Move nginx SSL configuration to shared location in nginx cookbook
authorTom Hughes <tom@compton.nu>
Tue, 16 Jan 2018 09:15:14 +0000 (09:15 +0000)
committerTom Hughes <tom@compton.nu>
Tue, 16 Jan 2018 09:15:14 +0000 (09:15 +0000)
cookbooks/imagery/resources/site.rb
cookbooks/imagery/templates/default/nginx_imagery.conf.erb
cookbooks/nginx/recipes/default.rb
cookbooks/nginx/templates/default/nginx.conf.erb
cookbooks/tilecache/recipes/default.rb
cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb

index 9cea98f..e4c2c6f 100644 (file)
@@ -95,15 +95,11 @@ action :create do
     domains tile_domains
   end
 
-  resolvers = node[:networking][:nameservers].map do |resolver|
-    IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
-  end
-
   nginx_site new_resource.site do
     template "nginx_imagery.conf.erb"
     directory "/srv/imagery/#{new_resource.site}"
     restart_nginx false
-    variables new_resource.to_hash.merge(:resolvers => resolvers)
+    variables new_resource.to_hash
   end
 end
 
index b0fd869..405949e 100644 (file)
@@ -15,16 +15,6 @@ server {
     ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
     ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
 
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers <%= node[:ssl][:ciphers] -%>;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:50m;
-    ssl_session_timeout 30m;
-    ssl_stapling on;
-    ssl_dhparam /etc/ssl/certs/dhparam.pem;
-    resolver <%= @resolvers.join(" ") %>;
-    resolver_timeout 5s;
-
     root "/srv/<%= @name %>";
 
     gzip on;
index 0c97546..6e3a60f 100644 (file)
 
 package "nginx"
 
-# admins = data_bag_item("nginx", "admins")
+resolvers = node[:networking][:nameservers].map do |resolver|
+  IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
+end
 
 template "/etc/nginx/nginx.conf" do
   source "nginx.conf.erb"
   owner "root"
   group "root"
   mode 0o644
+  variables :resolvers => resolvers
 end
 
 directory "/var/cache/nginx/fastcgi-cache" do
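Review bot: The `resolvers` map added at the top of this recipe now runs on every node that includes the nginx cookbook, not only the two SSL sites it used to serve, and `IPAddr.new(resolver)` raises `IPAddr::InvalidAddressError` for any entry it cannot parse (a link-local address carrying a zone suffix, for example), which would abort the whole converge before `/etc/nginx/nginx.conf` is written. A guard such as `next unless node[:networking][:nameservers]` or a comment like `# IPv6 nameservers must be bracketed for nginx's resolver directive; any unparsable entry fails the run on purpose` would make that behaviour explicit. The hunk also shows no `require "ipaddr"`; the removed tilecache and imagery code did not show one either, so this presumably relies on Chef loading it — worth confirming rather than assuming. The hunk has no `@@` header on this page, so the exact context lines could not be checked.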
index 67b080b..7bf95a7 100644 (file)
@@ -31,6 +31,16 @@ http {
 
     server_tokens off;
 
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers <%= node[:ssl][:ciphers] -%>;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 30m;
+    ssl_stapling on;
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    resolver <%= @resolvers.join(" ") %>;
+    resolver_timeout 5s;
+
     <% if node['nginx']['cache']['fastcgi']['enable'] -%>
     fastcgi_cache_path /var/cache/nginx/fastcgi-cache levels=1:2 keys_zone=<%= node['nginx']['cache']['fastcgi']['keys_zone'] %> inactive=<%= node['nginx']['cache']['fastcgi']['inactive'] %> max_size=<%= node['nginx']['cache']['fastcgi']['max_size'] %>;
     <% end -%>
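Review bot: `ssl_stapling on;` at the `ssl_stapling` line enables stapling without `ssl_stapling_verify on;`, so nginx serves whatever OCSP response it fetches through the new `resolver` without checking its signature; now that this block is the host-wide default in the `http` context, adding `ssl_stapling_verify on;` together with an `ssl_trusted_certificate` pointing at the issuer chain (no such file appears on this page, so use a placeholder path until one is provisioned) would close that gap for every vhost at once. The same move makes `TLSv1 TLSv1.1 TLSv1.2` the baseline for every server on the host rather than just the two that previously carried these lines, so any vhost meant to be TLS 1.2-only now has to override `ssl_protocols` in its own `server` block. The `resolver <%= @resolvers.join(" ") %>;` line would render as `resolver ;` if the node has no nameservers configured, which nginx rejects at startup; wrapping it in `<% unless @resolvers.empty? -%>` … `<% end -%>` keeps the config parsable on such hosts.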
index 728d26f..994c610 100644 (file)
@@ -88,10 +88,6 @@ nginx_site "default" do
   action [:delete]
 end
 
-resolvers = node[:networking][:nameservers].map do |resolver|
-  IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
-end
-
 template "/usr/local/bin/nginx_generate_tilecache_qos_map" do
   source "nginx_generate_tilecache_qos_map.erb"
   owner "root"
@@ -123,7 +119,7 @@ end
 
 nginx_site "tile-ssl" do
   template "nginx_tile_ssl.conf.erb"
-  variables :resolvers => resolvers, :caches => tilecaches
+  variables :caches => tilecaches
 end
 
 template "/etc/logrotate.d/nginx" do
index c441c03..7024817 100644 (file)
@@ -53,16 +53,6 @@ server {
     ssl_certificate      /etc/ssl/certs/tile.openstreetmap.org.pem;
     ssl_certificate_key  /etc/ssl/private/tile.openstreetmap.org.key;
 
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers <%= node[:ssl][:ciphers] -%>;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:50m;
-    ssl_session_timeout 30m;
-    ssl_stapling on;
-    ssl_dhparam /etc/ssl/certs/dhparam.pem;
-    resolver <%= @resolvers.join(" ") %>;
-    resolver_timeout 5s;
-
     location / {
       proxy_pass http://tile_cache_backend;
       proxy_set_header X-Forwarded-For $remote_addr;