X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/724d624cb25f8324009ddd4f655b8e1c944f17a3..56da13fcc88a7d19d58451603c8632818deb7307:/cookbooks/imagery/templates/default/nginx_imagery.conf.erb diff --git a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb index 30bcd0740..019b0a91b 100644 --- a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb +++ b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb @@ -1,6 +1,55 @@ server { - listen 80; - server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>; + listen 80; + listen [::]:80; + server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>; + + rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent; + return 301 https://$host$request_uri; +} + +<% if @uses_tiler -%> +upstream tiler_backend { + server 127.0.0.1:8080 max_fails=0; + + keepalive 32; +} +<% else -%> +upstream <%= @name %>_fastcgi { + server "unix:/var/run/mapserver-fastcgi/layer-<%= @name %>.socket" max_fails=0; + + # Use default round-robin to distribute requests, rather than pick "fast" but maybe faulty. + # Do not use keepalive +} +<% end -%> + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>; + + http2_max_concurrent_streams 512; + keepalive_timeout 30s; + + ssl_certificate /etc/ssl/certs/<%= @name %>.pem; + ssl_certificate_key /etc/ssl/private/<%= @name %>.key; +<% if node[:ssl][:strict_transport_security] -%> + + add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always; +<% end -%> + + # Requests sent within early data are subject to replay attacks. + # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data + ssl_early_data on; + + root "/srv/<%= @name %>"; + + gzip on; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit + gzip_min_length 512; + gzip_http_version 1.0; + gzip_proxied any; + gzip_comp_level 9; + gzip_vary on; # Include site imagery layers include /srv/imagery/nginx/<%= @name %>/layer-*.conf;