# DO NOT EDIT - This file is being maintained by Chef
upstream tile_cache_backend {
- server 127.0.0.1;
+ server 127.0.0.1:8080;
+ server 127.0.0.2:8080;
# Add the other caches to relieve pressure if local squid failing
# Balancer: round-robin
<% @caches.each do |cache| -%>
<% if cache[:hostname] != node[:hostname] -%>
-<% if node[:tilecache][:tile_siblings].include? cache[:fqdn] -%>
<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
- server <%= address %> backup; # Server <%= cache[:hostname] %>
-<% end -%>
+ server <%= address %>:80 backup; # Server <%= cache[:hostname] %>
<% end -%>
<% end -%>
<% end -%>
- keepalive 256;
+ keepalive 512;
+ keepalive_requests 1024;
}
# Geo Map of tile caches
'http://osm.org' 1; # Faked
}
+map $http_referer $osm_referer {
+ default ''; # False
+ '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True
+}
+
# Limit Cache-Control header to only approved User-Agents
-map $http_user_agent $limit_http_cache_control {
- default ''; # Unset Header
- '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
- '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header
+map $osm_referer$http_user_agent $limit_http_cache_control {
+ default ''; # Unset Header
+ '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header
+ '~^osmMozilla\/5\.0\ ' $http_cache_control; # Pass Header
}
# Limit Pragma header to only approved User-Agents
-map $http_user_agent $limit_http_pragma {
- default ''; # Unset Header
- '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
- '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header
+map $osm_referer$http_user_agent $limit_http_pragma {
+ default ''; # Unset Header
+ '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header
+ '~^osmMozilla\/5\.0\ ' $http_pragma; # Pass Header
}
server {
+ # IPv4
+ listen 80 deferred backlog=16384 reuseport fastopen=2048 default_server;
listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
+ # IPv6
+ listen [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server;
+ listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
server_name localhost;
proxy_buffers 8 64k;
+ proxy_busy_buffers_size 64k;
ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
+ # Requests sent within early data are subject to replay attacks.
+ # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+ ssl_early_data on;
+
# Immediately 404 layers we do not support
<% for i in 20..99 do %>
location /<%= i %>/ {
return 404;
}
+<% for i in 0..14 do %>
+<% if i == 0 -%>
+ # Default Fallback Location Handler (lowest)
location / {
+<% elsif -%>
+ # Dedicated zoom handler for caching
+ location /<%= i %>/ {
+<% end %>
+ # Only allow GET / HEAD / OPTIONS (CORS) requests
+ limit_except GET HEAD OPTIONS {
+ deny all;
+ }
+
proxy_pass http://tile_cache_backend;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_http_version 1.1;
proxy_set_header Connection '';
- proxy_connect_timeout 5s;
+ proxy_connect_timeout 10s;
- # Preserve host header.
- proxy_set_header Host $host;
+ # Replace host header.
+ proxy_set_header Host 'tile.openstreetmap.org';
# Do not pass cookies to backends.
proxy_set_header Cookie '';
# Do not pass Accept-Encoding to backends.
proxy_set_header Accept-Encoding '';
+ # Do not pass Accept to backends.
+ proxy_set_header Accept '';
+ # Do not pass Accept-Language to backends as unused.
+ proxy_set_header Accept-Language '';
+ proxy_set_header Accept-Charset '';
+ # Do not send origin, we allow all.
+ proxy_set_header origin '';
+ # Do not pass invalid headers to backend.
+ proxy_set_header X-Forwarded-Host '';
+ proxy_set_header X-Host '';
+ proxy_set_header Authorization '';
+ proxy_set_header Proxy-Authorization '';
+
+ # Drop partial requests
+ proxy_set_header range '';
# Do not allow setting cookies from backends due to caching.
proxy_ignore_headers Set-Cookie;
proxy_hide_header Set-Cookie;
+<% if i != 0 -%>
+ # Caching
+ proxy_cache "proxy_cache_zone";
+ proxy_cache_lock on;
+ proxy_cache_valid 200 1d;
+ proxy_cache_valid 404 15m;
+ # Serve stale cache on errors or if updating
+ proxy_cache_use_stale error timeout updating http_404 http_500 http_503 http_504;
+ # If in cache as stale, serve stale and update in background
+ proxy_cache_background_update on;
+ # Enable revalidation using If-Modified-Since and If-None-Match for stale items
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 8;
+
+ add_header x-cache-status $upstream_cache_status;
+<% end -%>
+
# Set a QoS cookie if none presented (uses nginx Map)
add_header Set-Cookie $cookie_qos_token_set;
<% if node[:ssl][:strict_transport_security] -%>
proxy_set_header Cache-Control $limit_http_cache_control;
proxy_set_header Pragma $limit_http_pragma;
}
+<% end %>
}
projects / chef.git / blobdiff