From: Tom Hughes <tom@compton.nu>
Date: Fri, 9 Feb 2018 19:04:44 +0000 (+0000)
Subject: Enable SSL on tile render servers
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/93e92b84438ecf5422bdd9c685ae986be229068d?hp=2443cfc7684f070dac2dd89772db3a3db5e50a78

Enable SSL on tile render servers
---

diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index 7befcdc20..74f011cc1 100644
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -38,6 +38,11 @@ apache_module "tile" do
   conf "tile.conf.erb"
 end
 
+ssl_certificate node[:fqdn] do
+  domains [node[:fqdn], "render.openstreetmap.org"]
+  notifies :reload, "service[apache2]"
+end
+
 tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
 
 apache_site "default" do
diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb
index f6364cc98..6588ab0b1 100644
--- a/cookbooks/tile/templates/default/apache.erb
+++ b/cookbooks/tile/templates/default/apache.erb
@@ -1,13 +1,22 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
-<VirtualHost *:80>
+<% [80, 443].each do |port| -%>
+<VirtualHost *:<%= port %>>
   # Basic server configuration
   ServerName <%= node[:fqdn] %>
-  ServerAlias tile.openstreetmap.org
   ServerAlias render.openstreetmap.org
   ServerAlias *.render.openstreetmap.org
-  ServerAlias parent.tile.openstreetmap.org
   ServerAdmin webmaster@openstreetmap.org
+<% if port == 443 -%>
+
+  #
+  # Enable SSL
+  #
+  SSLEngine on
+  SSLProxyEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= node[:fqdn] %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= node[:fqdn] %>.key
+<% end -%>
 
   # Configure location of static files and CGI scripts
   DocumentRoot /srv/tile.openstreetmap.org/html
@@ -51,6 +60,7 @@
   RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
 </VirtualHost>
 
+<% end -%>
 <Directory /srv/tile.openstreetmap.org/html>
   Options None
   AllowOverride None
diff --git a/cookbooks/tilecache/attributes/default.rb b/cookbooks/tilecache/attributes/default.rb
index b5023c3a7..6ef75527e 100644
--- a/cookbooks/tilecache/attributes/default.rb
+++ b/cookbooks/tilecache/attributes/default.rb
@@ -1,5 +1,5 @@
 
-default[:tilecache][:tile_parent] = "parent.tile.openstreetmap.org"
+default[:tilecache][:tile_parent] = "render.openstreetmap.org"
 default[:tilecache][:tile_siblings] = []
 
 # Per IP bucket refill rate