Nginx passenger updates

nginx/passenger/README.md

@@ -0,0 +1,40 @@
+### Nginx Passenger
+
+* Installs nginx via ppa and configs it
+* Passenger related configuration
+
+* NO TLS/SSL config for nginx so far - we have another Router/Load Balancer in
+  front of our apps so we don't need that for this role. If you are interesting
+  in adding https than feel free to add a PR.
+* Various default configs for /etc/nginx/conf.d/*
+
+
+### USAGE
+
+This role is intended to run together with ansible-Rails' other provisioning roles. It does not need to run on deployment step, as it uses the default touch tmp/restart.txt method.
+
+```
+roles:
+  - ...
+  - role: dresden-weekly.Rails/nginx/passenger
+    app_name: 'myapp'
+    app_hosts: 'www.myapp.de myapp.de en.myapp.de'
+    passenger_enable_action_cable: true
+    passenger_enable_message_bus: true
+    passenger_max_pool_size: 10
+    nginx_max_body_size: 100M
+
+```
+
+Default config implements some common practices like:
+
+* Cache-Header for /assets, as well as /system /uploads/ /photos (var: nginx_public_folder_to_cache)
+* https requirement for Omniauth /auth route paths. Most Social networks now only allow callback domains via ssl only
+* optional: message-bus or ActionCable optimization. If you are using message_bus gem for "realtime" communication with frontend, you run into problems with passenger in default config. The messages sometimes take long time for delivery. The recommended fix is to run another passenger process in parallel that handles these. The same is true for ActionCable if you are running in the default Rails-moutend way.
+  YOU WILL ALSO NEED TO ADD A SNIPPET TO YOUR APPLICATION-CODE:  https://github.com/SamSaffron/message_bus#passenger. Enable with passenger_enable_action_cable / passenger_enable_message_bus
+
+
+
+
+
+

nginx/passenger/defaults/main.yml

@@ -1,20 +1,71 @@
+passenger_max_pool_size: 30
+# variables for all apps in /etc/nginx/conf.d/passenger.conf
 passenger_main_variables:
-  passenger_max_pool_size: 30
+  passenger_max_pool_size: "{{passenger_max_pool_size}}"
   passenger_pool_idle_time: 0
   passenger_root: "/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini"
   passenger_ruby: "/usr/bin/passenger_free_ruby"
 
+# variables for app /etc/nginx/sites_enabled/site
+passenger_variables:
+  passenger_enabled: "on"
+  passenger_ruby: "/home/{{app_user}}/.rvm/wrappers/ruby-{{ruby_version}}/ruby"
+  passenger_min_instances: 1
+  passenger_max_preloader_idle_time: 0
+
 # Remove identifing headers like Passenger + Nginx version
 passenger_cloak_headers: true
 
 # one or more hosts, like
 # app_hosts: "www.example.com example.com en.example.com de.example.de"
 app_hosts: "{{app_domain}}"
 
-passenger_variables:
-  passenger_enabled: "on"
-  passenger_ruby: "/home/{{app_user}}/.rvm/wrappers/ruby-{{ruby_version}}/ruby"
-  passenger_min_instances: 1
-  passenger_max_preloader_idle_time: 0
-
 nginx_config_file: "{{app_name}}.conf"
+
+# Nginx Regex for paths that should be cached by clients for 7 days
+nginx_public_folder_to_cache: '^/(system|uploads|video|packs)/'
+nginx_max_body_size: 200M
+
+# see: https://github.com/SamSaffron/message_bus#passenger
+passenger_enable_message_bus: false
+# https://www.phusionpassenger.com/library/config/nginx/action_cable_integration/#running-the-action-cable-server-on-the-same-host-and-port-under-a-sub-uri
+passenger_enable_action_cable: false
+
+nginx_gzip_types: 'text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon'
+
+nginx_install_from_passenger_repo: yes
+
+nginx_install_packages:
+- passenger
+
+nginx_worker_processes: 8
+nginx_worker_connections: 512
+nginx_keepalive: 65
+nginx_main_log_format: |
+  log_format main '$remote_addr - $http_x_forwarded_for - $remote_user [$time_local] '
+          '"$request_method $scheme://$host$request_uri $server_protocol" '
+          '$status $body_bytes_sent "$http_referer" '
+          '"$http_user_agent" $request_time';
+
+nginx_conf_d:
+  gzip:
+    - gzip on
+    - gzip_disable "msie6"
+    - gzip_vary on
+    - gzip_proxied any
+    - gzip_types {{nginx_gzip_types}}
+  privacy:
+    - "more_clear_headers 'X-Powered-By'"
+    - "more_clear_headers 'X-Request-Id'"
+    - "more_clear_headers 'X-Runtime'"
+    - "more_set_headers 'Server: nginx'"
+    - "server_tokens off"
+  proxy:
+    - proxy_set_header X-Real-IP  $remote_addr
+    - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
+    - proxy_set_header Host $http_host
+    - proxy_set_header X-Forwarded-Proto $scheme
+  log:
+    - "{{nginx_main_log_format}}"
+
+nginx_conf_extra: {}

nginx/passenger/tasks/config.yml

@@ -1,9 +1,20 @@
+- name: Create the configurations for config.d file
+  template: src=config.conf.j2 dest=/etc/nginx/conf.d/{{ item }}.conf
+  with_flattened:
+    - "{{ nginx_conf_d.keys() | list }}"
+    - "{{ nginx_conf_extra.keys() | list }}"
+  notify: nginx reload
+
 - template: dest=/etc/nginx/conf.d/passenger.conf src=passenger.conf.j2
   notify: nginx reload
+  name: "Create /etc/nginx/conf.d/passenger.conf main config for serverwide settings"
 
 - template: dest=/etc/nginx/sites-available/{{nginx_config_file}} src=site.conf.j2
   notify: nginx reload
 
 - file: src=/etc/nginx/sites-available/{{nginx_config_file}} dest=/etc/nginx/sites-enabled/{{app_name}} state=link owner=root group=root
   notify: nginx reload
 
+- name: Create nginx default config
+  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
+  notify: nginx reload

nginx/passenger/templates/config.conf.j2

@@ -0,0 +1,11 @@
+#{{ ansible_managed }}
+
+{% set config = nginx_conf_d[item] or nginx_conf_extra[item] %}
+{% for v in config %}
+{% if v.find('\n') != -1 %}
+{{v}}
+{% else %}
+{% if v != "" %}{{ v.replace(";",";\n   ").replace(" {"," {\n    ").replace(" }"," \n}\n") }}{% if v.find('{') == -1%};
+{% endif %}{% endif %}{% endif %}
+{% endfor %}
+

nginx/passenger/templates/nginx.conf.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+user www-data www-data;
+worker_processes {{nginx_worker_processes}};
+pid /var/run/nginx.pid;
+worker_rlimit_nofile 1024;
+
+events {
+  worker_connections {{nginx_worker_connections}};
+}
+
+http {
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+  sendfile "on";
+  tcp_nopush "on";
+  tcp_nodelay "on";
+  keepalive_timeout "{{nginx_keepalive}}";
+  access_log "/var/log/nginx/access.log";
+  error_log "/var/log/nginx/error.log";
+  types_hash_max_size 2048;
+
+  include /etc/nginx/conf.d/*.conf;
+  include /etc/nginx/sites-enabled/*;
+}
+

nginx/passenger/templates/passenger.conf.j2

@@ -1,6 +1,6 @@
 # {{ ansible_managed }}
 
-{% for key,value in passenger_main_variables.iteritems() %}
+{% for key,value in passenger_main_variables.items() | list %}
 {{key}} {{value}};
 {% endfor %}
 
@@ -10,3 +10,5 @@ more_clear_headers 'X-Request-Id';
 more_clear_headers 'X-Runtime';
 more_set_headers 'Server: nginx';
 {% endif %}
+
+gzip_types {{nginx_gzip_types}};

nginx/passenger/templates/site.conf.j2

@@ -12,10 +12,10 @@ server {
   # {% endif %}
 
   gzip on;
-  client_max_body_size 200M;
+  client_max_body_size {{nginx_max_body_size}};
   root {{RAILS_APP_CURRENT_PATH}}/public;
 
-  {% for key,value in passenger_variables.iteritems() %}
+  {% for key,value in passenger_variables.items() | list %}
   {{key}} {{value}};
   {% endfor %}
 
@@ -24,9 +24,11 @@ server {
     add_header Pragma public;
     add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     gzip on;
+    # enable delivery of prebuilt .gz files
+    gzip_static  on;
   }
 
-  location ~ ^/(system|uploads)/ {
+  location ~ {{nginx_public_folder_to_cache}} {
     expires 7d;
     add_header Pragma public;
     add_header Cache-Control "public";
@@ -49,5 +51,23 @@ server {
     passenger_enabled on;
   }
 
+  {% if passenger_enable_message_bus is defined and passenger_enable_message_bus %}
+  # improve message_bus performance https://github.com/SamSaffron/message_bus#passenger
+   location /message-bus {
+     passenger_app_group_name {{app_name}}_websocket;
+     passenger_force_max_concurrent_requests_per_process 0;
+   }
+  {% endif %}
 
+  {% if passenger_enable_action_cable is defined and passenger_enable_action_cable %}
+  location /cable {
+     passenger_app_group_name {{app_name}}_cable;
+     passenger_force_max_concurrent_requests_per_process 0;
+  }
+  {% endif %}
+
+  {% if nginx_site_config is defined %}
+  {{ nginx_site_config }}
+  {% endif %}
 }
+# vim: ft=nginx