nginx setup via chef
Latest commit f89a4e6 Apr 21, 2014 @gerhard gerhard Merge pull request #20 from yacn/feature/self_signed_certs
adds recipe to generate a self-signed ssl certificate

Installs nginx from package OR source code and sets up configuration handling similar to Debian's Apache2 scripts.


  • apt (for nginx::default)
  • build-essential (for nginx::source)


Debian or Ubuntu, though it may work wherever 'build-essential' works. Only tested on Ubuntu.


Take this SSL-only app being served by rainbows:

:nginx => {
  :distribution => 'precise',
  :components => ['main'],
  :apps => {
    :myapp_ssl => {
      :listen      => [443],
      :server_name => "",
      :public_path => "/home/myapp/app/public",
      :try_files   => [
        "$uri @myapp_ruby"
      ],
      :locations   => [
        {
          :path => "@myapp_ruby",
          :directives => [
            "proxy_set_header X-Forwarded-Proto $scheme;",
            "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;",
            "proxy_set_header X-Real-IP $remote_addr;",
            "proxy_set_header Host $host;",
            "proxy_redirect off;",
            "proxy_http_version 1.1;",
            "proxy_set_header Connection '';",
            "proxy_pass http://myapp_ruby;"
          ]
        }
      ],
      :upstreams => [
        {
          :name => "myapp_ruby", # defaults to your app's name (e.g. myapp_ssl)
          :servers => [
            # local app over a unix socket, then a TCP backup host
            "unix:/home/myapp/app/tmp/web.sock max_fails=3 fail_timeout=1s",
            "failover-host:5000 max_fails=3 fail_timeout=1s backup"
          ]
        }
      ],
      :custom_directives => [
        "ssl on;",
        "ssl_certificate /var/certs/myapp.crt;",
        "ssl_certificate_key /var/certs/myapp.key;",
        "ssl_session_cache shared:SSL:10m;",
        "ssl_session_timeout 10m;"
      ]
    }
  }
}

We're running the Ruby app on the local host and connecting to it over a unix socket. If for whatever reason the local app is inaccessible, we fall back to a different host and connect to it on TCP port 5000.

In a horizontally scalable environment, your front-end servers will only run nginx (so no chance of proxying to a unix socket). You will have multiple back-end servers to which nginx will connect via TCP sockets.

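The proxy_http_version 1.1 and proxy_set_header Connection '' directives are a hint that this cookbook supports nginx upstream keepalive: nginx only reuses upstream connections when it speaks HTTP/1.1 to the backend and the Connection header is cleared. The default is 4 connections. This can be easily adjusted via the nginx_app provider.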
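A check you could run over these attributes before converging a node, as an added example that is not part of the cookbook: it flags an app that listens on 443 without both certificate directives, and a proxied location that lacks the two directives upstream keepalive depends on. The helper name lint_nginx_app and its messages are hypothetical, and it assumes every proxy_pass targets a named upstream, as in the example above.

```ruby
# Added example, not the cookbook's code; lint_nginx_app is a hypothetical helper.
def has_directive?(directives, pattern)
  Array(directives).any? { |d| d =~ pattern }
end
def lint_nginx_app(name, app)
  problems = []
  # An app listening on 443 needs both the certificate and its private key.
  if Array(app[:listen]).include?(443)
    %w[ssl_certificate ssl_certificate_key].each do |key|
      next if has_directive?(app[:custom_directives], /\A#{key}\s+\S+;/)
      problems << "#{name}: listens on 443 without #{key}"
    end
  end
  # Upstream names default to the app name, as the page's comment states.
  upstreams = Array(app[:upstreams]).map { |u| (u[:name] || name).to_s }
  Array(app[:locations]).each do |loc|
    dirs = Array(loc[:directives])
    target = dirs.map { |d| d[%r{\Aproxy_pass\s+https?://([^/;\s]+)}, 1] }.compact.first
    next unless target
    where = "#{name} #{loc[:path]}"
    problems << "#{where}: proxy_pass to undefined upstream #{target}" unless upstreams.include?(target)
    # Upstream keepalive needs HTTP/1.1 and a cleared Connection header.
    unless has_directive?(dirs, /\Aproxy_http_version\s+1\.1;/)
      problems << "#{where}: proxy_http_version 1.1 missing"
    end
    unless has_directive?(dirs, /\Aproxy_set_header\s+Connection\s+(''|"");/)
      problems << "#{where}: Connection header not cleared"
    end
  end
  problems
end

# The page's :myapp_ssl entry, trimmed to the fields the lint reads.
PAGE_APP = {
  :listen => [443],
  :locations => [{ :path => "@myapp_ruby", :directives => [
    "proxy_http_version 1.1;", "proxy_set_header Connection '';",
    "proxy_pass http://myapp_ruby;"] }],
  :upstreams => [{ :name => "myapp_ruby" }],
  :custom_directives => ["ssl_certificate /var/certs/myapp.crt;",
                         "ssl_certificate_key /var/certs/myapp.key;"]
}
# Constructed broken variant: key directive dropped, Connection header left alone.
BROKEN_APP = PAGE_APP.merge(
  :custom_directives => ["ssl_certificate /var/certs/myapp.crt;"],
  :locations => [{ :path => "@myapp_ruby", :directives => [
    "proxy_http_version 1.1;", "proxy_pass http://myapp_ruby;"] }]
)
puts lint_nginx_app(:myapp_ssl, BROKEN_APP)
```

If the proxy or ssl directives have been moved into a shared file under /etc/nginx/conf.d, this lint will report them as missing, because it reads only the attribute hash.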

If you find yourself specifying the proxy_set_header directives for multiple nginx apps, you can extract them into a common config file, e.g. /etc/nginx/conf.d/proxy.conf. The same is true for ssl directives.

More nginx load balancing and reverse proxying tips.


Tuning Nginx for Best Performance

Serving small static files

nginx for high traffic loads
