This repository has been archived by the owner on Dec 31, 2022. It is now read-only.

How to customize nginx conf? #189

Closed
krzkrzkrz opened this issue Aug 25, 2018 · 2 comments

Comments

krzkrzkrz commented Aug 25, 2018

At opsworks_ruby/templates/default/appserver.nginx.conf.erb, I have the following:

  1. Ability for the load balancer to perform health checks:
location /ping {
  access_log off;
  return 200;
}
  2. My load balancer uses the SSL certificate to terminate the connection and then decrypt requests from clients before sending them to the instances (also known as SSL termination).

Further details at https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/

Which also means that anyone landing on the following domains should be redirected to the https protocol. For example:

To achieve this, I have:

server {
  listen <%= @out[:port] %>; # Typically listens on port 80
  ...
  location @<%= @name %> {
    ...
    # Any request that did not originally come in to the ELB over HTTPS gets redirected
    if ($http_x_forwarded_proto != "https") {
      rewrite ^(.*)$ https://$server_name$1 permanent;
    }
    ...
  }
  ...
}
  3. To redirect the bare domain names to the https counterpart, i.e.:

I have the following:

# If request is made to the bare domain (i.e. domain-name.com)
# Issue a redirect 301 response
server {
  listen 80;
  server_name domain-name.com;

  location /ping {
    access_log off;
    return 200;
  }

  location / {
    return 301 https://www.$server_name$request_uri;

    # Add HTTP Strict Transport Security for good measure
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
  }
}

All seems to work so far. However, what I had to do was fork this repo and manually edit appserver.nginx.conf.erb to include all 3 definitions above, and then have my Berksfile install the cookbook from the forked version, i.e. cookbook 'opsworks_ruby', :git => 'https://github.com/git-user-name/opsworks_ruby.git'

Wondering if there is a more dynamic way of including these definitions so I wouldn't have to fork.
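The three fragments above can be folded into one plain nginx configuration that also fixes two things a practitioner would trip over: the `Strict-Transport-Security` header emitted on the plain-http 301 is ignored by browsers (RFC 6797 says a UA must discard HSTS received over a non-TLS connection), so it belongs only on responses the ELB received over https; and the per-request `if` on `$http_x_forwarded_proto` can be replaced by `map` blocks evaluated once. This is an added example, not the cookbook's template and not the poster's exact config; it assumes the ELB terminates TLS and forwards to port 80 with `X-Forwarded-Proto` set, that the `map` blocks live in the `http` context, and that the Rails app is reachable through a hypothetical upstream named `app`.

```nginx
# Added example (not from the opsworks_ruby cookbook). Assumes an ELB that
# terminates TLS and forwards to port 80 with X-Forwarded-Proto set, and a
# hypothetical upstream named "app" for the Rails app server.
# The two map blocks must sit in the http {} context, outside any server {}.

# Decide once per request whether to force https. A request that did not come
# through the ELB carries no X-Forwarded-Proto at all; the default branch
# treats it as plain http, which is the safe choice.
map $http_x_forwarded_proto $needs_https_redirect {
    default 1;
    https   0;
}

# HSTS only counts when the browser got the response over TLS (RFC 6797 8.1),
# so the value is empty unless the ELB reports the client used https.
# add_header does not emit a header whose value is an empty string.
map $http_x_forwarded_proto $hsts_value {
    default "";
    https   "max-age=31536000; includeSubDomains";
}

# Bare domain -> www. Redirect straight to the https www host so a plain-http
# hit on the bare domain costs one redirect instead of two.
server {
    listen 80;
    server_name domain-name.com;

    # ELB health checks hit the instance over plain http with no forwarded
    # headers; they must get 200, never 301, or the instance goes unhealthy.
    location = /ping {
        access_log off;
        return 200;
    }

    location / {
        return 301 https://www.domain-name.com$request_uri;
    }
}

server {
    listen 80;
    server_name www.domain-name.com;

    location = /ping {
        access_log off;
        return 200;
    }

    location / {
        # No-op on plain-http responses, active on TLS-terminated ones.
        add_header Strict-Transport-Security $hsts_value always;

        # "return" inside "if" is one of the forms nginx documents as safe.
        # $server_name is fixed by this block, so the target cannot be
        # steered by a client-supplied Host header.
        if ($needs_https_redirect) {
            return 301 https://$server_name$request_uri;
        }

        proxy_set_header Host $host;
        # Forwarding the scheme is what lets Rails force_ssl see "https";
        # drop it and Rails redirects again, producing a loop.
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_pass http://app;   # hypothetical upstream name
    }
}
```

Validate with `nginx -t` before reloading; if the ELB health check target is not `/ping`, the exact-match location must be changed to whatever path the target group probes, since a 301 there will take the instance out of service.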

ajgon (Owner) commented Sep 25, 2018

This is a good approach. The goal of this cookbook is to provide the most common, out-of-the-box configuration set. However, if requirements are more specific (like in this case), it should be customisable by manually forking and editing the necessary configuration files.

So if this solution works for you - go for it! 👍

The open question is whether we should add support for this to opsworks_ruby. I think force-redirect http to https is a good approach and should at least be available as a configuration option. I'll keep this ticket open for now and implement it as soon as I can.

Thank you!

olbrich (Contributor) commented Sep 26, 2018

It seems like a pretty common use case to force a redirect from http -> https. I'd like to see support for it.

ajgon added a commit that referenced this issue Oct 2, 2018
@ajgon ajgon closed this as completed in 6e23289 Oct 3, 2018
ajgon added a commit that referenced this issue Oct 3, 2018
ajgon added a commit that referenced this issue Oct 3, 2018
kpheasey pushed a commit to kpheasey/opsworks_ruby that referenced this issue Apr 11, 2019
kpheasey added a commit to kpheasey/opsworks_ruby that referenced this issue Apr 11, 2019
* add symlinks for node_modules and public/packs

* install node lts and yarn

* chore: Fixed broken docker build

Resolves ajgon#153

* fix(chef): Downgraded apt cookbook below version 7

The `ruby-ng` cookbook depends on the `apt` cookbook, which is not
compatible with Chef 12. The `apt` version needs to be set to <7.0.0 in
the metadata for now.

Unfortunately, berkshelf does not detect that the chef versions of the
cookbooks are incompatible.

Resolves ajgon#151

* install node lts and yarn

* fix(chef): Removed broken `deployer` cookbook

Resolves ajgon#155

* chore: Version bump

* feat(appserver): add additional puma configuration options

* Tell Puma to do a rolling restart instead of a stop/start on a deploy
* Allow Puma hooks to be defined in attributes
* Add default content to puma hooks
* stick with original stop/start cycle for puma and remove rolling restarts
* cleanup appserver.service script, allow after-deploy action to be configured
* handle default case for after_deploy properly
* feat(appserver): add additional puma configuration options

* fix(setup): Fixed `deployer` user setup

When setting up new user in Chef 12, a `manage_home true` setting is
required. This commit adds it back.

Fixes ajgon#159

* fix(appserver): moved env files creation to before_symlink phase

Fixes ajgon#157

* feat(ruby): introduced new `ruby-version` JSON parameter.

This removes a misleading `ruby-ng.ruby_version` parameter in favor of
new universal `ruby-version`. The problem was, that the old one was used
for both distributions (Ubuntu and Amazon Linux) while in fact,
`ruby-ng` was referring to Ubuntu-only cookbook.

The new parameter is distro-agnostic and cookbook-agnostic, clearly
speaking its intention.

Resolves ajgon#156

BREAKING CHANGE: If you were using `ruby-ng.ruby_version` JSON
configuration parameter in your stack/layer configuration, please change
it to `ruby-version`. Since `ruby-version` is set by default to the
freshest version of ruby available, you may end up with unexpected
upgrade of ruby on your system.

* chore: added github issue template

* chore: Version bump

* feat(appserver): support rails restart command on puma.

* fix: do not read pidfile at each stop retry (prevent from early pidfile deletion)

Fixes ajgon#163

* feat(db): added postgis driver

Resolves ajgon#165

* fix(framework): added environment variables context to bundle install

Fixes ajgon#167

* chore: Version bump

* fix: add Apache 2.4's "Require all granted" to apache2+passenger config file (ajgon#171)

* fix(webserver): add `X-Content-Type-Options: nosniff` to assets served by rails for extra security

* feat(webserver): hardened security headers, disabled tls1.0 and tls1.1 for non-legacy SSL config

BREAKING CHANGE: If you are using SSL in your project, TLSv1.0 and
TLSv1.1 have been disabled for all responses - only TLSv1.2 is served. If
you still need older ciphers, consider using
`app['webserver']['ssl_for_legacy_browsers']` configuration option.

* chore: Version bump

* feat(database): added aurora-postgres as an accepted engine for Postgres RDS

* feat(appserver): add port configuration

* feat(webserver): add support for `force_ssl` attribute

Resolves ajgon#189

* chore: Version bump

* fix(db): Fix typo for aurora postgresql

* feat(worker): Support Shoryuken worker library

Add support for Shoryuken job runner implemented on Amazon SQS https://github.com/phstc/shoryuken

* chore: Version bump

* fix: Lock the windows cookbook dependency to maintain chef 12 compatibility (ajgon#196)

* chore: gems update

* fix: Ensure shared/system dir is created (ajgon#197)

This directory is symlinked by default here:

https://github.com/ajgon/opsworks_ruby/blob/6e2328941996d98316657d7a52c98de6982068a5/attributes/default.rb#L21

But the directory is never created and we're left with a broken symlink.

* fix: register gpg public key for nginx on ubuntu18.04LTS (ajgon#201)

* fix(setup): added support for bundler 2.x and rubygems 3.x

Resolves ajgon#203

* feat(ruby): Added support for ruby 2.6

* feat(appserver): re-establish database connections when preloading app

More info: https://www.speedshop.co/2017/10/12/appserver.html#copy-on-write-behavior

Resolves ajgon#198

* fix(apache): fix infinite redirect loop on apache, when rails `force_ssl` is enabled

Fixes ajgon#206

* fix(nginx): add missing `nosniff` header for SSL sessions in nginx

* test: fix broken converges for apache tests

* fix(appserver): fixed Puma config compatibility with older versions of Puma

Resolves ajgon#207

* fix(webserver): Align SSL directory between template & driver

Webserver templates now get the SSL certificate path from driver options.

Resolves ajgon#205

* chore: update copyright information

* chore: Version bump

* fix(apache): fix apache serving assets rather than proxying to app server (ajgon#210)

* feat(apache): apache configuration to use appserver’s port provided in custom json

* fix(appserver): Compare lockfiles instead of main Gemfile

* fix(worker): adapted monit config for sidekiq 6.x

Fixes ajgon#215
dotnofoolin pushed a commit to dotnofoolin/opsworks_ruby that referenced this issue Nov 23, 2021
3 participants