X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/4ae212e4720e6947570b24131fcc9dce825182db..faf7f77d947a16e3ef2afa84c1f89b54f5035b3e:/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb index c27a531b3..14a13a0e7 100644 --- a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb +++ b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb @@ -1,16 +1,98 @@ +upstream tile_cache_backend { + server 127.0.0.1; + <% @caches.each do |cache| -%> + <% if cache[:hostname] != node[:hostname] -%> + #Server <%= cache[:hostname] %> + <% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> + server <%= address %> backup; + <% end -%> + <% end -%> + <% end -%> + + keepalive 32; +} + +# Rates table based on cookie value +map $cookie_qos_token $limit_rate_qos { + default 8192; # Default Rate + "test" 32768; # FIXME - Future TOTP Token +} + +map $cookie_qos_token $cookie_qos_token_set { + # Cookie Domain per RFC 6265 + default 'qos_token=test; Secure; httponly; Max-Age=3600; Domain=tile.openstreetmap.org; Path=/'; # FIXME - Future TOTP Token + "test" ''; # Do not Set-Cookie if current is valid +} + +map $http_user_agent $approved_scraper { + default ''; # Not approved + '~^JOSM\/' 'JOSM'; + '~^Mozilla\/5\.0\ QGIS\/' 'QGIS'; +} + +# Limit Cache-Control header to only approved User-Agents +map $http_user_agent $limit_http_cache_control { + default ''; # Unset Header + '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header + '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header +} + +# Limit Pragma header to only approved User-Agents +map $http_user_agent $limit_http_pragma { + default ''; # Unset Header + '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header + '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header +} + server { - listen 443 ssl; + listen 443 ssl fastopen=2048 http2 default_server; server_name localhost; - ssl_certificate /etc/ssl/certs/tile.openstreetmap.pem; - ssl_certificate_key /etc/ssl/private/tile.openstreetmap.key; + proxy_buffers 8 64k; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3; - ssl_ciphers aRSA+HIGH:+kEDH:+kRSA:!kSRP:!kPSK:+3DES:!MD5; + ssl_certificate /etc/ssl/certs/<%= @certificate %>.pem; + ssl_certificate_key /etc/ssl/private/<%= @certificate %>.key; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers <%= node[:ssl][:ciphers] -%>; ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:30m; - ssl_session_timeout 15m; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 30m; + ssl_stapling on; + ssl_dhparam /etc/ssl/certs/dhparam.pem; + resolver <%= @resolvers.join(" ") %>; + resolver_timeout 5s; + + location / { + proxy_pass http://tile_cache_backend; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_http_version 1.1; + proxy_set_header Connection ''; + + proxy_connect_timeout 5s; + + # Do not pass cookies to backends. + proxy_set_header Cookie ''; + # Do not pass Accept-Encoding to backends. + proxy_set_header Accept-Encoding ''; + + # Do not allow setting cookies from backends due to caching. + proxy_ignore_headers Set-Cookie; + proxy_hide_header Set-Cookie; + + # Set a QoS cookie if none presented (uses nginx Map) + add_header Set-Cookie $cookie_qos_token_set; + + # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html + set $limit_rate $limit_rate_qos; - location / { proxy_pass http://127.0.0.1; proxy_set_header X-Forwarded-For $remote_addr; } + # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map) + if ($approved_scraper) { + set $limit_rate 16384; + } + # Allow cache purging headers only from select User-Agents (uses nginx Map) + proxy_set_header Cache-Control $limit_http_cache_control; + proxy_set_header Pragma $limit_http_pragma; + } }