nginx.conf

# Modified from convox/rails:

worker_processes 1;

events { worker_connections 1024; }

error_log syslog:server=localhost;

pid /var/run/nginx.pid;

http {
  # Set VPC subnet as trusted
  set_real_ip_from 127.0.0.1/32;
  set_real_ip_from 10.10.0.0/16;
  set_real_ip_from 10.20.0.0/16;

  # Set CloudFront subnets as trusted
  set_real_ip_from 54.192.0.0/16;
  set_real_ip_from 54.230.0.0/16;
  set_real_ip_from 54.239.128.0/18;
  set_real_ip_from 54.239.192.0/19;
  set_real_ip_from 54.240.128.0/18;
  set_real_ip_from 204.246.164.0/22;
  set_real_ip_from 204.246.168.0/22;
  set_real_ip_from 204.246.174.0/23;
  set_real_ip_from 204.246.176.0/20;
  set_real_ip_from 205.251.192.0/19;
  set_real_ip_from 205.251.249.0/24;
  set_real_ip_from 205.251.250.0/23;
  set_real_ip_from 205.251.252.0/23;
  set_real_ip_from 205.251.254.0/24;
  set_real_ip_from 216.137.32.0/19;

  # always put the following 2 lines in the bottom of ip list
  # Look for client IP in the X-Forwarded-For header
  real_ip_header X-Forwarded-For;
  # Ignore trusted IPs (reverses the trust?)
  real_ip_recursive on;

  server {
    listen 4000;
    return 301 https://$host$request_uri;
  }

  upstream app {
    server localhost:5000 fail_timeout=0;
  }

  server {
    include /etc/nginx/mime.types;

    listen 4001 proxy_protocol;
    
    client_max_body_size 10m;

    error_log syslog:server=localhost;
    access_log syslog:server=localhost;

    root /app/public;

    location @app {
      proxy_set_header Host $http_host;
      proxy_set_header X-Remote-Addr $remote_addr;
      proxy_set_header X-Real-IP-Remote-Addr $realip_remote_addr;
      proxy_set_header X-Proxy-IP $proxy_protocol_addr;
      proxy_set_header X-Forwarded-Proto https;

      proxy_redirect off;

      if (!-f $request_filename) {
        proxy_pass http://app;
        break;
      }
    }

    try_files $uri/index.html $uri @app;
  }
}