sysadmin/openfreemap
1
0
Fork 0
mirror of https://github.com/hyperknot/openfreemap.git synced 2026-05-21 14:02:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

work

Browse Source
This commit is contained in:
Zsolt Ero
2025-10-07 17:53:42 +02:00
parent 377dd7f334
commit 17d580023b
6 changed files with 20 additions and 637 deletions
Download Patch File Download Diff File Expand all files Collapse all files

618
docs/assets/nginx.conf
View File

@@ -1,618 +0,0 @@
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 300000; # needs to be < ulimit -n
error_log /data/nginx/logs/nginx-error.log warn;
events {
worker_connections 40000;
multi_accept off; # very important, otherwise one worker might get all the connections
}
http {
# aggressive caching for read-only sources
open_file_cache max=1000000 inactive=60m;
open_file_cache_valid 60m;
open_file_cache_min_uses 1;
open_file_cache_errors on;
server_tokens off;
include /etc/nginx/mime.types;
types {
application/x-protobuf pbf;
}
default_type application/octet-stream;
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
reset_timedout_connection on;
send_timeout 20;
max_ranges 0;
gzip on;
gzip_comp_level 1;
gzip_types application/json application/x-protobuf;
log_format access_json '{'
# general
'"time": "$time_iso8601", '
'"status": $status, '
#'"request_method": "$request_method", '
#'"uri": "$uri", '
#'"request": "$request", '
#'"request_time": $request_time, '
'"body_bytes_sent": $body_bytes_sent, '
'"http_referrer": "$http_referer", '
'"http_user_agent": "$http_user_agent", '
#'"scheme": "$scheme", '
#'"host": "$host", '
#'"http_host": "$http_host", '
# IP address related
# IP address logging is disabled
#'"remote_addr": "$remote_addr", '
#'"http_x_forwarded_for": "$http_x_forwarded_for", '
# CF related
#'"http_cf_ray": "$http_cf_ray", '
#'"http_cf_ipcountry": "$http_cf_ipcountry", '
#'"http_cf_connecting_ip": "$http_cf_connecting_ip", '
'"_": "_"' # helper for no trailing comma
'}';
access_log off;
#access_log /data/nginx/logs/nginx-access.log access_json buffer=128k;
include /data/nginx/config/*;
include /data/nginx/sites/*;
}
# configuration file /etc/nginx/mime.types:
types {
# Data interchange
application/atom+xml atom;
application/json json map topojson;
application/ld+json jsonld;
application/rss+xml rss;
# Normalize to standard type.
# https://tools.ietf.org/html/rfc7946#section-12
application/geo+json geojson;
application/xml xml;
# Normalize to standard type.
# https://tools.ietf.org/html/rfc3870#section-2
application/rdf+xml rdf;
# JavaScript
# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
text/javascript js mjs;
application/wasm wasm;
# Manifest files
application/manifest+json webmanifest;
application/x-web-app-manifest+json webapp;
text/cache-manifest appcache;
# Media files
audio/midi mid midi kar;
audio/mp4 aac f4a f4b m4a;
audio/mpeg mp3;
audio/ogg oga ogg opus;
audio/x-realaudio ra;
audio/x-wav wav;
image/apng apng;
image/avif avif avifs;
image/bmp bmp;
image/gif gif;
image/jpeg jpeg jpg;
image/jxl jxl;
image/jxr jxr hdp wdp;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-jng jng;
video/3gpp 3gp 3gpp;
video/mp4 f4p f4v m4v mp4;
video/mpeg mpeg mpg;
video/ogg ogv;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-mng mng;
video/x-ms-asf asf asx;
video/x-msvideo avi;
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying then as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
image/x-icon cur ico;
# Microsoft Office
application/msword doc;
application/vnd.ms-excel xls;
application/vnd.ms-powerpoint ppt;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
# Web fonts
font/woff woff;
font/woff2 woff2;
application/vnd.ms-fontobject eot;
font/ttf ttf;
font/collection ttc;
font/otf otf;
# Other
application/java-archive ear jar war;
application/mac-binhex40 hqx;
application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
application/pdf pdf;
application/postscript ai eps ps;
application/rtf rtf;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-bb-appworld bbaw;
application/x-bittorrent torrent;
application/x-chrome-extension crx;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-opera-extension oex;
application/x-perl pl pm;
application/x-pilot pdb prc;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert crt der pem;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xslt+xml xsl;
application/zip zip;
text/calendar ics;
text/css css;
text/csv csv;
text/html htm html shtml;
text/markdown md markdown;
text/mathml mml;
text/plain txt;
text/vcard vcard vcf;
text/vnd.rim.location.xloc xloc;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/vtt vtt;
text/x-component htc;
}
# configuration file /data/nginx/sites/default_disable.conf:
map "" $empty {
default "";
}
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name _;
ssl_ciphers aNULL;
ssl_certificate /etc/nginx/ssl/dummy.crt;
ssl_certificate_key /etc/nginx/ssl/dummy.key;
return 444;
}
# configuration file /data/nginx/sites/ofm_roundrobin.conf:
server {
server_name ofm_roundrobin tiles.openfreemap.org;
# ssl: https://ssl-config.mozilla.org / intermediate config
listen 80;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
ssl_certificate /data/nginx/certs/ofm_roundrobin.cert;
ssl_certificate_key /data/nginx/certs/ofm_roundrobin.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ffdhe2048.txt;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# access log doesn't contain IP address
access_log off;
#access_log /data/ofm/http_host/logs_nginx/roundrobin-access.jsonl access_json buffer=128k;
error_log /data/ofm/http_host/logs_nginx/roundrobin-error.log;
add_header X-Robots-Tag "noindex, nofollow" always;
# specific JSON monaco 20250806_231001_pt
location = /monaco/20250806_231001_pt {
# no trailing slash
alias /data/ofm/http_host/runs/monaco/20250806_231001_pt/tilejson-ofm_roundrobin.json; # no trailing slash
expires 1w;
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'specific JSON monaco 20250806_231001_pt';
}
# specific PBF monaco 20250806_231001_pt
location ^~ /monaco/20250806_231001_pt/ {
# trailing slash
alias /mnt/ofm/monaco-20250806_231001_pt/tiles/; # trailing slash
try_files $uri @empty_tile;
add_header Content-Encoding gzip;
expires 10y;
types {
application/vnd.mapbox-vector-tile pbf;
}
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'specific PBF monaco 20250806_231001_pt';
}
# specific JSON planet 20250806_001001_pt
location = /planet/20250806_001001_pt {
# no trailing slash
alias /data/ofm/http_host/runs/planet/20250806_001001_pt/tilejson-ofm_roundrobin.json; # no trailing slash
expires 1w;
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'specific JSON planet 20250806_001001_pt';
}
# specific PBF planet 20250806_001001_pt
location ^~ /planet/20250806_001001_pt/ {
# trailing slash
alias /mnt/ofm/planet-20250806_001001_pt/tiles/; # trailing slash
try_files $uri @empty_tile;
add_header Content-Encoding gzip;
expires 10y;
types {
application/vnd.mapbox-vector-tile pbf;
}
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'specific PBF planet 20250806_001001_pt';
}
# specific JSON monaco 20250805_231001_pt
location = /monaco/20250805_231001_pt {
# no trailing slash
alias /data/ofm/http_host/runs/monaco/20250805_231001_pt/tilejson-ofm_roundrobin.json; # no trailing slash
expires 1w;
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'specific JSON monaco 20250805_231001_pt';
}
# specific PBF monaco 20250805_231001_pt
location ^~ /monaco/20250805_231001_pt/ {
# trailing slash
alias /mnt/ofm/monaco-20250805_231001_pt/tiles/; # trailing slash
try_files $uri @empty_tile;
add_header Content-Encoding gzip;
expires 10y;
types {
application/vnd.mapbox-vector-tile pbf;
}
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'specific PBF monaco 20250805_231001_pt';
}
# specific JSON planet 20250730_001001_pt
location = /planet/20250730_001001_pt {
# no trailing slash
alias /data/ofm/http_host/runs/planet/20250730_001001_pt/tilejson-ofm_roundrobin.json; # no trailing slash
expires 1w;
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'specific JSON planet 20250730_001001_pt';
}
# specific PBF planet 20250730_001001_pt
location ^~ /planet/20250730_001001_pt/ {
# trailing slash
alias /mnt/ofm/planet-20250730_001001_pt/tiles/; # trailing slash
try_files $uri @empty_tile;
add_header Content-Encoding gzip;
expires 10y;
types {
application/vnd.mapbox-vector-tile pbf;
}
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'specific PBF planet 20250730_001001_pt';
}
# latest JSON monaco
location = /monaco {
# no trailing slash
alias /data/ofm/http_host/runs/monaco/20250806_231001_pt/tilejson-ofm_roundrobin.json; # no trailing slash
expires 1d;
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'latest JSON monaco';
}
# wildcard JSON monaco
location ~ ^/monaco/([^/]+)$ {
# regex location is unreliable with alias, only root is reliable
root /data/ofm/http_host/runs/monaco/20250806_231001_pt; # no trailing slash
try_files /tilejson-ofm_roundrobin.json =404;
expires 1w;
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'wildcard JSON monaco';
}
# wildcard PBF monaco
location ~ ^/monaco/([^/]+)/(.+)$ {
# regex location is unreliable with alias, only root is reliable
root /mnt/ofm/monaco-20250806_231001_pt/tiles/; # trailing slash
try_files /$2 @empty_tile;
add_header Content-Encoding gzip;
expires 10y;
types {
application/vnd.mapbox-vector-tile pbf;
}
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'wildcard PBF monaco';
}
# latest JSON planet
location = /planet {
# no trailing slash
alias /data/ofm/http_host/runs/planet/20250806_001001_pt/tilejson-ofm_roundrobin.json; # no trailing slash
expires 1d;
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'latest JSON planet';
}
# wildcard JSON planet
location ~ ^/planet/([^/]+)$ {
# regex location is unreliable with alias, only root is reliable
root /data/ofm/http_host/runs/planet/20250806_001001_pt; # no trailing slash
try_files /tilejson-ofm_roundrobin.json =404;
expires 1w;
default_type application/json;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'wildcard JSON planet';
}
# wildcard PBF planet
location ~ ^/planet/([^/]+)/(.+)$ {
# regex location is unreliable with alias, only root is reliable
root /mnt/ofm/planet-20250806_001001_pt/tiles/; # trailing slash
try_files /$2 @empty_tile;
add_header Content-Encoding gzip;
expires 10y;
types {
application/vnd.mapbox-vector-tile pbf;
}
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'wildcard PBF planet';
}
location /fonts/ {
# trailing slash
alias /data/ofm/http_host/assets/fonts/ofm/; # trailing slash
try_files $uri =404;
expires 1w;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
}
location /natural_earth/ {
# trailing slash
alias /data/ofm/http_host/assets/natural_earth/ofm/; # trailing slash
try_files $uri =404;
expires 10y;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
}
location /sprites/ {
# trailing slash
alias /data/ofm/http_host/assets/sprites/; # trailing slash
try_files $uri =404;
expires 10y;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
}
# we need to handle missing tiles as valid request returning empty string
location @empty_tile {
return 200 '';
expires 10y;
types {
application/vnd.mapbox-vector-tile pbf;
}
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header x-ofm-debug 'empty tile';
}
location = / {
return 302 https://openfreemap.org;
}
location /styles/ {
# trailing slash
alias /data/ofm/http_host/assets/styles/ofm/; # trailing slash
try_files $uri.json =404;
expires 1d;
default_type application/json;
# substitute the domain in the TileJSON
sub_filter '__TILEJSON_DOMAIN__' 'tiles.openfreemap.org';
sub_filter_once off;
sub_filter_types '*';
add_header 'Access-Control-Allow-Origin' '*' always;
add_header Cache-Control public;
add_header X-Robots-Tag "noindex, nofollow" always;
}
# catch-all block to deny all other requests
location / {
deny all;
error_log /data/ofm/http_host/logs_nginx/roundrobin-deny.log error;
}
}

6
modules/http_host/http_host_lib/config.py
View File

@@ -17,8 +17,10 @@ class Configuration:
mnt_dir = Path('/mnt/ofm') mnt_dir = Path('/mnt/ofm')
certs_dir = Path('/data/nginx/certs') nginx_templates = Path(__file__).parent / 'nginx_templates'
nginx_confs_templates = Path(__file__).parent / 'nginx_conf_templates'
nginx_certs_dir = Path('/data/nginx/certs')
nginx_sites_dir = Path('/data/nginx/sites')
if Path('/data/ofm').exists(): if Path('/data/ofm').exists():
ofm_config_dir = Path('/data/ofm/config') ofm_config_dir = Path('/data/ofm/config')

25
modules/http_host/http_host_lib/nginx_config_gen.py
View File

@@ -14,10 +14,10 @@ def write_nginx_config():
sys.exit(' mount needs to be run first') sys.exit(' mount needs to be run first')
# remove old configs and certs # remove old configs and certs
for file in Path('/data/nginx/sites').glob('ofm_*.conf'): for file in config.nginx_sites_dir.glob('ofm-*.conf'):
file.unlink() file.unlink()
for file in Path('/data/nginx/certs').glob('ofm_*'): for file in config.nginx_certs_dir.glob('ofm-*'):
file.unlink() file.unlink()
conf = config.jsonc_config conf = config.jsonc_config
@@ -44,8 +44,8 @@ def process_domain(domain_data):
domain_data['slug'] = domain_slug domain_data['slug'] = domain_slug
if domain_data['cert'] == 'upload': if domain_data['cert'] == 'upload':
domain_data['cert_file'] = config.certs_dir / f'{domain_slug}.cert' domain_data['cert_file'] = config.nginx_certs_dir / f'{domain_slug}.cert'
domain_data['key_file'] = config.certs_dir / f'{domain_slug}.key' domain_data['key_file'] = config.nginx_certs_dir / f'{domain_slug}.key'
if not domain_data['cert_file'].is_file() or not domain_data['key_file'].is_file(): if not domain_data['cert_file'].is_file() or not domain_data['key_file'].is_file():
sys.exit( sys.exit(
@@ -56,23 +56,22 @@ def process_domain(domain_data):
def create_nginx_conf(domain_data: dict): def create_nginx_conf(domain_data: dict):
dynamic_block_lines, curl_text = dynamic_blocks(domain_data) dynamic_block_lines, curl_help = dynamic_blocks(domain_data)
template = (config.nginx_confs_templates / 'common.conf').read_text() template = (config.nginx_templates / 'common.conf').read_text()
template = template.replace('__DYNAMIC_BLOCKS__', dynamic_block_lines) template = template.replace('__DYNAMIC_BLOCKS__', dynamic_block_lines)
template = template.replace('__DOMAIN_SLUG__', domain_data['slug']) template = template.replace('__DOMAIN_SLUG__', domain_data['slug'])
template = template.replace('__DOMAIN__', domain_data['domain']) template = template.replace('__DOMAIN__', domain_data['domain'])
curl_text = curl_text.replace('__DOMAIN_SLUG__', domain_data['slug']) curl_help = curl_help.replace('__DOMAIN_SLUG__', domain_data['slug'])
curl_text = curl_text.replace('__DOMAIN__', domain_data['domain']) curl_help = curl_help.replace('__DOMAIN__', domain_data['domain'])
with open(f'/data/nginx/sites/{domain_data["slug"]}.conf', 'w') as fp: (config.nginx_sites_dir / f'ofm-{domain_data["slug"]}.conf').write_text(template)
fp.write(template) print(f' nginx config written: {domain_data["domain"]} {domain_data["slug"]}')
print(f' nginx config written: {domain_data["domain"]} {domain_data["slug"]}')
return curl_text return curl_help
def dynamic_blocks(domain_data: dict): def dynamic_blocks(domain_data: dict):
@@ -112,7 +111,7 @@ def dynamic_blocks(domain_data: dict):
f'curl -sI https://__DOMAIN__{path} | sort', f'curl -sI https://__DOMAIN__{path} | sort',
] ]
nginx_conf_lines += '\n' + (config.nginx_confs_templates / 'static_blocks.conf').read_text() nginx_conf_lines += '\n' + (config.nginx_templates / 'static_blocks.conf').read_text()
return nginx_conf_lines, curl_help_lines return nginx_conf_lines, curl_help_lines

8
modules/http_host/http_host_lib/nginx_conf_templates/common.conf → modules/http_host/http_host_lib/nginx_templates/common.conf
View File

@@ -8,8 +8,8 @@ server {
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on; http2 on;
ssl_certificate /data/nginx/certs/ofm_roundrobin.cert; ssl_certificate /data/nginx/certs/ofm-__DOMAIN_SLUG__.cert;
ssl_certificate_key /data/nginx/certs/ofm_roundrobin.key; ssl_certificate_key /data/nginx/certs/ofm-__DOMAIN_SLUG__.key;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
@@ -24,9 +24,9 @@ server {
# access log doesn't contain IP address # access log doesn't contain IP address
access_log off; access_log off;
#access_log /data/ofm/http_host/logs_nginx/roundrobin-access.jsonl access_json buffer=128k; #access_log /data/ofm/http_host/logs_nginx/__DOMAIN_SLUG__-access.jsonl access_json buffer=128k;
error_log /data/ofm/http_host/logs_nginx/roundrobin-error.log; error_log /data/ofm/http_host/logs_nginx/__DOMAIN_SLUG__-error.log;
add_header X-Robots-Tag "noindex, nofollow" always; add_header X-Robots-Tag "noindex, nofollow" always;

0
modules/http_host/http_host_lib/nginx_conf_templates/letsencrypt.conf → modules/http_host/http_host_lib/nginx_templates/letsencrypt.conf
View File

0
modules/http_host/http_host_lib/nginx_conf_templates/static_blocks.conf → modules/http_host/http_host_lib/nginx_templates/static_blocks.conf
View File