diff --git a/site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb b/site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb
index e69de29..6c4b547 100644
--- a/site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb
+++ b/site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb
@@ -0,0 +1,4 @@
+node.default['liquor-cabinet']['app_server_role'] = 'liquor_cabinet'
+node.default['liquor-cabinet']['max_upload_size'] = 100 # MB
+node.default['liquor-cabinet']['server_name'] = 'storage.example.com'
+node.default['liquor-cabinet']['root_redirect_url'] = 'https://example.com/storage'
diff --git a/site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb b/site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb
new file mode 100644
index 0000000..e3c1b6b
--- /dev/null
+++ b/site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb
@@ -0,0 +1,30 @@
+#
+# Cookbook:: kosmos_liquor-cabinet
+# Recipe:: nginx
+#
+
+app_name = node['liquor-cabinet']['app_name']
+domain = node[app_name]['domain']
+
+tls_cert_for domain do
+ auth "gandi_dns"
+ action :create
+end
+
+upstream_hosts = []
+search(:node, "role:#{node[app_name]['app_server_role']}").each do |node|
+ upstream_hosts << node["knife_zero"]["host"]
+end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
+
+openresty_site domain do
+ template "nginx_conf_liquor-cabinet.erb"
+ variables app_name: app_name,
+ server_name: domain,
+ root_redirect_url: node[app_name]['root_redirect_url'],
+ max_upload_size: node['liquor-cabinet']['max_upload_size'],
+ upstream_hosts: upstream_hosts,
+ upstream_port: node[app_name]['rainbows']['port'],
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end
diff --git a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
new file mode 100644
index 0000000..870713b
--- /dev/null
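Review bot: The attributes file defines `['liquor-cabinet']['server_name']`, but nothing in this commit reads that key; the new nginx recipe derives the vhost from `node[app_name]['domain']` instead, so unless `domain` is set elsewhere (a role, environment or the app_name attribute file, none of which are visible here) the recipe would compile against a nil domain and the `tls_cert_for` / `openresty_site` resource names would be empty. Either rename the attribute to `node.default['liquor-cabinet']['domain'] = 'storage.example.com'` or read `server_name` in the recipe, so the attribute and the recipe agree on one key. The recipe also mixes `node[app_name][...]` with the literal `node['liquor-cabinet'][...]` for `max_upload_size`; picking one form would make it obvious which attribute file is authoritative.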
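Review bot: The block parameter in `search(...).each do |node|` shadows the recipe's own `node` object, so any attribute lookup added inside that block later would silently read the remote search result rather than the converging node; rename it, e.g. `search(:node, "role:#{node[app_name]['app_server_role']}").each do |app_node|` with `upstream_hosts << app_node["knife_zero"]["host"]`. The `push("localhost") if upstream_hosts.empty?` fallback is reasonable for a single-host setup, but an empty search can also mean a stale search index or a mistyped role, and the proxy would then quietly point at a port where nothing listens; a `Chef::Log.warn("no nodes found for role #{node[app_name]['app_server_role']}, using localhost upstream")` before the push makes that visible in the run log. A matching node that lacks `knife_zero.host` raises `NoMethodError` on nil inside the loop; `app_node.dig("knife_zero", "host")` with a `compact` on the result would keep one bad node from failing the whole run, if that is the desired behaviour.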
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
@@ -0,0 +1,79 @@
+#
+# Generated by Chef
+#
+upstream _<%= @app_name %> {
+<% @upstream_hosts.each do |host| -%>
+ server <%= host %>:<%= @upstream_port %>;
+<% end -%>
+}
+
+# TODO use cookbook attribute when enabling
+# variables_hash_max_size 2048;
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name <%= @server_name %>;
+ # Redirect to https
+ location / {
+ return 301 https://<%= @server_name %>$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name <%= @server_name %>;
+
+ access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
+ error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
+
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
+
+ # TODO
+ # log_by_lua_file "<%= @log_by_lua_file %>";
+
+ # We need strong ETags, disable compression
+ gzip off;
+ # brotli off;
+ # pagespeed off;
+
+ # Set a large maximum upload size
+ client_max_body_size <%= @max_upload_size %>m;
+
+ # TODO
+ # Use rate limiting (the zone is defined in
+ # /etc/nginx/conf.d/rate_limiting.conf)
+ # limit_req zone=per_ip burst=5000;
+
+ location = / {
+ return 301 <%= @root_redirect_url %>;
+ }
+
+ location / {
+ try_files $uri @proxy;
+ }
+
+ location @proxy {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+
+ proxy_redirect off;
+
+ proxy_buffering on;
+ # Increase number of buffers. Default is 8
+ proxy_buffers 1024 8k;
+
+ # Needed for big uploads
+ proxy_read_timeout 180s;
+ proxy_send_timeout 180s;
+
+ proxy_pass http://_<%= @app_name %>;
+
+ proxy_next_upstream error timeout http_502 http_500;
+ }
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+}
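Review bot: The HSTS header in the 443 server block is emitted with plain `add_header`, which nginx only attaches to 2xx/3xx responses, so a 401/404/500 from the storage backend goes out without the policy; use `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;`. The server block also declares no `ssl_protocols`, `ssl_ciphers` or session settings; those may well be inherited from the global `http` context of the openresty cookbook, but since this template is the per-site source of truth it is worth stating them here (`ssl_protocols TLSv1.2 TLSv1.3;` at minimum) or adding a comment naming the file they come from. `X-Forwarded-For` is built with `$proxy_add_x_forwarded_for`, which appends to whatever the client sent, so the application must treat only the last entry as trustworthy — a one-line comment next to that directive would keep a future reader from rate-limiting or authorising on the first entry. The `return 301 <%= @root_redirect_url %>;` and `server_name <%= @server_name %>;` substitutions are unquoted, which is fine for operator-set attributes but means a value containing a space or `;` silently changes the config structure rather than failing; `nginx -t` in the site resource's verify step would catch that.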