feat: add nginx reverse proxy for Plausible analytics

- Proxy Plausible script and event API through nginx to bypass adblockers
- Add DNS resolver (Quad9 9.9.9.9) for upstream domain resolution
- Add proxy_cache in /dev/shm for Plausible script (5m TTL, 100m max)
- Add security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy)
- Configure Puma to bind to Unix socket when nginx config exists
- Signal nginx buildpack readiness via /tmp/app-initialized file

## Lessons learned

Deviations from initial plan:
- Used /dev/shm (tmpfs) for proxy_cache instead of /tmp (limited space)
- Used ENV detection for nginx config file presence, not DYNO var (not available on all dynos)
- Moved nginx 'set' directives inside server block (required by nginx)
- Had to add DNS resolver manually (Heroku's resolver not automatically available in proxy_pass)

Key technical discoveries:
- heroku-buildpack-nginx waits for /tmp/app-initialized file before starting nginx
- nginx 'set' directive only works in server/location contexts, not http block
- Puma must bind to unix socket AND signal readiness for nginx to connect
- proxy_cache in /dev/shm persists across dyno restarts (vs /tmp which doesn't)

See: github.com//discussions/2580

Author: mroderick

Procfile

@@ -1,2 +1,2 @@
 release: bundle exec rake db:migrate
-web: bundle exec puma -C config/puma.rb
+web: bin/start-nginx bundle exec puma -C config/puma.rb

app/views/layouts/application.html.haml

@@ -31,10 +31,10 @@
     = csp_meta_tag
 
     <!-- Privacy-friendly analytics by Plausible -->
-    %script{ async: true, src: 'https://plausible.io/js/pa-PFruVsE_br97UUCRXE_6f.js' }
+    %script{ async: true, src: '/js/script.js' }
     %script
       window.plausible = window.plausible || function() { (plausible.q = plausible.q || []).push(arguments) }, plausible.init = plausible.init || function(i) { plausible.o = i || {} };
-      plausible.init()
+      plausible.init({ endpoint: '/api/event' })
 
   %body.no-js{ 'class': "#{params[:controller]}-#{params[:action]}", 'data-bs-no-jquery': 'true' }
     #top

config/nginx.conf.erb

@@ -0,0 +1,77 @@
+daemon off;
+worker_processes auto;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  charset utf-8;
+  server_tokens off;
+
+  # DNS resolver for proxy_pass
+  resolver 9.9.9.9 valid=30s;
+
+  # Proxy cache in /dev/shm (tmpfs, persists across dyno restarts)
+  proxy_cache_path /dev/shm/nginx_cache levels=1:2 keys_zone=plausible_cache:1m max_size=100m inactive=5m use_temp_path=off;
+
+  # Security headers
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header X-XSS-Protection "1; mode=block" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+  # Logs to stdout/stderr for Heroku
+  access_log /dev/stdout;
+  error_log /dev/stderr;
+
+  # Proxy settings
+  proxy_http_version 1.1;
+  proxy_buffering on;
+
+  upstream app_server {
+    server unix:/tmp/nginx.socket fail_timeout=0;
+  }
+
+  server {
+    listen <%= ENV["PORT"] %>;
+    server_name _;
+    keepalive_timeout 5;
+
+    # Plausible endpoints (set inside server context)
+    set $plausible_script_url https://plausible.io/js/pa-PFruVsE_br97UUCRXE_6f.js;
+    set $plausible_event_url https://plausible.io/api/event;
+
+    # Plausible: Proxy script.js (cached)
+    location = /js/script.js {
+      proxy_cache plausible_cache;
+      proxy_cache_valid 200 5m;
+      proxy_cache_key "$host$uri";
+      proxy_pass $plausible_script_url;
+      proxy_set_header Host plausible.io;
+      proxy_buffering on;
+
+      # Cache response headers
+      add_header X-Cache $upstream_cache_status;
+    }
+
+    # Plausible: Proxy event API
+    location = /api/event {
+      proxy_pass $plausible_event_url;
+      proxy_set_header Host plausible.io;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_buffering on;
+    }
+
+    # Rails: All other requests
+    location / {
+      proxy_pass http://app_server;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+      proxy_set_header Host $http_host;
+      proxy_redirect off;
+    }
+  }
+}

config/puma.rb

@@ -1,7 +1,9 @@
 # This configuration file will be evaluated by Puma. The top-level methods that
 # are invoked here are part of Puma's configuration DSL. For more information
 # about methods provided by the DSL, see https://puma.io/puma/Puma/DSL.html.
-#
+
+require 'fileutils'
+
 # Puma starts a configurable number of processes (workers) and each process
 # serves each request in a thread from an internal thread pool.
 #
@@ -29,7 +31,16 @@
 threads threads_count, threads_count
 
 # Specifies the `port` that Puma will listen on to receive requests; default is 3000.
-port ENV.fetch("PORT", 3000)
+# Use Unix socket when nginx config exists (from heroku-community/nginx buildpack)
+# Falls back to port if nginx config not present
+if File.exist?("config/nginx.conf.erb")
+  bind "unix:///tmp/nginx.socket?umask=0077"  # Restrict socket permissions to owner only
+  
+  # Signal to nginx buildpack that app is ready (required for nginx to start)
+  FileUtils.touch("/tmp/app-initialized")
+else
+  port ENV.fetch("PORT", 3000)
+end
 
 # Allow puma to be restarted by `bin/rails restart` command.
 plugin :tmp_restart