From: Grant Slater
Date: Fri, 22 Nov 2019 14:37:15 +0000 (+0000)
Subject: tilecache: remove cache poisoning headers
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/e45623f4f4d32626d7a336bcc310894e731863b2

tilecache: remove cache poisoning headers
---
diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
index d461b0640..f53cb4ec4 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
@@ -179,14 +179,28 @@ server {
 proxy_http_version 1.1;
 proxy_set_header Connection '';
- proxy_connect_timeout 5s;
+ proxy_connect_timeout 10s;
- # Preserve host header.
- proxy_set_header Host $host;
+ # Replace host header.
+ proxy_set_header Host 'tile.openstreetmap.org';
 # Do not pass cookies to backends.
 proxy_set_header Cookie '';
 # Do not pass Accept-Encoding to backends.
 proxy_set_header Accept-Encoding '';
+ # Do not pass Accept to backends.
+ proxy_set_header Accept '';
+ # Do not pass Accept-Language to backends as unused.
+ proxy_set_header Accept-Language '';
+ proxy_set_header Accept-Charset '';
+ # Do not send origin, we allow all.
+ proxy_set_header origin '';
+ # Do not pass invalid header to backend.
+ proxy_set_header X-Forwarded-Host '';
+ proxy_set_header X-Host '';
+ proxy_set_header Authorization '';
+
+ # Drop partial requests
+ proxy_set_header range '';
 # Do not allow setting cookies from backends due to caching.
 proxy_ignore_headers Set-Cookie;
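Review bot: The header stripping added after `proxy_set_header Accept-Encoding '';` only holds at the config level where it is written, because nginx inherits `proxy_set_header` from the outer level only when the inner level defines none of its own; a nested `location` that sets even one header would forward the client's `Host`, `X-Forwarded-Host`, `Authorization` and the rest unchanged. The enclosing block starts and ends outside this hunk, so whether such a location exists cannot be checked from here; a comment such as `# proxy_set_header is not merged across levels: any location that sets its own must repeat this list` would guard against that regression. This is also a denylist, so any request header not listed still reaches the backend, and it is worth confirming that the backend does not vary its response on any of them. The comment `# Do not pass invalid header to backend.` is inaccurate for `Authorization`; something like `# Drop client-supplied host-override and credential headers so they cannot influence a cached response.` states the reason.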