
nginx+passenger (real production config)


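server {
    # Only server on :80, so it is also the implicit default_server and
    # answers for any Host header.
    listen       80;
    server_name  *.host.com;

    # Plain HTTP does nothing but redirect to HTTPS. `return` avoids the
    # regex engine and $request_uri carries the query string, as the old
    # `rewrite ^(.*) https://$host$1 permanent;` did implicitly.
    # NOTE(review): $host is the client-supplied Host header and is echoed
    # straight into the Location header. If that matters (cache poisoning
    # via a shared cache in front of this), add a catch-all
    # `listen 80 default_server; return 444;` vhost and keep this one
    # strictly for *.host.com.
    return 301 https://$host$request_uri;

    # The former `location ~ \.(php|html)$ { deny all; }` was removed: a
    # server-level return/rewrite runs in the server rewrite phase, before
    # any location is selected, so that block could never be reached.

    # Redirect-only vhost, but keep the logs: a burst of odd Host values
    # or paths here is often the first sign of scanning, and /dev/null
    # leaves nothing for incident response.
    access_log /home/app/logs/nginx.access.log;
    error_log  /home/app/logs/nginx.error.log;
}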


# HTTPS server
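server {
  listen       443 default ssl;
  ssl          on;
  server_name  *.host.com;

  root /home/app/public_html/host_production/current/public;
  # Static file if present, else the maintenance page, else the Rails app.
  try_files $uri /system/maintenance.html @passenger;

  location @passenger {
    passenger_enabled on;
    passenger_min_instances 5;
    rails_env production;
    # TLS terminates in nginx; tell Rails so it generates https URLs and
    # treats the request as secure.
    passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
    # Per-client rate limit; the zone is declared in the http block.
    # Static asset locations are deliberately outside it.
    limit_req zone=one burst=5;
  }

  error_page   500 502 504  /500.html;
  error_page   503 @503;

  # Exact-match locations win over the `~ \.(php|html)$` regex further
  # down. Without this block the internal redirect to /500.html landed in
  # that regex and the client received a bare 405 instead of the error
  # page. The original `location = /50x.html` was referenced by nothing
  # (error_page names /500.html) and has been replaced by this one.
  # `internal` prevents direct fetches; the file served is
  # $document_root/500.html, which a Rails app conventionally ships as
  # public/500.html — confirm it exists in this deployment.
  location = /500.html {
    internal;
  }

  # Referenced by no error_page directive (Rails renders its own 404);
  # left as found.
  location = /404.html {
    root   html;
  }

  location @503 {
    error_page 405 = /system/maintenance.html;
    if (-f $document_root/system/maintenance.html) {
      rewrite ^(.*)$ /system/maintenance.html break;
    }
    rewrite ^(.*)$ /503.html break;
  }

  # Method allow-list, evaluated in the server rewrite phase before any
  # location is chosen.
  # NOTE(review): PATCH is absent; Rails 4+ uses it for resource updates.
  if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){
    return 405;
  }

  # Dropping public/system/maintenance.html into place flips the whole
  # vhost to 503 (handled by @503 above).
  if (-f $document_root/system/maintenance.html) {
    return 503;
  }

  location ~ ^/(assets|images|javascripts|stylesheets|swfs|system)/ {
    gzip_static on;
    expires     max;
    add_header  Cache-Control public;
    # nginx does not merge add_header across levels: a location that sets
    # one of its own drops every http-level header, so the security
    # headers are repeated here. The old `add_header Last-Modified ""`
    # and `add_header ETag ""` lines were removed — add_header only
    # appends and cannot strip the validators the static handler emits
    # (an empty value is not added at all), so they were no-ops. The
    # trailing `break;` was a no-op too (no rewrite in this location).
    add_header  Strict-Transport-Security "max-age=16070400; includeSubdomains";
    add_header  X-Frame-Options DENY;
    add_header  X-Content-Type-Options nosniff;
  }

  location = /favicon.ico {
    expires    max;
    add_header Cache-Control public;
    # Same add_header inheritance caveat as the asset location above.
    add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
  }

  # Nothing under public/ is served as a raw .php/.html file. The error
  # pages and /system/maintenance.html are reached through the exact-match
  # and asset locations above, which take precedence over this regex.
  location ~ \.(php|html)$ {
    return 405;
  }

  # Keep request logs. Discarding them to /dev/null leaves no trail for
  # incident response and no way to tune limit_req.
  access_log /home/app/logs/nginx.access.log;
  error_log  /home/app/logs/nginx.error.log;
}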
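# Workers run as `app`, the same account that owns the deploy tree and the
# logs under /home/app. NOTE(review): a dedicated, non-owning user for the
# nginx workers would limit what a worker compromise can write; Passenger
# runs the application as the owner of config.ru by default regardless of
# this setting. Check file permissions before changing it.
user                          app;
worker_processes              2;
worker_priority               -5;

# The original level was `crit`, which suppresses `error`-level entries —
# and that is where limit_req rejections (limit_req_log_level defaults to
# error) and most upstream/Passenger failures are written. Those are exactly
# the events worth keeping, so the default `error` level is used instead.
error_log                     /home/app/logs/nginx.error.log  error;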

events {
    # Up to 1024 simultaneous connections per worker (two workers are
    # configured in the main context), dispatched through epoll, the
    # native Linux event backend.
    worker_connections        1024;
    use                       epoll;
}


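http {
    client_max_body_size      25m;
    client_body_buffer_size   128k;
    # Spool directory for request bodies larger than the buffer. Moved out
    # of the shared, sticky-bit /tmp, where any local user can pre-create
    # the path before nginx (started as root) creates and chowns it. nginx
    # creates this directory itself at startup; it must match the path used
    # by the install script.
    client_body_temp_path     /opt/nginx/client_body_temp;

    passenger_root            /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.12;
    passenger_ruby            /usr/local/bin/ruby;
    passenger_pool_idle_time  0;
    passenger_max_pool_size   15;
    # NOTE(review): the only :80 vhost redirects every request to HTTPS, so
    # this warm-up request is very likely answered with a 301 and never
    # spawns the application. Check `passenger-status` after a restart.
    passenger_pre_start       http://127.0.0.1/;

    include                   mime.types;
    default_type              application/octet-stream;
    server_tokens             off;   # no version in Server: or error pages
    sendfile                  on;
    keepalive_timeout         70;

    # NOTE(review): text/html is always compressed once gzip is on, and
    # compressing dynamic HTML over TLS is the precondition for BREACH when
    # a page reflects attacker-controlled input next to a secret (e.g. a
    # CSRF token). Assess per application; static assets are unaffected.
    gzip                      on;
    gzip_http_version         1.1;
    gzip_disable              "msie6";
    gzip_vary                 on;
    gzip_min_length           1100;
    gzip_buffers              64 8k;
    gzip_comp_level           3;
    gzip_proxied              any;
    gzip_types                text/plain text/css application/x-javascript text/xml application/xml;

    ssl_certificate           /opt/nginx/ssl_certs/cert.crt;
    ssl_certificate_key       /opt/nginx/ssl_certs/server.key;
    ssl_session_timeout       15m;
    # SSLv3 removed: its CBC modes are broken (POODLE) and the protocol is
    # formally retired (RFC 7568). TLSv1 and TLSv1.1 are deprecated as well
    # (RFC 8996); drop them as soon as the client base allows.
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    # RC4 no longer leads the list — it is prohibited for TLS (RFC 7465) —
    # and 3DES (64-bit blocks) is excluded too. Inspect the resulting order
    # for the linked OpenSSL with:
    #   openssl ciphers -v 'HIGH:!aNULL:!MD5:!RC4:!3DES'
    ssl_ciphers               HIGH:!aNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;
    ssl_session_cache         shared:SSL:10m;

    # Inherited only by server/location blocks that set no add_header of
    # their own; nginx does not merge across levels, so any block that adds
    # a header (e.g. Cache-Control on assets) must repeat these. HSTS sent
    # over the plain-HTTP vhost is ignored by browsers (RFC 6797) — harmless.
    add_header                Strict-Transport-Security "max-age=16070400; includeSubdomains";
    add_header                X-Frame-Options DENY;
    add_header                X-Content-Type-Options nosniff;

    # Per-client request rate keyed by IP, consumed by `limit_req` in the
    # application location. Rejections are logged at `error` level, so the
    # error_log level must be `error` or lower for them to be visible.
    limit_req_zone            $binary_remote_addr zone=one:10m rate=10r/s;

    include                   /opt/nginx/conf/nginx_host.conf;
}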
# NOTICE: to get Nginx+Unicorn best-practices configuration see the gist https://gist.github.com/3052776

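  # NOTE(review): every version pinned below was current in mid-2012 and is
  # long end-of-life; OpenSSL 1.0.1c in particular falls in the Heartbleed-
  # affected range (1.0.1 through 1.0.1f). Pick current supported releases,
  # fetch over HTTPS, and verify each tarball against the project's
  # published signature before unpacking — an unverified cleartext download
  # built straight into the TLS terminator is the supply-chain gap here.
  $ cd /usr/src
  $ wget https://nginx.org/download/nginx-1.2.1.tar.gz
  $ wget https://nginx.org/download/nginx-1.2.1.tar.gz.asc
  $ gpg --verify nginx-1.2.1.tar.gz.asc nginx-1.2.1.tar.gz    # requires the nginx release key in your keyring
  $ tar xzvf ./nginx-1.2.1.tar.gz && rm -f ./nginx-1.2.1.tar.gz

  # The Cambridge FTP mirror has since been retired and this is cleartext
  # FTP with no integrity check: fetch PCRE from the project's current
  # archive and verify the signature it publishes before unpacking.
  $ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
  $ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz

  $ wget https://www.openssl.org/source/openssl-1.0.1c.tar.gz
  $ wget https://www.openssl.org/source/openssl-1.0.1c.tar.gz.asc
  $ gpg --verify openssl-1.0.1c.tar.gz.asc openssl-1.0.1c.tar.gz    # requires the OpenSSL release key in your keyring
  $ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz

  # Passenger 3.0.x is end-of-life as well; pin a supported release and
  # keep the version in sync with passenger_root in nginx.conf.
  $ gem install passenger -v=3.0.12 --no-ri --no-rdoc
  $ passenger-install-nginx-module --nginx-source-dir=/usr/src/nginx-1.2.1 --extra-configure-flags="--with-pcre=/usr/src/pcre-8.30 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_gzip_static_module --with-http_stub_status_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module"

  # Must match client_body_temp_path in nginx.conf. nginx creates and chowns
  # the directory itself at startup, so this is belt-and-braces; the point
  # is to keep it out of the shared /tmp, where any local user could
  # pre-create the path before nginx does.
  $ mkdir -m 0700 /opt/nginx/client_body_temp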