add nginx files for deployment behind servermanager

Dockerfile.prod

@@ -1,5 +1,5 @@
 # Base Ruby layer
-FROM ruby:2.3.0
+FROM ruby:2.3.3
 
 # Add system libraries layer
 RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs

docker-compose.production.yml

@@ -5,15 +5,20 @@ services:
     environment:
       - ENV_KEY=$ENV_KEY
       - DEPLOY_TAG=$DEPLOY_TAG
-    deploy:
-      replicas: 5
-      resources:
-        limits:
-          cpus: "0.1"
-          memory: 50M
-      restart_policy:
-        condition: on-failure
+      - REDIS_PASSWORD=$REDIS_PASSWORD
+  nginx:
+    ports:
+      - 80
     networks:
-      - webnet
+      default:
+      nginx_default:
+        aliases:
+          - SUMMONEREXPERT
+    volumes:
+      - logs:/etc/nginx/log/
+      - ./nginx.upstream.conf:/etc/nginx/conf.d/default.conf
+volumes:
+  logs:
 networks:
-  webnet:
+  nginx_default:
+    external: true

lib/tasks/deploy.rake

@@ -62,24 +62,12 @@ namespace :docker do
     end
   end
 
-  desc 'stops all Docker containers via Docker Compose and rebuild assets'
+  desc 'stops all Docker containers via Docker Compose'
   task stop: 'deploy:configs' do
     on server do
       within deploy_path do
         with rails_env: deploy_env, deploy_tag: deploy_tag do
           execute 'docker-compose', '-f', 'docker-compose.yml', '-f', 'docker-compose.production.yml', 'down'
-          execute 'docker', 'volume', 'rm', 'supermarkit_assets'
-        end
-      end
-    end
-  end
-
-  desc 'runs database migrations in application container via Docker Compose'
-  task migrate: 'deploy:configs' do
-    on server do
-      within deploy_path do
-        with rails_env: deploy_env, deploy_tag: deploy_tag do
-          execute 'docker-compose', '-f', 'docker-compose.yml', '-f', 'docker-compose.production.yml','run', 'app', 'bundle', 'exec', 'rake', 'db:migrate'
         end
       end
     end
@@ -100,6 +88,6 @@ namespace :docker do
     end
   end
 
-  desc 'pulls images, stops old containers, updates the database, and starts new containers'
-  task deploy: %w{docker:pull docker:decrypt docker:stop docker:migrate docker:start} # pull images manually to reduce down time
+  desc 'pulls images, stops old containers and starts new containers'
+  task deploy: %w{docker:pull docker:decrypt docker:stop docker:start} # pull images manually to reduce down time
 end

nginx.conf

@@ -0,0 +1,66 @@
+# [1] SSL Configuration according to Mozilla guidelines
+#     https://wiki.mozilla.org/Security/Server_Side_TLS
+#     https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# [2] Security Procedures according to OWASP
+#     https://www.owasp.org/index.php/SCG_WS_nginx#SSL_Module
+# [3] https://unix.stackexchange.com/questions/94104/real-world-use-of-tcp-defer-accept
+# [4] OCSP fetch OCSP records from URL in ssl_certificate and cache them
+#     https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+# [5] https://www.digitalocean.com/community/tutorials/understanding-nginx-http-proxying-load-balancing-buffering-and-caching
+# [6] http://reinout.vanrees.org/weblog/2015/11/19/nginx-proxy-gzip.html
+# [7] https://ma.ttias.be/enable-keepalive-connections-in-nginx-upstream-proxy-configurations/
+
+# This file is used by ServerManager to pass requests to SupermarKit container
+# over the shared bridge networks
+
+upstream summonerexpert {
+  # [7] The keepalive parameter sets the maximum number of idle keepalive connections
+  # to upstream servers that are preserved in the cache of each worker process. When
+  # this number is exceeded, the least recently used connections are closed.
+  keepalive 100;
+
+  # Alias used over the bridge network with ServerManager to pass to supermarkit
+  # container
+  server SUMMONEREXPERT:80;
+}
+
+# [1] HTTP Configuration
+server {
+  server_name api.summonerexpert.com;
+
+  # [3] Use deferred for performance optimization
+  listen 80;
+
+  # Enable IPv6
+  listen [::]:80;
+
+  # [2] HTTP Secure Headers
+  add_header Strict-Transport-Security  "max-age=63072000; includeSubdomains; preload";
+  add_header X-Frame-Options            SAMEORIGIN;
+  add_header X-Content-Type-Options     nosniff;
+
+  # [2]
+  server_tokens off;
+
+  location / {
+    # [5] Pass a host to upstream server equal to the request line if present or
+    # client request host header
+    proxy_set_header Host $host;
+
+    # [5] Must tell upstream server that the request was http or https
+    # if not present, then if rails force_ssl is on it will keep sending
+    # location header and instruct the browser to redirect to https
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    # [6] The gzip and proxy modules use different http module versions. In
+    # order for gzip compresion to work you need to set the proxy module
+    # http version to 1.1 same as the gzip module
+    proxy_http_version 1.1;
+
+    # [7] Remove the Connection header if the client sends it,
+    # it could be "close" to close a keepalive connection
+    proxy_set_header Connection "";
+
+    proxy_pass http://summonerexpert;
+  }
+}

nginx.upstream.conf

@@ -0,0 +1,21 @@
+upstream summonerexpert {
+  # Each service gets an entry in /etc/hosts with its name.
+  # the app service is used to run the app and starts the server on port 3000
+  server app:3000;
+}
+
+server {
+  listen 80 default_server deferred;
+  listen [::]:80 default_server deferred;
+
+  root /app/public;
+  access_log /etc/nginx/log/access.log;
+  error_log /etc/nginx/log/error.log info;
+
+  location @summonerexpert {
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    proxy_pass http://summonerexpert;
+  }
+}