lib/moonshine/manifest/rails/templates/passenger.vhost.erb

<VirtualHost *:80>
  ServerName <%= configuration[:domain] || (Facter.to_hash["hostname"] + '.' + Facter.to_hash["domain"]) %>
  <% if configuration[:domain_aliases] %>
  ServerAlias <%= configuration[:domain_aliases].to_a.join(' ') %>
  <% end %>
<% if configuration[:ssl] && configuration[:ssl][:only] %>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{REQUEST_URI} !^/server-status
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
<% else %>
  DocumentRoot <%= configuration[:deploy_to] + "/current/public" %>

  <Directory <%= configuration[:deploy_to] + "/current/public" %>>
    <% if configuration[:passenger][:limit_except] %>
      <%= configuration[:passenger][:limit_except] %>
    <% end %>
    Options FollowSymLinks
    AllowOverride <%= if configuration[:apache]; configuration[:apache][:allow_override] || 'None'; else 'None'; end %>
    Order allow,deny
    Allow from all
    <%= "FileETag #{configuration[:apache][:file_etag]}" if configuration[:apache][:file_etag] %>
  </Directory>

  <% if configuration[:apache ] && (configuration[:apache][:users] || configuration[:apache][:allow] || configuration[:apache][:deny]) %>
  <Location / >
    <% if configuration[:apache][:users] %>
    authtype basic
    authuserfile <%= configuration[:apache][:htpasswd] || "#{configuration[:deploy_to]}/shared/config/htpasswd" %>
    authname "<%= configuration[:authname] || configuration[:domain] %>"
    <% end %>
    <Limit GET POST DELETE PUT>
      order deny,allow
      <% if configuration[:apache][:users] || configuration[:apache][:allow] %>
      deny from all
      <% end %>
      <% configuration[:apache][:deny].to_a.each do |deny| %>
      deny from <%= deny %>
      <% end %>
      <% configuration[:apache][:allow].to_a.each do |allow| %>
      allow from <%= allow %>
      <% end %>
      <% if configuration[:apache][:users] %>
      require valid-user
      <% end %>
      Satisfy <%= configuration[:apache][:satisfy] || 'Any' %>
    </Limit>
  </Location>
  <% end %>

  <% if asset_pipeline_enabled? %>
    # Recommendations for asset pipline: http://guides.rubyonrails.org/asset_pipeline.html#in-production
    <LocationMatch "^/assets/.*$">
      Header unset ETag
      FileETag None
      # RFC says only cache for 1 year
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </LocationMatch>
  <% else %>
    # Using the Rails Asset pipeline? Enable it with:
    #
    #   :assets:
    #     :enabled: true
  <% end %>

  ##
  ## The following options are Rails specific options. They may occur
  ## here in your VirtualHost entry or in the global configuration.
  ##

<% if passenger_major_version < 4 %>

  ## RailsAutoDetect
  #
  # Set whether Phusion Passenger should automatically detect whether
  # a virtual host's document root is a Ruby on Rails application.
  # The default is on.
  # Options: <on|off>

  RailsAutoDetect <%= passenger_config_boolean(configuration[:passenger][:rails_auto_detect]) %>

<% end %>

  ## RailsBaseURI
  #
  # Specify that the given URI is a Rails application. It is allowed to
  # specify this option multiple times. Do this to deploy multiple
  # Rails applications in different sub-URIs under the same virtual host.
  <% if configuration[:passenger][:rails_base_uri] %>
  RailsBaseURI <%= configuration[:passenger][:rails_base_uri] %>
  <% else %>
  # RailsBaseURI <uri>
  <% end %>


  <% if configuration[:passenger][:allow_mod_rewrite] %>
  ## RailsAllowModRewrite
  #
  # Passenger will not override mod_rewrite rules if this option
  # is enabled. This option is deprecated and ignored in recent versions
  # of Passenger.
  # Options: <on|off>

  RailsAllowModRewrite <%= passenger_config_boolean(configuration[:passenger][:allow_mod_rewrite]) %>
  <% else %>
  # RailsAllowModRewrite is deprecated. Passenger supports mod_rewrite by default now. configure(:passenger => { :allow_mod_rewrite => true/false }) if you still wish to use it.
  <% end %>

  ## RackEnv
  #
  # Use this option to specify the default RACK_ENV value. The default
  # setting is production.

  RackEnv <%= configuration[:passenger][:rack_env] || configuration[:passenger][:rails_env] || ENV['RAILS_ENV'] || 'production' %>

  ## RailsEnv
  #
  # Use this option to specify the default RAILS_ENV value. The default
  # setting is production.

  RailsEnv <%= configuration[:passenger][:rails_env] || ENV['RAILS_ENV'] || 'production' %>

  ## RailsSpawnMethod
  #
  # Internally, Phusion Passenger spawns multiple Ruby on Rails processes
  # in order to handle requests. But there are multiple ways with which
  # processes can be spawned, each having its own set of pros and cons.
  # Supported spawn methods are:
  #  smart
  #    When this spawn method is used, Phusion Passenger will attempt
  #    to cache Ruby on Rails framework code and application code for
  #    a limited period of time.
  #
  #  conservative
  #    This spawning method is similar to the one used in Mongrel Cluster.
  #    It does not perform any code caching at all.

  RailsSpawnMethod <%= configuration[:passenger][:rails_spawn_method] || 'smart' %>

  ## PassengerMinInstances
  #
  # This specifies the minimum number of application instances that must be
  # kept around whenever Phusion Passenger cleans up idle instances. You should
  # set this option to a non-zero value if you want to avoid potentially long
  # startup times after a website has been idle for an extended period.
  #
  # Please note that this option does not pre-start application instances during
  # Apache startup. It just makes sure that when the application is first accessed:
  # - at least the given number of instances will be spawned.
  # - the given number of processes will be kept around even when instances are
  #   being idle cleaned (see PassengerPoolIdleTime).
  #
  # If you want to pre-start application instances during Apache startup, then you
  # should use the PassengerPreStart directive, possibly in combination with
  # PassengerMinInstances.

  <% if configuration[:passenger][:min_instances] %>
  PassengerMinInstances <%= configuration[:passenger][:min_instances] %>
  <% end %>

  ## PassengerPreStart
  #
  # By default, Phusion Passenger does not start any application instances
  # until said web application is first accessed. The result is that the
  # first visitor of said web application might experience a small delay as
  # Phusion Passenger is starting the web application on demand. If that is
  # undesirable, then this directive can be used to pre-started application
  # instances during Apache startup.
  #
  # This directive only accepts a URL that fits the following criteria:
  # - The domain part of the URL must be equal to the value of the ServerName
  #   directive of the VirtualHost block that defines the web application.
  # - Unless the web application is deployed on port 80, the URL should
  #   contain the web application's port number too.
  # - The path part of the URL must point to some URI that the web
  #   application handles.
  #
  # You probably want to combine this with PassengerMinInstances.
  #
  # Example URL: http://example.com/

  <% if configuration[:passenger][:pre_start_url] %>
  PassengerPreStart <%= configuration[:passenger][:pre_start_url] %>
  <% end %>

  ## PassengerAppGroupName
  #
  # By default, Passenger groups applications by the the path they are served out of,
  # ie /srv/yourapp/current.
  #
  # At times, it may be useful be serving the same app from multiple vhosts, but have
  # them be have different workers. For example, you may have a /ping URL that needs to
  # respond quickly, without being affected by the rest of the app. In this case, you can:
  #
  #  * create a new vhost pointing at the same app
  #  * set PassengerAppGroupName to ping
  #  * configure a proxy to forward /ping to the new vhost

  <% if configuration[:passenger][:app_group_name] %>
  PassengerAppGroupName <%= configuration[:passenger][:app_group_name] %>
  <% else %>
  #PassengerAppGroupName <%= configuration[:application] %>
  <% end %>

  # Deflate
  <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE <%= configuration[:apache][:gzip_types].join(' ') %>
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  </IfModule>

  RequestHeader set X-Request-Start "%t"
  Header unset X-Powered-by
  Header unset Server
  
  <% if configuration[:passenger][:xss_protection] %>
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Frame-Options "DENY"
  Header set X-Content-Type-Options "nosniff"
  <% end %>
  
  <% if configuration[:passenger][:strict_transport_security] %>
  Header set Strict-Transport-Security "max-age=16070400; includeSubDomain"
  <% end %>
  
  <% if configuration[:passenger][:content_security_policy] %>
  Header set Content-Security-Policy "<%= configuration[:passenger][:content_security_policy] %>"
  <% end %>
  
  RewriteEngine On

  <%= configuration[:passenger][:vhost_extra] %>

<% if configuration[:scm].to_s == 'subversion' %>
  # Prevent access to svn metadata
  RewriteRule ^(.*/)?\.svn/ - [F,L]
  ErrorDocument 403 "Access Forbidden"
<% end %>

<% if configuration[:passenger][:maintenance_rewrite] %>
	<%= configuration[:passenger][:maintenance_rewrite] %>
<% else %>
  # Check for maintenance file and redirect all requests
  ErrorDocument 503 /system/maintenance.html
  RewriteCond %{REQUEST_URI} !\.(css|jpg|png|gif)$
  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteRule ^.*$ /system/maintenance.html [R=<%= configuration[:passenger][:maintenance_status_code] || 503 %>,L]
<% end %>

  # Rewrite index to check for static
  RewriteCond  %{THE_REQUEST} ^(GET|HEAD)
  RewriteCond  %{DOCUMENT_ROOT}<%= configuration[:passenger][:page_cache_directory] %>/index.html -f
  RewriteRule  ^/?$ <%= configuration[:passenger][:page_cache_directory] %>/index.html [QSA,L]

  # Rewrite to check for Rails non-html cached pages (i.e. xml, json, atom, etc)
  RewriteCond  %{THE_REQUEST} ^(GET|HEAD)
  RewriteCond  %{DOCUMENT_ROOT}<%= configuration[:passenger][:page_cache_directory] %>%{REQUEST_URI} -f
  RewriteRule  ^(.*)$ <%= configuration[:passenger][:page_cache_directory] %>$1 [QSA,L]

  # Rewrite to check for Rails cached html page
  RewriteCond  %{THE_REQUEST} ^(GET|HEAD)
  RewriteCond  %{DOCUMENT_ROOT}<%= configuration[:passenger][:page_cache_directory] %>%{REQUEST_URI}.html -f
  RewriteRule  ^(.*)$ <%= configuration[:passenger][:page_cache_directory] %>$1.html [QSA,L]

<% end %>
</VirtualHost>

<% if configuration[:ssl] %>
<VirtualHost <%= configuration[:ssl][:ip] || '_default_' %>:443>
  RequestHeader set X_FORWARDED_PROTO "https"

  SSLEngine on
  SSLCipherSuite <%= configuration[:ssl][:cipher_suite] || 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK' %>
  SSLCertificateFile    <%= configuration[:ssl][:certificate_file] || '/etc/ssl/certs/ssl-cert-snakeoil.pem' %>
  SSLCertificateKeyFile <%= configuration[:ssl][:certificate_key_file] || '/etc/ssl/private/ssl-cert-snakeoil.key' %>
  <% if configuration[:ssl][:certificate_chain_file] %>
  SSLCertificateChainFile <%= configuration[:ssl][:certificate_chain_file] %>
  <% else %>
  # SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
  <% end %>
  SSLProtocol <%= configuration[:ssl][:protocol] || 'ALL -SSLv2' %>
  SSLHonorCipherOrder <%= configuration[:ssl][:honor_cipher_order] || 'on' %>

  BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  ServerName <%= configuration[:domain] || (Facter.to_hash["hostname"] + '.' + Facter.to_hash["domain"]) %>
  <% if configuration[:domain_aliases] %>
  ServerAlias <%= configuration[:domain_aliases].to_a.join(' ') %>
  <% end %>
  DocumentRoot <%= configuration[:deploy_to] + "/current/public" %>

  <Directory <%= configuration[:deploy_to] + "/current/public" %>>
    <% if configuration[:passenger][:limit_except] %>
      <%= configuration[:passenger][:limit_except] %>
    <% end %>
    Options FollowSymLinks
    AllowOverride <%= if configuration[:apache]; configuration[:apache][:allow_override] || 'None'; else 'None'; end %>
    Order allow,deny
    Allow from all
    <%= "FileETag #{configuration[:apache][:file_etag]}" if configuration[:apache][:file_etag] %>
  </Directory>

  <% if configuration[:apache ] and (configuration[:apache][:users] || configuration[:apache][:allow] || configuration[:apache][:deny]) %>
  <Location / >
    <% if configuration[:apache][:users] %>
    authtype basic
    authuserfile <%= configuration[:apache][:htpasswd] || "#{configuration[:deploy_to]}/shared/config/htpasswd" %>
    authname "<%= configuration[:authname] || configuration[:domain] %>"
    <% end %>
    <Limit GET POST DELETE PUT>
      order deny,allow
      <% if configuration[:apache][:users] || configuration[:apache][:allow] %>
      deny from all
      <% end %>
      <% configuration[:apache][:deny].to_a.each do |deny| %>
      deny from <%= deny %>
      <% end %>
      <% configuration[:apache][:allow].to_a.each do |allow| %>
      allow from <%= allow %>
      <% end %>
      <% if configuration[:apache][:users] %>
      require valid-user
      <% end %>
      Satisfy <%= configuration[:apache][:satisfy] || 'Any' %>
    </Limit>
  </Location>
  <% end %>

  <% if asset_pipeline_enabled? %>
    # Recommendations for asset pipline: http://guides.rubyonrails.org/asset_pipeline.html#in-production
    <LocationMatch "^/assets/.*$">
      Header unset ETag
      FileETag None
      # RFC says only cache for 1 year
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </LocationMatch>
  <% else %>
    # Using the Rails Asset pipeline? Enable it with:
    #
    #   :assets:
    #     :enabled: true
  <% end %>

  ##
  ## The following options are Rails specific options. They may occur
  ## here in your VirtualHost entry or in the global configuration.
  ##
  
  <% if passenger_major_version < 4 %>

  ## RailsAutoDetect
  #
  # Set whether Phusion Passenger should automatically detect whether
  # a virtual host's document root is a Ruby on Rails application.
  # The default is on.
  # Options: <on|off>

  RailsAutoDetect <%= passenger_config_boolean(configuration[:passenger][:rails_auto_detect]) %>

  <% end %>
  
  ## RailsBaseURI
  #
  # Specify that the given URI is a Rails application. It is allowed to
  # specify this option multiple times. Do this to deploy multiple
  # Rails applications in different sub-URIs under the same virtual host.
  <% if configuration[:passenger][:rails_base_uri] %>
  RailsBaseURI <%= configuration[:passenger][:rails_base_uri] %>
  <% else %>
  # RailsBaseURI <uri>
  <% end %>

  <% if configuration[:passenger][:allow_mod_rewrite] %>
  ## RailsAllowModRewrite
  #
  # Passenger will not override mod_rewrite rules if this option
  # is enabled. This option is deprecated and ignored in recent versions
  # of Passenger.
  # Options: <on|off>

  RailsAllowModRewrite <%= passenger_config_boolean(configuration[:passenger][:allow_mod_rewrite]) %>
  <% else %>
  # RailsAllowModRewrite is deprecated. Passenger supports mod_rewrite by default now. configure(:passenger => { :allow_mod_rewrite => true/false }) if you still wish to use it.
  <% end %>

  ## RackEnv
  #
  # Use this option to specify the default RACK_ENV value. The default
  # setting is production.

  RackEnv <%= configuration[:passenger][:rack_env] || configuration[:passenger][:rails_env] || ENV['RAILS_ENV'] || 'production' %>

  ## RailsEnv
  #
  # Use this option to specify the default RAILS_ENV value. The default
  # setting is production.

  RailsEnv <%= configuration[:passenger][:rails_env] || ENV['RAILS_ENV'] || 'production' %>

  ## RailsSpawnMethod
  #
  # Internally, Phusion Passenger spawns multiple Ruby on Rails processes
  # in order to handle requests. But there are multiple ways with which
  # processes can be spawned, each having its own set of pros and cons.
  # Supported spawn methods are:
  #  smart
  #    When this spawn method is used, Phusion Passenger will attempt
  #    to cache Ruby on Rails framework code and application code for
  #    a limited period of time.
  #
  #  conservative
  #    This spawning method is similar to the one used in Mongrel Cluster.
  #    It does not perform any code caching at all.

  RailsSpawnMethod <%= configuration[:passenger][:rails_spawn_method] || 'smart' %>

  ## PassengerMinInstances
  #
  # This specifies the minimum number of application instances that must be
  # kept around whenever Phusion Passenger cleans up idle instances. You should
  # set this option to a non-zero value if you want to avoid potentially long
  # startup times after a website has been idle for an extended period.
  #
  # Please note that this option does not pre-start application instances during
  # Apache startup. It just makes sure that when the application is first accessed:
  # - at least the given number of instances will be spawned.
  # - the given number of processes will be kept around even when instances are
  #   being idle cleaned (see PassengerPoolIdleTime).
  #
  # If you want to pre-start application instances during Apache startup, then you
  # should use the PassengerPreStart directive, possibly in combination with
  # PassengerMinInstances.

  <% if configuration[:passenger][:min_instances] %>
  PassengerMinInstances <%= configuration[:passenger][:min_instances] %>
  <% end %>

  ## PassengerPreStart
  #
  # By default, Phusion Passenger does not start any application instances
  # until said web application is first accessed. The result is that the
  # first visitor of said web application might experience a small delay as
  # Phusion Passenger is starting the web application on demand. If that is
  # undesirable, then this directive can be used to pre-started application
  # instances during Apache startup.
  #
  # This directive only accepts a URL that fits the following criteria:
  # - The domain part of the URL must be equal to the value of the ServerName
  #   directive of the VirtualHost block that defines the web application.
  # - Unless the web application is deployed on port 80, the URL should
  #   contain the web application's port number too.
  # - The path part of the URL must point to some URI that the web
  #   application handles.
  #
  # You probably want to combine this with PassengerMinInstances.
  #
  # Example URL: http://example.com/

  <% if configuration[:passenger][:pre_start_url] %>
  PassengerPreStart <%= configuration[:passenger][:pre_start_url] %>
  <% end %>

  # Deflate
  <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE <%= configuration[:apache][:gzip_types].join(' ') %>
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  </IfModule>

  RequestHeader set X-Request-Start "%t"
  Header unset X-Powered-by
  Header unset Server
  
  <% if configuration[:passenger][:xss_protection] %>
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Frame-Options "DENY"
  Header set X-Content-Type-Options "nosniff"
  <% end %>
  
  <% if configuration[:passenger][:strict_transport_security] %>
  Header set Strict-Transport-Security "max-age=16070400; includeSubDomain"
  <% end %>
  
  <% if configuration[:passenger][:content_security_policy] %>
  Header set Content-Security-Policy "<%= configuration[:passenger][:content_security_policy] %>"
  <% end %>
  
  RewriteEngine On

<% if configuration[:ssl] %>
  <%= configuration[:ssl][:vhost_extra] %>
<% else %>
  <%= configuration[:passenger][:vhost_extra] %>
<% end %>

<% if configuration[:scm].to_s == 'subversion' %>
  # Prevent access to svn metadata
  RewriteRule ^(.*/)?\.svn/ - [F,L]
  ErrorDocument 403 "Access Forbidden"
<% end %>

<% if configuration[:passenger][:maintenance_rewrite] %>
	<%= configuration[:passenger][:maintenance_rewrite] %>
<% else %>
  # Check for maintenance file and redirect all requests
  ErrorDocument 503 /system/maintenance.html
  RewriteCond %{REQUEST_URI} !\.(css|jpg|png|gif)$
  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteRule ^.*$ /system/maintenance.html [R=<%= configuration[:passenger][:maintenance_status_code] || 503 %>,L]
<% end %>

  # Rewrite index to check for static
  RewriteCond  %{THE_REQUEST} ^(GET|HEAD)
  RewriteCond  %{DOCUMENT_ROOT}<%= configuration[:passenger][:page_cache_directory] %>/index.html -f
  RewriteRule  ^/?$ <%= configuration[:passenger][:page_cache_directory] %>/index.html [QSA,L]

  # Rewrite to check for Rails non-html cached pages (i.e. xml, json, atom, etc)
  RewriteCond  %{THE_REQUEST} ^(GET|HEAD)
  RewriteCond  %{DOCUMENT_ROOT}<%= configuration[:passenger][:page_cache_directory] %>%{REQUEST_URI} -f
  RewriteRule  ^(.*)$ <%= configuration[:passenger][:page_cache_directory] %>$1 [QSA,L]

  # Rewrite to check for Rails cached html page
  RewriteCond  %{THE_REQUEST} ^(GET|HEAD)
  RewriteCond  %{DOCUMENT_ROOT}<%= configuration[:passenger][:page_cache_directory] %>%{REQUEST_URI}.html -f
  RewriteRule  ^(.*)$ <%= configuration[:passenger][:page_cache_directory] %>$1.html [QSA,L]

  </VirtualHost>
<% end %>