    ## Maybe nonsense .. builds `APP_NAME_STG_DEPLOY_MODE`
+    set :vue_stage_env_var,      -> { build_deploy_env_var }
+
+    append :linked_dirs, 'node_modules'  # , '.nuxt', 'dist'
+
+  end
+end
+
+
+namespace :vue do
+
+  desc "output env var and stage"
+  task :output_env do
+    on roles(fetch(:vue_app_roles)) do
+      puts "🔧 Vue.js stage: #{fetch(:stage)}"
+      puts "🔧 Vue.js deploy mode: #{fetch(:vue_stage_env_var)}"
+    end
+  end
+
+  desc "Install dependencies"
+  task :install_dependencies do
+    on roles(fetch(:vue_app_roles)) do
+      within release_path do
+        if fetch(:vue_use_nvm, false)
+          env_vars = fetch(:default_env).map { |k, v| "#{k}=#{v}" }.join(" ")
+          nvm_prefix = "source #{fetch(:vue_nvm_script)} && nvm use #{fetch(:vue_nvm_version)}"
+          if fetch(:vue_install_without_env, false)
+            execute %(bash -lc '#{nvm_prefix} && cd #{release_path} && npm install --production=false')
+          else
+            execute %(bash -lc '#{nvm_prefix} && cd #{release_path} && env #{env_vars} npm install')
+          end
+        else
+          execute :npm, "install"
+        end
+      end
+    end
+  end
+
+
+  desc "Build Vue.js app"
+  task :build do
+    on roles(fetch(:vue_app_roles)) do
+      within release_path do
+        if fetch(:vue_use_nvm, false)
+          env_vars = fetch(:default_env).map { |k, v| "#{k}=#{v}" }.join(" ")
+          nvm_prefix = "source #{fetch(:vue_nvm_script)} && nvm use #{fetch(:vue_nvm_version)}"
+          execute %(bash -lc '#{nvm_prefix} && cd #{release_path} && env #{env_vars} npm run build')
+        else
+          execute :npm, "run build"
+        end
+      end
+    end
+  end
+
+
+  desc "Sync the dist folder to the shared folder"
+  task :sync_dist do
+    on roles(fetch(:vue_app_roles)) do
+      execute :rsync, "-a --delete #{release_path}/dist/ #{shared_path}/www/"
+    end
+  end
+
+  desc "Setup defaults for Vue.js app"
+  task :setup_app do
+    on roles(fetch(:vue_app_roles)) do
+      ensure_shared_www_path
+      ensure_shared_log_path
+    end
+  end
+
+  desc "Fix permissions (just in case)"
+  task :fix_permissions do
+    on roles(fetch(:vue_app_roles)) do
+      execute :sudo, :chown, "-R #{fetch(:user)}:#{fetch(:user)} #{release_path}"
+    end
+  end
+
+
+
+  desc "Regenerate Vue.js app"
+  task :rebuild_app do
+    invoke "vue:install_dependencies"
+    invoke "vue:build"
+    invoke "vue:sync_dist"
+  end
+
+
+  desc "Install required node version with nvm"
+  task :install_nvm_node do
+    on roles(fetch(:vue_app_roles)) do
+      if fetch(:vue_use_nvm, false)
+        execute %(bash -lc 'source #{fetch(:vue_nvm_script)} && nvm install #{fetch(:vue_nvm_version)}')
+      end
+    end
+  end
+
+end
+
+namespace :deploy do
+  after 'deploy:published', :rebuild_nuxt_app do
+    invoke "vue:rebuild_app"
+  end
+end
+
+
+desc 'Server setup tasks'
+task :setup do
+  invoke 'vue:setup_app'
+end
+

data/lib/generators/capistrano/nuxt2/templates/nginx/https_ssl_options.erb

@@ -0,0 +1,29 @@
+
+  ## Modern TLS Security
+  ssl_protocols       TLSv1.2 TLSv1.3;
+  ssl_ciphers         <%= fetch(:nginx_ssl_ciphers) %>;
+  ssl_prefer_server_ciphers on;
+  ssl_ecdh_curve      X25519:secp384r1;
+
+  ssl_session_cache   shared:SSL_50:50m;
+  ssl_session_tickets off;
+
+  <% if fetch(:nginx_ocsp_stapling, false) %>
+  ## OCSP Stapling for Faster SSL Handshakes
+  ssl_stapling        on;
+  ssl_stapling_verify on;
+  # DNS für die OCSP-Abfrage
+  resolver            8.8.8.8 1.1.1.1 valid=300s;
+  resolver_timeout    5s;
+  <% end %>
+
+  ## Security Headers
+  add_header X-Frame-Options DENY;
+  add_header X-Content-Type-Options nosniff;
+  add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+  ## Enable HTTP Strict Transport Security (HSTS)
+  <% if fetch(:nginx_strict_security) %>
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  <% end %>
+