1 upstream nominatim_service {
2 server 127.0.0.1:<%= @pools[:www][:port ]%>;
5 map $uri $nominatim_script_name {
11 map $uri $nominatim_path_info {
15 map $query_string $email_id {
16 ~(^|&)email=([^&]+) $2;
19 map $email_id $missing_email {
24 map $http_user_agent $missing_ua {
29 map $http_referer $missing_referer {
37 <% @frontends.each do |frontend| -%>
38 <% frontend.ipaddresses(:role => :external) do |address| -%>
48 map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
50 "11" 2; # block any requests without identifier
51 include <%= @confdir %>/nginx_blocked_user_agent.conf;
54 map $missing_email$missing_ua$http_referer $blocked_referrer {
56 include <%= @confdir %>/nginx_blocked_referrer.conf;
59 map $missing_referer$missing_ua$email_id $blocked_email {
61 include <%= @confdir %>/nginx_blocked_email.conf;
64 map $whitelisted $limit_www {
66 0 $binary_remote_addr;
69 map $blocked_user_agent $limit_tarpit {
71 1 $binary_remote_addr;
72 2 $binary_remote_addr;
75 limit_req_zone $limit_www zone=www:50m rate=2r/s;
76 limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
77 limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
80 listen 80 default_server;
81 listen [::]:80 default_server;
83 access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
84 error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
86 location /nginx_status {
94 rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
97 return 301 https://$host$request_uri;
103 listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
105 listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
106 server_name localhost;
108 ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem;
109 ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key;
111 root <%= @directory %>/website;
114 access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
115 error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
117 location /nginx_status {
125 error_page 403 /403.html;
127 limit_req zone=blocked burst=5;
130 error_page 429 /509.html;
132 limit_req zone=blocked burst=5;
136 try_files $uri $uri/ @php;
140 if ($blocked_user_agent ~ ^2$)
142 if ($blocked_referrer)
147 limit_req zone=www burst=10;
148 limit_req zone=tarpit burst=2;
149 limit_req_status 429;
150 fastcgi_pass nominatim_service;
151 include fastcgi_params;
152 fastcgi_param QUERY_STRING $args;
153 fastcgi_param PATH_INFO "$nominatim_path_info";
154 fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name";
158 if ($blocked_user_agent ~ ^2$)
160 if ($blocked_referrer)
165 limit_req zone=www burst=10;
166 limit_req zone=tarpit burst=2;
167 limit_req_status 429;
168 fastcgi_pass nominatim_service;
169 include fastcgi_params;
170 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;