The ship has sailed... to Rails 4, Nginx, SSL, and DigitalOcean

Published: 2013-06-24
Tagged: rails

I learned a lot at my job and I wanted my personal site to reflect some of that newly gleaned knowledge. I'm still working on integrating d3.js, but that might have to wait until the next weekend.

I'm writing this primarily as a note to myself but maybe, just maybe, it'll help out anyone who goes down a similar path as I did.

I chanced upon DigitalOcean whilst reading Hacker News. They offer VPS running on SSD's, which is pretty cool in it's own right, but the thing that caught my eye was the price. 5$ a month for a VPS? That's the perfect price for someone to play around with a VPS or set up their personal site that gets just a handful of traffic. Five bucks for a single core, 20gb SSD, 512mb instance is a pretty damn good price.

Signing up and getting my Debian flavored instance took all of five minutes. Setting up rvm and rails took about an hour, which was mostly waiting for stuff to download (fast) and compile (pretty fast, but had to add some ppa's).

The first small hurdle came when it turned out that there was a type in my ruby code in a file I never made. That's when I discovered concerns. Migrations were throwing errors and I couldn't fire up the rails console in production mode. I've never fired up anything in production mode, so it irked me that things would work in development, but fall apart in production. Lesson learned, typo fixed and on I went.

Next, I setup Nginx, which was a breeze thanks to the tutorials available on DigitalOcean.

A little further down I got stuck a bit when it came to assets. asset_path wasn't working for my .scss file, so I switched to .scss.erb and while that worked fine in development, it completely failed in production. After some going back and forth and reading up more on the asset pipeline, I settled down for font-url. It still didn't work after precompiling assets as rails wasn't inserting the precompiled file names into the .scss file, so I manually copied them over to public/assets. I'll have to investigate this later on.

Next I set up godaddy's nameservers to point to DigitalOcean nameservers along with a CNAME to get the www. part working. I forgot to setup the MX records on DigitalOcean, which came back to bite me in the ass as soon as I wanted to get a free SSL certificate from StartSSL.

Khaja Minhajuddin's post was a huge help in getting SSL up and running. I had no clue that you had to "unlock" the ssl.key file provided by StartSSL like this:

  openssl rsa -in ssl.key -out server.key

Then download the StartSSL certificate like so:

 wget http://www.startssl.com/certs/sub.class1.server.ca.pem

And concatenate them (the StartSSL certificate and the OTHER certificate you get from StartSSL by going to your control panel and clicking "retrieve certificate"):

 cat sub.class1.server.ca.pem >> server.crt

I then setup my nginx.conf http portion to look like this:

server {
    listen       80;
    server_name  mattscodecave.com;
    passenger_enabled on;
    rewrite ^ https://$server_name$request_uri? permanent;

The last line is a command to redirect all traffic from port 80 to port 443 so that everything is encrypted. Then, the portion of my nginx.conf responsible for SSL looks like this:

server { passengerenabled on; listen 443; servername mattscodecave.com; root (path)blog/public;

    ssl                  on;
    ssl_certificate      server.crt;
    ssl_certificate_key  server.key;

I also had a run-in with the location keyword, but after commenting it out in both the http and https portion of the conf file, I was up and running.

In conclusion, it was a fruitful weekend. I learned a bunch about working with a server and deploying a rails application. There's a lot more to learn, especially regarding load balancing and such, but I'm glad to have gotten the basics.

As a side note, the reason I spent time getting SSL for my blog is because of the recent events pertaining to blanket surveillance of the Internet. I believe that such actions go against the right to free speech and that it's too big of a concentration of power topped with secrecy. It's not a question of if someone will abuse that power, but rather when. I see the way to ensure freedom of speech is to preserve privacy and anonymity. One way to do that is good strong cryptography. The more Internet traffic is encrypted, the higher the cost to effectively monitor it, which should dissuade wiretappers and promote freedom of speech.

HTTPS Everywhere, GPG, PixelPrivacy's guide to encrypting your traffic, SSL, getting off of social media and quite possibly DuckDuckGo are just some of the ways to help fight the good fight.

Comments

There aren't any comments here.

Add new comment