GitHub User: mikhailov
I'd like to share a Unicorn+Nginx configuration with preload_app and optimized deployment scripts: https://gist.github.com/3052776
SSL offload is a common practice to reduce load on non-edge servers.
For non-Heroku users: if you want the whole site to be accessible through HTTPS only, what is the reason to handle SSL detection through Rack and ActionDispatch? All that code can be simplified by using a web-server 301 permanent redirect.
server_name host.com *.host.com;
rewrite ^(.*) https://$host$1 permanent;
Don't forget about scaling patterns such as SSL offload: application servers should not use SSL, only the edge load balancers should. So permanent redirection on the web-server side only (not in the application) can help with scaling without any modifications to the Rails codebase.
ssl_protocols SSLv2 SSLv3 TLSv1;
Ryan, are you sure about SSLv2? It's a pretty insecure protocol.
I spent some time on Nginx security and would like to share my config:
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;
To enable TLS 1.1/1.2 protocols you need to compile Nginx with openssl > 1.0.x.
Some useful headers can help enforce interaction through HTTPS only (for all future requests) and prevent your site from being loaded into an iframe.
$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
$ ./configure --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c
no-krb5 disables the Kerberos 5 authentication protocol, which causes Nginx segfaults on Internet Explorer requests (a rare bug).
The Qualys SSL test can help in the search for vulnerabilities in the web-server configuration.
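An added example, not part of the original comments or the linked gist: a small Python audit that parses the nginx directives posted above and reports deprecated `ssl_protocols` values and missing response headers. SSLv2 and SSLv3 have both since been formally deprecated (RFC 6176, RFC 7568), as have TLS 1.0 and 1.1 (RFC 8996); the `MIN_HSTS_AGE` threshold and the `BASELINE` config are assumptions of this example.

```python
import re

# Protocol versions formally deprecated by the IETF, with the deprecating RFC.
DEPRECATED = {"SSLv2": "RFC 6176", "SSLv3": "RFC 7568",
              "TLSv1": "RFC 8996", "TLSv1.1": "RFC 8996"}
MIN_HSTS_AGE = 15552000  # assumption: 180 days as the minimum acceptable max-age

def directives(conf):
    """Yield (name, args) per nginx directive; quoted values stay one argument."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop whole-line comments
    stmt = []
    for tok in re.findall(r'"[^"]*"|[;{}]|[^\s;{}"]+', conf):
        if tok in (";", "{", "}"):
            if stmt:
                yield stmt[0], [a.strip('"') for a in stmt[1:]]
            stmt = []
        else:
            stmt.append(tok)

def audit(conf):
    """Return a list of findings for the TLS settings discussed in this thread."""
    findings, headers, protocols = [], {}, None
    for name, args in directives(conf):
        if name == "ssl_protocols":
            protocols = args
        elif name == "add_header" and len(args) >= 2:
            headers[args[0].lower()] = args[1]
    if protocols is None:
        findings.append("ssl_protocols not set explicitly")
    for p in protocols or []:
        if p in DEPRECATED:
            findings.append(f"deprecated protocol enabled: {p} ({DEPRECATED[p]})")
    hsts = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not hsts or int(hsts.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS header missing or max-age too short")
    if "x-frame-options" not in headers:
        findings.append("X-Frame-Options header missing")
    return findings

# The two configs quoted in the thread, plus a constructed baseline.
QUOTED = "ssl_protocols SSLv2 SSLv3 TLSv1;"
SHARED = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;
"""
BASELINE = SHARED.replace("SSLv3 TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")  # constructed

if __name__ == "__main__":
    for label, conf in (("quoted", QUOTED), ("shared", SHARED), ("baseline", BASELINE)):
        print(label, audit(conf) or "no findings")
```

The tokenizer keeps the quoted HSTS value intact even though it contains a `;`, which a naive split on semicolons would cut in half.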
I'm trying to use rack-pjax on the top div container and I can see the performance difference even though pushState reloads the whole body (the header is still loaded).
Yes, I'm actually using Vagrant, so "config.ssh.max_tries = 150" can be helpful sometimes.
VirtualBox has some bugs with SSH dhclient getting a proper IP address (https://github.com/mitchellh/vagrant/issues/455).
Anyway, Vagrant is a pretty good interface for building a distributed local environment and providing a production-mirror server setup.
Will wait for the jQuery Mobile Railscasts!
I'd like to use that Redis installation script:
$ cd /tmp
$ git clone --depth=1 git://github.com/defunkt/resque.git
$ cd resque
$ rake redis:install dtach:install
$ vim /etc/redis.conf
$ cd /tmp
$ wget https://gist.github.com/raw/892578/bf55748800e3ca812c5ad8233b933bd6283d3aff/redis.sh
$ adduser --system --no-create-home --disabled-login --disabled-password --group redis
$ mv /tmp/redis.sh /etc/init.d/redis
$ chmod +x /etc/init.d/redis
$ touch /var/log/redis.log
$ chown redis:redis /var/log/redis.log
$ update-rc.d -f redis defaults
$ /etc/init.d/redis start
Ryan, is "force_ssl" needed if nginx is set up with forced SSL redirection?
Why not use retry within the rescue block?