feat: add nginx reverse proxy for Plausible and security filtering

mroderick · mroderick · commit ae07616fa69b · 2026-04-25T15:28:26.000+02:00
- Add nginx configuration with Plausible proxy routes and security filters
- Configure Puma to bind to Unix socket with restricted permissions
- Update Procfile to use bin/start-nginx wrapper
- Update Plausible snippet to use proxied endpoints (/js/script.js, /api/event)

Security features:
- Block malicious user agents (Nikto, sqlmap, etc.) with HTTP 444
- Block common attack paths (WP admin, .env, .git, etc.)
- Add security headers: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy
- Set proxy timeouts and request size limits
diff --git a/Procfile b/Procfile
@@ -1,2 +1,2 @@
 release: bundle exec rake db:migrate
-web: bundle exec puma -C config/puma.rb
+web: bin/start-nginx bundle exec puma -C config/puma.rb
diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml
@@ -31,10 +31,10 @@
     = csp_meta_tag
 
     <!-- Privacy-friendly analytics by Plausible -->
-    %script{ async: true, src: 'https://plausible.io/js/pa-PFruVsE_br97UUCRXE_6f.js' }
+    %script{ async: true, src: '/js/script.js' }
     %script
       window.plausible = window.plausible || function() { (plausible.q = plausible.q || []).push(arguments) }, plausible.init = plausible.init || function(i) { plausible.o = i || {} };
-      plausible.init()
+      plausible.init({ endpoint: '/api/event' })
 
   %body.no-js{ 'class': "#{params[:controller]}-#{params[:action]}", 'data-bs-no-jquery': 'true' }
     #top
diff --git a/config/nginx.conf.erb b/config/nginx.conf.erb
@@ -0,0 +1,84 @@
+daemon off;
+worker_processes auto;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  charset utf-8;
+  server_tokens off;
+
+  # Security headers (set at http level to apply to all responses)
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+  # Logs to stdout/stderr for Heroku
+  log_format custom '$http_x_forwarded_for - $remote_user [$time_local] '
+                    '"$request" $status $body_bytes_sent '
+                    '"$http_referer" "$http_user_agent"';
+  access_log /dev/stdout custom;
+  error_log /dev/stderr;
+
+  # Plausible endpoints
+  set $plausible_script_url https://plausible.io/js/pa-PFruVsE_br97UUCRXE_6f.js;
+  set $plausible_event_url https://plausible.io/api/event;
+
+  # Proxy settings
+  proxy_http_version 1.1;
+  proxy_buffering on;
+  proxy_connect_timeout 5s;
+  proxy_send_timeout 5s;
+  proxy_read_timeout 10s;
+
+  upstream app_server {
+    server unix:/tmp/nginx.socket fail_timeout=0;
+  }
+
+  server {
+    listen <%= ENV["PORT"] %>;
+    server_name _;
+    keepalive_timeout 5;
+    client_max_body_size 10m;
+
+    # Security: Block known bad user agents
+    if ($http_user_agent ~* (nikto|sqlmap|nessus|acunetix|masscan|zgrab|gobuster|dirbuster)) {
+      return 444;
+    }
+
+    # Security: Block common attack paths
+    location ~ ^/(\.env|\.git|\.htaccess|\.htpasswd|config\.js|wp-admin|wp-login|xmlrpc\.php|administrator|phpmyadmin|shell|cmd|backdoor|cgi-bin) {
+      return 444;
+    }
+
+    # Plausible: Proxy script.js
+    location = /js/script.js {
+      proxy_pass $plausible_script_url;
+      proxy_set_header Host plausible.io;
+      proxy_pass_header Cache-Control;
+      proxy_buffering on;
+    }
+
+    # Plausible: Proxy event API
+    location = /api/event {
+      client_max_body_size 1m;  # Analytics events are tiny
+      proxy_pass $plausible_event_url;
+      proxy_set_header Host plausible.io;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_buffering on;
+    }
+
+    # Rails: All other requests
+    location / {
+      proxy_pass http://app_server;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+      proxy_set_header Host $http_host;
+      proxy_redirect off;
+    }
+  }
+}
diff --git a/config/puma.rb b/config/puma.rb
@@ -29,7 +29,12 @@
 threads threads_count, threads_count
 
 # Specifies the `port` that Puma will listen on to receive requests; default is 3000.
-port ENV.fetch("PORT", 3000)
+# On Heroku with nginx buildpack, bind to Unix socket instead of port
+if ENV["DYNO"]
+  bind "unix:///tmp/nginx.socket?umask=0077"  # Restrict socket permissions to owner only
+else
+  port ENV.fetch("PORT", 3000)
+end
 
 # Allow puma to be restarted by `bin/rails restart` command.
 plugin :tmp_restart

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`release: bundle exec rake db:migrate`
`2`		`-web: bundle exec puma -C config/puma.rb`
	`2`	`+web: bin/start-nginx bundle exec puma -C config/puma.rb`