Question

How do I configure SSL on Nginx for Rails application?

Posted February 15, 2015 21.1k views

I used the 1-click Ubuntu-Nginx-Unicorn-Rails install option and have my app up and running. I’m trying to configure my server to support SSL on a couple of things like sign-in and registration. I have my certificate installed in /etc/nginx/ssl. I’ve read a lot about adding certain code to the server block but being new to this, no one defines where it is for someone like me.

I’m assuming it is adding code to nginx.conf. If that is correct, is this the proper way to add support for SSL to my Rails app or should this be somewhere else in another file?
I’m making this guess after reading about SSL configuration on Nginx.org

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events { worker_connections 1024; }

http {

server {
listen 443;
servername mydomain.com;
ssl on;
sslcertificate /etc/nginx/ssl/www.mydomain.com.crt;
sslcertificatekey /etc/nginx/ssl/www.mydomain.com.key;
sslprotocols SSLv2 SSLv3 TLSv1;
sslciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
sslsessioncache shared:SSL:10m;

root /home/rails/app/public;

location ^~ /assets/ {
gzipstatic on;
expires max;
addheader Cache-Control public;
}

tryfiles $uri/index.html $uri @unicorn;
location @unicorn {
proxysetheader X-Real-IP $remoteaddr;
proxysetheader X-Forwarded-For $proxyaddxforwardedfor;
proxysetheader X-Forwarded-Proto https;
proxysetheader Host $httphost;
proxyredirect off;
proxy_pass http://unicorn;
}

errorpage 500 502 503 504 /500.html;
clientmaxbodysize 4G;
keepalive_timeout 10;
}

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";
    gzip_types text/plain text/xml text/css text/comma-separated-values;
    upstream app_server { server 127.0.0.1:8080 fail_timeout=0; }

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

Add a comment
RedMagnum30
By:
RedMagnum30
Add a comment
2 comments
  • RedMagnum30 February 15, 2015
    Reply Report

    I’m updating my post with a solution to my problem. Hopefully it will help another server admin beginner like myself.

    1. The file I needed to edit for the server block is located in /etc/nginx/sites-enabled/defaults

    2.This fixed my SSL problem but discovered a redirect issue with Rails and Unicorn. My non-SSL pages displayed fine but my SSL pages were caught in a redirect loop. The error was documented in my unicorn.log file. After digging and trial and error, here is what I can up with that resolved my redirect problem, with SSL working.

    server {
    listen 80;
    listen 443 default ssl;
    server_name www.myapp.com;

    ssl on;

    sslcertificate /etc/nginx/ssl/myappcom.crt;
    sslcertificatekey /etc/nginx/ssl/myapp.com.key;
    sslprotocols SSLv2 SSLv3 TLSv1;
    ssl    ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
    sslsessioncache shared:SSL:10m;

        root /home/rails/public;
    server_name _;
    index index.htm index.html;

    location / {
            try_files $uri/index.html $uri.html $uri @app;
    }

location ~* ^.+\.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|flv|mpeg|avi)$ {
                    try_files $uri @app;
            }

     location @app {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme; (THIS SOLVED THE REDIRECT LOOPING PROBLEM)
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_pass http://app_server;
}

    }

    I found my solution at https://github.com/spree/spree/issues/1728. Hopefully it will help someone else.

  • nitramwerdna April 13, 2019
    Reply Report

    Just wanted to say thank you for posting your solution.

    Adding this saved my life:

    proxy_set_header X-Forwarded-Proto $scheme;

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
BrookDO June 3, 2016

This question was answered by @RedMagnum30:

I’m updating my post with a solution to my problem. Hopefully it will help another server admin beginner like myself.

  1. The file I needed to edit for the server block is located in /etc/nginx/sites-enabled/defaults

2.This fixed my SSL problem but discovered a redirect issue with Rails and Unicorn. My non-SSL pages displayed fine but my SSL pages were caught in a redirect loop. The error was documented in my unicorn.log file. After digging and trial and error, here is what I can up with that resolved my redirect problem, with SSL working.

server {
listen 80;
listen 443 default ssl;
server_name www.myapp.com;

ssl on;

sslcertificate /etc/nginx/ssl/myappcom.crt;
sslcertificatekey /etc/nginx/ssl/myapp.com.key;
sslprotocols SSLv2 SSLv3 TLSv1;
sslciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
sslsessioncache shared:SSL:10m;

   root /home/rails/public;
   server_name _;
   index index.htm index.html;

   location / {
           try_files $uri/index.html $uri.html $uri @app;
   }

location ~* ^.+.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|flv|mpeg|avi)$ {
try_files $uri @app;
}

    location @app {
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme; (THIS SOLVED THE REDIRECT LOOPING PROBLEM)
           proxy_set_header Host $http_host;
           proxy_redirect off;
           proxy_pass http://app_server;

}

}

I found my solution at https://github.com/spree/spree/issues/1728. Hopefully it will help someone else.

You can see the comment here.

Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help