# DO NOT EDIT - This file is being maintained by Chef upstream tile_cache_backend { server 127.0.0.1:8080; <% @caches.each do |cache| -%> <% if cache[:hostname] != node[:hostname] -%> #Server <%= cache[:hostname] %> <% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> server <%= address %> backup; <% end -%> <% end -%> <% end -%> keepalive 32; } # Rates table based on current cookie value map $cookie_qos_token $limit_rate_qos { include /etc/nginx/conf.d/tile_qos_rates.map; } # Set-Cookie table based on current cookie value map $cookie_qos_token $cookie_qos_token_set { include /etc/nginx/conf.d/tile_qos_cookies.map; } map $http_user_agent $approved_scraper { default ''; # Not approved '~^JOSM\/' 'JOSM'; '~^Mozilla\/5\.0\ QGIS\/' 'QGIS'; } # Limit Cache-Control header to only approved User-Agents map $http_user_agent $limit_http_cache_control { default ''; # Unset Header '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header } # Limit Pragma header to only approved User-Agents map $http_user_agent $limit_http_pragma { default ''; # Unset Header '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header } server { listen 443 ssl fastopen=2048 http2 default_server; server_name localhost; proxy_buffers 8 64k; ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem; ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key; location / { proxy_pass http://tile_cache_backend; proxy_set_header X-Forwarded-For $remote_addr; proxy_http_version 1.1; proxy_set_header Connection ''; proxy_connect_timeout 5s; # Do not pass cookies to backends. proxy_set_header Cookie ''; # Do not pass Accept-Encoding to backends. proxy_set_header Accept-Encoding ''; # Do not allow setting cookies from backends due to caching. proxy_ignore_headers Set-Cookie; proxy_hide_header Set-Cookie; # Set a QoS cookie if none presented (uses nginx Map) add_header Set-Cookie $cookie_qos_token_set; <% if node[:ssl][:strict_transport_security] -%> # Ensure Strict-Transport-Security header is removed from proxied server responses proxy_hide_header Strict-Transport-Security; # Enable HSTS add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always; <% end -%> # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html set $limit_rate $limit_rate_qos; # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map) if ($approved_scraper) { set $limit_rate 32768; } # Strip any ?query parameters from urls set $args ''; # Allow cache purging headers only from select User-Agents (uses nginx Map) proxy_set_header Cache-Control $limit_http_cache_control; proxy_set_header Pragma $limit_http_pragma; } } # Convert all http requests to https server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; }