server { listen 80; listen [::]:80; server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>; rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent; location / { return 301 https://$host$request_uri; } location /za-25cm { root "/store/imagery/za"; expires max; } } upstream titiler_api_backend { server unix:/srv/imagery/sockets/titiler.sock max_fails=0; server unix:/srv/./imagery/sockets/titiler.sock max_fails=0; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>; http2_max_concurrent_streams 512; keepalive_timeout 30s; ssl_certificate /etc/ssl/certs/<%= @name %>.pem; ssl_certificate_key /etc/ssl/private/<%= @name %>.key; <% if node[:ssl][:strict_transport_security] -%> add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always; <% end -%> # Requests sent within early data are subject to replay attacks. # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data ssl_early_data on; # root "/srv/<%= @name %>"; gzip on; gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit gzip_min_length 512; gzip_http_version 1.0; gzip_proxied any; gzip_comp_level 9; gzip_vary on; location /api/v1/titiler { rewrite ^/api/v1/titiler(.*)$ $1 break; proxy_pass http://titiler_api_backend; proxy_set_header Host $host; proxy_set_header Referer $http_referer; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-SSL on; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_redirect off; allow 127.0.0.1; deny all; } }