server {
- listen [::]:80 ipv6only=on;
- listen *:80;
- listen [::]:443 ipv6only=on ssl;
- listen *:443 ssl;
- server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>;
+ listen 80;
+ listen [::]:80;
+ server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>;
+
+ rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
+ return 301 https://$host$request_uri;
+}
+
+<% if @uses_tiler -%>
+upstream <%= @name %>_tiler_backend {
+ server unix:/srv/imagery/sockets/titiler.sock max_fails=0;
+ server unix:/srv/./imagery/sockets/titiler.sock max_fails=0;
+}
+<% else -%>
+upstream <%= @name %>_fastcgi {
+ server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>.socket" max_fails=0;
+
+ # Use default round-robin to distribute requests, rather than pick "fast" but maybe faulty.
+ # Do not use keepalive
+}
+<% end -%>
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>;
+
+ http2_max_concurrent_streams 512;
+ keepalive_timeout 30s;
ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
+<% if node[:ssl][:strict_transport_security] -%>
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers <%= node[:ssl][:ciphers] -%>;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 30m;
- ssl_stapling on;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- resolver <%= @resolvers.join(" ") %>;
- resolver_timeout 5s;
+ add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
+
+ # Requests sent within early data are subject to replay attacks.
+ # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+ ssl_early_data on;
root "/srv/<%= @name %>";
- rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
gzip on;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit
gzip_comp_level 9;
gzip_vary on;
- sendfile on;
- tcp_nopush on;
-
# Include site imagery layers
include /srv/imagery/nginx/<%= @name %>/layer-*.conf;
}