X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/144c6c69cc3ac0ae376ec71c202e6fb6e07f5cda..c87a97890768b4427f078d7deda0d1edf4bb39ce:/cookbooks/imagery/templates/default/nginx_imagery.conf.erb diff --git a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb index b0fd86910..b038071b7 100644 --- a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb +++ b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb @@ -1,29 +1,39 @@ server { - listen [::]:80; - listen *:80; + listen 80; server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>; rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent; return 301 https://$host$request_uri; } +upstream <%= @name %>_fastcgi { + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>-0.socket" max_fails=0; + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>-1.socket" max_fails=0; + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>-2.socket" max_fails=0; + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>-3.socket" max_fails=0; + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>-4.socket" max_fails=0; + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>-5.socket" max_fails=0; + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>-6.socket" max_fails=0; + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>-7.socket" max_fails=0; + + # Use default round-robin to distribute requests, rather than pick "fast" but maybe faulty. + # Do not use keepalive +} + server { - listen [::]:443 ssl; - listen *:443 ssl; + listen 443 ssl http2; server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>; ssl_certificate /etc/ssl/certs/<%= @name %>.pem; ssl_certificate_key /etc/ssl/private/<%= @name %>.key; +<% if node[:ssl][:strict_transport_security] -%> - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers <%= node[:ssl][:ciphers] -%>; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:50m; - ssl_session_timeout 30m; - ssl_stapling on; - ssl_dhparam /etc/ssl/certs/dhparam.pem; - resolver <%= @resolvers.join(" ") %>; - resolver_timeout 5s; + add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always; +<% end -%> + + # Requests sent within early data are subject to replay attacks. + # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data + ssl_early_data on; root "/srv/<%= @name %>"; @@ -35,9 +45,6 @@ server { gzip_comp_level 9; gzip_vary on; - sendfile on; - tcp_nopush on; - # Include site imagery layers include /srv/imagery/nginx/<%= @name %>/layer-*.conf; }