├── alpine-rails-nginx ├── etc │ ├── nginx │ │ ├── redirects.conf │ │ ├── static-content.conf │ │ ├── dynamic-content.conf │ │ ├── server.conf │ │ ├── ssl.conf │ │ └── nginx.conf │ ├── sv │ │ ├── nginx │ │ └── rails │ └── runit │ │ └── 1 ├── apk-packages ├── nginx.patch ├── Dockerfile ├── example-rails-template.rb └── install-nginx.sh ├── alpine-ruby ├── etc │ └── runit │ │ ├── 1 │ │ ├── 2 │ │ └── 3 ├── sbin │ ├── strict-mode.sh │ └── setup-directories.sh ├── apk-packages └── Dockerfile ├── .gitignore ├── alpine-aws └── Dockerfile └── README.md
/alpine-rails-nginx/etc/nginx/redirects.conf:
--------------------------------------------------------------------------------
# Empty in this repository. server.conf includes this file last, so anything
# added here applies to the server block that includes server.conf.

--------------------------------------------------------------------------------
/alpine-ruby/etc/runit/1:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# runit stage 1 (one-time boot tasks): nothing to do in the base image.
# alpine-rails-nginx ships its own etc/runit/1, which its `COPY etc /etc`
# places over this one.

--------------------------------------------------------------------------------
/alpine-ruby/etc/runit/3:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# runit stage 3 (shutdown tasks): nothing to do.

--------------------------------------------------------------------------------
/alpine-ruby/etc/runit/2:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# runit stage 2: hand over to runsvdir, which supervises the service
# directories found under /etc/service.
exec runsvdir -P /etc/service
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*.sw[op]
.DS_Store

# Ignore example rails application
/alpine-rails-nginx/example
--------------------------------------------------------------------------------
/alpine-rails-nginx/etc/sv/nginx:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Run nginx in the foreground ('daemon off;') so the supervisor can track it.
# chpst -u switches to the nginx user before nginx is exec'd, so the nginx
# master process is unprivileged too, not only its workers.
# NOTE(review): presumably this is why nginx.conf listens on 8080 rather than
# a privileged port; confirm.
exec chpst -u nginx nginx -c /etc/nginx/nginx.conf -g 'daemon off;'
--------------------------------------------------------------------------------
/alpine-rails-nginx/etc/sv/rails:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

cd /opt/rails
# Start the Procfile's "web" entry as the rails user.
# NOTE(review): the Procfile value is spliced into a string that is then
# eval'd, so the shell running this script parses any shell syntax in it
# before chpst switches to the rails user. Treat the Procfile as trusted
# build input.
# NOTE(review): YAML.load_file on the Ruby pinned in alpine-ruby/apk-packages
# (2.4.1) is the full loader; YAML.safe_load(File.read("Procfile")) would be
# enough for a flat key/value file. Confirm before changing.
eval "exec chpst -u rails -- $(ruby -r yaml -e 'puts YAML.load_file("Procfile").fetch("web")')"
--------------------------------------------------------------------------------
/alpine-rails-nginx/apk-packages:
--------------------------------------------------------------------------------
# Read by alpine-rails-nginx/Dockerfile: comments and blank lines are stripped
# with sed, spaces removed with tr, and each name=version is passed to `apk add`.

# nginx build dependencies
linux-headers = 4.4.6-r2
pcre-dev = 8.40-r2

# service runtime dependencies
acl = 2.2.52-r3
libffi-dev = 3.2.1-r3
libxml2-dev = 2.9.4-r4
libxslt-dev = 1.1.29-r3
nodejs = 6.10.3-r0
runit = 2.1.2-r3
--------------------------------------------------------------------------------
/alpine-aws/Dockerfile:
--------------------------------------------------------------------------------
# dkubb/alpine-aws

FROM alpine:3.6
MAINTAINER Dan Kubb

# Upgrade system dependencies
# NOTE(review): `apk upgrade --available` installs whatever the repository
# serves at build time, so two builds of this file can differ even though
# py2-pip and awscli are pinned below.
RUN apk upgrade --update-cache --available

# Install system dependencies
RUN apk add py2-pip=9.0.1-r1

# Install aws cli
# NOTE(review): awscli is version-pinned, but its transitive dependencies are
# resolved at build time and nothing is hash-checked (pip's --require-hashes
# mode needs a requirements file). Confirm whether that matters for this image.
RUN umask 022 && pip install awscli==1.11.109
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# dkubb Dockerfiles

A collection of Dockerfile configurations.

## Requirements

* [Ruby 2.2.4+](https://www.ruby-lang.org/en/downloads/)
* [Rails 4.2.5+](https://rubygems.org/gems/rails)

## Quickstart

```bash
# Build and run an example rails application
./build.sh && docker run --interactive --tty --rm --sig-proxy --publish 80:8080 dkubb/alpine-rails-nginx/example
```
--------------------------------------------------------------------------------
/alpine-rails-nginx/etc/nginx/static-content.conf:
--------------------------------------------------------------------------------
# Included by server.conf in the /opensearch.xml, @rails and /status locations.
# NOTE(review): because @rails includes this file, every proxied Rails response
# outside /login and /signup is sent with "Cache-Control: public" and only
# GET/HEAD/OPTIONS are accepted there. Confirm that is intended for pages that
# depend on the logged-in user and for form posts to other paths.

# Default static content to be cached for 1 day
expires 1d;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
add_header Pragma "public";

# Reject any method other than GET, HEAD and OPTIONS with 405
if ($request_method !~ ^(GET|HEAD|OPTIONS)$) {
  more_set_headers 'Allow: GET,HEAD,OPTIONS';
  return 405;
}

# Answer OPTIONS directly with the allowed methods
if ($request_method = OPTIONS) {
  more_set_headers 'Allow: GET,HEAD,OPTIONS';
  return 204;
}
--------------------------------------------------------------------------------
/alpine-rails-nginx/etc/nginx/dynamic-content.conf:
--------------------------------------------------------------------------------
# Included by server.conf in the /login and /signup location.

# Disable caching for dynamic content
expires off;

# Rate Limit
# The "dynamic" zone is declared in nginx.conf and keyed on $binary_remote_addr.
limit_req zone=dynamic burst=5 nodelay;

# NOTE(review): $no_cache is assigned below, but none of the configuration
# files shown passes it to proxy_no_cache or proxy_cache_bypass, and the
# location that includes this file does not enable proxy_cache, so the
# variable appears to be unused.

# Cache all requests by default
if ($no_cache = '') {
  set $no_cache 0;
}

# Do not cache non-GET requests
if ($request_method != GET) {
  set $no_cache 1;
}

# Do not cache if it contains a query string
if ($query_string != "") {
  set $no_cache 1;
}
--------------------------------------------------------------------------------
/alpine-rails-nginx/nginx.patch:
--------------------------------------------------------------------------------
1 | --- src/http/ngx_http_special_response.c 2 | +++ src/http/ngx_http_special_response.c 3 |
@@ -19,21 +19,18 @@ 4 | 5 | 6 | static u_char ngx_http_error_full_tail[] = 7 | -"
" NGINX_VER "
" CRLF 8 | "" CRLF 9 | "" CRLF 10 | ; 11 | 12 | 13 | static u_char ngx_http_error_build_tail[] = 14 | -"
" NGINX_VER_BUILD "
" CRLF 15 | "" CRLF 16 | "" CRLF 17 | ; 18 | 19 | 20 | static u_char ngx_http_error_tail[] = 21 | -"
nginx
" CRLF 22 | "" CRLF 23 | "" CRLF 24 | ; 25 | -------------------------------------------------------------------------------- /alpine-rails-nginx/etc/runit/1: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Setup acl to allow nginx and user read-only access to /opt 4 | setfacl --modify u:nginx:rX,u:rails:rX /opt 5 | 6 | # Setup acl to allow nginx user read-only access to socket and content 7 | setfacl --modify u:nginx:rX /opt/rails 8 | setfacl --modify u:nginx:rX --recursive /opt/rails/public /var/run/rails 9 | 10 | # Setup acl to allow user to execute commands owned by root 11 | setfacl --modify u:rails:rX /usr/bin/bundle 12 | setfacl --modify u:nginx:rX /usr/local/sbin/nginx 13 | 14 | # Trigger acl update application in aufs 15 | find / >/dev/null 16 | -------------------------------------------------------------------------------- /alpine-ruby/sbin/strict-mode.sh: -------------------------------------------------------------------------------- 1 | # Reference: 2 | # http://www.davidpashley.com/articles/writing-robust-shell-scripts/ 3 | # http://kvz.io/blog/2013/11/21/bash-best-practices/ 4 | # http://redsymbol.net/articles/unofficial-bash-strict-mode/ 5 | 6 | set -o errexit # Exit when an expression fails 7 | set -o pipefail # Exit when a command in a pipeline fails 8 | set -o nounset # Exit when an undefined variable is used 9 | set -o noglob # Disable shell globbing 10 | set -o noclobber # Disable automatic file overwriting 11 | set -o posix # Ensure posix semantics 12 | 13 | IFS=$'\n\t' # Set default field separator to not split on spaces 14 | 15 | umask 0077 16 | -------------------------------------------------------------------------------- /alpine-ruby/apk-packages: -------------------------------------------------------------------------------- 1 | # system runtime dependencies 2 | alpine-base = 3.6.2-r0 3 | alpine-baselayout = 3.0.4-r0 4 | alpine-conf = 3.6.0-r0 5 | apk-tools = 2.7.1-r1 
busybox = 1.26.2-r5
busybox-initscripts = 3.1-r1
busybox-suid = 1.26.2-r5
musl = 1.1.16-r9
musl-utils = 1.1.16-r9
openrc = 0.24.1-r2

# dockerfile build dependencies
# NOTE(review): alpine-sdk (the compiler toolchain) and the *-dev packages are
# installed into the image itself; no later `apk del` or multi-stage build is
# visible, so they remain available at runtime.
alpine-sdk = 0.5-r0
bash = 4.3.48-r1
curl = 7.54.0-r0

# service runtime dependencies
libressl-dev = 2.5.4-r0
ruby = 2.4.1-r3
ruby-bigdecimal = 2.4.1-r3
ruby-dev = 2.4.1-r3
ruby-io-console = 2.4.1-r3
ruby-irb = 2.4.1-r3
--------------------------------------------------------------------------------
/alpine-ruby/sbin/setup-directories.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Usage: setup-directories.sh USER PERMS DIRECTORY...
#
# Creates each DIRECTORY if it is missing, gives it (recursively) to USER, and
# reduces its mode to owner-only access. PERMS is the set of r/w letters the
# owner keeps ("r" or "rw" in the Dockerfiles shown); group and other end up
# with no read, write or execute bits.
# NOTE(review): PERMS is interpolated into the chmod mode string unvalidated;
# the callers shown only pass r or rw.

user="$1"
perms="$2"
directories=("${@:3}")

for directory in "${directories[@]}"; do
  # Create the directory if it does not exist
  # (no -p: a missing parent directory makes mkdir fail)
  [ -d "$directory" ] || mkdir -- "$directory"

  # Set the directory to be owned by user and default group
  chown --recursive "$user:" -- "$directory"

  # Remove read/write perms for all
  # Set the file specified perms by the owner
  # Set the file to be executable by the owner if any execute bit is set
  # Set the directory to be executable by the owner
  # Remove executable permissions for group and other
  chmod -R "a-rw,u+${perms}X,go-x" -- "$directory"

  # Set the directory sticky bit
  chmod +t -- "$directory"
done
--------------------------------------------------------------------------------
/alpine-rails-nginx/etc/nginx/server.conf:
--------------------------------------------------------------------------------
# Included inside the www.example.com server block of nginx.conf.

# Set the document root
root /opt/rails/public;

# Prefer the static files before proxying to the app
try_files $uri @rails;

# Cache assets for 1 year
location /assets/ {
  expires 1y;
}

# Serve opensearch.xml with special content type
location = /opensearch.xml {
  more_set_headers
'Content-Type: application/opensearchdescription+xml';
  include static-content.conf;
}

# Handle requests for dynamic content
# Only /login and /signup are proxied without the cache and with rate limiting.
location ~ ^/(?:login|signup)/?$ {
  proxy_pass http://rails;
  include dynamic-content.conf;
}

# Handle requests for cacheable content
# NOTE(review): everything else that reaches Rails goes through the shared
# "cacheable" proxy cache. No proxy_cache_key is set in the files shown, so
# the key does not vary per user unless one is configured elsewhere; responses
# that depend on the session need the application to mark them private or
# non-cacheable. Confirm.
location @rails {
  proxy_pass http://rails;
  proxy_cache cacheable;
  include static-content.conf;
}

# Handle nginx stub status
# NOTE(review): allow/deny is evaluated against the client address after the
# realip rewrite configured in nginx.conf (X-Forwarded-For from the private
# ranges), so this restriction is only as strong as the proxies that set that
# header. Confirm the trusted ranges are limited to them.
location = /status {
  stub_status;
  allow 127.0.0.1;
  deny all;
  include static-content.conf;
}

# Deny access to paths with leading dots
location ~ /\. {
  deny all;
}

include redirects.conf;
--------------------------------------------------------------------------------
/alpine-rails-nginx/etc/nginx/ssl.conf:
--------------------------------------------------------------------------------
# NOTE(review): no file shown includes ssl.conf, and both server blocks in
# nginx.conf listen on plain 8080; presumably TLS is terminated in front of
# this container or a derived image includes this file. Confirm.

# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). If no legacy
# clients depend on them, restrict this to TLSv1.2 and prune the CBC/SHA-1 and
# DSS suites from the cipher list to match.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# NOTE(review): the list contains DHE suites but no ssl_dhparam directive is
# visible; check whether DHE key exchange is actually available with this build.
ssl_ciphers 'ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;

ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

# NOTE(review): ssl_stapling_verify needs the issuer chain configured as
# trusted (ssl_trusted_certificate); that directive is not in the files shown.
ssl_stapling on;
ssl_stapling_verify on;

# NOTE(review): names nginx resolves at runtime are looked up through these
# public resolvers; a resolver inside the deployment's own network may be
# preferable. Confirm.
resolver 8.8.8.8 8.8.4.4;

# Enable Strict Transport Security (HSTS) (requires ngx_headers_more extension)
# NOTE(review): includeSubDomains and preload commit every subdomain to HTTPS
# for a year and are slow to undo; confirm that is intended before reuse.
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
# Work-around for BREACH attack: http://breachattack.com/
# NOTE(review): nginx.conf turns gzip on for the whole http block with
# `gzip_proxied any`; this line only disables it in the contexts that include
# ssl.conf.
gzip off;
--------------------------------------------------------------------------------
/alpine-rails-nginx/Dockerfile:
--------------------------------------------------------------------------------
# dkubb/alpine-rails-nginx
#
# No USER instruction is set here: the container starts through the ENTRYPOINT
# inherited from dkubb/alpine-ruby, and the nginx and rails services switch to
# their own users with chpst in /etc/sv/*.

# NOTE(review): the base image is referenced without a tag or digest, so each
# build uses whatever dkubb/alpine-ruby currently resolves to.
FROM dkubb/alpine-ruby
MAINTAINER Dan Kubb

ENV BUNDLE_GEMFILE=/opt/rails/Gemfile

COPY etc /etc

# Upgrade installed system dependencies
# (strip comments and blank lines, remove spaces, pass name=version to apk)
COPY apk-packages /tmp/
RUN sed 's/#.*$//;/^$/d' /tmp/apk-packages \
  | tr -d ' ' \
  | xargs apk add --update-cache \
  && rm /tmp/apk-packages

# Create system users
# busybox adduser: -D no password, -S system account, -H no home directory
RUN adduser -DSH nginx \
  && adduser -DS rails

# Create system directories and service symlinks
# Service directories are owned by root and read-only; each service user gets
# write access only to its own run, cache, log and tmp directories.
RUN setup-directories.sh root r /etc/service/nginx /etc/service/rails \
  && setup-directories.sh nginx rw /var/run/nginx /var/cache/nginx /var/log/nginx \
  && setup-directories.sh rails r /opt/rails \
  && setup-directories.sh rails rw /var/run/rails /opt/rails/log /opt/rails/tmp \
  && ln -s /etc/sv/nginx /etc/service/nginx/run \
  && ln -s /etc/sv/rails /etc/service/rails/run

# Install nginx
# The sources are removed in the same RUN step that builds them.
COPY install-nginx.sh nginx.patch /usr/local/src/
RUN /usr/local/src/install-nginx.sh \
  && setup-directories.sh nginx r /etc/nginx \
  && rm -rf /usr/local/src

# Setup bundler for application
RUN cp --recursive ~/.bundle /opt/rails \
  && setup-directories.sh rails r /opt/rails/.bundle
--------------------------------------------------------------------------------
/alpine-ruby/Dockerfile:
--------------------------------------------------------------------------------
# dkubb/alpine-ruby

# NOTE(review): pinned by tag only; a digest pin (alpine:3.6@sha256:<digest>)
# would fix the exact base layers.
FROM alpine:3.6
MAINTAINER Dan Kubb

# Upgrade installed system dependencies
COPY apk-packages /tmp/
RUN sed 's/#.*$//;/^$/d' /tmp/apk-packages \
  | tr -d ' ' \
  | xargs apk add --update-cache \
  && rm
/tmp/apk-packages

COPY etc /etc
COPY sbin /usr/local/sbin

# Enable strict mode
# NOTE(review): bash reads BASH_ENV when it is started as `bash`. RUN steps go
# through /bin/sh, which the next instruction points at bash, and bash invoked
# under the name `sh` does not read BASH_ENV. Strict mode therefore likely
# applies to the bash scripts (setup-directories.sh, install-nginx.sh, the
# runit scripts) but not to the RUN command lines themselves. Confirm.
ENV BASH_ENV=/usr/local/sbin/strict-mode.sh

# Replace default sh command
RUN ln -sfv /bin/bash /bin/sh

# Create system directories and service symlinks
RUN setup-directories.sh root r /opt /etc/runit /etc/sv /etc/service \
  && ln -s /etc/service /service

# Upgrade rubygems and bundler
# umask 0022 is set so the installed files are readable by non-root users.
RUN echo 'gem: --no-document' > ~/.gemrc \
  && umask 0022 \
  && gem update --system 2.6.12 \
  && gem install bundler --version 1.15.0

# Setup bundler for the root user
# `frozen` makes bundler refuse to install when Gemfile.lock would change;
# `without` skips the development and test groups.
RUN bundle config --global build.nokogiri '--use-system-libraries' \
  && bundle config --global disable_shared_gems '1' \
  && bundle config --global frozen '1' \
  && bundle config --global jobs '8' \
  && bundle config --global path 'vendor/bundle' \
  && bundle config --global without 'development:test'

# Set the entrypoint for children docker images
# runit runs as the container's first process; no USER instruction precedes it.
ENTRYPOINT ["/sbin/runit"]
--------------------------------------------------------------------------------
/alpine-rails-nginx/example-rails-template.rb:
--------------------------------------------------------------------------------
# Rails application template for the example app: adds gems and writes the
# puma configuration, Procfile, postgres service script and Dockerfile.
gem 'json'
gem 'nokogiri'
gem 'puma'
gem 'tzinfo-data'

# Puma binds only to a unix socket under /var/run/rails; nginx reaches it
# through the `upstream rails` block in nginx.conf.
file 'config/puma.rb', <<-'PUMA_CONFIG'
directory '/opt/rails'
rackup '/opt/rails/config.ru'
environment ENV.fetch('RAILS_ENV')

bind 'unix:///var/run/rails/server.sock'

workers 3
threads 0, 4

preload_app!

on_worker_boot do
  ActiveSupport.on_load(:active_record) do
    ActiveRecord::Base.establish_connection
  end

  Rails.cache.try(:reset)
end
PUMA_CONFIG

# The "web" entry is what /etc/sv/rails reads from the Procfile and executes
# as the rails user.
file 'Procfile', <<-'PROCFILE'
web: bundle exec puma --quiet --config config/puma.rb
PROCFILE

# runit service script for postgres; it switches to the postgres user with chpst.
file 'config/postgres.sh', <<-'POSTGRES'
#!/usr/bin/env bash

cd $PGDATA
exec chpst -u postgres postgres
POSTGRES

# Example image: Rails, nginx and PostgreSQL in one container.
# NOTE(review) on the Dockerfile written below; this is an example setup, so
# check each point before reusing it:
# - RAILS_ENV=development is baked into the image.
# - The extra apk repository is the rolling "edge" branch fetched over plain
#   HTTP; presumably the exact version pin stops resolving once edge moves on,
#   and integrity rests on apk's own signature checks. Confirm.
# - initdb uses --auth-local=trust, so any local user in the container can
#   connect over the unix socket as any database role without a password;
#   --auth-host=reject refuses TCP connections. `peer` would tie roles to OS users.
# - `until timeout -t 180 bundle; do :; done` retries without limit, so a
#   persistent failure never ends the build.
# - `COPY . /opt/rails` copies the whole build context; a .dockerignore keeps
#   local credentials and .git out of the image.
file 'Dockerfile', <<-'DOCKERFILE'
FROM dkubb/alpine-rails-nginx
MAINTAINER Dan Kubb

ENV RAILS_ENV=development \
    PGDATA=/var/db/postgresql/data

RUN apk add --update-cache --repository http://dl-4.alpinelinux.org/alpine/edge/main/ \
    postgresql-dev=9.6.3-r0 \
    postgresql=9.6.3-r0 \
  && chown postgres: /usr/bin/postgres \
  && chmod 0700 /usr/bin/postgres

COPY config/postgres.sh /etc/sv/postgres
RUN setup-directories.sh root r /etc/service/postgres \
  && setup-directories.sh postgres rw "$(dirname "$PGDATA")" "$PGDATA" /run/postgresql \
  && chmod u+x /etc/sv/postgres \
  && ln -s /etc/sv/postgres /etc/service/postgres/run

# Setup database and user
USER postgres

RUN pg_ctl initdb -o '--auth-host=reject --auth-local=trust --encoding=UTF-8 --no-locale' \
  && pg_ctl start -w \
  && createuser rails \
  && createdb --owner rails example_development \
  && pg_ctl stop

USER root

# Install gem dependencies
COPY Gemfile* /opt/rails/
RUN until timeout -t 180 bundle; do :; done \
  && setup-directories.sh rails r /opt/rails

COPY .
/opt/rails
RUN setup-directories.sh rails r /opt/rails \
  && setup-directories.sh rails rw /opt/rails/log /opt/rails/tmp
DOCKERFILE
--------------------------------------------------------------------------------
/alpine-rails-nginx/install-nginx.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Downloads nginx, the headers-more module and LibreSSL, checks each archive
# against a pinned SHA-256, applies nginx.patch and builds a static nginx.
#
# NOTE(review): the nginx and LibreSSL archives are fetched over plain HTTP,
# so the pinned hashes below are the only integrity control; upstream
# signatures are not checked. When bumping a version, take the new hash from
# a channel you trust, not from the same download.
# NOTE(review): the script sets no errexit of its own; it presumably relies on
# the strict mode loaded through BASH_ENV to stop when a verification fails.
# Confirm.

NGINX_VERSION=1.13.1
NGINX_HASH=a5856c72a6609a4dc68c88a7f3c33b79e6693343b62952e021e043fe347b6776
NGINX_HEADERS_MORE_VERSION=0.32
NGINX_HEADERS_MORE_HASH=c6d9dab8ea1fc997031007e2e8f47cced01417e203cd88d53a9fe9f6ae138720
LIBRESSL_VERSION=2.5.4
LIBRESSL_HASH=107a5b522fbb8318d4c3be668075e5e607296f0a9255d71674caa94571336efa

# verified_curl URL FILE SHA256
# Downloads URL to FILE, verifies FILE against SHA256, and only then extracts
# it; the && chain means a failed download or hash mismatch skips extraction.
# `>|` overrides noclobber (set by strict-mode.sh). url, file and sha256_hash
# are not declared local, so they are global variables.
function verified_curl {
  url="$1"
  file="$2"
  sha256_hash="$3"
  curl --silent --fail --location "$url" >| "$file" \
    && echo "$sha256_hash $file" | sha256sum -cs \
    && tar xf "$file"
}

cd "$(dirname "$0")" || exit 1

verified_curl \
  "http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" \
  "nginx-$NGINX_VERSION.tar.gz" \
  "$NGINX_HASH"

verified_curl \
  "https://github.com/openresty/headers-more-nginx-module/archive/v$NGINX_HEADERS_MORE_VERSION.tar.gz" \
  "headers-more-nginx-module-$NGINX_HEADERS_MORE_VERSION.tar.gz" \
  "$NGINX_HEADERS_MORE_HASH"

verified_curl \
  "http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-$LIBRESSL_VERSION.tar.gz" \
  "libressl-$LIBRESSL_VERSION.tar.gz" \
  "$LIBRESSL_HASH"

cd nginx-$NGINX_VERSION || exit 1

# Patch nginx source
# nginx.patch edits the footer strings of the built-in error pages.
# NOTE(review): the patch path is resolved from $0 after the working directory
# has changed, so it only works when the script is invoked by absolute path,
# as the Dockerfile does.
patch --strip 0 < "$(dirname "$0")/nginx.patch"

# Configure nginx
# Statically linked against the LibreSSL tree unpacked above; unused modules
# are compiled out with the --without-* flags.
./configure \
  --with-cc-opt="-static -static-libgcc" \
  --with-ld-opt="-static" \
  --with-cpu-opt=generic \
  --prefix=/usr/local/nginx \
  --sbin-path=/usr/local/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --http-client-body-temp-path=/var/cache/nginx/client_body_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --user=nginx \
  --group=nginx \
  --add-module=/usr/local/src/headers-more-nginx-module-$NGINX_HEADERS_MORE_VERSION \
  --with-http_gzip_static_module \
  --with-http_realip_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_v2_module \
  --with-openssl=/usr/local/src/libressl-$LIBRESSL_VERSION \
  --without-http_auth_basic_module \
  --without-http_autoindex_module \
  --without-http_browser_module \
  --without-http_empty_gif_module \
  --without-http_fastcgi_module \
  --without-http_geo_module \
  --without-http_map_module \
  --without-http_memcached_module \
  --without-http_referer_module \
  --without-http_scgi_module \
  --without-http_split_clients_module \
  --without-http_ssi_module \
  --without-http_upstream_ip_hash_module \
  --without-http_upstream_least_conn_module \
  --without-http_userid_module \
  --without-http_uwsgi_module \
  --without-mail_imap_module \
  --without-mail_pop3_module \
  --without-mail_smtp_module \
  --without-select_module

# NOTE(review): LibreSSL is compiled into the binary (static link), so a TLS
# library fix reaches the image only by bumping LIBRESSL_VERSION and its hash
# and rebuilding; a package upgrade will not update it.

# Install nginx
make install
--------------------------------------------------------------------------------
/alpine-rails-nginx/etc/nginx/nginx.conf:
--------------------------------------------------------------------------------
# Pass PATH through to nginx's environment and set TZ to utc.
env PATH;
env TZ=utc;

worker_processes auto;

events {
  worker_connections 1024;
}

http {
  # Do not leak application information
  # The Server and X-Powered-By headers are removed, and nginx.patch edits the
  # footer of the built-in error pages. This hides version details only; it is
  # not a substitute for keeping the pinned nginx version current.
  server_tokens off;
  more_clear_headers Server X-Powered-By;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;

  keepalive_timeout 300;

  include mime.types;
default_type application/octet-stream;

  types {
    image/icns icns;
    application/font-sfnt ttf otf;
  }

  source_charset utf-8;
  charset utf-8;
  charset_types text/plain text/css application/javascript application/json text/xml application/xml application/xml+rss image/svg+xml;

  # NOTE(review): compression is enabled for proxied responses as well
  # (gzip_proxied any). ssl.conf turns gzip off as a BREACH work-around, but
  # only where that file is included; if TLS is terminated in front of this
  # container the same concern applies to responses compressed here.
  gzip on;
  gzip_vary on;
  gzip_static on;
  gzip_proxied any;
  gzip_comp_level 9;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/javascript application/json text/xml application/xml application/xml+rss image/svg+xml image/icns image/x-icon application/font-sfnt application/vnd.ms-fontobject;

  # Take the client address from X-Forwarded-For when the connection comes
  # from a private range.
  # NOTE(review): all three private ranges are trusted, so any host in them
  # that can reach port 8080 can state the client address that the rate limit
  # below, the allow/deny rule in server.conf and the X-Real-IP header rely
  # on. Narrow set_real_ip_from to the actual proxy or load balancer addresses.
  real_ip_header X-Forwarded-For;
  set_real_ip_from 10.0.0.0/8;
  set_real_ip_from 172.16.0.0/12;
  set_real_ip_from 192.168.0.0/16;
  real_ip_recursive on;

  # Rate limit zone used by dynamic-content.conf, keyed on the client address
  limit_req_zone $binary_remote_addr zone=dynamic:10m rate=10r/s;

  proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
  proxy_cache_lock on;
  proxy_cache_revalidate on;
  proxy_intercept_errors on;
  proxy_http_version 1.1;
  # NOTE(review): $scheme is the scheme of the connection to this nginx. Both
  # server blocks listen without TLS, so X-Forwarded-Proto is presumably always
  # "http" even when a front proxy terminated HTTPS. Confirm what Rails expects.
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Request-Start "t=${msec}";
  proxy_set_header Connection "";

  # Storage for the "cacheable" zone used by location @rails in server.conf
  proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=cacheable:10m inactive=24h max_size=1g;

  merge_slashes off;

  if_modified_since before;

  # Security response headers, added to every response
  # NOTE(review): the CSP allows only same-origin scripts, styles, images, fonts
  # and connections, and forbids framing. X-XSS-Protection targets a legacy
  # browser filter, so the CSP is the control that matters in current browsers.
  more_set_headers "Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; frame-ancestors 'none'";
  more_set_headers "X-Content-Type-Options: nosniff";
  more_set_headers "X-Frame-Options: deny";
  more_set_headers "X-XSS-Protection: 1; mode=block";

  # Static error pages, served from the document root
  error_page 500 /500.html;
error_page 502 /502.html;
  error_page 503 /503.html;
  error_page 504 /504.html;

  # Catch-all domain
  # Requests for any other host name are redirected to the canonical host, so
  # an arbitrary Host header never reaches the application through this block.
  # NOTE(review): $scheme is the scheme seen by this nginx (plain HTTP on
  # 8080); if TLS is terminated in front of the container this redirect
  # presumably points clients at http://. Confirm.
  server {
    listen 8080 default_server;
    listen [::]:8080 default_server;

    return 301 $scheme://www.example.com$request_uri;
  }

  # http://www.example.com
  server {
    listen 8080;
    listen [::]:8080;

    server_name www.example.com;

    include server.conf;
  }

  # The Rails application server (puma), reached over a unix socket only
  upstream rails {
    server unix:///var/run/rails/server.sock;
    keepalive 12;
  }
}
--------------------------------------------------------------------------------