1
0

production.rb 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173
  1. # frozen_string_literal: true
  2. require 'active_support/core_ext/integer/time'
  3. Rails.application.configure do
  4. # Settings specified here will take precedence over those in config/application.rb.
  5. # Code is not reloaded between requests.
  6. config.enable_reloading = false
  7. # Eager load code on boot. This eager loads most of Rails and
  8. # your application in memory, allowing both threaded web servers
  9. # and those relying on copy on write to perform better.
  10. # Rake tasks automatically ignore this option for performance.
  11. config.eager_load = true
  12. # Full error reports are disabled and caching is turned on.
  13. config.consider_all_requests_local = false
  14. config.action_controller.perform_caching = true
  15. # Ensures that a master key has been made available in ENV["RAILS_MASTER_KEY"], config/master.key, or an environment
  16. # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
  17. # config.require_master_key = true
  18. # Do not fallback to assets pipeline if a precompiled asset is missed.
  19. config.assets.compile = false
  20. # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
  21. # config.public_file_server.enabled = false
  22. # Enable serving of images, stylesheets, and JavaScripts from an asset server.
  23. config.asset_host = ENV['CDN_HOST'] if ENV['CDN_HOST'].present?
  24. # Specifies the header that your server uses for sending files.
  25. config.action_dispatch.x_sendfile_header = ENV['SENDFILE_HEADER'] if ENV['SENDFILE_HEADER'].present?
  26. # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for Apache
  27. # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
  28. # Allow to specify public IP of reverse proxy if it's needed
  29. config.action_dispatch.trusted_proxies = ENV['TRUSTED_PROXY_IP'].split(/(?:\s*,\s*|\s+)/).map { |item| IPAddr.new(item) } if ENV['TRUSTED_PROXY_IP'].present?
  30. # Assume all access to the app is happening through a SSL-terminating reverse proxy.
  31. # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
  32. # config.assume_ssl = true
  33. # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  34. config.force_ssl = true
  35. # Skip http-to-https redirect for the default health check endpoint.
  36. config.ssl_options = {
  37. redirect: {
  38. exclude: ->(request) { request.path.start_with?('/health') || request.headers['Host'].end_with?('.onion') || request.headers['Host'].end_with?('.i2p') },
  39. },
  40. }
  41. # Log to STDOUT by default
  42. config.logger = ActiveSupport::Logger.new($stdout)
  43. .tap { |logger| logger.formatter = ::Logger::Formatter.new }
  44. .then { |logger| ActiveSupport::TaggedLogging.new(logger) }
  45. # Prepend all log lines with the following tags.
  46. config.log_tags = [:request_id]
  47. # "info" includes generic and useful information about system operation, but avoids logging too much
  48. # information to avoid inadvertent exposure of personally identifiable information (PII). If you
  49. # want to log everything, set the level to "debug".
  50. config.log_level = ENV.fetch('RAILS_LOG_LEVEL', 'info')
  51. # Use a different cache store in production.
  52. config.cache_store = :redis_cache_store, REDIS_CONFIGURATION.cache
  53. # Use a real queuing backend for Active Job (and separate queues per environment).
  54. # config.active_job.queue_adapter = :resque
  55. # config.active_job.queue_name_prefix = "mastodon_production"
  56. # Disable caching for Action Mailer templates even if Action Controller
  57. # caching is enabled.
  58. config.action_mailer.perform_caching = false
  59. # Ignore bad email addresses and do not raise email delivery errors.
  60. # Set this to true and configure the email server for immediate delivery to raise delivery errors.
  61. # config.action_mailer.raise_delivery_errors = false
  62. # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
  63. # the I18n.default_locale when a translation cannot be found).
  64. # This setting would typically be `true` to use the `I18n.default_locale`.
  65. # Some locales are missing translation entries and would have errors:
  66. # https://github.com/mastodon/mastodon/pull/24727
  67. config.i18n.fallbacks = [:en]
  68. # Don't log any deprecations.
  69. config.active_support.report_deprecations = false
  70. # Use default logging formatter so that PID and timestamp are not suppressed.
  71. config.log_formatter = ::Logger::Formatter.new
  72. # Better log formatting
  73. config.lograge.enabled = true
  74. config.lograge.custom_payload do |controller|
  75. { key: controller.signature_key_id } if controller.respond_to?(:signed_request?) && controller.signed_request?
  76. end
  77. # Do not dump schema after migrations.
  78. config.active_record.dump_schema_after_migration = false
  79. config.action_mailer.perform_caching = false
  80. # E-mails
  81. outgoing_email_address = ENV.fetch('SMTP_FROM_ADDRESS', 'notifications@localhost')
  82. outgoing_email_domain = Mail::Address.new(outgoing_email_address).domain
  83. config.action_mailer.default_options = {
  84. from: outgoing_email_address,
  85. message_id: -> { "<#{Mail.random_tag}@#{outgoing_email_domain}>" },
  86. }
  87. config.action_mailer.default_options[:reply_to] = ENV['SMTP_REPLY_TO'] if ENV['SMTP_REPLY_TO'].present?
  88. config.action_mailer.default_options[:return_path] = ENV['SMTP_RETURN_PATH'] if ENV['SMTP_RETURN_PATH'].present?
  89. enable_starttls = nil
  90. enable_starttls_auto = nil
  91. case ENV['SMTP_ENABLE_STARTTLS']
  92. when 'always'
  93. enable_starttls = true
  94. when 'never'
  95. enable_starttls = false
  96. when 'auto'
  97. enable_starttls_auto = true
  98. else
  99. enable_starttls_auto = ENV['SMTP_ENABLE_STARTTLS_AUTO'] != 'false'
  100. end
  101. config.action_mailer.smtp_settings = {
  102. port: ENV['SMTP_PORT'],
  103. address: ENV['SMTP_SERVER'],
  104. user_name: ENV['SMTP_LOGIN'].presence,
  105. password: ENV['SMTP_PASSWORD'].presence,
  106. domain: ENV['SMTP_DOMAIN'] || ENV['LOCAL_DOMAIN'],
  107. authentication: ENV['SMTP_AUTH_METHOD'] == 'none' ? nil : ENV['SMTP_AUTH_METHOD'] || :plain,
  108. ca_file: ENV['SMTP_CA_FILE'].presence || '/etc/ssl/certs/ca-certificates.crt',
  109. openssl_verify_mode: ENV['SMTP_OPENSSL_VERIFY_MODE'],
  110. enable_starttls: enable_starttls,
  111. enable_starttls_auto: enable_starttls_auto,
  112. tls: ENV['SMTP_TLS'].presence && ENV['SMTP_TLS'] == 'true',
  113. ssl: ENV['SMTP_SSL'].presence && ENV['SMTP_SSL'] == 'true',
  114. read_timeout: 20,
  115. }
  116. config.action_mailer.delivery_method = ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp').to_sym
  117. config.action_dispatch.default_headers = {
  118. 'Server' => 'Mastodon',
  119. 'X-Frame-Options' => 'DENY',
  120. 'X-Content-Type-Options' => 'nosniff',
  121. 'X-XSS-Protection' => '0',
  122. 'Referrer-Policy' => 'same-origin',
  123. }
  124. # TODO: Remove once devise-two-factor data migration complete
  125. config.x.otp_secret = if ENV['SECRET_KEY_BASE_DUMMY']
  126. SecureRandom.hex(64)
  127. else
  128. ENV.fetch('OTP_SECRET')
  129. end
  130. # Enable DNS rebinding protection and other `Host` header attacks.
  131. # config.hosts = [
  132. # "example.com", # Allow requests from example.com
  133. # /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
  134. # ]
  135. # Skip DNS rebinding protection for the default health check endpoint.
  136. # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
  137. end