Add liquor-cabinet proxy recipe

site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb

@@ -0,0 +1,4 @@
+node.default['liquor-cabinet']['app_server_role'] = 'liquor_cabinet'
+node.default['liquor-cabinet']['max_upload_size'] = 100 # MB
+node.default['liquor-cabinet']['server_name'] = 'storage.example.com'
+node.default['liquor-cabinet']['root_redirect_url'] = 'https://example.com/storage'

site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb

@@ -0,0 +1,30 @@
+#
+# Cookbook:: kosmos_liquor-cabinet
+# Recipe:: nginx
+#
+
+app_name = node['liquor-cabinet']['app_name']
+domain   = node[app_name]['domain']
+
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
+upstream_hosts = []
+search(:node, "role:#{node[app_name]['app_server_role']}").each do |node|
+  upstream_hosts << node["knife_zero"]["host"]
+end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
+
+openresty_site domain do
+  template "nginx_conf_liquor-cabinet.erb"
+  variables app_name: app_name,
+            server_name: domain,
+            root_redirect_url: node[app_name]['root_redirect_url'],
+            max_upload_size: node['liquor-cabinet']['max_upload_size'],
+            upstream_hosts: upstream_hosts,
+            upstream_port: node[app_name]['rainbows']['port'],
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -0,0 +1,79 @@
+#
+# Generated by Chef
+#
+upstream _<%= @app_name %> {
+<% @upstream_hosts.each do |host| -%>
+  server <%= host %>:<%= @upstream_port %>;
+<% end -%>
+}
+
+# TODO use cookbook attribute when enabling
+# variables_hash_max_size 2048;
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name <%= @server_name %>;
+  # Redirect to https
+  location / {
+    return 301 https://<%= @server_name %>$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
+
+  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
+
+  # TODO
+  # log_by_lua_file "<%= @log_by_lua_file %>";
+
+  # We need strong ETags, disable compression
+  gzip off;
+  # brotli off;
+  # pagespeed off;
+
+  # Set a large maximum upload size
+  client_max_body_size <%= @max_upload_size %>m;
+
+  # TODO
+  # Use rate limiting (the zone is defined in
+  # /etc/nginx/conf.d/rate_limiting.conf)
+  # limit_req zone=per_ip burst=5000;
+
+  location = / {
+    return 301 <%= @root_redirect_url %>;
+  }
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+
+    proxy_redirect off;
+
+    proxy_buffering on;
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    # Needed for big uploads
+    proxy_read_timeout 180s;
+    proxy_send_timeout 180s;
+
+    proxy_pass http://_<%= @app_name %>;
+
+    proxy_next_upstream error timeout http_502 http_500;
+  }
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+}