Add liquor-cabinet proxy recipe
parent
a2ec41b68a
commit
6114f0f799
|
@ -0,0 +1,4 @@
|
|||
node.default['liquor-cabinet']['app_server_role'] = 'liquor_cabinet'
|
||||
node.default['liquor-cabinet']['max_upload_size'] = 100 # MB
|
||||
node.default['liquor-cabinet']['server_name'] = 'storage.example.com'
|
||||
node.default['liquor-cabinet']['root_redirect_url'] = 'https://example.com/storage'
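Review bot: These defaults do not cover the keys the nginx recipe in this commit reads: it looks up `node['liquor-cabinet']['app_name']`, `node[app_name]['domain']` and `node[app_name]['rainbows']['port']`, while this file sets `server_name` and no `app_name`, `domain` or port. Unless another cookbook or a role supplies them (not visible here), the recipe fails at compile time with a nil lookup error rather than a clear message. Either add the missing defaults here or rename `server_name` to the `domain` key the recipe uses, and add a comment naming the cookbook that owns the `rainbows` port.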
|
|
@ -0,0 +1,30 @@
|
|||
#
|
||||
# Cookbook:: kosmos_liquor-cabinet
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
app_name = node['liquor-cabinet']['app_name']
|
||||
domain = node[app_name]['domain']
|
||||
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
upstream_hosts = []
|
||||
search(:node, "role:#{node[app_name]['app_server_role']}").each do |node|
|
||||
upstream_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
upstream_hosts.push("localhost") if upstream_hosts.empty?
|
||||
|
||||
openresty_site domain do
|
||||
template "nginx_conf_liquor-cabinet.erb"
|
||||
variables app_name: app_name,
|
||||
server_name: domain,
|
||||
root_redirect_url: node[app_name]['root_redirect_url'],
|
||||
max_upload_size: node['liquor-cabinet']['max_upload_size'],
|
||||
upstream_hosts: upstream_hosts,
|
||||
upstream_port: node[app_name]['rainbows']['port'],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
end
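Review bot: The search loop's block parameter `|node|` shadows the recipe's own `node`, and `node["knife_zero"]["host"]` is appended without checking that the attribute exists, so a matching node that lacks it either raises or puts an empty host into the rendered `upstream` block. Renaming the parameter and skipping missing values keeps that out of the config: `search(...).each do |n|`, then `host = n['knife_zero'] && n['knife_zero']['host']` and `upstream_hosts << host if host`. Every host the search returns becomes a plain-HTTP backend for user traffic, so a comment stating that role membership is treated as trusted input would help the next reader. The fallback to `localhost` silently hides an empty search result; a `Chef::Log.warn` at that line would make it visible.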
|
|
@ -0,0 +1,79 @@
|
|||
#
|
||||
# Generated by Chef
|
||||
#
|
||||
upstream _<%= @app_name %> {
|
||||
<% @upstream_hosts.each do |host| -%>
|
||||
server <%= host %>:<%= @upstream_port %>;
|
||||
<% end -%>
|
||||
}
|
||||
|
||||
# TODO use cookbook attribute when enabling
|
||||
# variables_hash_max_size 2048;
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name <%= @server_name %>;
|
||||
# Redirect to https
|
||||
location / {
|
||||
return 301 https://<%= @server_name %>$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
|
||||
|
||||
# TODO
|
||||
# log_by_lua_file "<%= @log_by_lua_file %>";
|
||||
|
||||
# We need strong ETags, disable compression
|
||||
gzip off;
|
||||
# brotli off;
|
||||
# pagespeed off;
|
||||
|
||||
# Set a large maximum upload size
|
||||
client_max_body_size <%= @max_upload_size %>m;
|
||||
|
||||
# TODO
|
||||
# Use rate limiting (the zone is defined in
|
||||
# /etc/nginx/conf.d/rate_limiting.conf)
|
||||
# limit_req zone=per_ip burst=5000;
|
||||
|
||||
location = / {
|
||||
return 301 <%= @root_redirect_url %>;
|
||||
}
|
||||
|
||||
location / {
|
||||
try_files $uri @proxy;
|
||||
}
|
||||
|
||||
location @proxy {
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
proxy_redirect off;
|
||||
|
||||
proxy_buffering on;
|
||||
# Increase number of buffers. Default is 8
|
||||
proxy_buffers 1024 8k;
|
||||
|
||||
# Needed for big uploads
|
||||
proxy_read_timeout 180s;
|
||||
proxy_send_timeout 180s;
|
||||
|
||||
proxy_pass http://_<%= @app_name %>;
|
||||
|
||||
proxy_next_upstream error timeout http_502 http_500;
|
||||
}
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
}
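Review bot: In `location @proxy`, `proxy_set_header Host $http_host;` forwards the client's raw Host header to the app; `proxy_set_header Host $host;` passes nginx's normalised value instead, which matters if the backend builds URLs or makes decisions from it. `location /` uses `try_files $uri @proxy;` but no `root` is visible in this server block, so files under nginx's default root would be served ahead of the storage app for matching paths; proxying directly from `location /`, or setting an explicit `root` for this server, avoids that. The HSTS `add_header` lacks `always`, so it is not sent on error responses, and `preload` is only meaningful on the registrable domain rather than on a `storage.` subdomain.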
|