Commit bf1c0c2

mo khan <mo@mokhan.ca>
2017-01-17 05:12:58
run nginx and haproxy via docker.
1 parent 1977d2b
config/environments/development.rb
@@ -45,6 +45,7 @@ Rails.application.configure do
 
   # Suppress logger output for asset requests.
   config.assets.quiet = true
+  config.assets.prefix = "/dev-assets"
 
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
@@ -57,5 +58,4 @@ Rails.application.configure do
     Bullet.enable = true
     Bullet.console = true
   end
-  config.web_console.whitelisted_ips = "172.16.0.0/16"
 end
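Review bot: The new `config.assets.prefix = "/dev-assets"` line has no comment explaining why development assets leave the default `/assets` path, and the reason is not discoverable from this file alone. It is presumably so that development builds are not caught by the `location ^~ /assets/` block in config/nginx.conf (added in this same commit), which applies `expires max` and would cache assets that change on every edit — worth confirming and recording. I would add `# Keep dev builds out of nginx's long-cached /assets/ location (see config/nginx.conf)` directly above the line. The enclosing `Rails.application.configure do` block begins before both hunks.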
config/haproxy.cfg
@@ -0,0 +1,31 @@
+global
+  maxconn 4096
+  tune.ssl.default-dh-param 2048
+
+defaults
+  mode http
+  timeout connect 5000ms
+  timeout client 50000ms
+  timeout server 50000ms
+  option forwardfor
+  option http-server-close
+  stats enable
+  stats uri /stats
+  stats realm Haproxy\ Statistics
+  stats auth username:password
+
+frontend www-http
+  bind *:80
+  reqadd X-Forwarded-Proto:\ http
+  default_backend www-backend
+
+frontend www-https
+  bind *:443 ssl crt /usr/local/etc/haproxy/server.pem
+  reqadd X-Forwarded-Proto:\ https
+  default_backend www-backend
+
+backend www-backend
+  redirect scheme https if !{ ssl_fc }
+  balance roundrobin
+  server www1 www1:443 check ssl verify none
+  server www2 www2:443 check ssl verify none
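Review bot: The `stats enable` / `stats uri /stats` / `stats auth username:password` lines sit in `defaults`, so every frontend — including the public `www-http` and `www-https` binds on 80 and 443 — serves the statistics page, guarded only by placeholder credentials committed to the repository. Move stats into a dedicated `listen` section on a port that docker-compose does not publish and supply the credentials from outside the repo, as sketched below. Separately, `verify none` on both `server` lines switches off certificate checking toward www1/www2 even though the certificate nginx presents is a file this repository already controls; `verify required ca-file <PATH_TO_BACKEND_CERT>` (plus `verifyhost` matching the certificate's subject) would pin it. Finally, `reqadd` was removed in HAProxy 2.1 while docker-compose pulls `haproxy:latest`, so a fresh pull will reject this file; `http-request set-header X-Forwarded-Proto http` (and `https`) is the supported form.
```haproxy
# … unchanged: global …

defaults
  # … unchanged: mode, timeouts, option forwardfor, option http-server-close …
  # (the four stats lines are removed from defaults)

# Stats on a dedicated listener that docker-compose does not publish,
# so it is reachable only from inside the compose network.
listen stats
  bind *:8404
  stats enable
  stats uri /stats
  stats realm Haproxy\ Statistics
  stats auth <STATS_USER>:<STATS_PASSWORD>

frontend www-http
  bind *:80
  http-request set-header X-Forwarded-Proto http
  default_backend www-backend

frontend www-https
  bind *:443 ssl crt /usr/local/etc/haproxy/server.pem
  http-request set-header X-Forwarded-Proto https
  default_backend www-backend

backend www-backend
  # … unchanged: redirect scheme, balance roundrobin …
  server www1 www1:443 check ssl verify required ca-file <PATH_TO_BACKEND_CERT>
  server www2 www2:443 check ssl verify required ca-file <PATH_TO_BACKEND_CERT>
```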
config/nginx.conf
@@ -0,0 +1,78 @@
+user  root;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+  worker_connections  8096;
+  multi_accept        on;
+  use                 epoll;
+}
+
+http {
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log /var/log/nginx/access.log  main;
+
+  sendfile           on;
+  tcp_nopush         on;
+  tcp_nodelay        on;
+  keepalive_timeout  15;
+
+  upstream backend {
+    server web:3000 fail_timeout=0;
+  }
+
+  server {
+    listen 80 deferred;
+    add_header Strict-Transport-Security max-age=15768000;
+    server_tokens off;
+    rewrite ^ https://$server_name$request_uri? permanent;
+  }
+
+  server {
+    listen 443 default_server ssl;
+    server_tokens off;
+    root /var/www/public;
+    ssl_certificate /etc/nginx/server.crt;
+    ssl_certificate_key /etc/nginx/server.key;
+
+    ssl_session_timeout 5m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+    add_header X-Frame-Options "DENY";
+
+    try_files $uri/index.html $uri @application;
+    location ^~ /assets/ {
+      gzip_static on;
+      expires max;
+      add_header Cache-Control public;
+    }
+    location /cable {
+      proxy_pass https://backend;
+      proxy_set_header X_FORWARDED_PROTO https;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header HOST $http_host;
+      proxy_set_header X-Url-Scheme $scheme;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+    }
+    location @application {
+      proxy_set_header X_FORWARDED_PROTO https;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header HOST $http_host;
+      proxy_set_header X-Url-Scheme $scheme;
+      proxy_redirect off;
+      proxy_pass https://backend;
+    }
+
+    error_page 500 502 503 504 /500.html;
+    keepalive_timeout 10;
+  }
+}
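Review bot: `user root;` at the top makes the nginx worker processes run as root; the master process binds 80/443 before forking workers, so the stock image's `nginx` user is sufficient and limits what a compromised worker can reach. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-enables deprecated protocol versions and no `ssl_ciphers` is set, so `ssl_protocols TLSv1.2;` with an explicit cipher list is the minimum. Two functional issues compound this: nginx only inherits `add_header` into a block that defines none of its own, so `location ^~ /assets/` (which adds `Cache-Control`) silently drops both `Strict-Transport-Security` and `X-Frame-Options`, and `location /cable` sets `Upgrade`/`Connection` without `proxy_http_version 1.1;`, which the WebSocket upgrade needs because proxied requests default to HTTP/1.0. The port-80 server's `rewrite ^ https://$server_name$request_uri? permanent;` also expands to an empty host because no `server_name` is declared, so `return 301 https://$host$request_uri;` is the usual form. The rewritten lines are below; everything else stays as in the hunk.
```nginx
user  nginx;

# … unchanged: error_log, pid, events, http-level settings, upstream backend …

  server {
    listen 80 deferred;
    # … unchanged: add_header, server_tokens …
    # $server_name is empty without a server_name directive; $host carries the requested name
    return 301 https://$host$request_uri;
  }

  server {
    listen 443 default_server ssl;
    # … unchanged: server_tokens, root, ssl_certificate, ssl_certificate_key, ssl_session_timeout …
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers <EXPLICIT_CIPHER_LIST>;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options "DENY";

    try_files $uri/index.html $uri @application;
    location ^~ /assets/ {
      gzip_static on;
      expires max;
      add_header Cache-Control public;
      # add_header is not inherited once a block sets its own; repeat the security headers here
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
      add_header X-Frame-Options "DENY";
    }
    location /cable {
      # Upgrade/Connection only work over HTTP/1.1; proxied requests default to 1.0
      proxy_http_version 1.1;
      # … unchanged: proxy_pass and proxy_set_header lines …
    }
    # … unchanged: location @application, error_page, keepalive_timeout …
  }
```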
docker-compose.yml
@@ -1,12 +1,53 @@
 version: '2'
 services:
-  app:
+  haproxy:
+    image: haproxy:latest
+    volumes:
+      - ./config/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
+      - ./config/server.pem:/usr/local/etc/haproxy/server.pem
+    links:
+      - www1
+      - www2
+    ports:
+      - "80:80"
+      - "443:443"
+  www1:
+    image: nginx:latest
+    volumes:
+      - ./config/nginx.conf:/etc/nginx/nginx.conf
+      - ./public:/var/www/public
+      - ./config/server.crt:/etc/nginx/server.crt
+      - ./config/server.key:/etc/nginx/server.key
+    links:
+      - web
+  www2:
+    image: nginx:latest
+    volumes:
+      - ./config/nginx.conf:/etc/nginx/nginx.conf
+      - ./public:/var/www/public
+      - ./config/server.crt:/etc/nginx/server.crt
+      - ./config/server.key:/etc/nginx/server.key
+    links:
+      - web
+  web:
     build: .
-    command: foreman start
+    command: bundle exec foreman start web
+    volumes:
+      - .:/app
+    links:
+      - redis
+      - db
+    depends_on:
+      - redis
+      - db
+    environment:
+      - REDIS_URL=redis://redis:6379/12
+      - RAILS_LOG_TO_STDOUT=true
+  worker:
+    build: .
+    command: bundle exec sidekiq
     volumes:
       - .:/app
-    ports:
-      - "3000:3000"
     links:
       - redis
       - db
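Review bot: `image: haproxy:latest` and `image: nginx:latest` are floating tags, so any `docker-compose pull` can silently swap the proxy software underneath this stack; that bites immediately here because config/haproxy.cfg in this commit uses `reqadd`, which HAProxy removed in 2.1. Pin both services to a specific tag or digest, e.g. `image: haproxy:<PINNED_TAG_OR_DIGEST>` and `image: nginx:<PINNED_TAG_OR_DIGEST>`. The `haproxy`, `www1` and `www2` services mount `./config/server.pem`, `./config/server.crt` and `./config/server.key` from the working tree, and the `.:/app` bind mount on `web` and `worker` carries the same key into every app container (the sidekiq `worker` has no use for it); the commit adds neither these files nor a generation step nor an ignore rule I can see, so confirm they are git-ignored and document how to produce them. As a point of style, `links:` is the legacy networking form — compose v2 resolves service names on the default network, and `depends_on` (already used on `web`) is the ordering primitive.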
Procfile
@@ -1,2 +1,2 @@
-web: bin/rails s -p 3000 -b 0.0.0.0
+web: bundle exec puma -b 'ssl://0.0.0.0:3000?key=config/server.key&cert=config/server.crt' config.ru
 worker: bundle exec sidekiq