1 # DO NOT EDIT - This file is being maintained by Chef
3 upstream tile_cache_backend {
8 # Add the other caches to relieve pressure if local squid failing
9 # Balancer: round-robin
10 <% @caches.each do |cache| -%>
11 <% if cache[:hostname] != node[:hostname] -%>
12 <% if node[:tilecache][:tile_siblings].include? cache[:fqdn] -%>
13 <% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
14 server <%= address %> backup; # Server <%= cache[:hostname] %>
21 keepalive_requests 1024;
24 # Geo Map of tile caches
27 <% @caches.each do |cache| -%>
28 <% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
29 <%= address %> 1; # <%= cache[:hostname] %>
34 # Rates table based on current cookie value
35 map $cookie__osm_totp_token $limit_rate_qos {
36 include /etc/nginx/conf.d/tile_qos_rates.map;
39 # Set-Cookie table based on current cookie value
40 map $cookie__osm_totp_token $cookie_qos_token_set {
41 include /etc/nginx/conf.d/tile_qos_cookies.map;
44 map $http_user_agent $approved_scraper {
45 default 0; # Not approved
47 '~^Mozilla\/5\.0\ QGIS\/' 1; # QGIS
50 map $http_user_agent $denied_scraper {
51 default 0; # Not denied
52 '' 1; # No User-Agent Set
53 '~^Python\-urllib\/' 1; # Library Default
54 '~^python\-requests\/' 1; # Library Default
55 '~^node\-fetch\/' 1; # Library Default
56 '~^R$' 1; # Library Default
57 '~^Java\/' 1; # Library Default
58 '~^tiles$' 1; # Library Default
59 '~^runtastic' 1; # App
60 'Mozilla/4.0' 1; # Fake
61 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1; # Fake
64 map $http_referer $denied_referer {
65 default 0; # Not denied
66 'http://www.openstreetmap.org/' 1; # Faked
67 'http://www.openstreetmap.org' 1; # Faked
68 'http://openstreetmap.org/' 1; # Faked
69 'http://openstreetmap.org' 1; # Faked
70 'http://www.osm.org/' 1; # Faked
71 'http://www.osm.org' 1; # Faked
72 'http://osm.org/' 1; # Faked
73 'http://osm.org' 1; # Faked
76 # Limit Cache-Control header to only approved User-Agents
77 map $http_user_agent $limit_http_cache_control {
78 default ''; # Unset Header
79 '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
80 '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header
83 # Limit Pragma header to only approved User-Agents
84 map $http_user_agent $limit_http_pragma {
85 default ''; # Unset Header
86 '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
87 '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header
91 listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
92 server_name localhost;
96 ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
97 ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
99 # Requests sent within early data are subject to replay attacks.
100 # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
103 # Immediately 404 layers we do not support
104 <% for i in 20..99 do %>
105 location /<%= i %>/ {
111 # Immediately 404 silly tile requests
112 location = /0/0/-1.png {
116 location = /1/0/-1.png {
120 location = /1/-1/0.png {
124 location = /1/-1/1.png {
128 location = /1/-1/-1.png {
132 location = /1/-1/2.png {
136 location = /1/1/-1.png {
140 location = /1/2/-1.png {
144 location = /2/0/-1.png {
148 location = /2/-1/0.png {
152 location = /2/-1/1.png {
156 location = /2/1/-1.png {
160 location = /2/-1/2.png {
164 location = /2/-1/3.png {
169 <% for i in 0..14 do %>
171 # Default Fallback Location Handler (lowest)
174 # Dedicated zoom handler for caching
175 location /<%= i %>/ {
177 proxy_pass http://tile_cache_backend;
178 proxy_set_header X-Forwarded-For $remote_addr;
179 proxy_http_version 1.1;
180 proxy_set_header Connection '';
182 proxy_connect_timeout 10s;
184 # Replace host header.
185 proxy_set_header Host 'tile.openstreetmap.org';
186 # Do not pass cookies to backends.
187 proxy_set_header Cookie '';
188 # Do not pass Accept-Encoding to backends.
189 proxy_set_header Accept-Encoding '';
190 # Do not pass Accept to backends.
191 proxy_set_header Accept '';
192 # Do not pass Accept-Language to backends as unused.
193 proxy_set_header Accept-Language '';
194 proxy_set_header Accept-Charset '';
195 # Do not send origin, we allow all.
196 proxy_set_header origin '';
197 # Do not pass invalid headers to backend.
198 proxy_set_header X-Forwarded-Host '';
199 proxy_set_header X-Host '';
200 proxy_set_header Authorization '';
201 proxy_set_header Proxy-Authorization '';
203 # Drop partial requests
204 proxy_set_header range '';
206 # Do not allow setting cookies from backends due to caching.
207 proxy_ignore_headers Set-Cookie;
208 proxy_hide_header Set-Cookie;
212 proxy_cache "proxy_cache_zone";
214 proxy_cache_valid 200 1d;
215 proxy_cache_valid 404 15m;
216 # Serve stale cache on errors or if updating
217 proxy_cache_use_stale error timeout updating http_500 http_503 http_504;
218 # If in cache as stale, serve stale and update in background
219 proxy_cache_background_update on;
220 proxy_cache_min_uses 8;
222 add_header X-Nginx-Cache-Status $upstream_cache_status;
225 # Set a QoS cookie if none presented (uses nginx Map)
226 add_header Set-Cookie $cookie_qos_token_set;
227 <% if node[:ssl][:strict_transport_security] -%>
228 # Ensure Strict-Transport-Security header is removed from proxied server responses
229 proxy_hide_header Strict-Transport-Security;
232 add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
235 # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html
236 set $limit_rate $limit_rate_qos;
238 # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map)
239 if ($approved_scraper) {
240 set $limit_rate 65536;
243 if ($denied_scraper) {
247 if ($denied_referer) {
252 # Strip any ?query parameters from urls
255 # Allow cache purging headers only from select User-Agents (uses nginx Map)
256 proxy_set_header Cache-Control $limit_http_cache_control;
257 proxy_set_header Pragma $limit_http_pragma;
projects / chef.git / blob