From ae91fe58dcb96f983c7940d236f418b0ab98b32c Mon Sep 17 00:00:00 2001
From: Zsolt Ero
Date: Sun, 31 Dec 2023 02:25:48 +0100
Subject: [PATCH] nginx work

---
 init-server.py | 55 ++++++++++---------
 scripts/http_host/nginx_sync/nginx_sync.py | 13 +++--
 .../http_host/nginx_sync/nginx_template.conf | 21 -------
 .../nginx_sync/nginx_template_cf.conf | 37 +++++++++++++
 ssh_lib/assets/nginx/nginx.conf | 18 +++---
 ssh_lib/nginx.py | 1 +
 6 files changed, 82 insertions(+), 63 deletions(-)
 delete mode 100644 scripts/http_host/nginx_sync/nginx_template.conf
 create mode 100644 scripts/http_host/nginx_sync/nginx_template_cf.conf

diff --git a/init-server.py b/init-server.py
index 228d886..bf20c12 100755
--- a/init-server.py
+++ b/init-server.py
@@ -89,13 +89,21 @@ def prepare_tile_gen(c):
 def prepare_http_host(c):
+ c.sudo('rm -rf /data/ofm/http_host/logs_nginx')
+ c.sudo('mkdir -p /data/ofm/http_host/logs_nginx')
+ c.sudo('chown nginx:nginx /data/ofm/http_host/logs_nginx')
+ nginx(c)
 certbot(c)
 c1000k(c)
 prepare_venv(c)
- c.sudo('mkdir -p /data/ofm/http_host/logs_nginx')
+ upload_https_host_files(c)
+ upload_certificates(c)
+
+ def upload_https_host_files(c):
 c.sudo(f'mkdir -p {HTTP_HOST_BIN}')
 for file in [
@@ -110,32 +118,10 @@ def prepare_http_host(c):
 permissions='755',
 )
- for file in ['nginx_template.conf', 'nginx_sync.py']:
- put(
- c,
- SCRIPTS_DIR / 'http_host' / 'nginx_sync' / file,
- f'{HTTP_HOST_BIN}/nginx_sync/{file}',
- create_parent_dir=True,
- )
-
- c.sudo('chown -R ofm:ofm /data/ofm/http_host')
- c.sudo('chown -R nginx:nginx /data/ofm/http_host/logs_nginx')
-
-
- def debug_tmp(c):
 for file in [
- 'downloader.py',
- 'mounter.py',
- 'metadata_to_tilejson.py',
+ 'nginx_sync.py',
+ 'nginx_template_cf.conf',
 ]:
- put(
- c,
- SCRIPTS_DIR / 'http_host' / file,
- HTTP_HOST_BIN,
- permissions='755',
- )
-
- for file in ['nginx_template.conf', 'nginx_sync.py']:
 put(
 c,
 SCRIPTS_DIR / 'http_host' / 'nginx_sync' / file,
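Review bot: The `rm -rf /data/ofm/http_host/logs_nginx` added at the top of prepare_http_host deletes the existing nginx error log on every provisioning run, and since the new template in this commit keeps `access_log off`, that error log is the only record the host keeps of what nginx did before the re-run. A bare `c.sudo('mkdir -p /data/ofm/http_host/logs_nginx')` is already idempotent, so the rm -rf buys nothing and costs the evidence you would want after an incident. The `chown nginx:nginx` on the next line is also issued before `nginx(c)`; if that call is what installs the package and creates the `nginx` account, the chown fails on a fresh host, so I would drop the rm -rf and move the mkdir/chown pair to just after `nginx(c)`.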
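Review bot: The new upload_https_host_files pushes `nginx_template_cf.conf` under `{HTTP_HOST_BIN}/nginx_sync/`, where the `chown -R ofm:ofm /data/ofm/http_host` that still follows (context in the next hunk) makes the template owned and writable by the `ofm` account, while nginx_sync.py renders that template into a live server block and then runs `nginx -t` and `systemctl reload nginx`. If nginx_sync.py runs with root privileges, as those two calls suggest, anything that can write as `ofm` can get its own directives loaded into the root-run nginx, so the template should stay root-owned rather than be swept up in the recursive chown. One way is to re-own it after the chown -R, `c.sudo(f'chown root:root {HTTP_HOST_BIN}/nginx_sync/nginx_template_cf.conf')`, or to keep the template outside `/data/ofm/http_host`. The body of upload_https_host_files continues past the end of this hunk.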
@@ -144,7 +130,24 @@ def debug_tmp(c):
 )
 c.sudo('chown -R ofm:ofm /data/ofm/http_host')
- c.sudo('chown -R nginx:nginx /data/ofm/http_host/logs_nginx')
+
+
+ def upload_certificates(c):
+ for file in (CONFIG_DIR / 'certs').iterdir():
+ if file.name == '.gitignore':
+ continue
+ put(
+ c,
+ file,
+ f'/data/nginx/certs/{file.name}',
+ create_parent_dir=True,
+ permissions='400',
+ )
+ c.sudo('chown -R nginx:nginx /data/nginx')
+
+
+ def debug_tmp(c):
+ upload_https_host_files(c)
 @click.command()
diff --git a/scripts/http_host/nginx_sync/nginx_sync.py b/scripts/http_host/nginx_sync/nginx_sync.py
index 5c67c5f..bce6940 100755
--- a/scripts/http_host/nginx_sync/nginx_sync.py
+++ b/scripts/http_host/nginx_sync/nginx_sync.py
@@ -21,11 +21,11 @@ def cli():
 if not Path('/mnt/ofm').exists():
 sys.exit('mounter.py needs to be run first')
- with open(Path(__file__).parent / 'nginx_template.conf') as fp:
+ with open(Path(__file__).parent / 'nginx_template_cf.conf') as fp:
 nginx_template = fp.read()
 location_block_str = ''
- help_text = ''
+ curl_text = ''
 for subdir in Path('/mnt/ofm').iterdir():
 if not subdir.is_dir():
@@ -83,10 +83,11 @@ def cli():
 location_block_str += version_str
- if not help_text:
- help_text = (
+ if not curl_text:
+ curl_text = (
 '\ntest with:\n'
- f'curl -H "Host: ofm" -I http://localhost/{area}/{version}/14/8529/5975.pbf'
+ f'curl -H "Host: ofm" -I http://localhost/{area}/{version}/14/8529/5975.pbf\n'
+ f'curl -I https://tiles.openfreemap.com/{area}/{version}/14/8529/5975.pbf'
 )
 nginx_template = nginx_template.replace('___LOCATION_BLOCKS___', location_block_str)
@@ -98,7 +99,7 @@ def cli():
 subprocess.run(['nginx', '-t'], check=True)
 subprocess.run(['systemctl', 'reload', 'nginx'], check=True)
- print(help_text)
+ print(curl_text)
 if __name__ == '__main__':
diff --git a/scripts/http_host/nginx_sync/nginx_template.conf b/scripts/http_host/nginx_sync/nginx_template.conf
deleted file mode 100644
index d2b3c14..0000000
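Review bot: upload_certificates uploads the private key with `permissions='400'` but then runs `chown -R nginx:nginx /data/nginx`, which hands ownership of `openfreemap.com.key` (the path the new template points at) to the worker account. nginx's master process reads the certificate and key at startup, and in the usual root-master layout the workers never open them, so the key can stay `root:root` mode 400 and a compromised worker cannot read it; the recursive chown also covers `/data/nginx/sites` and `/data/nginx/config`, which nginx.py fills with configuration, so the served config ends up owned by the unprivileged account as well. I would drop the chown -R line, or narrow it to whatever the workers actually write, and confirm that `nginx -t` still passes afterwards. The loop also skips only `.gitignore`, so any other stray entry in `certs` (a subdirectory or an old key copy) is pushed to the host; filtering on the two expected file names would make the intent explicit.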
--- a/scripts/http_host/nginx_sync/nginx_template.conf
+++ /dev/null
@@ -1,21 +0,0 @@
- server {
- server_name ofm tiles.openfreemap.com;
-
- # disabling access log by default
- # access_log /data/ofm/http_host/logs_nginx/nginx-access.log access_json buffer=32k;
- access_log off;
-
- error_log /data/ofm/http_host/logs_nginx/nginx-error.log;
-
- ___LOCATION_BLOCKS___
-
- # we need to handle missing tiles as valid request returning empty string
- location @empty {
- default_type application/vnd.mapbox-vector-tile;
- return 200 '';
-
- add_header 'Access-Control-Allow-Origin' '*' always;
- add_header Cache-Control public;
- expires 10y;
- }
- }
diff --git a/scripts/http_host/nginx_sync/nginx_template_cf.conf b/scripts/http_host/nginx_sync/nginx_template_cf.conf
new file mode 100644
index 0000000..20efded
--- /dev/null
+++ b/scripts/http_host/nginx_sync/nginx_template_cf.conf
@@ -0,0 +1,37 @@
+ server {
+ server_name ofm tiles.openfreemap.com;
+
+ # ssl: https://ssl-config.mozilla.org / modern config
+ # to be used with the Cloudflare proxied endpoint
+
+ listen 80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ ssl_certificate /data/nginx/certs/openfreemap.com.pem;
+ ssl_certificate_key /data/nginx/certs/openfreemap.com.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+
+ # access log normally not enabled
+ #access_log /data/ofm/http_host/logs_nginx/tiles-com-access.log access_json buffer=32k;
+ access_log off;
+
+ error_log /data/ofm/http_host/logs_nginx/tiles-com-error.log;
+
+ ___LOCATION_BLOCKS___
+
+ # we need to handle missing tiles as valid request returning empty string
+ location @empty {
+ default_type application/vnd.mapbox-vector-tile;
+ return 200 '';
+
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header Cache-Control public;
+ expires 10y;
+ }
+ }
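Review bot: `listen 80;` in the new template serves the same `server_name`s and location blocks in the clear with no redirect to 443, so the TLS settings that follow only apply when the client chooses HTTPS. If the Cloudflare origin pull is configured for HTTPS, the port-80 listener can go or become a redirect; if it is kept on purpose for the `Host: ofm` localhost test that nginx_sync.py prints, a comment next to it should say so. `http2 on;` as a standalone directive is only accepted from nginx 1.25.1; on an older package `nginx -t` rejects the rendered config, and the older spelling is `listen 443 ssl http2;`. The Mozilla "modern" generator the comment points to also emits an HSTS header and OCSP stapling, neither of which appears here; if both are deliberately left to Cloudflare (HSTS set at the edge, stapling not meaningful for an origin-only certificate), the `# ssl:` comment should record that so nobody reintroduces them blindly later.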
diff --git a/ssh_lib/assets/nginx/nginx.conf b/ssh_lib/assets/nginx/nginx.conf
index e438098..078a412 100644
--- a/ssh_lib/assets/nginx/nginx.conf
+++ b/ssh_lib/assets/nginx/nginx.conf
@@ -44,24 +44,22 @@ http {
 log_format access_json '{'
 '"time": "$time_iso8601", '
- '"msec": "$msec", '
 '"status": $status, '
- '"request": "$request", '
 '"request_method": "$request_method", '
+ '"uri": "$uri", '
+ '"request": "$request", '
 '"request_time": $request_time, '
 '"body_bytes_sent": $body_bytes_sent, '
 '"remote_addr": "$remote_addr", '
- '"remote_user": "$remote_user", '
- '"http_referrer": "$http_referer", '
 '"http_x_forwarded_for": "$http_x_forwarded_for", '
- '"http_user_agent": "$http_user_agent", '
- '"host": "$host", '
- '"uri": "$uri", '
 '"http_cf_connecting_ip": "$http_cf_connecting_ip", '
- '"http_cf_ray": "$http_cf_ray", '
- '"http_cf_ipcountry": "$http_cf_ipcountry", '
+ '"http_referrer": "$http_referer", '
+ '"http_user_agent": "$http_user_agent", '
 '"scheme": "$scheme", '
- '"http_host": "$http_host"'
+ '"host": "$host", '
+ '"http_host": "$http_host", '
+ '"http_cf_ray": "$http_cf_ray", '
+ '"http_cf_ipcountry": "$http_cf_ipcountry"'
 '}';
 access_log /data/nginx/logs/nginx-access.log access_json buffer=32k;
diff --git a/ssh_lib/nginx.py b/ssh_lib/nginx.py
index 319af4f..ebe5674 100644
--- a/ssh_lib/nginx.py
+++ b/ssh_lib/nginx.py
@@ -49,6 +49,7 @@ def nginx(c):
 put(c, f'{ASSETS_DIR}/nginx/default_disable.conf', '/data/nginx/sites')
 put(c, f'{ASSETS_DIR}/nginx/cloudflare.conf', '/data/nginx/config')
+ c.sudo('nginx -t')
 c.sudo('service nginx restart')
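Review bot: The reordered `log_format` still interpolates `$request`, `$uri`, `$http_referer`, `$http_user_agent`, `$http_host` and the `cf_*` headers into a JSON document without `escape=json` (the context line `log_format access_json '{'` carries no escape parameter), so a `"` or backslash in a request line or User-Agent produces an unparseable record and lets a client inject fields of its choosing into whatever consumes the log. The fix is one token on that line, `log_format access_json escape=json '{'` (available since nginx 1.11.8), which also escapes control characters; the numeric fields `$status`, `$request_time` and `$body_bytes_sent` are unaffected. `http_x_forwarded_for` and `http_cf_connecting_ip` are plain request headers under the client's control, so they are only trustworthy for requests that actually arrived through Cloudflare — presumably what the `cloudflare.conf` include in nginx.py arranges, but a comment above the format saying so would save the next reader from treating them as verified. The enclosing `http {}` block starts before this hunk.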