Merge pull request #1245 from ruby-china/feat/use-caddy

Use Caddy for 3.8.x

Author: huacnlee

app/models/setting.rb

@@ -73,7 +73,6 @@ def legecy_envs
   # = System
   field :require_restart, default: false, type: :boolean
   field :domain, default: (ENV["domain"] || "localhost"), readonly: true
-  field :https, type: :boolean, default: (ENV["https"] || "true"), readonly: true
   field :asset_host, default: (ENV["asset_host"] || nil), readonly: true
 
   # = Basic
@@ -185,7 +184,7 @@ def legecy_envs
 
   class << self
     def protocol
-      self.https? ? "https" : "http"
+      Rails.env.production? ? "https" : "http"
     end
 
     def base_url

config/environments/production.rb

@@ -52,7 +52,7 @@
   config.action_cable.allowed_request_origins = [Setting.cable_allowed_request_origin]
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  config.force_ssl = Setting.https
+  config.force_ssl = false
 
   # Include generic and useful information about system operation, but avoid logging too much
   # information to avoid inadvertent exposure of personally identifiable information (PII).

config/nginx/homeland.conf.erb

@@ -15,14 +15,8 @@ log_format timed_combined '$remote_addr - $remote_user [$time_local] '
 server {
   listen 80 default_server;
 
-  <% if ENV['https'] == "true" || ENV["https"] == "1" %>
-  include /etc/nginx/ssl.conf;
-  <% end %>
-
   location /nginx_status {
-    allow 127.0.0.1;
-    deny all;
-    stub_status on;
+    return 200 "ok";
   }
 
   root /home/app/homeland/public;
@@ -146,7 +140,6 @@ server {
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "Upgrade";
-    proxy_set_header X-Forwarded-Proto $scheme;
     proxy_pass http://app_backend;
     gzip on;
   }

config/nginx/nginx.conf.erb

@@ -3,7 +3,6 @@ worker_processes auto;
 pid /home/app/pids/nginx.pid;
 daemon off;
 load_module modules/ngx_http_image_filter_module.so;
-load_module modules/ngx_http_geoip_module.so;
 
 events {
     worker_connections <%= ENV["NGINX_WORKER_CONNECTIONS"] || "65535" %>;
@@ -21,10 +20,6 @@ http {
     types_hash_max_size 2048;
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_prefer_server_ciphers on;
-    # ref: https://wiki.mozilla.org/Security/Server_Side_TLS
-    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
     access_log /home/app/log/nginx-access.log;
     error_log /home/app/log/nginx-error.log;
     # DO NOT CHANGE THIS

config/nginx/ssl.conf

@@ -35,15 +35,14 @@ class SettingTest < ActiveSupport::TestCase
 
   test "protocol" do
     assert_equal "http", Setting.protocol
-    Setting.stub(:https, true) do
+    Rails.env.stub(:production?, true) do
       assert_equal "https", Setting.protocol
     end
   end
 
   test "base_url" do
     Setting.stubs(:domain).returns("homeland.io")
-    Setting.stubs(:https).returns(true)
-    Rails.env.stub(:development?, false) do
+    Setting.stub(:protocol, "https") do
       assert_equal "https://homeland.io", Setting.base_url
     end