Allow hsts preload

[chef.git] / cookbooks / tilecache / templates / default / nginx_tile_ssl.conf.erb

diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
index 14a13a0e73e798c4cd8cff5358f320967f7ef98b..ac62a3775c07c5e6564a19374f93b059fd3e904f 100644 (file)
--- a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
@@ -1,3 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
 upstream tile_cache_backend {
     server 127.0.0.1;
     <% @caches.each do |cache| -%>
@@ -12,16 +14,14 @@ upstream tile_cache_backend {
     keepalive 32;
 }
 
-# Rates table based on cookie value
+# Rates table based on current cookie value
 map $cookie_qos_token $limit_rate_qos {
-  default 8192; # Default Rate
-  "test" 32768; # FIXME - Future TOTP Token
+  include /etc/nginx/conf.d/tile_qos_rates.map;
 }
 
+# Set-Cookie table based on current cookie value
 map $cookie_qos_token $cookie_qos_token_set {
-  # Cookie Domain per RFC 6265
-  default 'qos_token=test; Secure; httponly; Max-Age=3600; Domain=tile.openstreetmap.org; Path=/'; # FIXME - Future TOTP Token
-  "test" ''; # Do not Set-Cookie if current is valid
+  include /etc/nginx/conf.d/tile_qos_cookies.map;
 }
 
 map $http_user_agent $approved_scraper {
@@ -50,18 +50,8 @@ server {
 
     proxy_buffers 8 64k;
 
-    ssl_certificate      /etc/ssl/certs/<%= @certificate %>.pem;
-    ssl_certificate_key  /etc/ssl/private/<%= @certificate %>.key;
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers <%= node[:ssl][:ciphers] -%>;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:50m;
-    ssl_session_timeout 30m;
-    ssl_stapling on;
-    ssl_dhparam /etc/ssl/certs/dhparam.pem;
-    resolver <%= @resolvers.join(" ") %>;
-    resolver_timeout 5s;
+    ssl_certificate      /etc/ssl/certs/tile.openstreetmap.org.pem;
+    ssl_certificate_key  /etc/ssl/private/tile.openstreetmap.org.key;
 
     location / {
       proxy_pass http://tile_cache_backend;
@@ -82,15 +72,25 @@ server {
 
       # Set a QoS cookie if none presented (uses nginx Map)
       add_header Set-Cookie $cookie_qos_token_set;
+<% if node[:ssl][:strict_transport_security] -%>
+      # Ensure Strict-Transport-Security header is removed from proxied server responses
+      proxy_hide_header Strict-Transport-Security;
+
+      # Enable HSTS
+      add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
 
       # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html
       set $limit_rate $limit_rate_qos;
 
       # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map)
       if ($approved_scraper) {
-        set $limit_rate 16384;
+        set $limit_rate 32768;
       }
 
+      # Strip any ?query parameters from urls
+      set $args '';
+
       # Allow cache purging headers only from select User-Agents (uses nginx Map)
       proxy_set_header Cache-Control $limit_http_cache_control;
       proxy_set_header Pragma $limit_http_pragma;