From: Tom Hughes
Date: Tue, 16 Jan 2018 09:15:14 +0000 (+0000)
Subject: Move nginx SSL configuration to shared location in nginx cookbook
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/d02429561da1d3ad2b5bbe0ac1108e8fc7774922

Move nginx SSL configuration to shared location in nginx cookbook
---

diff --git a/cookbooks/imagery/resources/site.rb b/cookbooks/imagery/resources/site.rb
index 9cea98f0a..e4c2c6f86 100644
--- a/cookbooks/imagery/resources/site.rb
+++ b/cookbooks/imagery/resources/site.rb
@@ -95,15 +95,11 @@ action :create do
 domains tile_domains
 end
 
- resolvers = node[:networking][:nameservers].map do |resolver|
- IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
- end
-
 nginx_site new_resource.site do
 template "nginx_imagery.conf.erb"
 directory "/srv/imagery/#{new_resource.site}"
 restart_nginx false
- variables new_resource.to_hash.merge(:resolvers => resolvers)
+ variables new_resource.to_hash
 end
 end
 
diff --git a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
index b0fd86910..405949e24 100644
--- a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
+++ b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
@@ -15,16 +15,6 @@ server {
 ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
 ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers <%= node[:ssl][:ciphers] -%>;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 30m;
- ssl_stapling on;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- resolver <%= @resolvers.join(" ") %>;
- resolver_timeout 5s;
-
 root "/srv/<%= @name %>";
 
 gzip on;
diff --git a/cookbooks/nginx/recipes/default.rb b/cookbooks/nginx/recipes/default.rb
index 0c97546bd..6e3a60ff6 100644
--- a/cookbooks/nginx/recipes/default.rb
+++ b/cookbooks/nginx/recipes/default.rb
@@ -19,13 +19,16 @@
 
 package "nginx"
 
-# admins = data_bag_item("nginx", "admins")
+resolvers = node[:networking][:nameservers].map do |resolver|
+ IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
+end
 
 template "/etc/nginx/nginx.conf" do
 source "nginx.conf.erb"
 owner "root"
 group "root"
 mode 0o644
+ variables :resolvers => resolvers
 end
 
 directory "/var/cache/nginx/fastcgi-cache" do
diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb
index 67b080bf1..7bf95a7fb 100644
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -31,6 +31,16 @@ http {
 
 server_tokens off;
 
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers <%= node[:ssl][:ciphers] -%>;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 30m;
+ ssl_stapling on;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ resolver <%= @resolvers.join(" ") %>;
+ resolver_timeout 5s;
+
 <% if node['nginx']['cache']['fastcgi']['enable'] -%>
 fastcgi_cache_path /var/cache/nginx/fastcgi-cache levels=1:2 keys_zone=<%= node['nginx']['cache']['fastcgi']['keys_zone'] %> inactive=<%= node['nginx']['cache']['fastcgi']['inactive'] %> max_size=<%= node['nginx']['cache']['fastcgi']['max_size'] %>;
 <% end -%>
diff --git a/cookbooks/tilecache/recipes/default.rb b/cookbooks/tilecache/recipes/default.rb
index 728d26f49..994c6104a 100644
--- a/cookbooks/tilecache/recipes/default.rb
+++ b/cookbooks/tilecache/recipes/default.rb
@@ -88,10 +88,6 @@ nginx_site "default" do
 action [:delete]
 end
 
-resolvers = node[:networking][:nameservers].map do |resolver|
- IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
-end
-
 template "/usr/local/bin/nginx_generate_tilecache_qos_map" do
 source "nginx_generate_tilecache_qos_map.erb"
 owner "root"
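Review bot: The `resolvers = node[:networking][:nameservers].map` block added at the top of this hunk now runs on every node that includes the nginx default recipe, not only the tilecache and imagery hosts it was lifted from, so a node with no `networking.nameservers` attribute raises `NoMethodError` on `nil.map` mid-run, and an empty list renders `resolver ;` into nginx.conf, which `nginx -t` rejects. Coercing with `resolvers = Array(node[:networking][:nameservers]).map do |resolver|` covers the nil case, and the template should only emit the `resolver` directive when `@resolvers` is non-empty. `IPAddr` also needs `require "ipaddr"` in this recipe's load path if Chef does not already pull it in; the two recipes the code was copied from presumably had that covered, but it is not visible here. A one-line why-comment above the block would help the next reader: `# nginx's resolver directive needs IPv6 nameservers in brackets`.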
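Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the added block keeps TLS 1.0 and 1.1 enabled, and because the block now lives in the `http {}` context it is inherited by every TLS `server` on every nginx host rather than the two vhosts it was lifted from; both protocols are deprecated, cannot negotiate AEAD cipher suites, and TLS 1.0 falls out of PCI DSS compliance in mid-2018. Consolidating is the natural point to cut this to `ssl_protocols TLSv1.2;`, or to read it from an attribute next to `node[:ssl][:ciphers]` so it can be tightened without another template edit. The block also sets `ssl_stapling on;` with no `ssl_stapling_verify on;` or `ssl_trusted_certificate`, so stapled OCSP responses are served unverified, and it leaves `ssl_session_tickets` at its default, where nginx encrypts tickets with a random key generated at startup and only replaced on reload, which limits forward secrecy for resumed sessions. Finally, `ssl_dhparam /etc/ssl/certs/dhparam.pem;` now has to exist on every nginx host; unless this cookbook manages that file, hosts that never carried it will fail the config test.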
@@ -123,7 +119,7 @@ end
 
 nginx_site "tile-ssl" do
 template "nginx_tile_ssl.conf.erb"
- variables :resolvers => resolvers, :caches => tilecaches
+ variables :caches => tilecaches
 end
 
 template "/etc/logrotate.d/nginx" do
diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
index c441c039c..7024817ae 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
@@ -53,16 +53,6 @@ server {
 ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
 ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers <%= node[:ssl][:ciphers] -%>;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 30m;
- ssl_stapling on;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- resolver <%= @resolvers.join(" ") %>;
- resolver_timeout 5s;
-
 location / {
 proxy_pass http://tile_cache_backend;
 proxy_set_header X-Forwarded-For $remote_addr;