'http://osm.org' 1; # Faked
}
+map $http_referer $osm_referer {
+ default ''; # False
+ '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True
+}
+
# Limit Cache-Control header to only approved User-Agents
-map $http_user_agent $limit_http_cache_control {
- default ''; # Unset Header
- '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
- '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header
+map $osm_referer$http_user_agent $limit_http_cache_control {
+ default ''; # Unset Header
+ '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header
+ '~^osmMozilla\/5\.0\ ' $http_cache_control; # Pass Header
}
# Limit Pragma header to only approved User-Agents
-map $http_user_agent $limit_http_pragma {
- default ''; # Unset Header
- '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header
- '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header
+map $osm_referer$http_user_agent $limit_http_pragma {
+ default ''; # Unset Header
+ '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header
+ '~^osmMozilla\/5\.0\ ' $http_pragma; # Pass Header
}
server {
# Dedicated zoom handler for caching
location /<%= i %>/ {
<% end %>
+ # Only allow GET / HEAD / OPTIONS (CORS) requests
+ limit_except GET HEAD OPTIONS {
+ deny all;
+ }
+
proxy_pass http://tile_cache_backend;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_http_version 1.1;
proxy_set_header Accept-Charset '';
# Do not send origin, we allow all.
proxy_set_header origin '';
- # Do not pass invalid header to backend.
+ # Do not pass invalid headers to backend.
proxy_set_header X-Forwarded-Host '';
proxy_set_header X-Host '';
proxy_set_header Authorization '';
+ proxy_set_header Proxy-Authorization '';
# Drop partial requests
proxy_set_header range '';
projects / chef.git / blobdiff