docs: add design specification for nginx Plausible proxy

mroderick · mroderick · commit 50f96fa23a6c · 2026-04-25T15:20:37.000+02:00
diff --git a/docs/superpowers/specs/2026-04-25-nginx-plausible-proxy-design.md b/docs/superpowers/specs/2026-04-25-nginx-plausible-proxy-design.md
@@ -0,0 +1,293 @@
+# Design: Nginx for Plausible Proxy + Security Filtering
+
+**Date:** 2026-04-25  
+**Author:** OpenCode (with user collaboration)  
+**Status:** Approved for Implementation  
+**Branch:** feature/nginx-plausible-proxy  
+
+---
+
+## Problem Statement
+
+Plausible analytics (currently loaded from `plausible.io/js/pa-PFruVsE_br97UUCRXE_6f.js` in `application.html.haml`) gets blocked by adblockers. Studies show 6-60% of users run adblockers, meaning we lose significant visibility into site usage.
+
+## Solution Overview
+
+Run **heroku/heroku-buildpack-nginx** as a reverse proxy in front of Rails. This enables:
+
+1. **Plausible proxy** — Serve Plausible script and API endpoints through our domain, bypassing adblockers
+2. **Security filtering** — Block obvious bad actors and common attack patterns before they reach Rails
+
+---
+
+## Architecture
+
+```
+┌─────────────────┐     ┌─────────────┐     ┌─────────────┐
+│   Client        │────▶│   Nginx     │────▶│   Puma      │
+│   (Browser)     │     │   (Heroku   │     │   (Rails)   │
+│                 │     │   buildpack)│     │             │
+└─────────────────┘     └─────────────┘     └─────────────┘
+                               │
+                               ├──▶ /js/script.js ──▶ Plausible CDN
+                               ├──▶ /api/event ────▶ Plausible API
+                               └──▶ 444 for bad actors (connection closed)
+```
+
+Nginx listens on `$PORT` (Heroku requirement), proxies valid requests to Puma via UNIX socket. Plausible routes are reverse-proxied to `plausible.io`. Malicious traffic is dropped with HTTP 444 (nginx closes connection without response).
+
+---
+
+## Configuration
+
+### 1. Heroku Buildpack
+
+Add nginx buildpack at index 1 (before Ruby buildpack):
+
+```bash
+heroku buildpacks:add --index 1 heroku-community/nginx
+```
+
+**Rationale:** Buildpacks run in order. Nginx must be installed before the app starts.
+
+### 2. Nginx Configuration (`config/nginx.conf.erb`)
+
+Heroku's nginx buildpack uses ERB templating for dynamic values:
+
+```nginx
+daemon off;
+worker_processes auto;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  charset utf-8;
+  server_tokens off;
+
+  # Logs to stdout/stderr for Heroku
+  log_format custom '$http_x_forwarded_for - $remote_user [$time_local] '
+                    '"$request" $status $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent"';
+  access_log /dev/stdout custom;
+  error_log /dev/stderr;
+
+  # Plausible endpoints
+  set $plausible_script_url https://plausible.io/js/pa-PFruVsE_br97UUCRXE_6f.js;
+  set $plausible_event_url https://plausible.io/api/event;
+
+  # Proxy settings
+  proxy_http_version 1.1;
+  proxy_buffering on;
+
+  upstream app_server {
+    server unix:/tmp/nginx.socket fail_timeout=0;
+  }
+
+  server {
+    listen <%= ENV["PORT"] %>;
+    server_name _;
+    keepalive_timeout 5;
+    client_max_body_size 10m;
+
+    # Security: Block known bad user agents
+    if ($http_user_agent ~* (nikto|sqlmap|nessus|acunetix|masscan|zgrab|gobuster|dirbuster)) {
+      return 444;
+    }
+
+    # Security: Block common attack paths
+    location ~ ^/(\.env|\.git|\.htaccess|\.htpasswd|config\.js|wp-admin|wp-login|xmlrpc\.php|administrator|phpmyadmin|shell|cmd|backdoor|cgi-bin) {
+      return 444;
+    }
+
+    # Plausible: Proxy script.js
+    location = /js/script.js {
+      proxy_pass $plausible_script_url;
+      proxy_set_header Host plausible.io;
+      proxy_pass_header Cache-Control;
+      proxy_buffering on;
+    }
+
+    # Plausible: Proxy event API
+    location = /api/event {
+      proxy_pass $plausible_event_url;
+      proxy_set_header Host plausible.io;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_buffering on;
+    }
+
+    # Rails: All other requests
+    location / {
+      proxy_pass http://app_server;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+      proxy_set_header Host $http_host;
+      proxy_redirect off;
+    }
+  }
+}
+```
+
+**Key decisions:**
+- **UNIX socket** (`/tmp/nginx.socket`) for nginx → Puma communication (faster than TCP, no port conflicts)
+- **HTTP 444** for blocked requests — nginx closes connection immediately, no response body (saves bandwidth, frustrates attackers)
+- **`proxy_pass_header Cache-Control`** — Passes through Plausible's cache headers without modification
+- **`$http_x_forwarded_proto`** — Uses Heroku's forwarded proto header instead of `$scheme` (which would be incorrect behind Heroku's SSL termination)
+- **`server_tokens off`** — Hides nginx version from error pages
+
+### 3. Procfile Update
+
+```
+release: bundle exec rake db:migrate
+web: bin/start-nginx bundle exec puma -C config/puma.rb
+```
+
+The `bin/start-nginx` wrapper (provided by the buildpack):
+1. Starts nginx
+2. Waits for UNIX socket to be created
+3. Starts the specified command (Puma)
+4. Manages process lifecycle
+
+### 4. Application Layout Update (`app/views/layouts/application.html.haml`)
+
+Replace lines 33-37:
+
+```haml
+<!-- Privacy-friendly analytics by Plausible -->
+%script{ async: true, src: '/js/script.js' }
+%script
+  window.plausible = window.plausible || function() { (plausible.q = plausible.q || []).push(arguments) }, plausible.init = plausible.init || function(i) { plausible.o = i || {} };
+  plausible.init({ endpoint: '/api/event' })
+```
+
+---
+
+## Security Filters
+
+### Blocked User Agents
+Pattern match against known scanning tools:
+- `nikto` — Web vulnerability scanner
+- `sqlmap` — SQL injection tool
+- `nessus` — Vulnerability scanner
+- `acunetix` — Web app scanner
+- `masscan`, `zgrab` — Port scanners
+- `gobuster`, `dirbuster` — Directory brute-forcers
+
+### Blocked Paths
+Common attack targets that don't exist in this Rails app:
+- WordPress paths: `/wp-admin`, `/wp-login`, `/xmlrpc.php`
+- Config files: `/.env`, `/.git/`, `/config.js`, `/.htaccess`
+- Admin tools: `/administrator`, `/phpmyadmin`
+- Shell attempts: `/shell`, `/cmd`, `/backdoor`, `/cgi-bin`
+
+**Rationale:** These are automated attacks. Returning 444 immediately closes the connection without wasting Rails resources or revealing any information.
+
+---
+
+## Testing Strategy
+
+### Manual Testing Checklist
+
+**Plausible Proxy:**
+- [ ] `curl -I https://<staging>/js/script.js` returns 200 with JavaScript content-type
+- [ ] `curl -I https://<staging>/api/event` accepts POST requests
+- [ ] Plausible dashboard shows events from staging
+- [ ] Response headers include `Cache-Control` from Plausible
+
+**Security Filters:**
+- [ ] `curl -A "Nikto" https://<staging>/` returns 444 (no response)
+- [ ] `curl https://<staging>/.env` returns 444
+- [ ] `curl https://<staging>/wp-admin` returns 444
+
+**Rails Functionality:**
+- [ ] Homepage loads correctly
+- [ ] Login works
+- [ ] Workshop pages load
+- [ ] Admin area accessible (with auth)
+- [ ] Assets load (CSS, JS, images)
+- [ ] Forms submit correctly
+
+**Error Scenarios:**
+- [ ] 404 pages still work
+- [ ] 500 errors still render error page
+
+### Staging-First Deployment
+
+1. Deploy branch to staging
+2. Run full manual checklist
+3. Monitor for 24 hours
+4. Deploy to production
+
+---
+
+## Deployment Commands
+
+```bash
+# 1. Add buildpack (production)
+heroku buildpacks:add --index 1 heroku-community/nginx --app codebar-production
+
+# 2. Add buildpack (staging)
+heroku buildpacks:add --index 1 heroku-community/nginx --app codebar-staging
+
+# 3. Deploy branch to staging
+git push staging feature/nginx-plausible-proxy:main
+
+# 4. After testing, deploy to production
+git push production feature/nginx-plausible-proxy:main
+```
+
+---
+
+## Rollback Plan
+
+If issues arise:
+
+```bash
+# Quick rollback: Remove nginx from Procfile and redeploy
+git checkout master -- Procfile
+git commit -m "Rollback: Remove nginx proxy"
+git push production main
+
+# Or: Remove buildpack and revert to previous release
+heroku buildpacks:remove heroku-community/nginx --app codebar-production
+heroku rollback --app codebar-production
+```
+
+---
+
+## Future Enhancements (Out of Scope)
+
+These are documented but not implemented now:
+
+1. **Rate limiting** — `limit_req_zone` for login endpoints, API abuse prevention
+2. **Caching** — `proxy_cache` for Plausible script with 5-minute TTL
+3. **Additional security headers** — HSTS, CSP headers at nginx level
+4. **Geographic filtering** — Block high-risk countries if needed
+
+---
+
+## References
+
+- [Heroku Nginx Buildpack](https://github.com/heroku/heroku-buildpack-nginx)
+- [Plausible Proxy Overview](https://plausible.io/docs/proxy/introduction)
+- [Plausible Proxy Guide: Nginx](https://plausible.io/docs/proxy/guides/nginx)
+- [Nginx HTTP Proxy Module](https://nginx.org/en/docs/http/ngx_http_proxy_module.html)
+
+---
+
+## Decision Log
+
+| Decision | Rationale |
+|----------|-----------|
+| Skip nginx caching | Simpler config, can add later if needed |
+| No rate limiting yet | Not requested, easy to add later |
+| Pass through Cache-Control | Respect Plausible's intended caching |
+| Use 444 for blocked requests | Close connection immediately, save resources |
+| UNIX socket for Puma | Faster than TCP, no port management |
+| Manual testing only | Infrastructure change, hard to automate meaningfully |
+| Use `$http_x_forwarded_proto` | Heroku terminates SSL; `$scheme` would incorrectly report 'http' |
+| Socket path `/tmp/nginx.socket` | Heroku buildpack convention; Puma binds when `DYNO` env var present |
+| `server_tokens off` | Security: hide nginx version from error pages |
