Develop Reference

How to set https to one nginx and one docker nginx on one server

I have one nginx and one docker nginx on one server.
I already setup a Https server (port is 80) at one nginx success,
I open https://subdomain1.domain, it will show web page success.
but I setup docker nginx https (port is 8080) fail.
I open https://subdomain2.domain:8080, it will show error below.
This site can’t provide a secure connection
subdomain2.domain sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
This is my docker process information.
root#server:~/# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c798c72861fa 13b3 "/bin/bash /app/dock…" 13 days ago Up 16 minutes 443/tcp, 8000/tcp, 0.0.0.0:8080->8080/tcp nginx
And I have 4 nginx conf, I don't know how to adjust nginx conf to make docker https work.
in host /usr/local/nginx/conf/nginx.conf below.
user www www;
worker_processes auto;
worker_cpu_affinity auto;
error_log /home/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept off;
accept_mutex off;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
#limit_conn_zone $binary_remote_addr zone=perip:10m;
##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.
server_tokens off;
access_log off;
include vhost/*.conf;
}
in host /usr/local/nginx/conf/vhost/subdomain1.domain.conf
server {
listen 80 default;
server_name _;
index index.php index.html index.htm;
return 301;
}
server {
listen 443 default ssl http2;
server_name _;
index index.php index.html index.htm;
ssl_certificate /usr/local/nginx/conf/vhost/server.crt;
ssl_certificate_key /usr/local/nginx/conf/vhost/server.key;
return 302;
}
server {
listen 443 ssl http2;
server_name subdomain1.domain;
ssl_certificate /usr/local/nginx/conf/vhost/server.crt;
ssl_certificate_key /usr/local/nginx/conf/vhost/server.key;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/default/[project name]/backstage;
include rewrite/other.conf;
include enable-php-pathinfo.conf;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
expires 30d;
}
location ~ .*\.(js|css)?$ {
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\. {
deny all;
}
access_log /home/wwwlogs/www.xxxx.com.log;
error_log /home/wwwlogs/www.xxxx.error.log;
}
in docker /etc/nginx/conf.d/[appName].conf
server {
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary off;
gzip_disable "MSIE [1-6]\.";
client_max_body_size 200m;
root /app/dist;
index index.html;
location /api/ {
rewrite /api/(.*) /$1 break;
proxy_pass https://localhost:8000/;
}
listen 443 ssl http2;
server_name subdomain2.domain;
ssl_certificate /app/nginx/server.crt;
ssl_certificate_key /app/nginx/server.key;
#enable ssl
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
}
in docker /app/nginx/[appName].conf
server {
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary off;
gzip_disable "MSIE [1-6]\.";
client_max_body_size 200m;
root /app/dist;
index index.html;
location /api/ {
rewrite /api/(.*) /$1 break;
proxy_pass https://localhost:8000/;
}
listen 443 ssl http2;
server_name subdomain2.domain;
ssl_certificate /app/nginx/server.crt;
ssl_certificate_key /app/nginx/server.key;
#enable ssl
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
;
}
server {
listen 8080 ;
server_name subdomain2.domain;
return 308 https://$server_name$request_uri;
}
How to fix subdomain2.domain https setup?

You should:
Stop nginx service in host
Build new container nginx again and expose port 443 to the host.
docker run -d --name containter_name -p 8080:443 image
then access: https://subdomain2.domain:8080
You should copy ssl_certificate and key to the container

Unicorn + Rails Refused Connection on Nginx Server

My application is returning 502 error:
In the error.log:
2017/10/12 15:42:28 [error] 12727#12727: *415 connect() to unix:/var/www/autonomos/production/current/tmp/sockets/unicorn.sock failed (111: Connection refused) while connecting to upstream, client: 172.31.81.4, server: api.autonomosapp.com.br, request: "GET /v1/auth/validate_token HTTP/1.1", upstream: "http://unix:/var/www/autonomos/production/current/tmp/sockets/unicorn.sock:/v1/auth/validate_token", host: "api.autonomosapp.com.br"
My nginx/sites-enabled
upstream unicorn_autonomos_production {
server unix:/var/www/autonomos/production/current/tmp/sockets/unicorn.sock fail_timeout=0;
}
server {
listen 80;
#listen 443 ssl;
server_name api.autonomosapp.com.br;
root /var/www/autonomos/production/current/public;
access_log /var/www/autonomos/production/shared/log/access.log;
error_log /var/www/autonomos/production/shared/log/error.log;
client_max_body_size 500M;
keepalive_timeout 5;
gzip_types application/x-javascript text/css;
location /elb-status {
return 200;
}
location ~ /.well-known {
allow all;
root /var/www/autonomos/production/current/public;
}
location ~* ^/assets/ {
# Per RFC2616 - 1 year maximum expiry
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
expires 1y;
add_header Cache-Control public;
# Some browsers still send conditional-GET requests if there's a
# Last-Modified header or an ETag header even if they haven't
# reached the expiry date sent in the Expires header.
add_header Last-Modified "";
add_header ETag "";
break;
}
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://unicorn_autonomos_production;
break;
}
}
error_page 500 502 503 504 /500.html;
location = /500.html {
root /var/www/autonomos/production/current/public;
}
}
nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
My etc/init/unicorn_autonomos_production
start on runlevel [2]
stop on runlevel [016]
console owner
setuid autonomos
pre-start exec /usr/local/rvm/bin/autonomos_production_unicorn_rails -E production -c /var/www/autonomos/production/current/config/unicorn.rb -D > /tmp/upstart_autonomos_production.log 2>&1
post-stop exec kill `cat /var/www/autonomos/production/current/tmp/pids/unicorn.pid`
respawn
unicorn.stderr.log
I, [2017-10-10T04:24:00.952787 #2245] INFO -- : reaped #<Process::Status: pid 2248 exit 0> worker=0
I, [2017-10-10T04:24:00.952946 #2245] INFO -- : master complete
My unicorn_autonomos_production not in init.d, it is a problem?
When I try:
service unicorn_autonomos_production start
The error is:
Failed to start unicorn_autonomos_production.service: Unit unicorn_autonomos_production.service not found.
I reload the nginx server today, I needed to initialize the unicorn too? How can I do?

I exec the command on terminal:
exec /usr/local/rvm/bin/autonomos_production_unicorn_rails -E production -c /var/www/autonomos/production/current/config/unicorn.rb -D > /tmp/upstart_autonomos_production.log 2>&1
and init unicorn

Multiple rails apps nginx passenger config

I used this guide to setup server.
Here are my configs:
nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json
application/javascript text/xml application/xml application/xml+rss
text/javascript;
##
# Phusion Passenger config
##
# Uncomment it if you installed passenger or passenger-enterprise
##
#include /etc/nginx/passenger.conf;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
nginx/mysite1
server {
listen 80;
listen [::]:80 ipv6only=on;
server_name mysite1.com;
client_max_body_size 75m;
access_log /var/log/nginx/mysite1.access.log;
error_log /var/log/nginx/mysite1.error.log;
root /home/deploy/www/mysite1/public;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
}
}
nginx/mysite2
server {
listen 80;
#listen [::]:80 ipv6only=on;
server_name mysite2.com;
client_max_body_size 100m;
access_log /var/log/nginx/mysite2.access.log;
error_log /var/log/nginx/mysite2.error.log;
root /home/deploy/www/mysite2/public;
location / {
proxy_pass https://127.0.0.1:8181;
proxy_set_header Host $host;
}
}
mysite1 is working fine, but when I go to mysite2, I see mysite1.
I think the passenger is ok, cause I have passenger.8080.pid and passenger.8181.pid in direcories mysite1 and mysite2, respectively.
Run out of ideas, so asking for help.

So, the reason why I stuck is ... comma!
Somehow I separated domains with a comma. That is it.

Unable to cache static contents with nginx for ruby on rails application

I am using Ruby On Rails application with Rails 4.1 in digitalocean droplet. I have installed nginx with passenger and my application working perfect over here.
Now I want to cache static content with nginx and I have did following configuration for nginx.conf file. I don't know what is wrong over here. Please give me suggestion for working the same.
My nginx.conf file:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
log_format cache '***$time_local '
'$upstream_cache_status '
'Cache-Control: $upstream_http_cache_control '
'Expires: $upstream_http_expires '
'"$request" ($status) '
'"$http_user_agent" ';
access_log /var/log/nginx/cache.log cache;
proxy_cache_path /data/nginx/cache keys_zone=one:10m levels=1:2 loader_threshold=300 loader_files=200 max_size=200m;
proxy_temp_path /data/nginx/cache/tmp;
server {
listen 80;
proxy_cache one;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://api.xyz.com;
}
location ~ ^/(stylesheets|javascripts|images|system/avatars) {
expires 720h;
}
}
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
# set client body size to 20M #
client_max_body_size 20M;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
# include /etc/nginx/naxsi_core.rules;
##
# Phusion Passenger config
##
# Uncomment it if you installed passenger or passenger-enterprise
##
passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /usr/local/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Please let me know if you need anything else for caches static content with nginx.

Since Rails 3.1, it use assets precompile in production environment. I use this for my rails app in nginx:
location ~ ^/assets/ {
expires 1y;
add_header Cache-Control public;
add_header ETag "";
break;
}
Read about it here: http://guides.rubyonrails.org/v4.1.8/asset_pipeline.html

Ruby process running at max CPU usage and not serving any page - Ubuntu Nginx Unicorn Rails Configuration

I am following this guide to setup Rails service using Nginx and Unicorn http://ariejan.net/2011/09/14/lighting-fast-zero-downtime-deployments-with-git-capistrano-nginx-and-unicorn/
When I started Nginx without Unicorn I get 502 Bad Gateway error
and as soon as I start the Unicorn server using the following command unicorn_rails -c config/unicorn.rb -D the request times out and I get 504 Gateway Time-out error. The CPU usage for ruby process is 100% and seems like something is stuck in a loop but I do not understand what is happening
nginx/1.2.6 (Ubuntu)
This is my /etc/nginx/nginx.conf
user ubuntu staff;
# Change this depending on your hardware
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay off;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
# gzip_vary on;
gzip_proxied any;
gzip_min_length 500;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml applicat
ion/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
and this is my /etc/nginx/sites-available/default
upstream home {
# fail_timeout=0 means we always retry an upstream even if it failed
# to return a good HTTP response (in case the Unicorn master nukes a
# single worker for timing out).
# for UNIX domain socket setups:
server unix:/tmp/home.socket fail_timeout=0;
}
server {
# if you're running multiple servers, instead of "default" you should
# put your main domain name here
listen 80;
# you could put a list of other domain names this application answers
server_name patellabs.com;
root /home/ubuntu/apps/home/current/public;
access_log /var/log/nginx/home_access.log;
rewrite_log on;
location / {
#all requests are sent to the UNIX socket
proxy_pass http://home;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
# if the request is for a static resource, nginx should serve it directly
# and add a far future expires header to it, making the browser
# cache the resource and navigate faster over the website
# this probably needs some work with Rails 3.1's asset pipe_line
location ~ ^/(images|javascripts|stylesheets|system)/ {
root /home/ubuntu/apps/home/current/public;
expires max;
break;
}
}