With Rails and puma, you may want to use SSL in both the development and production environments. In my case, I planned to use a self-signed certificate locally and a formal certificate issued by a certificate authority in production. Because of that, the certificate paths written in the Nginx conf file differ between development and production, so I decided to supply only that part through environment variables. This is a note of the implementation procedure I followed at that time.
The method uses a command called envsubst, which takes a file containing environment variable names and generates a file in which those names are replaced by the values assigned to the variables.
In the template, the environment variables are written as `${SSL_CERTIFICATE_PATH}` and `${SSL_CERTIFICATE_KEY_PATH}`.
docker/nginx/default.conf.template
```conf
upstream app {
    server unix:///app/tmp/sockets/puma.sock;
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate ${SSL_CERTIFICATE_PATH}; # Environment variable
    ssl_certificate_key ${SSL_CERTIFICATE_KEY_PATH}; # Environment variable
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them from this list for production
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    root /app/public;

    location / {
        proxy_pass http://app;
        proxy_set_header X-Real-IP $remote_addr;
        index index.html index.htm;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }

    client_max_body_size 100m;
    error_page 404 /404.html;
    error_page 505 502 503 504 /500.html;
    try_files $uri/index.html $uri @app;
    keepalive_timeout 5;
}
```
Copy default.conf.template into the image in the Dockerfile.
Dockerfile
```dockerfile
FROM nginx:1.16

RUN apt-get update && \
    apt-get install -y apt-utils \
    locales && \
    echo "ja_JP.UTF-8 UTF-8" > /etc/locale.gen && \
    locale-gen ja_JP.UTF-8
ENV LC_ALL ja_JP.UTF-8

# Initial state configuration file
ADD ./docker/nginx/nginx.conf /etc/nginx/nginx.conf
ADD ./docker/nginx/default.conf.template /etc/nginx/conf.d/default.conf.template
```
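In the `command` key of the nginx service, list the environment variables to be substituted and run envsubst. The values assigned to the variables are set with the `environment` key. Passing the variable names to envsubst limits substitution to those two, so nginx's own variables such as `$host` and `$request_uri` are left intact; `$$` is how a literal `$` is written in docker-compose.yml.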
docker-compose.yml
```yaml
version: '2'
services:
  app:
    # ··· omitted
  db:
    # ··· omitted
  nginx:
    build:
      context: .
      dockerfile: ./docker/nginx/Dockerfile
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - sockets:/app/tmp/sockets
      - ./docker/nginx/ssl:/etc/nginx/ssl
    depends_on:
      - app
    command: /bin/sh -c "envsubst '$$SSL_CERTIFICATE_PATH $$SSL_CERTIFICATE_KEY_PATH'< /etc/nginx/conf.d/default.conf.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
    environment:
      SSL_CERTIFICATE_PATH: /etc/nginx/ssl/server.crt
      SSL_CERTIFICATE_KEY_PATH: /etc/nginx/ssl/server.key
# ··· omitted
```
When the containers are started with the following command, envsubst runs and generates a file (default.conf) from the template (default.conf.template), with the environment variable names replaced by the values assigned to them.
```
$ docker-compose up -d
```
As long as the paths and file names are correct, you should not run into trouble. I will try to make it work in the production environment as well.
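An added example (not part of the original post): an entrypoint script that could take the place of the inline `command` above. It stops early when either certificate variable is unset or names a missing file, because envsubst replaces an unset variable with an empty string without reporting an error, and it runs `nginx -t` on the rendered file before serving. The function names and the `run` argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check and render step for the nginx container.
# Function names are hypothetical; the paths in main() mirror the post.

# Variables the template may reference (the same two the post substitutes).
TEMPLATE_VARS='SSL_CERTIFICATE_PATH SSL_CERTIFICATE_KEY_PATH'

# Fail if a listed variable is unset/empty or does not name a readable file.
# Without this, envsubst would write "ssl_certificate ;" and say nothing.
check_cert_vars() {
    for name in $TEMPLATE_VARS; do
        eval "value=\${$name:-}"   # name comes only from the fixed list above
        if [ -z "$value" ]; then
            echo "error: $name is not set" >&2
            return 1
        fi
        if [ ! -r "$value" ]; then
            echo "error: $name=$value is not a readable file" >&2
            return 1
        fi
    done
    return 0
}

# Render template $1 to $2, substituting only the listed variables so that
# nginx's own $host, $request_uri, $scheme and so on are left untouched.
render_template() {
    list=''
    for name in $TEMPLATE_VARS; do
        list="$list \${$name}"
    done
    envsubst "$list" < "$1" > "$2"
}

# Container entry point: check, render, validate, then start nginx.
main() {
    check_cert_vars || exit 1
    render_template /etc/nginx/conf.d/default.conf.template \
                    /etc/nginx/conf.d/default.conf || exit 1
    nginx -t || exit 1    # reject a broken rendered config before serving
    exec nginx -g 'daemon off;'
}

# Invoke as "<script> run" (assumed convention) so sourcing only defines functions.
if [ "${1:-}" = "run" ]; then main; fi
```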