magic_recipes_two 0.0.66 → 0.0.67

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    ZTEyOGIzYjAyZWJlY2E4ZmFhMzU1Mzk5ZjQ5NjkyM2ZhMjUwM2M3Ng==
+    OTlmYjBlNWY0NjdjNjhkZDkyODQxNTJmYWYyZjJhZTAyZjMwYThlOQ==
   data.tar.gz: !binary |-
-    N2RiZDc2N2JhYTcyYWJkMDY3NmRhZjc5ZWY2YjNkOTEwZDNkYjEyYQ==
+    M2EzODk3NjY0MjY0ZjdhOTc0ODdmZmRkOTVkYTliMWMxZGMzOTg2MQ==
 SHA512:
   metadata.gz: !binary |-
-    YTE0NDI2MTUzYzk1NzA4ZjRjZjhmYzU5ODRkOTMzMGRkZDFjNDY0NjkzM2I5
-    MjczYmMxMzdiMzQwOTQ2NmJmMTY1ZTY3OTA0NzBiMWZiZTFjNTZmOGI3Yzhj
-    ODFkNmE5NzJkNTMwMjFiY2E3ZTkxN2E5MjI3NmYzMDQ5ZTkyOTg=
+    ZTA3ZGM2MjMwNzlmNTIwYTA0ZTQ0ZWY4MDllODNhOTE0OTViZTlhZmY3NGZh
+    ZmU2NTAxZTY0ZGJjOTU1NDAyOGVmMDg0NjQyYmM3YzBmNWY3YmMyNTllNmYx
+    NWU3ZmE0MmVhNjVjNmM3MTFiNGM0OGVkZjA4ODNjNGNiOWZiN2I=
   data.tar.gz: !binary |-
-    ZGUwOGNlYzBmODFkODNmMWViMTMxOTliMjE4YTg3OTMwY2RhNWNkODExMzE4
-    ZDFiNWNhMTFlOGJlNDQ4NDQyYjc4NzM1YmE0ZDA2YTE2N2EyMzkxZDhkMGM5
-    NGQyMTg1MDY0NjUzYjdmYjE2YWJmM2JiZTQwMmM4ZmIxY2QxOWU=
+    MDBlNzE1NTgwNTZjYTVhYTdiNjA3MzY0YWVhMzA1ZjU3Njk2ZWIxYThiOTU3
+    ZTM3ZDE3YzVmM2ZiZmI0ZDRhYWYxMmJjNjlmMGM1NjAxNzEwM2RkNGU4MzY3
+    N2RkYzI4NTE1ZWE2NmJjYzk5N2Q4YmI0MDMyZmIwMWMzYTdhNzU=

data/lib/capistrano/magic_recipes/base_helpers.rb

@@ -23,6 +23,13 @@ module Capistrano
         upload! StringIO.new( ERB.new(erb).result(binding) ), to
       end
       
+      
+      def magic_render(tmpl)
+        erb = get_template_file(tmpl)
+        ERB.new(erb).result(binding)
+      end
+      
+      
       def generate_secrect_key
         SecureRandom.hex(82)
       end

data/lib/capistrano/magic_recipes/logs.rb

@@ -0,0 +1 @@
+load File.expand_path("../../tasks/logs.rake", __FILE__)

data/lib/capistrano/magic_recipes/version.rb

@@ -1,5 +1,5 @@
 module Capistrano
   module MagicRecipes
-    VERSION = "0.0.66"
+    VERSION = "0.0.67"
   end
 end

data/lib/capistrano/tasks/logs.rake

@@ -0,0 +1,47 @@
+
+namespace :load do
+  task :defaults do
+    set :logs_roles,        -> { :web }
+    set :logs_show_lines,   -> { 500 }
+  end
+end
+
+
+namespace :logs do
+  
+  ["rails", "sidekiq", "monit", "nginx-access", "nginx-error", "lets_encrypt_cron"].each do |that|
+    
+    desc "show #{that == 'lets_encrypt_cron' ? 'Lets Encrypt cron-job' : that} logs"
+    task that do
+      on release_roles fetch(:logs_roles, :web) do
+        within shared_path do
+          execute :tail, "-n #{ fetch(:logs_show_lines, 100) } log/#{ that == 'rails' ? 'production' : that }.log"
+        end
+      end
+    end
+    
+  end
+  
+  3.times do |x|
+    
+    desc "show thin instance-#{x} logs"
+    task "thin#{x}" do
+      on release_roles fetch(:logs_roles, :web) do
+        within shared_path do
+          begin
+            execute :tail, "-n #{ fetch(:logs_show_lines, 100) } log/thin_#{fetch(:application)}_#{fetch(:stage)}.#{x}.log"
+          rescue SSHKit::Command::Failed
+            # If gems are not installed eq(first deploy) and sidekiq_default_hooks as active
+            warn "thin_#{fetch(:application)}_#{fetch(:stage)}.#{x}.log => not found! .. (may not exist)"
+          end
+        end
+      end
+    end
+    
+  end
+  
+  
+end
+
+
+

data/lib/capistrano/tasks/nginx.rake

@@ -7,7 +7,6 @@ namespace :load do
     set :nginx_domains,               -> { [] }
     set :nginx_major_domain,          -> { false }
     set :nginx_remove_www,            -> { true }
-    set :nginx_remove_https,          -> { false }
     set :default_site,                -> { false }
     set :app_instances,               -> { 1 }
     set :nginx_service_path,          -> { 'service nginx' }
@@ -19,20 +18,38 @@ namespace :load do
     set :nginx_sites_available,       -> { "sites-available" }
     set :nginx_template,              -> { :default }
     set :nginx_use_ssl,               -> { false }
-    set :nginx_ssl_certificate,       -> { "#{fetch(:application)}.crt" }
-    set :nginx_ssl_certificate_path,  -> { '/etc/ssl/certs' }
-    set :nginx_ssl_certificate_key,   -> { "#{fetch(:application)}.key" }
-    set :nginx_ssl_certificate_key_path, -> { '/etc/ssl/private' }
+    
+    ##! depreacated!!!
+    set :nginx_ssl_certificate_path,      -> { '/etc/ssl/certs' }
+    set :nginx_ssl_certificate_key_path,  -> { '/etc/ssl/private' }
+    set :nginx_ssl_certificate,           -> { "#{fetch(:application)}.crt" }
+    set :nginx_ssl_certificate_key,       -> { "#{fetch(:application)}.key" }
+    set :nginx_old_ssl_certificate,       -> { "#{fetch(:application)}.crt" }
+    set :nginx_old_ssl_certificate_key,   -> { "#{fetch(:application)}.key" }
+    
+    ##! New-Style
+    set :nginx_ssl_cert,              -> { "#{fetch(:nginx_ssl_certificate_path)}/#{fetch(:nginx_ssl_certificate)}" }
+    set :nginx_ssl_key,               -> { "#{fetch(:nginx_ssl_certificate_key_path)}/#{fetch(:nginx_ssl_certificate_key)}" }
+    set :nginx_other_ssl_cert,        -> { "#{fetch(:nginx_ssl_cert)}" }
+    set :nginx_other_ssl_key,         -> { "#{fetch(:nginx_ssl_key)}" }
+    
     set :app_server_ip,               -> { "127.0.0.1" }
     set :nginx_hooks,                 -> { true }
     ## Lets Encrypt - Challenge Path
     set :allow_well_known,            -> { false }
     ## only turn on, when rails :force_ssl is false !
-    set :nginx_strict_transport_security_header, -> { false }
+    set :nginx_strict_security,       -> { false }
+    
     # Diffie-Hellman settings
+    set :nginx_use_diffie_hellman,    -> { false }
+    ##! depreacated!!!
     set :nginx_ssl_dh_path,           -> { "/etc/ssl/certs" }
     set :nginx_ssl_dh_file,           -> { "dhparam.pem" }
-    set :nginx_ssl_diffie_hellman,    -> { false }
+    ##! New-Style
+    set :nginx_diffie_hellman_param,  -> { "#{fetch(:nginx_ssl_dh_path)}/#{fetch(:nginx_ssl_dh_file)}" }
+    ## SSL Cipher
+    set :nginx_ssl_ciphers,           -> { "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" }
+    
     ## NginX Proxy-Caching
     # Cache Rails
     set :proxy_cache_rails,           -> { false }
@@ -58,12 +75,14 @@ namespace :load do
 end
 
 namespace :nginx do
+  
   task :load_vars do
-    set :sites_available, -> { File.join(fetch(:nginx_root_path), fetch(:nginx_sites_available)) }
-    set :sites_enabled, -> { File.join(fetch(:nginx_root_path), fetch(:nginx_sites_enabled)) }
-    set :enabled_application, -> { File.join(fetch(:sites_enabled), "#{fetch(:application)}_#{fetch(:stage)}") }
+    set :sites_available,       -> { File.join(fetch(:nginx_root_path), fetch(:nginx_sites_available)) }
+    set :sites_enabled,         -> { File.join(fetch(:nginx_root_path), fetch(:nginx_sites_enabled)) }
+    set :enabled_application,   -> { File.join(fetch(:sites_enabled), "#{fetch(:application)}_#{fetch(:stage)}") }
     set :available_application, -> { File.join(fetch(:sites_available), "#{fetch(:application)}_#{fetch(:stage)}") }
   end
+  
 
   %w[start stop restart reload].each do |command|
     desc "#{command.capitalize} nginx service"
@@ -111,6 +130,28 @@ namespace :nginx do
   end
 
   namespace :site do
+    
+    def joiner
+      "\n                        "
+    end
+    
+    def clear_domain( domain )
+      "#{ domain }".gsub(/^www\./, "").gsub(/^\*?\./, "")
+    end
+    
+    def subdomain_regex( domain )
+      "~^(www\.)?(?<sub>[\w-]+)#{ Regexp.escape(".#{ domain }") }"
+    end
+  
+    def nginx_domains
+      Array( fetch(:nginx_domains) ).map{ |d| clear_domain(d) }.uniq
+    end
+    
+    def nginx_major_domain
+      fetch(:nginx_major_domain, false) ? clear_domain( fetch(:nginx_major_domain) ) : false
+    end
+    
+    
     desc 'Creates the site configuration and upload it to the available folder'
     task :add => ['nginx:load_vars'] do
       on release_roles fetch(:nginx_roles) do

data/lib/capistrano/tasks/secrets.rake

@@ -34,9 +34,9 @@ namespace :secrets do
   task :profile do
     on release_roles fetch(:secrets_roles) do
       within fetch(:secrets_user_path) do
-        execute :sudo,  "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' | cat >> .#{fetch(:secrets_profile)}"
+        execute :sudo,  "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' >> .#{fetch(:secrets_profile)}"
         if fetch(:secrets_set_both, false)
-          execute :sudo,  "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' | cat >> .#{fetch(:secrets_profile)}"
+          execute :sudo,  "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' >> .#{fetch(:secrets_profile)}"
         end
       end
     end
@@ -46,9 +46,9 @@ namespace :secrets do
   task :environment do
     on release_roles fetch(:secrets_roles) do
       within "/etc" do
-        execute :sudo,  "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' | cat >> environment"
+        execute :sudo,  "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' >> environment"
         if fetch(:secrets_set_both, false)
-          execute :sudo,  "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' | cat >> environment"
+          execute :sudo,  "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' >> environment"
         end
       end
     end
@@ -58,9 +58,9 @@ namespace :secrets do
   task :etc_profile do
     on release_roles fetch(:secrets_roles) do
       within "/etc" do
-        execute :sudo,  "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' | cat >> profile"
+        execute :sudo,  "echo 'export #{fetch(:secrets_key_name)}=#{fetch(:secrets_key_base)}' >> profile"
         if fetch(:secrets_set_both, false)
-          execute :sudo,  "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' | cat >> profile"
+          execute :sudo,  "echo 'export SECRET_KEY_BASE=#{fetch(:secrets_key_base)}' >> profile"
         end
       end
     end

data/lib/generators/capistrano/magic_recipes/templates/monit/nginx_conf.erb

@@ -0,0 +1,14 @@
+server {
+    listen 80;
+    server_name <%= fetch(:monit_web_domain) %>;
+    
+    location ^~ /.well-known/ {
+      allow         all;
+      root          <%= fetch(:monit_well_known_path, "/tmp/monit/well_known") %>;
+    }
+    location / {
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   Host      $http_host;
+        proxy_pass         http://127.0.0.1:<%= fetch(:monit_http_port) %>;
+    }
+}

data/lib/generators/capistrano/magic_recipes/templates/nginx/diffie_hellman.erb

@@ -0,0 +1,35 @@
+<% if fetch(:nginx_use_diffie_hellman, false) %>
+  <%# 
+      ## check this sites:
+      # https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
+      # https://cipherli.st/
+      # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html 
+      # https://wiki.mozilla.org/Security/Server_Side_TLS
+  #%>
+  ## Diffie Hellman
+  ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers                 '<%= fetch(:nginx_ssl_ciphers) %>';
+  ssl_prefer_server_ciphers   on;
+  ssl_ecdh_curve              secp384r1;
+  ssl_session_cache           shared:SSL:10m;
+  ssl_session_tickets         off;
+  ssl_stapling                on;
+  ssl_stapling_verify         on;
+  resolver                    8.8.8.8 8.8.4.4 valid=300s;
+  resolver_timeout            5s;
+  <%#
+      ## Disable preloading HSTS for now.  You can use the commented out header line that includes
+      ## the "preload" directive if you understand the implications.
+      
+      # => add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+  
+      ## don't add when rails config.force_ssl = true !!!
+  #%>
+  <% if fetch(:nginx_strict_security) %>
+  add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains";
+  <% end %>
+  add_header                  X-Frame-Options DENY;
+  add_header                  X-Content-Type-Options nosniff;
+  ssl_dhparam                 <%= fetch(:nginx_diffie_hellman_param) %>;
+  
+<% end %>

data/lib/generators/capistrano/magic_recipes/templates/nginx/media_cache_path.erb

@@ -0,0 +1,9 @@
+<% if fetch(:proxy_cache_media) %>
+# Proxy-Caching - Media - Files ( ie: dragonfly / paperclip )
+proxy_cache_path    <%= fetch(:proxy_cache_media_directory) %> 
+                    levels=<%= fetch(:proxy_cache_media_levels) %> 
+                    keys_zone=<%= fetch(:proxy_cache_media_name) %>:<%= fetch(:proxy_cache_media_size) %> 
+                    inactive=<%= fetch(:proxy_cache_media_time) %> 
+                    max_size=<%= fetch(:proxy_cache_media_max) %>;
+
+<% end %>

data/lib/generators/capistrano/magic_recipes/templates/nginx/media_cache_server.erb

@@ -0,0 +1,12 @@
+<% if fetch(:proxy_cache_media) %>
+  # Media-Path with NginX-Proxy-Cache
+  location ^~ /<%= fetch(:proxy_cache_media_path) %>/ {
+    # auth_basic          off;
+    proxy_cache           <%= fetch(:proxy_cache_media_name) %>;
+    # proxy_cache_lock    on;
+    # add_header          X-Cache-Status    $upstream_cache_status;
+    # proxy_cache_bypass  $http_bypass_proxy;
+    proxy_pass            $scheme://thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster;
+    proxy_cache_valid     200  <%= fetch(:proxy_cache_media_time) %>; 
+  }
+<% end %>

data/lib/generators/capistrano/magic_recipes/templates/nginx/rails_cache_path.erb

@@ -0,0 +1,9 @@
+<% if fetch(:proxy_cache_rails) %>
+# Proxy-Caching - Rails - Site
+proxy_cache_path    <%= fetch(:proxy_cache_rails_directory) %> 
+                    levels=<%= fetch(:proxy_cache_rails_levels) %> 
+                    keys_zone=<%= fetch(:proxy_cache_rails_name) %>:<%= fetch(:proxy_cache_rails_size) %> 
+                    inactive=<%= fetch(:proxy_cache_rails_time) %> 
+                    max_size=<%= fetch(:proxy_cache_rails_max) %>;
+
+<% end %>

data/lib/generators/capistrano/magic_recipes/templates/nginx/rails_cache_server.erb

@@ -0,0 +1,15 @@
+<% if fetch(:proxy_cache_rails) %>
+    # cache rails actions (need public header)
+    proxy_cache           <%= fetch(:proxy_cache_rails_name) %>;
+    proxy_cache_lock      on;
+  <% if fetch(:proxy_cache_rails_200) %>
+    proxy_cache_valid     200 302           <%= fetch(:proxy_cache_rails_200) %>;
+  <% end %>
+  <% if fetch(:proxy_cache_rails_404) %>
+    proxy_cache_valid     404               <%= fetch(:proxy_cache_rails_404) %>;
+  <% end %>
+    proxy_cache_use_stale <%= Array( fetch(:proxy_cache_rails_stale) ).join(" ") %>;
+    proxy_ignore_headers  Set-Cookie;
+    proxy_cache_bypass    $http_bypass_proxy;
+    add_header            X-Cache-Status    $upstream_cache_status;
+<% end %>

data/lib/generators/capistrano/magic_recipes/templates/nginx/remove_www.erb

@@ -0,0 +1,10 @@
+<% if fetch(:nginx_remove_www) %>
+  if ($host ~* ^www\.(.*)) {
+    set $host_without_www $1;
+    <% if fetch(:nginx_use_ssl) %>
+    rewrite ^(.*) https://$host_without_www$1 permanent;
+    <% else %>
+    rewrite ^(.*) http://$host_without_www$1 permanent;
+    <% end %>
+  }
+<% end %>

data/lib/generators/capistrano/magic_recipes/templates/nginx.conf.erb

@@ -1,7 +1,6 @@
 ###
 ### HTTP-Config generated with magic_recipes_two at: <%= Time.now.strftime("%Y-%m-%d .. %H:%M .. %Z") %>
 ###
-<% joiner = "\n                        " %>
 upstream thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster {
   <% fetch(:app_instances).to_i.times do |i| %>
   server            unix:/tmp/thin.<%= fetch(:application) %>.<%= fetch(:stage) %>.<%= i %>.sock 
@@ -10,108 +9,56 @@ upstream thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster {
   <% end %>
 }
 
-<% if fetch(:proxy_cache_rails) %>
-# Proxy-Caching - Rails - Sites
-proxy_cache_path    <%= fetch(:proxy_cache_rails_directory) %> 
-                    levels=<%= fetch(:proxy_cache_rails_levels) %> 
-                    keys_zone=<%= fetch(:proxy_cache_rails_name) %>:<%= fetch(:proxy_cache_rails_size) %> 
-                    inactive=<%= fetch(:proxy_cache_rails_time) %> 
-                    max_size=<%= fetch(:proxy_cache_rails_max) %>;
-
-<% end %><% if fetch(:proxy_cache_media) %>
-# Proxy-Caching - Media (Dragonfly) - Files
-proxy_cache_path    <%= fetch(:proxy_cache_media_directory) %> 
-                    levels=<%= fetch(:proxy_cache_media_levels) %> 
-                    keys_zone=<%= fetch(:proxy_cache_media_name) %>:<%= fetch(:proxy_cache_media_size) %> 
-                    inactive=<%= fetch(:proxy_cache_media_time) %> 
-                    max_size=<%= fetch(:proxy_cache_media_max) %>;
-
-<% end %>
+<%= magic_render("nginx/rails_cache_path") %>
+<%= magic_render("nginx/media_cache_path") %>
 
 # HTTP Server
 <% if fetch(:nginx_use_ssl) %>
 <% if fetch(:nginx_major_domain) %>
 server {
   listen                80<%= ' default_server' if fetch(:default_site) %>;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| d.gsub(/^\*?\./, "") }.join(joiner) %>
-                        <%= ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" %>;
+  server_name           <%= nginx_domains.join(joiner) %>
+                        <%= nginx_major_domain %>;
   
-  # return 301 https://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
+  <%# 
+      ## https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites
+      # return 301 https://xxxxx$request_uri;
+      # rewrite ^ http://xxxxx$request_uri? permanent;
+      # location / {
+      #   return 301 https://xxxxx$request_uri;
+      # }
+  #%>
   
-  location ^~ /assets/ico/ {
-    root                <%= current_path %>/public;
-    gzip_static         on;
-    expires             max;
-    add_header          Cache-Control public;
-  }
-  location / {
-    return 301 https://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
-  }
+  return 301 https://<%= nginx_major_domain %>$request_uri;
   
 }
 server {
   listen 80;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| "~^(?<sub>\w+)#{ Regexp.escape( ".#{d.gsub(/^\*?\./, "")}" ) }" }.join(joiner) %>
-                        <%= "~^#{Regexp.escape("www.")}(?<sub>\w+)#{ Regexp.escape( ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" ) }" %>
-                        <%= "~^(?<sub>\w+)#{ Regexp.escape( ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" ) }" %>;
+  server_name           <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>
+                        <%= subdomain_regex( nginx_major_domain ) %>;
   
-  # return 301 https://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
+  <%#
+      ## https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#taxing-rewrites
+      # return 301 https://$sub.xxxxx$request_uri;
+      # rewrite ^ http://$sub.xxxxx$request_uri? permanent;
+      # location / {
+      #   return 301 https://$sub.xxxxx$request_uri;
+      # }
+  #%>
   
-  location ^~ /assets/ico/ {
-    root                <%= current_path %>/public;
-    gzip_static         on;
-    expires             max;
-    add_header          Cache-Control public;
-  }
-  location / {
-    return 301 https://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
-  }
+  return 301 https://$sub.<%= nginx_major_domain %>$request_uri;
   
 }
 <% else %>
 server {
   listen                80;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| d[0] == "." ? d : ".#{d}"}.join(joiner) %>;
-  # return 301 https://$host$request_uri;
-  
-  location ^~ /assets/ico/ {
-    root                <%= current_path %>/public;
-    gzip_static         on;
-    expires             max;
-    add_header          Cache-Control public;
-  }
-  location / {
-    return 301 https://$host$request_uri;
-  }
-  
-}
-<% end %>
-<% elsif fetch(:nginx_remove_https) %>
-<% if fetch(:nginx_major_domain) %>
-server {
-  listen                443;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| d.gsub(/^\*?\./, "") }.join(joiner) %>
-                        <%= ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" %>;
-  
-  # return 301 http://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
-  rewrite ^ http://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri? permanent;
+  server_name           <%= nginx_domains.join(joiner) %>;
+  return 301 https://$host$request_uri;
 }
 server {
-  listen                443;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| "~^(?<sub>\w+)#{ Regexp.escape( ".#{d.gsub(/^\*?\./, "")}" ) }" }.join(joiner) %>
-                        <%= "~^#{Regexp.escape("www.")}(?<sub>\w+)#{ Regexp.escape( ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" ) }" %>
-                        <%= "~^(?<sub>\w+)#{ Regexp.escape( ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" ) }" %>;
-  
-  # return 301 http://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
-  rewrite ^ http://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri? permanent;
-}
-<% else %>
-server {
-  listen                443;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| d[0] == "." ? d : ".#{d}"}.join(joiner) %>;
-  
-  # return 301 http://$host$request_uri;
-  rewrite ^ http://$host$request_uri? permanent;
+  listen                80;
+  server_name           <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>
+  return 301 https://$sub.$host$request_uri;
 }
 <% end %>
 <% end %>
@@ -121,70 +68,48 @@ server {
 # ssl-domain
 server {
   listen                443;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| d.gsub(/^\*?\./, "") }.join(joiner) %>;
-  return 301 https://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
-  ssl on;
-  ssl_certificate       <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_old_ssl_certificate) %>;
-  ssl_certificate_key   <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_old_ssl_certificate_key) %>;
+  server_name           <%= nginx_domains.join(joiner) %>;
+  
+  ssl                   on;
+  ssl_certificate       <%= fetch(:nginx_other_ssl_cert) %>;
+  ssl_certificate_key   <%= fetch(:nginx_other_ssl_key) %>;
+  
+  return 301 https://<%= nginx_major_domain %>$request_uri;
 }
 # ssl-with-subdomain
 server {
   listen                443;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| "~^(?<sub>\w+)\.#{ Regexp.escape( d.gsub(/^\*?\./, "") ) }" }.join(joiner) %>;
-  return 301 https://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
-  ssl on;
-  ssl_certificate       <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_old_ssl_certificate) %>;
-  ssl_certificate_key   <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_old_ssl_certificate_key) %>;
+  server_name           <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>;
+  
+  ssl                   on;
+  ssl_certificate       <%= fetch(:nginx_other_ssl_cert) %>;
+  ssl_certificate_key   <%= fetch(:nginx_other_ssl_key) %>;
+  
+  return 301 https://$sub.<%= nginx_major_domain %>$request_uri;
 }
 <% else %>
 server {
   listen                80;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| d.gsub(/^\*?\./, "") }.join(joiner) %>;
-  return 301 http://<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
+  server_name           <%= nginx_domains.join(joiner) %>;
+  return 301 http://<%= nginx_major_domain %>$request_uri;
 }
 server {
   listen                80;
-  server_name           <%= Array(fetch(:nginx_domains)).map{ |d| "~^(?<sub>\w+)\.#{ Regexp.escape( d.gsub(/^\*?\./, "") ) }" }.join(joiner) %>;
-  return 301 http://$sub.<%= fetch(:nginx_major_domain).gsub(/^\*?\./, "") %>$request_uri;
+  server_name           <%= nginx_domains.map{ |d| subdomain_regex(d) }.join(joiner) %>;
+  return 301 http://$sub.<%= nginx_major_domain %>$request_uri;
 }
 <% end %>
 <% end %>
 
 
-
-
-
 server {
 <% if fetch(:nginx_use_ssl) %>
   listen                443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
   listen                [::]:443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
   ssl                   on;
-  ssl_certificate       <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_ssl_certificate) %>;
-  ssl_certificate_key   <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_ssl_certificate_key) %>;
-  <% if fetch(:nginx_ssl_diffie_hellman, false) %>
-  # https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
-  # from https://cipherli.st/
-  # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-  ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers               'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-  ssl_prefer_server_ciphers   on;
-  ssl_ecdh_curve              secp384r1;
-  ssl_session_cache           shared:SSL:10m;
-  ssl_session_tickets         off;
-  ssl_stapling                on;
-  ssl_stapling_verify         on;
-  resolver                    8.8.8.8 8.8.4.4 valid=300s;
-  resolver_timeout            5s;
-  ## Disable preloading HSTS for now.  You can use the commented out header line that includes
-  ## the "preload" directive if you understand the implications.
-  # => add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-  <% if fetch(:nginx_strict_transport_security_header) %>
-  add_header                  Strict-Transport-Security "max-age=63072000; includeSubdomains";
-  <% end %>
-  add_header                  X-Frame-Options DENY;
-  add_header                  X-Content-Type-Options nosniff;
-  ssl_dhparam                 <%= fetch(:nginx_ssl_dh_path) %>/<%= fetch(:nginx_ssl_dh_file) %>;
-  <% end %>
+  ssl_certificate       <%= fetch(:nginx_ssl_cert) %>;
+  ssl_certificate_key   <%= fetch(:nginx_ssl_key) %>;
+  <%= magic_render("nginx/diffie_hellman") %>
 <% else %>
   listen                80<%= ' default deferred' if fetch(:default_site) %>;
   listen                [::]:80<%= ' default deferred' if fetch(:default_site) %>;
@@ -192,15 +117,10 @@ server {
   <% if fetch(:nginx_major_domain) %>
   server_name           <%= ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" %>;
   <% else %>
-  server_name           <%= Array( fetch(:nginx_domains) ).join(joiner) %>;
+  server_name           <%= nginx_domains.join(joiner) %>;
   <% end %>
   
-  <% if fetch(:nginx_remove_www) %>
-  if ($host ~* ^www\.(.*)) {
-    set $host_without_www $1;
-    rewrite ^(.*) http://$host_without_www$1 permanent;
-  }
-  <% end %>
+  <%= magic_render("nginx/remove_www") %>
 
   root                  <%= current_path %>/public;
 
@@ -223,23 +143,10 @@ server {
   }
   
 <% if fetch(:allow_well_known) %>
-  location ~ /.well-known {
-    allow all;
-  }
+  location ~ /.well-known { allow all; }
 <% end %>
   
-<% if fetch(:proxy_cache_media) %>
-  # Media-Path with NginX-Proxy-Cache
-  location ^~ /<%= fetch(:proxy_cache_media_path) %>/ {
-    # auth_basic          off;
-    proxy_cache         <%= fetch(:proxy_cache_media_name) %>;
-    # proxy_cache_lock    on;
-    # add_header          X-Cache-Status    $upstream_cache_status;
-    # proxy_cache_bypass  $http_bypass_proxy;
-    proxy_pass          $scheme://thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster;
-    proxy_cache_valid   200  <%= fetch(:proxy_cache_media_time) %>; 
-  }
-<% end %>
+  <%= magic_render("nginx/media_cache_server") %>
 
   try_files $uri/index.html $uri @thin_<%= fetch(:application) %>_<%= fetch(:stage) %>;
 
@@ -250,21 +157,7 @@ server {
     proxy_set_header      X-Forwarded-Proto  $scheme;
     proxy_set_header      Host               $host:$server_port;
     proxy_redirect        off;
-    <% if fetch(:proxy_cache_rails) %>
-    # cache rails actions (need public header)
-    proxy_cache           <%= fetch(:proxy_cache_rails_name) %>;
-    proxy_cache_lock      on;
-    <% if fetch(:proxy_cache_rails_200) %>
-    proxy_cache_valid     200 302           <%= fetch(:proxy_cache_rails_200) %>;
-    <% end %>
-    <% if fetch(:proxy_cache_rails_404) %>
-    proxy_cache_valid     404               <%= fetch(:proxy_cache_rails_404) %>;
-    <% end %>
-    proxy_cache_use_stale <%= Array( fetch(:proxy_cache_rails_stale) ).join(" ") %>;
-    proxy_ignore_headers  Set-Cookie;
-    proxy_cache_bypass    $http_bypass_proxy;
-    add_header            X-Cache-Status    $upstream_cache_status;
-    <% end %>
+    <%= magic_render("nginx/rails_cache_server") %>
     # pass request to thin upstream
     proxy_pass            http://thin_<%= fetch(:application) %>_<%= fetch(:stage) %>_cluster;
   }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: magic_recipes_two
 version: !ruby/object:Gem::Version
-  version: 0.0.66
+  version: 0.0.67
 platform: ruby
 authors:
 - Torsten Wetzel
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-04-27 00:00:00.000000000 Z
+date: 2017-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -80,6 +80,20 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.4.0
+- !ruby/object:Gem::Dependency
+  name: capistrano-rvm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.1.2
 - !ruby/object:Gem::Dependency
   name: capistrano-postgresql
   requirement: !ruby/object:Gem::Requirement
@@ -138,6 +152,7 @@ files:
 - lib/capistrano/magic_recipes/exception_pages.rb
 - lib/capistrano/magic_recipes/inform_slack.rb
 - lib/capistrano/magic_recipes/lets_encrypt.rb
+- lib/capistrano/magic_recipes/logs.rb
 - lib/capistrano/magic_recipes/monit.rb
 - lib/capistrano/magic_recipes/nginx.rb
 - lib/capistrano/magic_recipes/redis.rb
@@ -150,6 +165,7 @@ files:
 - lib/capistrano/tasks/exception_pages.rake
 - lib/capistrano/tasks/inform_slack.rake
 - lib/capistrano/tasks/lets_encrypt.rake
+- lib/capistrano/tasks/logs.rake
 - lib/capistrano/tasks/monit.rake
 - lib/capistrano/tasks/monit_sidekiq.rake
 - lib/capistrano/tasks/nginx.rake
@@ -160,12 +176,19 @@ files:
 - lib/generators/capistrano/magic_recipes/templates/capistrano3_nginx_conf.erb
 - lib/generators/capistrano/magic_recipes/templates/monit/monitrc.erb
 - lib/generators/capistrano/magic_recipes/templates/monit/nginx.erb
+- lib/generators/capistrano/magic_recipes/templates/monit/nginx_conf.erb
 - lib/generators/capistrano/magic_recipes/templates/monit/postgresql.erb
 - lib/generators/capistrano/magic_recipes/templates/monit/redis.erb
 - lib/generators/capistrano/magic_recipes/templates/monit/sidekiq.erb
 - lib/generators/capistrano/magic_recipes/templates/monit/thin.erb
 - lib/generators/capistrano/magic_recipes/templates/monit/website.erb
 - lib/generators/capistrano/magic_recipes/templates/nginx.conf.erb
+- lib/generators/capistrano/magic_recipes/templates/nginx/diffie_hellman.erb
+- lib/generators/capistrano/magic_recipes/templates/nginx/media_cache_path.erb
+- lib/generators/capistrano/magic_recipes/templates/nginx/media_cache_server.erb
+- lib/generators/capistrano/magic_recipes/templates/nginx/rails_cache_path.erb
+- lib/generators/capistrano/magic_recipes/templates/nginx/rails_cache_server.erb
+- lib/generators/capistrano/magic_recipes/templates/nginx/remove_www.erb
 - lib/generators/capistrano/magic_recipes/templates/postgresql.yml.erb
 - lib/generators/capistrano/magic_recipes/templates/secrets_yml.erb
 - lib/generators/capistrano/magic_recipes/templates/thin_app_yml.erb