+upstream tile_cache_backend {
+ server 127.0.0.1;
+ <% @caches.each do |cache| -%>
+ <% if cache[:hostname] != node[:hostname] -%>
+ #Server <%= cache[:hostname] %>
+ <% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
+ server <%= address %> backup;
+ <% end -%>
+ <% end -%>
+ <% end -%>
+
+ keepalive 32;
+}
+
+# Rates table based on cookie value
+map $cookie_qos_token $limit_rate_qos {
+ default 8192; # Default Rate
+ "test" 32768; # FIXME - Future TOTP Token
+}
+
+map $cookie_qos_token $cookie_qos_token_set {
+ # Cookie Domain per RFC 6265
+ default 'qos_token=test; Secure; httponly; Max-Age=3600; Domain=tile.openstreetmap.org; Path=/'; # FIXME - Future TOTP Token
+ "test" ''; # Do not Set-Cookie if current is valid
+}
+
+map $http_user_agent $approved_scraper {
+ default ''; # Not approved
+ '~^JOSM\/' 'JOSM';
+ '~^Mozilla\/5\.0\ QGIS\/' 'QGIS';
+}
+
+# Limit Cache-Control header to only approved User-Agents
+map $http_user_agent $limit_http_cache_control {
+ default ''; # Unset Header
+ '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
+ '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header
+}
+
+# Limit Pragma header to only approved User-Agents
+map $http_user_agent $limit_http_pragma {
+ default ''; # Unset Header
+ '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
+ '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header
+}
+
server {
- listen 443 ssl;
+ listen 443 ssl fastopen=2048 http2 default_server;
server_name localhost;
- ssl_certificate /etc/ssl/certs/tile.openstreetmap.pem;
- ssl_certificate_key /etc/ssl/private/tile.openstreetmap.key;
+ proxy_buffers 8 64k;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
- ssl_ciphers aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5;
+ ssl_certificate /etc/ssl/certs/<%= @certificate %>.pem;
+ ssl_certificate_key /etc/ssl/private/<%= @certificate %>.key;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers <%= node[:ssl][:ciphers] -%>;
ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:30m;
- ssl_session_timeout 15m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 30m;
+ ssl_stapling on;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ resolver <%= @resolvers.join(" ") %>;
+ resolver_timeout 5s;
+
+ location / {
+ proxy_pass http://tile_cache_backend;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_http_version 1.1;
+ proxy_set_header Connection '';
+
+ proxy_connect_timeout 5s;
+
+ # Do not pass cookies to backends.
+ proxy_set_header Cookie '';
+ # Do not pass Accept-Encoding to backends.
+ proxy_set_header Accept-Encoding '';
+
+ # Do not allow setting cookies from backends due to caching.
+ proxy_ignore_headers Set-Cookie;
+ proxy_hide_header Set-Cookie;
+
+ # Set a QoS cookie if none presented (uses nginx Map)
+ add_header Set-Cookie $cookie_qos_token_set;
+
+ # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html
+ set $limit_rate $limit_rate_qos;
- location / { proxy_pass http://127.0.0.1; proxy_set_header X-Forwarded-For $remote_addr; }
+ # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map)
+ if ($approved_scraper) {
+ set $limit_rate 16384;
+ }
+ # Allow cache purging headers only from select User-Agents (uses nginx Map)
+ proxy_set_header Cache-Control $limit_http_cache_control;
+ proxy_set_header Pragma $limit_http_pragma;
+ }
}
projects / chef.git / blobdiff