X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/d4a74eb0ce478386a1f5cf927708d1f2a485e7dd..4a113afcc41328a691818b323809acc890854d9a:/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb?ds=sidebyside
diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
index c441c039c..cd8775dab 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
@@ -53,16 +53,6 @@ server {
 ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
 ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers <%= node[:ssl][:ciphers] -%>;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 30m;
- ssl_stapling on;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- resolver <%= @resolvers.join(" ") %>;
- resolver_timeout 5s;
-
 location / {
 proxy_pass http://tile_cache_backend;
 proxy_set_header X-Forwarded-For $remote_addr;
@@ -82,6 +72,11 @@ server {
 # Set a QoS cookie if none presented (uses nginx Map)
 add_header Set-Cookie $cookie_qos_token_set;
+<% if node[:ssl][:strict_transport_security] -%>
+
+ # Enable HSTS
+ add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
+<% end -%>
 # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html
 set $limit_rate $limit_rate_qos;
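Review bot: The added `add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;` in the second hunk only applies to the block it is rendered into, beside `add_header Set-Cookie $cookie_qos_token_set;`. nginx inherits `add_header` from an outer level only when the current block declares none of its own, so any other location in this server that sets its own headers would answer without HSTS. The enclosing block starts and ends outside the hunk, so whether such locations exist cannot be confirmed from here. I would widen the comment to `# Enable HSTS (add_header is not inherited by blocks that set their own headers; repeat it in any other location)`. The attribute is also interpolated unescaped into a double-quoted nginx string, so a value containing `"` would break the rendered config and is worth validating in the recipe.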