From 760e5e31409e1de5d52f10decbe31688f5157f07 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 16 Jan 2018 12:30:17 +0000
Subject: [PATCH 1/1] Fix HSTS for tile caches
---
 .../tilecache/templates/default/nginx_tile_ssl.conf.erb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
index a517b2075..cd8775dab 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
@@ -52,10 +52,6 @@ server {
 ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
 ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
-<% if node[:ssl][:strict_transport_security] -%>
-
- add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
-<% end -%>
 location / {
 proxy_pass http://tile_cache_backend;
@@ -76,6 +72,11 @@ server {
 # Set a QoS cookie if none presented (uses nginx Map)
 add_header Set-Cookie $cookie_qos_token_set;
+<% if node[:ssl][:strict_transport_security] -%>
+
+ # Enable HSTS
+ add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
 # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html
 set $limit_rate $limit_rate_qos;
-- 
2.43.2
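Review bot: The `# Enable HSTS` comment added in the second hunk does not record why the header has to sit inside `location /`: nginx inherits `add_header` from the enclosing level only when the current level defines none, and this location already sets `Set-Cookie`. I would word it as `# HSTS must be set here: this location's own add_header stops inheritance from the server block`, so a later cleanup does not hoist it back out. Because the first hunk removes the server-level copy, any other location in this server block that has no `add_header` of its own (none is visible in the patch) would presumably stop sending the header; keeping the server-level directive as well as the location-level one would cover that case. The server block and the `location /` body both start and end outside the hunks.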