From 5d7a8f818d35fc59408204ff7ca10c5eef541569 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Sun, 5 Jan 2014 01:21:58 +0000
Subject: [PATCH] tilecache: add basic nginx ssl configuration
---
 cookbooks/tilecache/recipes/default.rb | 10 ++++++++++
 .../templates/default/nginx_tile_ssl.conf.erb | 16 ++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
diff --git a/cookbooks/tilecache/recipes/default.rb b/cookbooks/tilecache/recipes/default.rb
index 53b5abb42..9357ee6d7 100644
--- a/cookbooks/tilecache/recipes/default.rb
+++ b/cookbooks/tilecache/recipes/default.rb
@@ -21,6 +21,7 @@ node.default[:ssl][:certificates] = node[:ssl][:certificates] | [ "tile.openstre
 include_recipe "ssl"
 include_recipe "squid"
+include_recipe "nginx"
 tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
 tilerenders = search(:node, "roles:tile").sort_by { |n| n[:hostname] }
@@ -60,3 +61,12 @@ template "/etc/logrotate.d/squid" do
 mode 0644
 end
+nginx_site "default" do
+ action :delete
+end
+
+nginx_site "tile-ssl" do
+ action :create
+ source "nginx_tile_ssl.conf.erb"
+end
+
diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
new file mode 100644
index 000000000..63d5e14f4
--- /dev/null
+++ b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
@@ -0,0 +1,16 @@
+server {
+ listen 443 ssl;
+ server_name localhost;
+
+ ssl_certificate /etc/ssl/certs/tile.openstreetmap.pem;
+ ssl_certificate_key /etc/ssl/private/tile.openstreetmap.key;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ location / { proxy_pass http://127.0.0.1; }
+
+}
--
2.43.2
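Review bot: The `ssl_ciphers` string in the new server block ranks `RC4` ahead of `HIGH` and excludes `!AESGCM`, so with `ssl_prefer_server_ciphers on` any client that cannot negotiate the two SHA-2 CBC suites listed first is handed RC4, and TLS 1.2 clients are never offered an AEAD suite. RC4 is prohibited for TLS by RFC 7465; I would remove it and readmit GCM, e.g. `ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES;`, and narrow `ssl_protocols` to `TLSv1.2` if the tile client base allows it. Separately, `proxy_pass http://127.0.0.1;` forwards nginx's default `Host` value and no client address, so the backend on port 80 (presumably squid, not visible in this patch) would see every TLS request as coming from 127.0.0.1. Adding `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` inside `location /` would keep both available for logging and access control.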