X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/e45623f4f4d32626d7a336bcc310894e731863b2..db079c5b812a1cab38f2c7707a9d1c842fe71bd4:/cookbooks/tilecache/templates/default/nginx_tile.conf.erb

diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
index f53cb4ec4..eb7cb6771 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
@@ -73,18 +73,23 @@ map $http_referer $denied_referer {
   'http://osm.org'                 1; # Faked
 }
 
+map $http_referer $osm_referer {
+  default                                 '';    # False
+  '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True
+}
+
 # Limit Cache-Control header to only approved User-Agents
-map $http_user_agent $limit_http_cache_control {
-  default '';                              # Unset Header
-  '~^Mozilla\/5\.0\ QGIS\/' '';            # Unset Header
-  '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header
+map $osm_referer$http_user_agent $limit_http_cache_control {
+  default '';                                # Unset Header
+  '~^osmMozilla\/5\.0\ QGIS\/' '';            # Unset Header
+  '~^osmMozilla\/5\.0\ ' $http_cache_control; # Pass Header
 }
 
 # Limit Pragma header to only approved User-Agents
-map $http_user_agent $limit_http_pragma {
-  default '';                       # Unset Header
-  '~^Mozilla\/5\.0\ QGIS\/' '';     # Unset Header
-  '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header
+map $osm_referer$http_user_agent $limit_http_pragma {
+  default '';                          # Unset Header
+  '~^osmMozilla\/5\.0\ QGIS\/' '';     # Unset Header
+  '~^osmMozilla\/5\.0\ ' $http_pragma; # Pass Header
 }
 
 server {
@@ -174,6 +179,11 @@ server {
     # Dedicated zoom handler for caching
     location /<%= i %>/ {
 <% end %>
+      # Only allow GET / HEAD / OPTIONS (CORS) requests
+      limit_except GET HEAD OPTIONS {
+        deny all;
+      }
+
       proxy_pass http://tile_cache_backend;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_http_version 1.1;
@@ -194,10 +204,11 @@ server {
       proxy_set_header Accept-Charset '';
       # Do not send origin, we allow all.
       proxy_set_header origin '';
-      # Do not pass invalid header to backend.
+      # Do not pass invalid headers to backend.
       proxy_set_header X-Forwarded-Host '';
       proxy_set_header X-Host '';
       proxy_set_header Authorization '';
+      proxy_set_header Proxy-Authorization '';
 
       # Drop partial requests
       proxy_set_header range '';