magic_recipes_two 0.0.66 → 0.0.67
- checksums.yaml +8 -8
- data/lib/capistrano/magic_recipes/base_helpers.rb +7 -0
- data/lib/capistrano/magic_recipes/logs.rb +1 -0
- data/lib/capistrano/magic_recipes/version.rb +1 -1
- data/lib/capistrano/tasks/logs.rake +47 -0
- data/lib/capistrano/tasks/nginx.rake +51 -10
- data/lib/capistrano/tasks/secrets.rake +6 -6
- data/lib/generators/capistrano/magic_recipes/templates/monit/nginx_conf.erb +14 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx/diffie_hellman.erb +35 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx/media_cache_path.erb +9 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx/media_cache_server.erb +12 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx/rails_cache_path.erb +9 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx/rails_cache_server.erb +15 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx/remove_www.erb +10 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx.conf.erb +55 -162
- metadata +25 -2
checksums.yaml
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
---
|
2
2
|
!binary "U0hBMQ==":
|
3
3
|
metadata.gz: !binary |-
|
4
|
-
|
4
|
+
OTlmYjBlNWY0NjdjNjhkZDkyODQxNTJmYWYyZjJhZTAyZjMwYThlOQ==
|
5
5
|
data.tar.gz: !binary |-
|
6
|
-
|
6
|
+
M2EzODk3NjY0MjY0ZjdhOTc0ODdmZmRkOTVkYTliMWMxZGMzOTg2MQ==
|
7
7
|
SHA512:
|
8
8
|
metadata.gz: !binary |-
|
9
|
-
|
10
|
-
|
11
|
-
|
9
|
+
ZTA3ZGM2MjMwNzlmNTIwYTA0ZTQ0ZWY4MDllODNhOTE0OTViZTlhZmY3NGZh
|
10
|
+
ZmU2NTAxZTY0ZGJjOTU1NDAyOGVmMDg0NjQyYmM3YzBmNWY3YmMyNTllNmYx
|
11
|
+
NWU3ZmE0MmVhNjVjNmM3MTFiNGM0OGVkZjA4ODNjNGNiOWZiN2I=
|
12
12
|
data.tar.gz: !binary |-
|
13
|
-
|
14
|
-
|
15
|
-
|
13
|
+
MDBlNzE1NTgwNTZjYTVhYTdiNjA3MzY0YWVhMzA1ZjU3Njk2ZWIxYThiOTU3
|
14
|
+
ZTM3ZDE3YzVmM2ZiZmI0ZDRhYWYxMmJjNjlmMGM1NjAxNzEwM2RkNGU4MzY3
|
15
|
+
N2RkYzI4NTE1ZWE2NmJjYzk5N2Q4YmI0MDMyZmIwMWMzYTdhNzU=
|
@@ -23,6 +23,13 @@ module Capistrano
|
|
23
23
|
upload! StringIO.new( ERB.new(erb).result(binding) ), to
|
24
24
|
end
|
25
25
|
|
26
|
+
|
27
|
+
def magic_render(tmpl)
|
28
|
+
erb = get_template_file(tmpl)
|
29
|
+
ERB.new(erb).result(binding)
|
30
|
+
end
|
31
|
+
|
32
|
+
|
26
33
|
def generate_secrect_key
|
27
34
|
SecureRandom.hex(82)
|
28
35
|
end
|
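Review bot: `magic_render` evaluates the template against its own `binding`, so a template only sees `fetch(...)` and methods on `self` (plus the locals `tmpl` and `erb`), never the caller's locals — worth stating, since the old `nginx.conf.erb` passed data through a template-local `joiner` that this release had to turn into a helper method. A one-line doc such as `# Render +tmpl+ with ERB. Templates can reach fetch(...) and helper methods only, not the caller's locals.` would stop the next template author from relying on locals. The upload method just above inlines the same `ERB.new(erb).result(binding)` and could call `magic_render` so there is one rendering path; that method's definition starts outside the hunk.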
@@ -0,0 +1 @@
|
|
1
|
+
load File.expand_path("../../tasks/logs.rake", __FILE__)
|
@@ -0,0 +1,47 @@
|
|
1
|
+
|
2
|
+
namespace :load do
|
3
|
+
task :defaults do
|
4
|
+
set :logs_roles, -> { :web }
|
5
|
+
set :logs_show_lines, -> { 500 }
|
6
|
+
end
|
7
|
+
end
|
8
|
+
|
9
|
+
|
10
|
+
namespace :logs do
|
11
|
+
|
12
|
+
["rails", "sidekiq", "monit", "nginx-access", "nginx-error", "lets_encrypt_cron"].each do |that|
|
13
|
+
|
14
|
+
desc "show #{that == 'lets_encrypt_cron' ? 'Lets Encrypt cron-job' : that} logs"
|
15
|
+
task that do
|
16
|
+
on release_roles fetch(:logs_roles, :web) do
|
17
|
+
within shared_path do
|
18
|
+
execute :tail, "-n #{ fetch(:logs_show_lines, 100) } log/#{ that == 'rails' ? 'production' : that }.log"
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
end
|
24
|
+
|
25
|
+
3.times do |x|
|
26
|
+
|
27
|
+
desc "show thin instance-#{x} logs"
|
28
|
+
task "thin#{x}" do
|
29
|
+
on release_roles fetch(:logs_roles, :web) do
|
30
|
+
within shared_path do
|
31
|
+
begin
|
32
|
+
execute :tail, "-n #{ fetch(:logs_show_lines, 100) } log/thin_#{fetch(:application)}_#{fetch(:stage)}.#{x}.log"
|
33
|
+
rescue SSHKit::Command::Failed
|
34
|
+
# If gems are not installed eq(first deploy) and sidekiq_default_hooks as active
|
35
|
+
warn "thin_#{fetch(:application)}_#{fetch(:stage)}.#{x}.log => not found! .. (may not exist)"
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
end
|
42
|
+
|
43
|
+
|
44
|
+
end
|
45
|
+
|
46
|
+
|
47
|
+
|
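Review bot: `fetch(:logs_show_lines, 100)` inside the tasks disagrees with the `500` set in `load:defaults`, and the value is spliced into the shell line unquoted, so coerce it and pass it as its own argument: `execute :tail, "-n", Integer(fetch(:logs_show_lines, 500)).to_s, "log/#{ that == 'rails' ? 'production' : that }.log"`. The thin loop hard-codes `3.times` while the nginx upstream elsewhere in this release is sized by `:app_instances`; because this loop runs when the rake file is loaded, before `load:defaults` has run, a fixed bound is understandable but should be explained, e.g. `# task list is built at load time, so the count cannot come from fetch(:app_instances)`. The comment in the `rescue SSHKit::Command::Failed` branch about gems and `sidekiq_default_hooks` was copied from another recipe and does not describe this failure; `# log file does not exist yet (instance never started)` matches what the `warn` reports.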
@@ -7,7 +7,6 @@ namespace :load do
|
|
7
7
|
set :nginx_domains, -> { [] }
|
8
8
|
set :nginx_major_domain, -> { false }
|
9
9
|
set :nginx_remove_www, -> { true }
|
10
|
-
set :nginx_remove_https, -> { false }
|
11
10
|
set :default_site, -> { false }
|
12
11
|
set :app_instances, -> { 1 }
|
13
12
|
set :nginx_service_path, -> { 'service nginx' }
|
@@ -19,20 +18,38 @@ namespace :load do
|
|
19
18
|
set :nginx_sites_available, -> { "sites-available" }
|
20
19
|
set :nginx_template, -> { :default }
|
21
20
|
set :nginx_use_ssl, -> { false }
|
22
|
-
|
23
|
-
|
24
|
-
set :
|
25
|
-
set :nginx_ssl_certificate_key_path,
|
21
|
+
|
22
|
+
##! depreacated!!!
|
23
|
+
set :nginx_ssl_certificate_path, -> { '/etc/ssl/certs' }
|
24
|
+
set :nginx_ssl_certificate_key_path, -> { '/etc/ssl/private' }
|
25
|
+
set :nginx_ssl_certificate, -> { "#{fetch(:application)}.crt" }
|
26
|
+
set :nginx_ssl_certificate_key, -> { "#{fetch(:application)}.key" }
|
27
|
+
set :nginx_old_ssl_certificate, -> { "#{fetch(:application)}.crt" }
|
28
|
+
set :nginx_old_ssl_certificate_key, -> { "#{fetch(:application)}.key" }
|
29
|
+
|
30
|
+
##! New-Style
|
31
|
+
set :nginx_ssl_cert, -> { "#{fetch(:nginx_ssl_certificate_path)}/#{fetch(:nginx_ssl_certificate)}" }
|
32
|
+
set :nginx_ssl_key, -> { "#{fetch(:nginx_ssl_certificate_key_path)}/#{fetch(:nginx_ssl_certificate_key)}" }
|
33
|
+
set :nginx_other_ssl_cert, -> { "#{fetch(:nginx_ssl_cert)}" }
|
34
|
+
set :nginx_other_ssl_key, -> { "#{fetch(:nginx_ssl_key)}" }
|
35
|
+
|
26
36
|
set :app_server_ip, -> { "127.0.0.1" }
|
27
37
|
set :nginx_hooks, -> { true }
|
28
38
|
## Lets Encrypt - Challenge Path
|
29
39
|
set :allow_well_known, -> { false }
|
30
40
|
## only turn on, when rails :force_ssl is false !
|
31
|
-
set :
|
41
|
+
set :nginx_strict_security, -> { false }
|
42
|
+
|
32
43
|
# Diffie-Hellman settings
|
44
|
+
set :nginx_use_diffie_hellman, -> { false }
|
45
|
+
##! depreacated!!!
|
33
46
|
set :nginx_ssl_dh_path, -> { "/etc/ssl/certs" }
|
34
47
|
set :nginx_ssl_dh_file, -> { "dhparam.pem" }
|
35
|
-
|
48
|
+
##! New-Style
|
49
|
+
set :nginx_diffie_hellman_param, -> { "#{fetch(:nginx_ssl_dh_path)}/#{fetch(:nginx_ssl_dh_file)}" }
|
50
|
+
## SSL Cipher
|
51
|
+
set :nginx_ssl_ciphers, -> { "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" }
|
52
|
+
|
36
53
|
## NginX Proxy-Caching
|
37
54
|
# Cache Rails
|
38
55
|
set :proxy_cache_rails, -> { false }
|
@@ -58,12 +75,14 @@ namespace :load do
|
|
58
75
|
end
|
59
76
|
|
60
77
|
namespace :nginx do
|
78
|
+
|
61
79
|
task :load_vars do
|
62
|
-
set :sites_available,
|
63
|
-
set :sites_enabled,
|
64
|
-
set :enabled_application,
|
80
|
+
set :sites_available, -> { File.join(fetch(:nginx_root_path), fetch(:nginx_sites_available)) }
|
81
|
+
set :sites_enabled, -> { File.join(fetch(:nginx_root_path), fetch(:nginx_sites_enabled)) }
|
82
|
+
set :enabled_application, -> { File.join(fetch(:sites_enabled), "#{fetch(:application)}_#{fetch(:stage)}") }
|
65
83
|
set :available_application, -> { File.join(fetch(:sites_available), "#{fetch(:application)}_#{fetch(:stage)}") }
|
66
84
|
end
|
85
|
+
|
67
86
|
|
68
87
|
%w[start stop restart reload].each do |command|
|
69
88
|
desc "#{command.capitalize} nginx service"
|
@@ -111,6 +130,28 @@ namespace :nginx do
|
|
111
130
|
end
|
112
131
|
|
113
132
|
namespace :site do
|
133
|
+
|
134
|
+
def joiner
|
135
|
+
"\n "
|
136
|
+
end
|
137
|
+
|
138
|
+
def clear_domain( domain )
|
139
|
+
"#{ domain }".gsub(/^www\./, "").gsub(/^\*?\./, "")
|
140
|
+
end
|
141
|
+
|
142
|
+
def subdomain_regex( domain )
|
143
|
+
"~^(www\.)?(?<sub>[\w-]+)#{ Regexp.escape(".#{ domain }") }"
|
144
|
+
end
|
145
|
+
|
146
|
+
def nginx_domains
|
147
|
+
Array( fetch(:nginx_domains) ).map{ |d| clear_domain(d) }.uniq
|
148
|
+
end
|
149
|
+
|
150
|
+
def nginx_major_domain
|
151
|
+
fetch(:nginx_major_domain, false) ? clear_domain( fetch(:nginx_major_domain) ) : false
|
152
|
+
end
|
153
|
+
|
154
|
+
|
114
155
|
desc 'Creates the site configuration and upload it to the available folder'
|
115
156
|
task :add => ['nginx:load_vars'] do
|
116
157
|
on release_roles fetch(:nginx_roles) do
|
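Review bot: `subdomain_regex` builds the nginx regex in a double-quoted Ruby string, where `\w` collapses to `w` and `\.` to `.`, so the emitted `server_name` is `~^(www.)?(?<sub>[w-]+)\.example\.com` and only subdomains made of `w` and `-` characters match; the inline version removed from `nginx.conf.erb` in this same change had the same flaw. Single-quote the static part (or double the backslashes) and anchor the end so `$sub`, which is later echoed into a redirect, only comes from hosts this block is for: `'~^(www\.)?(?<sub>[\w-]+)' + Regexp.escape(".#{ domain }") + '$'`. `clear_domain` anchors with `^` where `\A` is the whole-string anchor in Ruby; harmless for single-line config values, but worth aligning. The `##! depreacated!!!` markers earlier in this file are typos and would read better as `## deprecated: kept for backward compatibility, prefer the new-style keys below`.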
@@ -34,9 +34,9 @@ namespace :secrets do
|
|
34
34
|
task :profile do
|
35
35
|
on release_roles fetch(:secrets_roles) do
|
36
36
|
within fetch(:secrets_user_path) do
|
37
|
-
execute :sudo, "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}'
|
37
|
+
execute :sudo, "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' >> .#{fetch(:secrets_profile)}"
|
38
38
|
if fetch(:secrets_set_both, false)
|
39
|
-
execute :sudo, "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}'
|
39
|
+
execute :sudo, "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' >> .#{fetch(:secrets_profile)}"
|
40
40
|
end
|
41
41
|
end
|
42
42
|
end
|
@@ -46,9 +46,9 @@ namespace :secrets do
|
|
46
46
|
task :environment do
|
47
47
|
on release_roles fetch(:secrets_roles) do
|
48
48
|
within "/etc" do
|
49
|
-
execute :sudo, "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}'
|
49
|
+
execute :sudo, "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' >> environment"
|
50
50
|
if fetch(:secrets_set_both, false)
|
51
|
-
execute :sudo, "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}'
|
51
|
+
execute :sudo, "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' >> environment"
|
52
52
|
end
|
53
53
|
end
|
54
54
|
end
|
@@ -58,9 +58,9 @@ namespace :secrets do
|
|
58
58
|
task :etc_profile do
|
59
59
|
on release_roles fetch(:secrets_roles) do
|
60
60
|
within "/etc" do
|
61
|
-
execute :sudo, "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}'
|
61
|
+
execute :sudo, "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' >> profile"
|
62
62
|
if fetch(:secrets_set_both, false)
|
63
|
-
execute :sudo, "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}'
|
63
|
+
execute :sudo, "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' >> profile"
|
64
64
|
end
|
65
65
|
end
|
66
66
|
end
|
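Review bot: In all three hunks the append is performed by the remote login shell, not by sudo — SSHKit sends `cd /etc && sudo echo '...' >> environment`, so `sudo` elevates only `echo` while the unprivileged deploy user opens `environment`/`profile` for writing, which fails with permission denied on a stock host (and where it succeeds, sudo was not needed). Run the whole pipeline privileged instead, e.g. `execute :sudo, "sh -c \"echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' >> environment\""`, or feed the line to `sudo tee -a environment` on stdin. Either way the secret is part of the command line, which SSHKit echoes into the deploy log and which sudo typically records in the auth log; uploading the line with `upload!` from a `StringIO` and using sudo only for the final `tee -a` keeps it out of both. Repeated runs also append duplicate `export` lines because nothing checks for an existing entry.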
@@ -0,0 +1,14 @@
|
|
1
|
+
server {
|
2
|
+
listen 80;
|
3
|
+
server_name <%= fetch(:monit_web_domain) %>;
|
4
|
+
|
5
|
+
location ^~ /.well-known/ {
|
6
|
+
allow all;
|
7
|
+
root <%= fetch(:monit_well_known_path, "/tmp/monit/well_known") %>;
|
8
|
+
}
|
9
|
+
location / {
|
10
|
+
proxy_set_header X-Real-IP $remote_addr;
|
11
|
+
proxy_set_header Host $http_host;
|
12
|
+
proxy_pass http://127.0.0.1:<%= fetch(:monit_http_port) %>;
|
13
|
+
}
|
14
|
+
}
|
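Review bot: The monit web UI is published on plain `listen 80;` with no TLS and no redirect to HTTPS, so whatever credentials monit's own HTTP auth asks for cross the network in clear; since the `.well-known` block exists to obtain a certificate for `<%= fetch(:monit_web_domain) %>`, a `listen 443 ssl` server for `location /` (reusing `magic_render("nginx/diffie_hellman")`) is the missing half. The ACME root defaults to `/tmp/monit/well_known`; `/tmp` is world-writable, so if that directory does not exist yet any local account can create it first and stage challenge responses — a default under the deploy tree, e.g. `fetch(:monit_well_known_path, "#{shared_path}/monit/well_known")`, avoids that. A short header comment, `# Plain-HTTP vhost that proxies the monit web UI; the .well-known location is for ACME challenges`, would also help readers.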
@@ -0,0 +1,35 @@
|
|
1
|
+
<% if fetch(:nginx_use_diffie_hellman, false) %>
|
2
|
+
<%#
|
3
|
+
## check this sites:
|
4
|
+
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
|
5
|
+
# https://cipherli.st/
|
6
|
+
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
7
|
+
# https://wiki.mozilla.org/Security/Server_Side_TLS
|
8
|
+
#%>
|
9
|
+
## Diffie Hellman
|
10
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
11
|
+
ssl_ciphers '<%= fetch(:nginx_ssl_ciphers) %>';
|
12
|
+
ssl_prefer_server_ciphers on;
|
13
|
+
ssl_ecdh_curve secp384r1;
|
14
|
+
ssl_session_cache shared:SSL:10m;
|
15
|
+
ssl_session_tickets off;
|
16
|
+
ssl_stapling on;
|
17
|
+
ssl_stapling_verify on;
|
18
|
+
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
19
|
+
resolver_timeout 5s;
|
20
|
+
<%#
|
21
|
+
## Disable preloading HSTS for now. You can use the commented out header line that includes
|
22
|
+
## the "preload" directive if you understand the implications.
|
23
|
+
|
24
|
+
# => add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
|
25
|
+
|
26
|
+
## don't add when rails config.force_ssl = true !!!
|
27
|
+
#%>
|
28
|
+
<% if fetch(:nginx_strict_security) %>
|
29
|
+
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
|
30
|
+
<% end %>
|
31
|
+
add_header X-Frame-Options DENY;
|
32
|
+
add_header X-Content-Type-Options nosniff;
|
33
|
+
ssl_dhparam <%= fetch(:nginx_diffie_hellman_param) %>;
|
34
|
+
|
35
|
+
<% end %>
|
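Review bot: Everything in this partial — `ssl_protocols`, `ssl_ciphers`, OCSP stapling, HSTS, `X-Frame-Options` and `X-Content-Type-Options` — sits inside `<% if fetch(:nginx_use_diffie_hellman, false) %>`, and that flag defaults to `false` in `nginx.rake`, so an `nginx_use_ssl` deployment that never generated a dhparam file gets nginx's built-in protocol and cipher defaults and no security headers at all. Only `ssl_dhparam` needs the DH file; move the `if` down so it wraps just that line and emit the rest for every SSL server. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0/1.1, and the default `nginx_ssl_ciphers` string in `nginx.rake` ends with `DES-CBC3-SHA` (3DES) plus the broad `AES:CAMELLIA` aliases; `ssl_protocols TLSv1.2;` and dropping those entries matches the Mozilla guidance the comment links to. The hard-coded `resolver 8.8.8.8 8.8.4.4` sends OCSP lookups to a fixed public resolver; a `set :nginx_resolver` default would let operators use their own.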
@@ -0,0 +1,9 @@
|
|
1
|
+
<% if fetch(:proxy_cache_media) %>
|
2
|
+
# Proxy-Caching - Media - Files ( ie: dragonfly / paperclip )
|
3
|
+
proxy_cache_path <%= fetch(:proxy_cache_media_directory) %>
|
4
|
+
levels=<%= fetch(:proxy_cache_media_levels) %>
|
5
|
+
keys_zone=<%= fetch(:proxy_cache_media_name) %>:<%= fetch(:proxy_cache_media_size) %>
|
6
|
+
inactive=<%= fetch(:proxy_cache_media_time) %>
|
7
|
+
max_size=<%= fetch(:proxy_cache_media_max) %>;
|
8
|
+
|
9
|
+
<% end %>
|
@@ -0,0 +1,12 @@
|
|
1
|
+
<% if fetch(:proxy_cache_media) %>
|
2
|
+
# Media-Path with NginX-Proxy-Cache
|
3
|
+
location ^~ /<%= fetch(:proxy_cache_media_path) %>/ {
|
4
|
+
# auth_basic off;
|
5
|
+
proxy_cache <%= fetch(:proxy_cache_media_name) %>;
|
6
|
+
# proxy_cache_lock on;
|
7
|
+
# add_header X-Cache-Status $upstream_cache_status;
|
8
|
+
# proxy_cache_bypass $http_bypass_proxy;
|
9
|
+
proxy_pass $scheme://thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster;
|
10
|
+
proxy_cache_valid 200 <%= fetch(:proxy_cache_media_time) %>;
|
11
|
+
}
|
12
|
+
<% end %>
|
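Review bot: `proxy_pass $scheme://thin_..._cluster;` asks nginx to speak TLS to the thin upstream whenever this location is rendered inside the HTTPS server, but that upstream is a list of `unix:/tmp/thin.*.sock` servers with no TLS behind them, and the main proxied location in `nginx.conf.erb` uses `proxy_pass http://thin_..._cluster;` for the same cluster. Use the fixed scheme here as well: `proxy_pass http://thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster;`. This location also sets no `proxy_set_header` lines, so unless they are inherited from the server level (not visible in this hunk) the app will not see `X-Forwarded-Proto` or the client address for media requests.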
@@ -0,0 +1,9 @@
|
|
1
|
+
<% if fetch(:proxy_cache_rails) %>
|
2
|
+
# Proxy-Caching - Rails - Site
|
3
|
+
proxy_cache_path <%= fetch(:proxy_cache_rails_directory) %>
|
4
|
+
levels=<%= fetch(:proxy_cache_rails_levels) %>
|
5
|
+
keys_zone=<%= fetch(:proxy_cache_rails_name) %>:<%= fetch(:proxy_cache_rails_size) %>
|
6
|
+
inactive=<%= fetch(:proxy_cache_rails_time) %>
|
7
|
+
max_size=<%= fetch(:proxy_cache_rails_max) %>;
|
8
|
+
|
9
|
+
<% end %>
|
@@ -0,0 +1,15 @@
|
|
1
|
+
<% if fetch(:proxy_cache_rails) %>
|
2
|
+
# cache rails actions (need public header)
|
3
|
+
proxy_cache <%= fetch(:proxy_cache_rails_name) %>;
|
4
|
+
proxy_cache_lock on;
|
5
|
+
<% if fetch(:proxy_cache_rails_200) %>
|
6
|
+
proxy_cache_valid 200 302 <%= fetch(:proxy_cache_rails_200) %>;
|
7
|
+
<% end %>
|
8
|
+
<% if fetch(:proxy_cache_rails_404) %>
|
9
|
+
proxy_cache_valid 404 <%= fetch(:proxy_cache_rails_404) %>;
|
10
|
+
<% end %>
|
11
|
+
proxy_cache_use_stale <%= Array( fetch(:proxy_cache_rails_stale) ).join(" ") %>;
|
12
|
+
proxy_ignore_headers Set-Cookie;
|
13
|
+
proxy_cache_bypass $http_bypass_proxy;
|
14
|
+
add_header X-Cache-Status $upstream_cache_status;
|
15
|
+
<% end %>
|
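Review bot: `add_header X-Cache-Status $upstream_cache_status;` is emitted inside the proxied location, and nginx inherits `add_header` from the server level only when the current level defines none — so once `proxy_cache_rails` is on, every proxied response loses the `Strict-Transport-Security`, `X-Frame-Options` and `X-Content-Type-Options` headers that `diffie_hellman.erb` sets at server level. Either drop this debug header or repeat the security headers next to it, ideally by rendering them from one shared partial in both places. `proxy_ignore_headers Set-Cookie;` lets nginx store responses that carry `Set-Cookie`, and the stored header is then replayed to every later visitor of that URL; with a Rails session cookie that can hand one user's session to others, so either remove the line (the default refuses to cache cookie-bearing responses) or add `proxy_hide_header Set-Cookie;` when the cached pages are known not to need cookies. `proxy_cache_bypass $http_bypass_proxy;` means any client can force an upstream hit with a `Bypass-Proxy: 1` request header; if that is meant for operators, gate it on a secret value or an internal address.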
@@ -0,0 +1,10 @@
|
|
1
|
+
<% if fetch(:nginx_remove_www) %>
|
2
|
+
if ($host ~* ^www\.(.*)) {
|
3
|
+
set $host_without_www $1;
|
4
|
+
<% if fetch(:nginx_use_ssl) %>
|
5
|
+
rewrite ^(.*) https://$host_without_www$1 permanent;
|
6
|
+
<% else %>
|
7
|
+
rewrite ^(.*) http://$host_without_www$1 permanent;
|
8
|
+
<% end %>
|
9
|
+
}
|
10
|
+
<% end %>
|
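Review bot: `$host` is taken from the request's `Host` header, so `if ($host ~* ^www\.(.*))` captures whatever the client sent and the `rewrite` echoes it back in a `301` to `https://$host_without_www$1`; on a server that is also `default_server` (the SSL block in `nginx.conf.erb` adds it when `:default_site` is set) a request with `Host: www.evil.example` becomes an open redirect to `https://evil.example/...`. Restrict the capture to the configured names, `if ($host ~* ^www\.(<%= nginx_domains.map { |d| Regexp.escape(d) }.join('|') %>)$)`, or redirect to the canonical name rather than the echoed one (the `nginx_domains` helper is already used by the main template rendered through the same helper module, so it should be reachable here too). The `<% if fetch(:nginx_use_ssl) %>` fork can collapse into one line with nginx's `$scheme`, and the pitfalls page linked from the main template prefers `return` over `rewrite ... permanent`: `return 301 $scheme://$host_without_www$request_uri;`.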
@@ -1,7 +1,6 @@
|
|
1
1
|
###
|
2
2
|
### HTTP-Config generated with magic_recipes_two at: <%= Time.now.strftime("%Y-%m-%d .. %H:%M .. %Z") %>
|
3
3
|
###
|
4
|
-
<% joiner = "\n " %>
|
5
4
|
upstream thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster {
|
6
5
|
<% fetch(:app_instances).to_i.times do |i| %>
|
7
6
|
server unix:/tmp/thin.<%= fetch(:application) %>.<%= fetch(:stage) %>.<%= i %>.sock
|
@@ -10,108 +9,56 @@ upstream thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster {
|
|
10
9
|
<% end %>
|
11
10
|
}
|
12
11
|
|
13
|
-
|
14
|
-
|
15
|
-
proxy_cache_path <%= fetch(:proxy_cache_rails_directory) %>
|
16
|
-
levels=<%= fetch(:proxy_cache_rails_levels) %>
|
17
|
-
keys_zone=<%= fetch(:proxy_cache_rails_name) %>:<%= fetch(:proxy_cache_rails_size) %>
|
18
|
-
inactive=<%= fetch(:proxy_cache_rails_time) %>
|
19
|
-
max_size=<%= fetch(:proxy_cache_rails_max) %>;
|
20
|
-
|
21
|
-
<% end %><% if fetch(:proxy_cache_media) %>
|
22
|
-
# Proxy-Caching - Media (Dragonfly) - Files
|
23
|
-
proxy_cache_path <%= fetch(:proxy_cache_media_directory) %>
|
24
|
-
levels=<%= fetch(:proxy_cache_media_levels) %>
|
25
|
-
keys_zone=<%= fetch(:proxy_cache_media_name) %>:<%= fetch(:proxy_cache_media_size) %>
|
26
|
-
inactive=<%= fetch(:proxy_cache_media_time) %>
|
27
|
-
max_size=<%= fetch(:proxy_cache_media_max) %>;
|
28
|
-
|
29
|
-
<% end %>
|
12
|
+
<%= magic_render("nginx/rails_cache_path") %>
|
13
|
+
<%= magic_render("nginx/media_cache_path") %>
|
30
14
|
|
31
15
|
# HTTP Server
|
32
16
|
<% if fetch(:nginx_use_ssl) %>
|
33
17
|
<% if fetch(:nginx_major_domain) %>
|
34
18
|
server {
|
35
19
|
listen 80<%= ' default_server' if fetch(:default_site) %>;
|
36
|
-
server_name <%=
|
37
|
-
<%=
|
20
|
+
server_name <%= nginx_domains.join(joiner) %>
|
21
|
+
<%= nginx_major_domain %>;
|
38
22
|
|
39
|
-
|
23
|
+
<%#
|
24
|
+
## https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites
|
25
|
+
# return 301 https://xxxxx$request_uri;
|
26
|
+
# rewrite ^ http://xxxxx$request_uri? permanent;
|
27
|
+
# location / {
|
28
|
+
# return 301 https://xxxxx$request_uri;
|
29
|
+
# }
|
30
|
+
#%>
|
40
31
|
|
41
|
-
|
42
|
-
root <%= current_path %>/public;
|
43
|
-
gzip_static on;
|
44
|
-
expires max;
|
45
|
-
add_header Cache-Control public;
|
46
|
-
}
|
47
|
-
location / {
|
48
|
-
return 301 https://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
|
49
|
-
}
|
32
|
+
return 301 https://<%= nginx_major_domain %>$request_uri;
|
50
33
|
|
51
34
|
}
|
52
35
|
server {
|
53
36
|
listen 80;
|
54
|
-
server_name <%=
|
55
|
-
<%=
|
56
|
-
<%= "~^(?<sub>\w+)#{ Regexp.escape( ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" ) }" %>;
|
37
|
+
server_name <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>
|
38
|
+
<%= subdomain_regex( nginx_major_domain ) %>;
|
57
39
|
|
58
|
-
|
40
|
+
<%#
|
41
|
+
## https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites
|
42
|
+
# return 301 https://$sub.xxxxx$request_uri;
|
43
|
+
# rewrite ^ http://$sub.xxxxx$request_uri? permanent;
|
44
|
+
# location / {
|
45
|
+
# return 301 https://$sub.xxxxx$request_uri;
|
46
|
+
# }
|
47
|
+
#%>
|
59
48
|
|
60
|
-
|
61
|
-
root <%= current_path %>/public;
|
62
|
-
gzip_static on;
|
63
|
-
expires max;
|
64
|
-
add_header Cache-Control public;
|
65
|
-
}
|
66
|
-
location / {
|
67
|
-
return 301 https://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
|
68
|
-
}
|
49
|
+
return 301 https://$sub.<%= nginx_major_domain %>$request_uri;
|
69
50
|
|
70
51
|
}
|
71
52
|
<% else %>
|
72
53
|
server {
|
73
54
|
listen 80;
|
74
|
-
server_name <%=
|
75
|
-
|
76
|
-
|
77
|
-
location ^~ /assets/ico/ {
|
78
|
-
root <%= current_path %>/public;
|
79
|
-
gzip_static on;
|
80
|
-
expires max;
|
81
|
-
add_header Cache-Control public;
|
82
|
-
}
|
83
|
-
location / {
|
84
|
-
return 301 https://$host$request_uri;
|
85
|
-
}
|
86
|
-
|
87
|
-
}
|
88
|
-
<% end %>
|
89
|
-
<% elsif fetch(:nginx_remove_https) %>
|
90
|
-
<% if fetch(:nginx_major_domain) %>
|
91
|
-
server {
|
92
|
-
listen 443;
|
93
|
-
server_name <%= Array(fetch(:nginx_domains)).map{ |d| d.gsub(/^\*?\./, "") }.join(joiner) %>
|
94
|
-
<%= ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" %>;
|
95
|
-
|
96
|
-
# return 301 http://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
|
97
|
-
rewrite ^ http://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri? permanent;
|
55
|
+
server_name <%= nginx_domains.join(joiner) %>;
|
56
|
+
return 301 https://$host$request_uri;
|
98
57
|
}
|
99
58
|
server {
|
100
|
-
listen
|
101
|
-
server_name <%=
|
102
|
-
|
103
|
-
<%= "~^(?<sub>\w+)#{ Regexp.escape( ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" ) }" %>;
|
104
|
-
|
105
|
-
# return 301 http://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
|
106
|
-
rewrite ^ http://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri? permanent;
|
107
|
-
}
|
108
|
-
<% else %>
|
109
|
-
server {
|
110
|
-
listen 443;
|
111
|
-
server_name <%= Array(fetch(:nginx_domains)).map{ |d| d[0] == "." ? d : ".#{d}"}.join(joiner) %>;
|
112
|
-
|
113
|
-
# return 301 http://$host$request_uri;
|
114
|
-
rewrite ^ http://$host$request_uri? permanent;
|
59
|
+
listen 80;
|
60
|
+
server_name <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>
|
61
|
+
return 301 https://$sub.$host$request_uri;
|
115
62
|
}
|
116
63
|
<% end %>
|
117
64
|
<% end %>
|
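Review bot: The second server block of the non-major-domain SSL branch is broken twice: its `server_name <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>` line has no terminating `;`, so nginx reads `return`, `301` and `https://$sub.$host$request_uri` as further server names (or rejects the config) and the block never redirects; and even with the semicolon the target `https://$sub.$host$request_uri` prefixes a subdomain that `$host` already contains (`foo.example.com` → `https://foo.foo.example.com/...`). The exact-name block just above only matches the bare domains, so keep this one but write `server_name <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>;` followed by `return 301 https://$host$request_uri;`. The parallel `ssl-with-subdomain` and major-domain blocks use `$sub.<%= nginx_major_domain %>`, which is correct there because the host is being rewritten onto a different base domain.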
@@ -121,70 +68,48 @@ server {
|
|
121
68
|
# ssl-domain
|
122
69
|
server {
|
123
70
|
listen 443;
|
124
|
-
server_name <%=
|
125
|
-
|
126
|
-
ssl
|
127
|
-
ssl_certificate <%= fetch(:
|
128
|
-
ssl_certificate_key <%= fetch(:
|
71
|
+
server_name <%= nginx_domains.join(joiner) %>;
|
72
|
+
|
73
|
+
ssl on;
|
74
|
+
ssl_certificate <%= fetch(:nginx_other_ssl_cert) %>;
|
75
|
+
ssl_certificate_key <%= fetch(:nginx_other_ssl_key) %>;
|
76
|
+
|
77
|
+
return 301 https://<%= nginx_major_domain %>$request_uri;
|
129
78
|
}
|
130
79
|
# ssl-with-subdomain
|
131
80
|
server {
|
132
81
|
listen 443;
|
133
|
-
server_name <%=
|
134
|
-
|
135
|
-
ssl
|
136
|
-
ssl_certificate <%= fetch(:
|
137
|
-
ssl_certificate_key <%= fetch(:
|
82
|
+
server_name <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>;
|
83
|
+
|
84
|
+
ssl on;
|
85
|
+
ssl_certificate <%= fetch(:nginx_other_ssl_cert) %>;
|
86
|
+
ssl_certificate_key <%= fetch(:nginx_other_ssl_key) %>;
|
87
|
+
|
88
|
+
return 301 https://$sub.<%= nginx_major_domain %>$request_uri;
|
138
89
|
}
|
139
90
|
<% else %>
|
140
91
|
server {
|
141
92
|
listen 80;
|
142
|
-
server_name <%=
|
143
|
-
return 301 http://<%=
|
93
|
+
server_name <%= nginx_domains.join(joiner) %>;
|
94
|
+
return 301 http://<%= nginx_major_domain %>$request_uri;
|
144
95
|
}
|
145
96
|
server {
|
146
97
|
listen 80;
|
147
|
-
server_name <%=
|
148
|
-
return 301 http://$sub.<%=
|
98
|
+
server_name <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>;
|
99
|
+
return 301 http://$sub.<%= nginx_major_domain %>$request_uri;
|
149
100
|
}
|
150
101
|
<% end %>
|
151
102
|
<% end %>
|
152
103
|
|
153
104
|
|
154
|
-
|
155
|
-
|
156
|
-
|
157
105
|
server {
|
158
106
|
<% if fetch(:nginx_use_ssl) %>
|
159
107
|
listen 443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
|
160
108
|
listen [::]:443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
|
161
109
|
ssl on;
|
162
|
-
ssl_certificate <%= fetch(:
|
163
|
-
ssl_certificate_key <%= fetch(:
|
164
|
-
|
165
|
-
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
|
166
|
-
# from https://cipherli.st/
|
167
|
-
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
168
|
-
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
169
|
-
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
170
|
-
ssl_prefer_server_ciphers on;
|
171
|
-
ssl_ecdh_curve secp384r1;
|
172
|
-
ssl_session_cache shared:SSL:10m;
|
173
|
-
ssl_session_tickets off;
|
174
|
-
ssl_stapling on;
|
175
|
-
ssl_stapling_verify on;
|
176
|
-
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
177
|
-
resolver_timeout 5s;
|
178
|
-
## Disable preloading HSTS for now. You can use the commented out header line that includes
|
179
|
-
## the "preload" directive if you understand the implications.
|
180
|
-
# => add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
|
181
|
-
<% if fetch(:nginx_strict_transport_security_header) %>
|
182
|
-
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
|
183
|
-
<% end %>
|
184
|
-
add_header X-Frame-Options DENY;
|
185
|
-
add_header X-Content-Type-Options nosniff;
|
186
|
-
ssl_dhparam <%= fetch(:nginx_ssl_dh_path) %>/<%= fetch(:nginx_ssl_dh_file) %>;
|
187
|
-
<% end %>
|
110
|
+
ssl_certificate <%= fetch(:nginx_ssl_cert) %>;
|
111
|
+
ssl_certificate_key <%= fetch(:nginx_ssl_key) %>;
|
112
|
+
<%= magic_render("nginx/diffie_hellman") %>
|
188
113
|
<% else %>
|
189
114
|
listen 80<%= ' default deferred' if fetch(:default_site) %>;
|
190
115
|
listen [::]:80<%= ' default deferred' if fetch(:default_site) %>;
|
@@ -192,15 +117,10 @@ server {
|
|
192
117
|
<% if fetch(:nginx_major_domain) %>
|
193
118
|
server_name <%= ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" %>;
|
194
119
|
<% else %>
|
195
|
-
server_name <%=
|
120
|
+
server_name <%= nginx_domains.join(joiner) %>;
|
196
121
|
<% end %>
|
197
122
|
|
198
|
-
|
199
|
-
if ($host ~* ^www\.(.*)) {
|
200
|
-
set $host_without_www $1;
|
201
|
-
rewrite ^(.*) http://$host_without_www$1 permanent;
|
202
|
-
}
|
203
|
-
<% end %>
|
123
|
+
<%= magic_render("nginx/remove_www") %>
|
204
124
|
|
205
125
|
root <%= current_path %>/public;
|
206
126
|
|
@@ -223,23 +143,10 @@ server {
|
|
223
143
|
}
|
224
144
|
|
225
145
|
<% if fetch(:allow_well_known) %>
|
226
|
-
location ~ /.well-known {
|
227
|
-
allow all;
|
228
|
-
}
|
146
|
+
location ~ /.well-known { allow all; }
|
229
147
|
<% end %>
|
230
148
|
|
231
|
-
|
232
|
-
# Media-Path with NginX-Proxy-Cache
|
233
|
-
location ^~ /<%= fetch(:proxy_cache_media_path) %>/ {
|
234
|
-
# auth_basic off;
|
235
|
-
proxy_cache <%= fetch(:proxy_cache_media_name) %>;
|
236
|
-
# proxy_cache_lock on;
|
237
|
-
# add_header X-Cache-Status $upstream_cache_status;
|
238
|
-
# proxy_cache_bypass $http_bypass_proxy;
|
239
|
-
proxy_pass $scheme://thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster;
|
240
|
-
proxy_cache_valid 200 <%= fetch(:proxy_cache_media_time) %>;
|
241
|
-
}
|
242
|
-
<% end %>
|
149
|
+
<%= magic_render("nginx/media_cache_server") %>
|
243
150
|
|
244
151
|
try_files $uri/index.html $uri @thin_<%= fetch(:application) %>_<%= fetch(:stage) %>;
|
245
152
|
|
@@ -250,21 +157,7 @@ server {
|
|
250
157
|
proxy_set_header X-Forwarded-Proto $scheme;
|
251
158
|
proxy_set_header Host $host:$server_port;
|
252
159
|
proxy_redirect off;
|
253
|
-
|
254
|
-
# cache rails actions (need public header)
|
255
|
-
proxy_cache <%= fetch(:proxy_cache_rails_name) %>;
|
256
|
-
proxy_cache_lock on;
|
257
|
-
<% if fetch(:proxy_cache_rails_200) %>
|
258
|
-
proxy_cache_valid 200 302 <%= fetch(:proxy_cache_rails_200) %>;
|
259
|
-
<% end %>
|
260
|
-
<% if fetch(:proxy_cache_rails_404) %>
|
261
|
-
proxy_cache_valid 404 <%= fetch(:proxy_cache_rails_404) %>;
|
262
|
-
<% end %>
|
263
|
-
proxy_cache_use_stale <%= Array( fetch(:proxy_cache_rails_stale) ).join(" ") %>;
|
264
|
-
proxy_ignore_headers Set-Cookie;
|
265
|
-
proxy_cache_bypass $http_bypass_proxy;
|
266
|
-
add_header X-Cache-Status $upstream_cache_status;
|
267
|
-
<% end %>
|
160
|
+
<%= magic_render("nginx/rails_cache_server") %>
|
268
161
|
# pass request to thin upstream
|
269
162
|
proxy_pass http://thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster;
|
270
163
|
}
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: magic_recipes_two
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.67
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Torsten Wetzel
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-04-
|
11
|
+
date: 2017-04-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rails
|
@@ -80,6 +80,20 @@ dependencies:
|
|
80
80
|
- - ! '>='
|
81
81
|
- !ruby/object:Gem::Version
|
82
82
|
version: 1.4.0
|
83
|
+
- !ruby/object:Gem::Dependency
|
84
|
+
name: capistrano-rvm
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
86
|
+
requirements:
|
87
|
+
- - ! '>='
|
88
|
+
- !ruby/object:Gem::Version
|
89
|
+
version: 0.1.2
|
90
|
+
type: :runtime
|
91
|
+
prerelease: false
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
93
|
+
requirements:
|
94
|
+
- - ! '>='
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: 0.1.2
|
83
97
|
- !ruby/object:Gem::Dependency
|
84
98
|
name: capistrano-postgresql
|
85
99
|
requirement: !ruby/object:Gem::Requirement
|
@@ -138,6 +152,7 @@ files:
|
|
138
152
|
- lib/capistrano/magic_recipes/exception_pages.rb
|
139
153
|
- lib/capistrano/magic_recipes/inform_slack.rb
|
140
154
|
- lib/capistrano/magic_recipes/lets_encrypt.rb
|
155
|
+
- lib/capistrano/magic_recipes/logs.rb
|
141
156
|
- lib/capistrano/magic_recipes/monit.rb
|
142
157
|
- lib/capistrano/magic_recipes/nginx.rb
|
143
158
|
- lib/capistrano/magic_recipes/redis.rb
|
@@ -150,6 +165,7 @@ files:
|
|
150
165
|
- lib/capistrano/tasks/exception_pages.rake
|
151
166
|
- lib/capistrano/tasks/inform_slack.rake
|
152
167
|
- lib/capistrano/tasks/lets_encrypt.rake
|
168
|
+
- lib/capistrano/tasks/logs.rake
|
153
169
|
- lib/capistrano/tasks/monit.rake
|
154
170
|
- lib/capistrano/tasks/monit_sidekiq.rake
|
155
171
|
- lib/capistrano/tasks/nginx.rake
|
@@ -160,12 +176,19 @@ files:
|
|
160
176
|
- lib/generators/capistrano/magic_recipes/templates/capistrano3_nginx_conf.erb
|
161
177
|
- lib/generators/capistrano/magic_recipes/templates/monit/monitrc.erb
|
162
178
|
- lib/generators/capistrano/magic_recipes/templates/monit/nginx.erb
|
179
|
+
- lib/generators/capistrano/magic_recipes/templates/monit/nginx_conf.erb
|
163
180
|
- lib/generators/capistrano/magic_recipes/templates/monit/postgresql.erb
|
164
181
|
- lib/generators/capistrano/magic_recipes/templates/monit/redis.erb
|
165
182
|
- lib/generators/capistrano/magic_recipes/templates/monit/sidekiq.erb
|
166
183
|
- lib/generators/capistrano/magic_recipes/templates/monit/thin.erb
|
167
184
|
- lib/generators/capistrano/magic_recipes/templates/monit/website.erb
|
168
185
|
- lib/generators/capistrano/magic_recipes/templates/nginx.conf.erb
|
186
|
+
- lib/generators/capistrano/magic_recipes/templates/nginx/diffie_hellman.erb
|
187
|
+
- lib/generators/capistrano/magic_recipes/templates/nginx/media_cache_path.erb
|
188
|
+
- lib/generators/capistrano/magic_recipes/templates/nginx/media_cache_server.erb
|
189
|
+
- lib/generators/capistrano/magic_recipes/templates/nginx/rails_cache_path.erb
|
190
|
+
- lib/generators/capistrano/magic_recipes/templates/nginx/rails_cache_server.erb
|
191
|
+
- lib/generators/capistrano/magic_recipes/templates/nginx/remove_www.erb
|
169
192
|
- lib/generators/capistrano/magic_recipes/templates/postgresql.yml.erb
|
170
193
|
- lib/generators/capistrano/magic_recipes/templates/secrets_yml.erb
|
171
194
|
- lib/generators/capistrano/magic_recipes/templates/thin_app_yml.erb
|