tilecache: add basic nginx ssl configuration
authorGrant Slater <git@firefishy.com>
Sun, 5 Jan 2014 01:21:58 +0000 (01:21 +0000)
committerGrant Slater <git@firefishy.com>
Sun, 5 Jan 2014 01:21:58 +0000 (01:21 +0000)
cookbooks/tilecache/recipes/default.rb
cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb [new file with mode: 0644]

index 53b5abb42a947a0da8ad54bb609df8c524cef452..9357ee6d7f0a191dbd60cc92a371797b821aa1c6 100644 (file)
@@ -21,6 +21,7 @@ node.default[:ssl][:certificates] = node[:ssl][:certificates] | [ "tile.openstre
 
 include_recipe "ssl"
 include_recipe "squid"
+include_recipe "nginx"
 
 tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
 tilerenders = search(:node, "roles:tile").sort_by { |n| n[:hostname] }
@@ -60,3 +61,12 @@ template "/etc/logrotate.d/squid" do
   mode 0644
 end
 
+nginx_site "default" do
+  action :delete
+end
+
+nginx_site "tile-ssl" do
+  action :create
+  source "nginx_tile_ssl.conf.erb"
+end
+
diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
new file mode 100644 (file)
index 0000000..63d5e14
--- /dev/null
@@ -0,0 +1,16 @@
+server {
+    listen       443 ssl;
+    server_name  localhost;
+
+    ssl_certificate      /etc/ssl/certs/tile.openstreetmap.pem;
+    ssl_certificate_key  /etc/ssl/private/tile.openstreetmap.key;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    location / { proxy_pass http://127.0.0.1; }
+
+}
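Review bot: The `ssl_ciphers` line in the new server block lists `RC4` ahead of `HIGH`, and with `ssl_prefer_server_ciphers on` any client that cannot use the first two TLS 1.2-only suites is steered to RC4 even when it offers AES. The same line also excludes the AEAD suites with `!AESGCM`, so TLS 1.2 clients are limited to CBC-mode ciphers. I would drop both tokens, e.g. `ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH;`, and add a comment on why DH/EDH are excluded. Separately, `location /` proxies to `http://127.0.0.1` without forwarding headers, so the backend (presumably the squid instance from this recipe) receives `Host: 127.0.0.1` and sees every request as coming from loopback, which hides the client address from access logs and any per-client limits. Adding `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` would preserve both, provided the backend is configured to trust that header only from 127.0.0.1.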