]> git.openstreetmap.org Git - chef.git/blob - cookbooks/imagery/templates/default/nginx_titiler.conf.erb
Merge remote-tracking branch 'github/pull/678'
[chef.git] / cookbooks / imagery / templates / default / nginx_titiler.conf.erb
1 server {
2     listen 80;
3     listen [::]:80;
4     server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;
5
6     rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
7
8     location / {
9       return 301 https://$host$request_uri;
10     }
11
12     location /za-25cm {
13       root "/store/imagery/za";
14       expires max;
15     }
16 }
17
18 upstream titiler_api_backend {
19     server unix:/srv/imagery/sockets/titiler.sock max_fails=0;
20 }
21
22 server {
23     listen 443 ssl http2;
24     listen [::]:443 ssl http2;
25     server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;
26
27     http2_max_concurrent_streams 512;
28     keepalive_timeout 30s;
29
30     ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
31     ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
32 <% if node[:ssl][:strict_transport_security] -%>
33
34     add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
35 <% end -%>
36
37     # Requests sent within early data are subject to replay attacks.
38     # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
39     ssl_early_data on;
40
41     # root "/srv/<%= @name %>";
42
43     gzip on;
44     gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit
45     gzip_min_length 512;
46     gzip_http_version 1.0;
47     gzip_proxied any;
48     gzip_comp_level 9;
49     gzip_vary on;
50
51     location /api/v1/titiler {
52       rewrite ^/api/v1/titiler(.*)$ $1 break;
53       proxy_pass http://titiler_api_backend
54       proxy_set_header Host $host;
55       proxy_set_header Referer $http_referer;
56       proxy_set_header X-Forwarded-For $remote_addr;
57       proxy_set_header X-Forwarded-Proto https;
58       proxy_set_header X-Forwarded-SSL on;
59       proxy_http_version 1.1;
60       proxy_set_header Connection "";
61       proxy_redirect off;
62
63       allow 127.0.0.1;
64       deny all;
65     }
66 }