X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/91e029600c447d436e3d01246fb5b578dba4dc91..336837bd1b1dc0531faa2586a12be50710618ba2:/cookbooks/tilecache/templates/default/nginx_tile.conf.erb?ds=inline diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb index d5d40405c..49cf412ff 100644 --- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb +++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb @@ -15,7 +15,8 @@ upstream tile_cache_backend { <% end -%> <% end -%> - keepalive 256; + keepalive 1024; + keepalive_requests 1024; } # Geo Map of tile caches @@ -29,12 +30,12 @@ geo $tile_cache { } # Rates table based on current cookie value -map $cookie_qos_token $limit_rate_qos { +map $cookie__osm_totp_token $limit_rate_qos { include /etc/nginx/conf.d/tile_qos_rates.map; } # Set-Cookie table based on current cookie value -map $cookie_qos_token $cookie_qos_token_set { +map $cookie__osm_totp_token $cookie_qos_token_set { include /etc/nginx/conf.d/tile_qos_cookies.map; } @@ -53,7 +54,6 @@ map $http_user_agent $denied_scraper { '~^R$' 1; # Library Default '~^Java\/' 1; # Library Default '~^tiles$' 1; # Library Default - '~^Dalvik\/' 1; # Library Default '~^runtastic' 1; # App 'Mozilla/4.0' 1; # Fake 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1; # Fake @@ -94,7 +94,84 @@ server { ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem; ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key; + # Requests sent within early data are subject to replay attacks. + # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data + ssl_early_data on; + + # Immediately 404 layers we do not support +<% for i in 20..99 do %> + location /<%= i %>/ { + set $limit_rate 512; + return 404; + } +<% end %> + + # Immediately 404 silly tile requests + location = /0/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/0.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/2.png { + set $limit_rate 512; + return 404; + } + location = /1/1/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/2/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/0.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/1.png { + set $limit_rate 512; + return 404; + } + location = /2/1/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/2.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/3.png { + set $limit_rate 512; + return 404; + } + +<% for i in 0..14 do %> +<% if i == 0 -%> + # Default Fallback Location Handler (lowest) location / { +<% elsif -%> + # Dedicated zoom handler for caching + location /<%= i %>/ { +<% end %> proxy_pass http://tile_cache_backend; proxy_set_header X-Forwarded-For $remote_addr; proxy_http_version 1.1; @@ -113,6 +190,21 @@ server { proxy_ignore_headers Set-Cookie; proxy_hide_header Set-Cookie; +<% if i != 0 -%> + # Caching + proxy_cache "proxy_cache_zone"; + proxy_cache_lock on; + proxy_cache_valid 200 1d; + proxy_cache_valid 404 15m; + # Serve stale cache on errors or if updating + proxy_cache_use_stale error timeout updating http_500 http_503 http_504; + # If in cache as stale, serve stale and update in background + proxy_cache_background_update on; + proxy_cache_min_uses 8; + + add_header X-Nginx-Cache-Status $upstream_cache_status; +<% end -%> + # Set a QoS cookie if none presented (uses nginx Map) add_header Set-Cookie $cookie_qos_token_set; <% if node[:ssl][:strict_transport_security] -%> @@ -147,4 +239,5 @@ server { proxy_set_header Cache-Control $limit_http_cache_control; proxy_set_header Pragma $limit_http_pragma; } +<% end %> }