
Running Rails app with Puma and Nginx with SSL certificate

Anusha Ranganathan edited this page May 1, 2018 · 14 revisions

Reference:
https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-puma-and-nginx-on-ubuntu-14-04
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
https://stackoverflow.com/questions/42217660/cannot-run-puma-upstart-script-on-ubuntu-16-04
https://github.com/puma/puma/blob/master/docs/systemd.md
All online sources and documents referred to in this document are detailed here

Install rbenv-vars Plugin

cd ~/.rbenv/plugins
git clone https://github.com/sstephenson/rbenv-vars.git

Create a rake secret

cd ~/data2paper
rake secret

Copy the secret key that is generated, then open the .rbenv-vars and paste it in there

vim .rbenv-vars

Add the line to the file, save and exit

SECRET_KEY_BASE=your_generated_secret_which_you_copied

Add the file .rbenv-vars to .gitignore

vim .gitignore

Add the line to the file, save and exit

.rbenv-vars
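The secret-key steps above, as an added shell example that is not part of the wiki: it generates SECRET_KEY_BASE, writes the app's .rbenv-vars so that only the deploy user can read it (mode 0600; the same reason the file must never be committed), and adds the .gitignore entry only once, so rerunning it is safe. The app directory is passed as an argument (the wiki uses ~/data2paper), `openssl rand -hex 64` stands in for `rake secret` (both produce 128 hex characters), and the check_rbenv_vars function is an assumption added here to verify the result.

```shell
# Added example (not from the data2paper wiki): generate SECRET_KEY_BASE,
# write it to <app_dir>/.rbenv-vars with owner-only permissions, and make
# sure .rbenv-vars is ignored by git. `rake secret` is replaced by
# `openssl rand -hex 64`, which yields the same 128-hex-character shape.

# generate_secret: 128 hex characters (64 random bytes), like `rake secret`.
generate_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 64
    else
        # Fallback assumption: /dev/urandom is available.
        od -An -tx1 -N64 /dev/urandom | tr -d ' \n'
    fi
}

# write_rbenv_vars APP_DIR SECRET
# Creates APP_DIR/.rbenv-vars holding SECRET_KEY_BASE, readable only by the
# deploy user (0600), and adds .rbenv-vars to APP_DIR/.gitignore exactly once.
write_rbenv_vars() {
    app_dir=$1
    secret=$2
    vars_file="$app_dir/.rbenv-vars"
    # Set umask before creating the file so it is never world-readable, even briefly.
    (umask 077; printf 'SECRET_KEY_BASE=%s\n' "$secret" > "$vars_file")
    chmod 600 "$vars_file"
    # Idempotent .gitignore entry: match the whole line as a fixed string.
    if ! grep -qxF '.rbenv-vars' "$app_dir/.gitignore" 2>/dev/null; then
        printf '.rbenv-vars\n' >> "$app_dir/.gitignore"
    fi
}

# check_rbenv_vars APP_DIR
# Returns 0 and prints "ok" when the secret file exists, is mode 0600, holds a
# 128-hex-character SECRET_KEY_BASE and is git-ignored; otherwise prints the
# first failing check and returns 1.
check_rbenv_vars() {
    app_dir=$1
    vars_file="$app_dir/.rbenv-vars"
    [ -f "$vars_file" ] || { echo "missing $vars_file"; return 1; }
    mode=$(stat -c '%a' "$vars_file" 2>/dev/null || stat -f '%Lp' "$vars_file")
    [ "$mode" = "600" ] || { echo "bad mode $mode on $vars_file"; return 1; }
    grep -Eq '^SECRET_KEY_BASE=[0-9a-f]{128}$' "$vars_file" \
        || { echo "SECRET_KEY_BASE missing or malformed"; return 1; }
    grep -qxF '.rbenv-vars' "$app_dir/.gitignore" 2>/dev/null \
        || { echo ".rbenv-vars not in .gitignore"; return 1; }
    echo "ok"
}

# Usage with the wiki's app directory:
#   write_rbenv_vars ~/data2paper "$(generate_secret)" && check_rbenv_vars ~/data2paper
```

The umask is set inside a subshell so the rest of the script keeps its normal umask; chmod afterwards also repairs an .rbenv-vars that already existed with looser permissions.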

Install Nginx

Install Nginx

sudo apt-get install nginx

Configure the site
Create a file in /etc/nginx/sites-available/data2paper
An example site is available in docs/data2paper if using Puma
An example site is available in docs/data2paper-3000 if running the webserver on port 3000

Enable the site

ln -s /etc/nginx/sites-available/data2paper /etc/nginx/sites-enabled/data2paper

Disable the default site if it exists

rm /etc/nginx/sites-enabled/default

Restart Nginx to put the changes into effect

sudo service nginx restart

Enable UFW and setup a basic firewall

Reference:
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04#step-seven-%E2%80%94-set-up-a-basic-firewall

See which application profiles are available

sudo ufw app list

Allow the OpenSSH and 'Nginx Full' application profiles through the firewall

sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'

Enable UFW

sudo ufw enable

Check the status

sudo ufw status

Configure Puma

Note: Puma is already installed in Hyrax. See https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-puma-and-nginx-on-ubuntu-14-04#configure-puma

After all the changes, the configuration file looks like https://github.com/anusharanganathan/data2paper/blob/master/config/puma.rb

Create the shared directories mentioned in the puma config

cd ~/data2paper
mkdir -p shared/pids shared/sockets shared/log

Create systemd scripts and enable the service

Copy the files docs/puma.service and docs/puma.socket to /etc/systemd/system/

sudo cp docs/puma* /etc/systemd/system/

After installing or making changes to either puma.socket or puma.service, reload the systemctl daemon

sudo systemctl daemon-reload

Enable both socket and service so they start on boot.

sudo systemctl enable puma.socket puma.service

Initial start up. The Requires directive in puma.service ensures the socket is started before the service.

sudo systemctl start puma.socket puma.service

Check status of both socket and service.

sudo systemctl status puma.socket puma.service

Visit the web page http://data2paper_dev_ip_address

Add a DNS entry to the VM (for example dev.data2paper.org)

  1. Get the public IP address from the Azure portal.

  2. Visit Google domains and add a custom resource record for the data2paper domain.
    For example dev A 1h 52.166.126.144

  3. Edit the site in Nginx: add the server name, save and exit
    sudo vim /etc/nginx/sites-enabled/data2paper
    Replace the line server_name localhost; with server_name dev.data2paper.org;

  4. Restart Nginx
    sudo systemctl restart nginx.service

  5. Visit http://dev.data2paper.org and test that the page is being served

Setup an SSL certificate with Nginx and LetsEncrypt

Secure Nginx with Let's Encrypt

Reference:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

  1. Enable port 80 and 443 outbound traffic in Azure portal
    data2paperdev - Networking - Add Outbound port

  2. Follow instructions in Step 1 — Installing Certbot

  3. Follow instructions in Step 2 — Setting up Nginx

  4. Follow instructions in Step 3 — Updating the Firewall

  5. IMPORTANT: Obtaining a test SSL certificate
    Similar to the next step, but run with the additional argument --test-cert.
    Note: If there are errors, you may get locked out, so it is safe to do this first. I got locked out for an hour due to authz errors (port 80 was not opened in the Azure portal for inbound traffic).
    sudo certbot --test-cert --nginx -d dev.data2paper.org
    Selected the option to configure with HTTP traffic redirected to HTTPS.

  6. Follow instructions in Step 4 — Obtaining an SSL Certificate
    Important: You should get the message that a certificate already exists. Select re-install.
    sudo certbot --nginx -d dev.data2paper.org
    Selected the option to configure with HTTP traffic redirected to HTTPS.

  7. Follow instructions in Step 5 — Updating Diffie-Hellman Parameters
    Generate a strong Diffie-Hellman group to strengthen security. This command will generate a 2048-bit group.

    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    Add or replace the location of ssl_dhparam in the Nginx site config. Edit the file /etc/nginx/sites-available/data2paper

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    Test the configuration to make sure that there are no syntax errors in any of the Nginx files

    sudo nginx -t

    If no problems were found, restart Nginx to enable the changes

    sudo service nginx restart

  8. Test the SSL certificate
    Visit https://www.ssllabs.com/ssltest/analyze.html?d=dev.data2paper.org

  9. Follow instructions in Step 6 — Setting Up Auto Renewal
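The site configuration from "Configure the site" and the TLS changes from steps 5 to 7 above, as an added shell example that is not the project's docs/data2paper site file: audit_nginx_site reads an Nginx site config and reports which of the settings this page ends up with are missing (a server_name other than localhost, a listen 443 ssl block, ssl_certificate and ssl_certificate_key, ssl_dhparam pointing at /etc/ssl/certs/dhparam.pem, the HTTP-to-HTTPS redirect, and an upstream on the Puma unix socket under shared/sockets). It is a pre-deploy check to run before `sudo nginx -t`, which only validates syntax. The two sample configs are constructed here to show the before and after; the /home/deploy path and the /etc/letsencrypt/live/... certificate paths are assumptions (certbot's default layout), not something the wiki states.

```shell
# Added example (not the project's docs/data2paper site file): audit an Nginx
# site config for the settings this page arrives at. Sample configs below are
# constructed; /home/deploy and the /etc/letsencrypt/live/... paths are assumed.

# has_directive FILE REGEX: true if an uncommented line of FILE matches REGEX (ERE).
has_directive() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# audit_nginx_site FILE
# Prints one "MISSING: ..." line per absent setting; the return value is the
# number of missing settings (0 means the file has everything this page adds).
audit_nginx_site() {
    f=$1
    missing=0
    # A server_name of localhost means the DNS step was not applied.
    if has_directive "$f" 'server_name[[:space:]]+localhost[[:space:]]*;'; then
        echo "MISSING: real server_name (still localhost)"
        missing=$((missing + 1))
    fi
    # Remaining checks: ERE pattern|human-readable label, one per line.
    while IFS='|' read -r pattern label; do
        has_directive "$f" "$pattern" \
            || { echo "MISSING: $label"; missing=$((missing + 1)); }
    done <<'EOF'
server_name[[:space:]]+[^ ;]+|server_name directive
listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl|listen 443 ssl
ssl_certificate[[:space:]]+|ssl_certificate
ssl_certificate_key[[:space:]]+|ssl_certificate_key
ssl_dhparam[[:space:]]+/etc/ssl/certs/dhparam\.pem|ssl_dhparam /etc/ssl/certs/dhparam.pem
return[[:space:]]+301[[:space:]]+https://|HTTP -> HTTPS redirect
unix:.*shared/sockets/puma\.sock|proxy upstream on the Puma unix socket
EOF
    return "$missing"
}

# write_sample_sites DIR: constructed before/after configs for demonstration.
write_sample_sites() {
    dir=$1
    # Before: plain HTTP, server_name still localhost, no TLS settings at all.
    cat > "$dir/weak.conf" <<'EOF'
server {
    listen 80;
    server_name localhost;
    root /home/deploy/data2paper/public;
    location @app {
        proxy_pass http://unix:/home/deploy/data2paper/shared/sockets/puma.sock;
    }
}
EOF
    # After: DNS name set, certbot redirect and certificate lines, dhparam added.
    cat > "$dir/hardened.conf" <<'EOF'
upstream app {
    server unix:///home/deploy/data2paper/shared/sockets/puma.sock fail_timeout=0;
}
server {
    listen 80;
    server_name dev.data2paper.org;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name dev.data2paper.org;
    ssl_certificate /etc/letsencrypt/live/dev.data2paper.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.data2paper.org/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    root /home/deploy/data2paper/public;
    try_files $uri/index.html $uri @app;
    location @app {
        proxy_pass http://app;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
    }
}
EOF
}

# Usage:
#   audit_nginx_site /etc/nginx/sites-available/data2paper; echo "missing: $?"
# On the constructed samples: 6 missing for weak.conf, 0 for hardened.conf.
```

Only uncommented lines count, so a directive that certbot left behind as a comment does not pass the check; run it on /etc/nginx/sites-available/data2paper after step 7, then `sudo nginx -t` for syntax.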
