nginx: enable TLS 1.3

[chef.git] / cookbooks / tilecache / templates / default / nginx_tile.conf.erb

diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
index d5d40405c89a528a9b497af513e79531be3a2823..611bd4a73a52cab8e72c331110ae54055f64567d 100644 (file)
--- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
@@ -29,12 +29,12 @@ geo $tile_cache {
 }
 
 # Rates table based on current cookie value
-map $cookie_qos_token $limit_rate_qos {
+map $cookie__osm_totp_token $limit_rate_qos {
   include /etc/nginx/conf.d/tile_qos_rates.map;
 }
 
 # Set-Cookie table based on current cookie value
-map $cookie_qos_token $cookie_qos_token_set {
+map $cookie__osm_totp_token $cookie_qos_token_set {
   include /etc/nginx/conf.d/tile_qos_cookies.map;
 }
 
@@ -53,7 +53,6 @@ map $http_user_agent $denied_scraper {
   '~^R$'                 1; # Library Default
   '~^Java\/'             1; # Library Default
   '~^tiles$'             1; # Library Default
-  '~^Dalvik\/'           1; # Library Default
   '~^runtastic'          1; # App
   'Mozilla/4.0'          1; # Fake
   'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1;  # Fake
@@ -94,6 +93,76 @@ server {
     ssl_certificate      /etc/ssl/certs/tile.openstreetmap.org.pem;
     ssl_certificate_key  /etc/ssl/private/tile.openstreetmap.org.key;
 
+    # Requests sent within early data are subject to replay attacks.
+    # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+    ssl_early_data on;
+
+    # Immediately 404 layers we do not support
+<% for i in 20..99 do %>
+    location /<%= i %>/ {
+      set $limit_rate 512;
+      return 404;
+    }
+<% end %>
+
+    # Immediately 404 silly tile requests
+    location = /0/0/-1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /1/0/-1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /1/-1/0.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /1/-1/1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /1/-1/-1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /1/-1/2.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /1/1/-1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /1/2/-1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /2/0/-1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /2/-1/0.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /2/-1/1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /2/1/-1.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /2/-1/2.png {
+      set $limit_rate 512;
+      return 404;
+    }
+    location = /2/-1/3.png {
+      set $limit_rate 512;
+      return 404;
+    }
+
     location / {
       proxy_pass http://tile_cache_backend;
       proxy_set_header X-Forwarded-For $remote_addr;