]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/imagery/templates/default/nginx_titiler.conf.erb
community: Fix CSRF issue with monkey patch fix
[chef.git] / cookbooks / imagery / templates / default / nginx_titiler.conf.erb
index c0f7779768af4cca3edb27e348284eecf8b09f3b..155620949e425fe688692b5ee2a50a5c897e5c82 100644 (file)
@@ -4,7 +4,20 @@ server {
     server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;
 
     rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
-    return 301 https://$host$request_uri;
+
+    location / {
+      return 301 https://$host$request_uri;
+    }
+
+    location /za-25cm {
+      root "/store/imagery/za";
+      expires max;
+    }
+}
+
+upstream titiler_api_backend {
+    server unix:/srv/imagery/sockets/titiler.sock max_fails=0;
+    server unix:/srv/./imagery/sockets/titiler.sock max_fails=0;
 }
 
 server {
@@ -12,6 +25,9 @@ server {
     listen [::]:443 ssl http2;
     server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;
 
+    http2_max_concurrent_streams 512;
+    keepalive_timeout 30s;
+
     ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
     ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
 <% if node[:ssl][:strict_transport_security] -%>
@@ -35,12 +51,17 @@ server {
 
     location /api/v1/titiler {
       rewrite ^/api/v1/titiler(.*)$ $1 break;
-      proxy_pass http://localhost:8080;
+      proxy_pass http://titiler_api_backend;
       proxy_set_header Host $host;
       proxy_set_header Referer $http_referer;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header X-Forwarded-SSL on;
+      proxy_http_version 1.1;
+      proxy_set_header Connection "";
       proxy_redirect off;
+
+      allow 127.0.0.1;
+      deny all;
     }
 }