nominatim: allow blocking by email field

[chef.git] / cookbooks / nominatim / templates / default / nginx.erb

upstream nominatim_service {
  server 127.0.0.1:<%= @pools[:www][:port ]%>;
}

map $uri $nominatim_script_name {
    ~^(.+?\.php)         $1;
    ~^/([^/]+)           $1.php;
    ^$                   search.php;
}

map $uri $nominatim_path_info {
    ~^/([^/]+)(.*)$      $2;
}

map $query_string $email_id {
    ~(^|&)email=([^&]+)  $2;
}

map $email_id $missing_email {
    default "";
    "" 1;
}

map $http_user_agent $missing_ua {
    default "";
    "" 1;
}

map $http_referer $missing_referer {
    default "";
    "" 1;
}

# Whitelisted IPs
geo $whitelisted {
    default 0;
<% @frontends.each do |frontend| -%>
<% frontend.ipaddresses(:role => :external) do |address| -%>
    <%= address %> 1;
<% end -%>
<% end -%>
    46.235.224.148 1;
    209.132.180.180 1;
    209.132.180.168 1;
    8.43.85.23 1; # gnome
}

map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
   default 0;
   "11" 2; # block any requests without identifier
   include <%= @confdir %>/nginx_blocked_user_agent.conf;
}

map $missing_email$missing_ua$http_referer $blocked_referrer {
   default 0;
   include <%= @confdir %>/nginx_blocked_referrer.conf;
}

map $missing_referer$missing_ua$http_referer $blocked_email {
   default 0;
   include <%= @confdir %>/nginx_blocked_email.conf;
}

map $whitelisted $limit_www {
    1 "";
    0 $binary_remote_addr;
}

map $blocked_user_agent $limit_tarpit {
    0 "";
    1 $binary_remote_addr;
    2 $binary_remote_addr;
}

limit_req_zone $limit_www zone=www:50m rate=2r/s;
limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
    error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;

    location /nginx_status {
        stub_status on;
        access_log   off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

     rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;

     location / {
         return 301 https://$host$request_uri;
     }
}

server {
    # IPv4
    listen       443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
    # IPv6
    listen       [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
    server_name  localhost;

    ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem;
    ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key;

    root <%= @directory %>/website;
    index search.php;

    access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
    error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;

    location /nginx_status {
        stub_status on;
        access_log   off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    error_page 403 /403.html;
    location /403.html {
        limit_req zone=blocked burst=5;
    }

    error_page 429 /509.html;
    location /509.html {
        limit_req zone=blocked burst=5;
    }

    location / {
        if ($blocked_user_agent ~ ^2$)
        { return 403; }
        if ($blocked_referrer)
        { return 403; }
        if ($blocked_email)
        { return 403; }

        try_files $uri $uri/ @php;
    }

    location @php {
        limit_req zone=www burst=10;
        limit_req zone=tarpit burst=2;
        limit_req_status 429;
        fastcgi_pass nominatim_service;
        include fastcgi_params;
        fastcgi_param QUERY_STRING    $args;
        fastcgi_param PATH_INFO       "$nominatim_path_info";
        fastcgi_param SCRIPT_FILENAME  "$document_root/$nominatim_script_name";
    }

    location ~* \.php$ {
        limit_req zone=www burst=10;
        limit_req zone=tarpit burst=2;
        limit_req_status 429;
        fastcgi_pass    nominatim_service;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
    }
}