How do I setup ssl on a rails 4 app? (nginx + passenger)

Question

I have a staging rails app running with passenger on nginx. I want to secure the connections with SSL. I have read a lot of resources online but I have yet to make it run on SSL.

So far, my server block on nginx.conf is:

server {
     listen 80;
     listen 443 default deferred;
     server_name example.com;
     root /home/deploy/app/public;
     passenger_enabled on;

     passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;

     ssl on;
     ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_certificate     /etc/ssl/server.crt;
     ssl_certificate_key /etc/ssl/server.key;
 }

The site is running but not on HTTPS.

Answer 1

I've just made the decission to go with SSL myself and found an article on the DigitalOcean site on how to do this. It might be the listen 443 default deferred;, which according to that article should be ssl not deferred.

Here's the nginx block they use;

server {
  listen 80 default_server;
  listen [::]:80 default_server ipv6only=on;

  listen 443 ssl;

  root /usr/share/nginx/html;
  index index.html index.htm;

  server_name your_domain.com;
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;

  location / {
    try_files $uri $uri/ =404;
  }
}

UPDATE:

I now have my own site running on SSL. Along with the above I just told Rails to force SSL. In your production environment config;

# ./config/environments/production.rb
config.force_ssl = true

Optionally, you can add these setting in the nginx.conf;

http {
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  keepalive_timeout 70;
}

UPDATE: 2015-09

Since I wrote this answer I've added a few of extra things to my nginx config, which I believe everyone should also include. Add the following to your server block;

server {
  ssl_prefer_server_ciphers On;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

  add_header X-Frame-Options DENY;
}

The first three lines (ssl_prefer_server_ciphers, ssl_protocols, ssl_ciphers) are the most import as they make sure you have a good strong SSL settings.

The X-Frame-Options prevents your site from being included via the <iframe> tags. I expect most people will benefit from including this setting.