Merge pull request #28 from plural/add-nisei-domain

Add nginx config for 2 serving domains in prod.
Project-NISEI · Dec 27, 2021 · 0bfcb91 · 0bfcb91
2 parents 1645ed7 + ec01374
commit 0bfcb91
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 6 deletions.
diff --git a/config/containers/Dockerfile-nginx b/config/containers/Dockerfile-nginx
@@ -8,6 +8,8 @@ RUN apt-get update -qq && apt-get -y install apache2-utils
 # TODO: make room for the tournaments.nisei.net name to aid the transition.
 ARG cobra_domain
 ENV COBRA_DOMAIN $cobra_domain
+ARG nisei_domain
+ENV NISEI_DOMAIN $nisei_domain
 
 # establish where Nginx should look for files
 ENV RAILS_ROOT /var/www/cobra
@@ -26,7 +28,7 @@ COPY config/containers/nginx.conf /tmp/cobra.nginx
 
 # substitute variable references in the Nginx config template for real values from the environment
 # put the final config in its place
-RUN envsubst '$RAILS_ROOT:$COBRA_DOMAIN' < /tmp/cobra.nginx > /etc/nginx/conf.d/default.conf
+RUN envsubst '$RAILS_ROOT:$COBRA_DOMAIN:$NISEI_DOMAIN' < /tmp/cobra.nginx > /etc/nginx/conf.d/default.conf
 
 # Use the "exec" form of CMD so Nginx shuts down gracefully on SIGTERM (i.e. `docker stop`)
 CMD [ "nginx", "-g", "daemon off;" ]
diff --git a/config/containers/nginx.conf b/config/containers/nginx.conf
@@ -3,6 +3,88 @@ upstream unicorn {
   server app:3000;
 }
 
+# NOTE: The HTTP and HTTPS domains must be duplicated identically for
+# $COBRA_DOMAIN and $NISEI_DOMAIN until $COBRA_DOMAIN is completely
+# turned down.
+server {
+  listen 80;
+  server_name $NISEI_DOMAIN;
+
+  # Listen for challenges from Let's Encrypt for our SSL certificates.
+  location ~ /\.well-known/acme-challenge/ {
+    allow all;
+    default_type "text/plain";
+    root /var/www/certbot;
+  }
+
+  # Send everything else to HTTPS.
+  location / {
+    return 301 https://$NISEI_DOMAIN$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+  server_name $NISEI_DOMAIN;
+
+  ssl_certificate /etc/letsencrypt/live/$NISEI_DOMAIN/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/$NISEI_DOMAIN/privkey.pem;
+
+  include /etc/letsencrypt/options-ssl-nginx.conf;
+  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+  # define the public application root
+  root   $RAILS_ROOT/public;
+  index  index.html;
+
+  # define where Nginx should write its logs
+  access_log $RAILS_ROOT/log/nginx.access.log;
+  error_log $RAILS_ROOT/log/nginx.error.log;
+
+  # deny requests for files that should never be accessed
+  location ~ /\. {
+    deny all;
+  }
+
+  location ~* ^.+\.(rb|log)$ {
+    deny all;
+  }
+
+  # serve static (compiled) assets directly if they exist (for rails production)
+  location ^~ /assets/ {
+    try_files $uri @rails;
+
+    access_log off;
+    gzip_static on; # to serve pre-gzipped version
+
+    expires max;
+    add_header Cache-Control public;
+
+    # Some browsers still send conditional-GET requests if there's a
+    # Last-Modified header or an ETag header even if they haven't
+    # reached the expiry date sent in the Expires header.
+    add_header Last-Modified "";
+    add_header ETag "";
+    break;
+  }
+
+  # send non-static file requests to the app server
+  location / {
+    try_files $uri @rails;
+  }
+
+  location @rails {
+    proxy_set_header  X-Real-IP  $remote_addr;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header  Host $http_host;
+    proxy_set_header  X-Forwarded-Ssl on;
+    proxy_set_header  X-Forwarded-Port $server_port;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+    proxy_redirect off;
+    proxy_pass http://unicorn;
+  }
+}
+
 server {
   listen 80;
   server_name $COBRA_DOMAIN;

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
@@ -14,7 +14,7 @@ services:
       - "3000"
 
     volumes:
-      - cobra-logs:/var/www/cobra/log
+      - cobra:/var/www/cobra/log
 
   # service configuration for our web server
   web:
@@ -27,6 +27,7 @@ services:
       dockerfile: config/containers/Dockerfile-nginx
       args:
         cobra_domain: $COBRA_DOMAIN
+        nisei_domain: $NISEI_DOMAIN
 
     # makes the web container aware of the app container
     links:
@@ -38,7 +39,8 @@ services:
       - "443:443"
 
     volumes:
-      - cobra-logs:/var/www/cobra/log
+      - cobra:/var/www/cobra/log
+      - cobra:/var/www/cobra/public/assets
       - ./data/certbot/conf:/etc/letsencrypt
       - ./data/certbot/www:/var/www/certbot
 
@@ -50,4 +52,4 @@ services:
       - ./data/certbot/www:/var/www/certbot
 
 volumes:
-    cobra-logs:
+    cobra:
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -20,7 +20,9 @@ services:
 
     volumes:
       - .:/var/www/cobra/
-      - cobra-logs:/var/www/cobra/log
+      - cobra:/var/www/cobra/log
+      - cobra:/var/www/cobra/public/assets
+      - cobra:/var/www/cobra/tmp
 
   # service configuration for our database
   db:
@@ -33,5 +35,5 @@ services:
       - cobra-postgres:/var/lib/postgresql/data
 
 volumes:
-  cobra-logs:
+  cobra:
   cobra-postgres: