| author | mo khan <mo@mokhan.ca> | 2017-01-16 22:12:58 -0700 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2017-01-16 22:12:58 -0700 |
| commit | bf1c0c2eba77564336ca8ff3ec03c21b2df60ae9 (patch) | |
| tree | 59339d45b61f4e8a4699bb1fda06566fd1725226 /config | |
| parent | 1977d2b3b2a7311e251f19d4629803f4900c871a (diff) | |
run nginx and haproxy via docker.
Diffstat (limited to 'config')
| -rw-r--r-- | config/environments/development.rb | 2 | ||||
| -rw-r--r-- | config/haproxy.cfg | 31 | ||||
| -rw-r--r-- | config/nginx.conf | 78 |
3 files changed, 110 insertions, 1 deletions
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 697ad10..c25db67 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -45,6 +45,7 @@ Rails.application.configure do
 # Suppress logger output for asset requests.
 config.assets.quiet = true
+ config.assets.prefix = "/dev-assets"
 # Raises error for missing translations
 # config.action_view.raise_on_missing_translations = true
@@ -57,5 +58,4 @@ Rails.application.configure do
 Bullet.enable = true
 Bullet.console = true
 end
- config.web_console.whitelisted_ips = "172.16.0.0/16"
 end
diff --git a/config/haproxy.cfg b/config/haproxy.cfg
new file mode 100644
index 0000000..f9836c4
--- /dev/null
+++ b/config/haproxy.cfg
@@ -0,0 +1,31 @@
+global
+ maxconn 4096
+ tune.ssl.default-dh-param 2048
+
+defaults
+ mode http
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+ option forwardfor
+ option http-server-close
+ stats enable
+ stats uri /stats
+ stats realm Haproxy\ Statistics
+ stats auth username:password
+
+frontend www-http
+ bind *:80
+ reqadd X-Forwarded-Proto:\ http
+ default_backend www-backend
+
+frontend www-https
+ bind *:443 ssl crt /usr/local/etc/haproxy/server.pem
+ reqadd X-Forwarded-Proto:\ https
+ default_backend www-backend
+
+backend www-backend
+ redirect scheme https if !{ ssl_fc }
+ balance roundrobin
+ server www1 www1:443 check ssl verify none
+ server www2 www2:443 check ssl verify none
diff --git a/config/nginx.conf b/config/nginx.conf
new file mode 100644
index 0000000..029b0c4
--- /dev/null
+++ b/config/nginx.conf
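Review bot: In config/haproxy.cfg the `stats enable` / `stats uri /stats` / `stats auth username:password` lines sit in `defaults`, so the stats page appears to be served by both `www-http` and `www-https` behind a literal, guessable credential, and on port 80 that Basic-auth header travels in clear text. I would move the four `stats` lines into their own `listen stats` section bound to a loopback or internal address and supply the credential at deploy time instead of committing it. Separately, `server www1 www1:443 check ssl verify none` (and `www2`) encrypts the backend hop but does not authenticate it; if the backends carry a certificate from a known CA, `verify required ca-file <path-to-ca.pem>` would close that gap.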
@@ -0,0 +1,78 @@
+user root;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 8096;
+ multi_accept on;
+ use epoll;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 15;
+
+ upstream backend {
+ server web:3000 fail_timeout=0;
+ }
+
+ server {
+ listen 80 deferred;
+ add_header Strict-Transport-Security max-age=15768000;
+ server_tokens off;
+ rewrite ^ https://$server_name$request_uri? permanent;
+ }
+
+ server {
+ listen 443 default_server ssl;
+ server_tokens off;
+ root /var/www/public;
+ ssl_certificate /etc/nginx/server.crt;
+ ssl_certificate_key /etc/nginx/server.key;
+
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+ add_header X-Frame-Options "DENY";
+
+ try_files $uri/index.html $uri @application;
+ location ^~ /assets/ {
+ gzip_static on;
+ expires max;
+ add_header Cache-Control public;
+ }
+ location /cable {
+ proxy_pass https://backend;
+ proxy_set_header X_FORWARDED_PROTO https;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header HOST $http_host;
+ proxy_set_header X-Url-Scheme $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ location @application {
+ proxy_set_header X_FORWARDED_PROTO https;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header HOST $http_host;
+ proxy_set_header X-Url-Scheme $scheme;
+ proxy_redirect off;
+ proxy_pass https://backend;
+ }
+
+ error_page 500 502 503 504 /500.html;
+ keepalive_timeout 10;
+ }
+} |
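Review bot: `user root;` on the first line of config/nginx.conf makes the worker processes, which parse every client request, run as root; the master process can still bind 80/443, so the workers should drop to an unprivileged account, e.g. `user nginx;` if the image provides one. In the 443 server, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers the two deprecated protocol versions and would be safer as `ssl_protocols TLSv1.2;`. Also note that `add_header Cache-Control public;` inside `location ^~ /assets/` replaces the server-level `add_header` set, so responses from that location go out without the `Strict-Transport-Security` and `X-Frame-Options` headers unless they are repeated there.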
