1 upstream nominatim_service {
2 server unix:/run/php/nominatim.openstreetmap.org.sock;
5 map $uri $nominatim_script_name {
11 map $uri $nominatim_path_info {
17 ~(^|&)format=html(&|$) html;
21 map $uri/$format $forward_to_ui {
25 ~/reverse.*/default 0;
30 map $query_string $email_id {
31 ~(^|&)email=([^&]+) $2;
34 map $email_id $missing_email {
39 map $http_user_agent $missing_ua {
44 map $http_referer $missing_referer {
52 <% @frontends.each do |frontend| -%>
53 <% frontend.ipaddresses(:role => :external).sort.each do |address| -%>
63 map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
65 "11" 2; # block any requests without identifier
66 include <%= @confdir %>/nginx_blocked_user_agent.conf;
69 map $missing_email$missing_ua$http_referer $blocked_referrer {
71 include <%= @confdir %>/nginx_blocked_referrer.conf;
74 map $missing_referer$missing_ua$email_id $blocked_email {
76 include <%= @confdir %>/nginx_blocked_email.conf;
79 map $whitelisted $limit_www {
81 0 $binary_remote_addr;
84 map $blocked_user_agent $limit_tarpit {
86 1 $binary_remote_addr;
87 2 $binary_remote_addr;
90 map $missing_email$missing_referer$http_user_agent $generic_mozilla {
96 map $whitelisted$generic_mozilla$uri $limit_reverse {
98 ~01/reverse.* $binary_remote_addr;
99 ~02/reverse.* $binary_remote_addr;
102 limit_req_zone $limit_www zone=www:50m rate=2r/s;
103 limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
104 limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
105 limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m;
108 listen 80 default_server;
109 listen [::]:80 default_server;
111 access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
112 error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
114 location /nginx_status {
122 rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
125 return 301 https://$host$request_uri;
131 listen 443 ssl http2 default_server;
133 listen [::]:443 ssl http2 default_server;
134 server_name localhost;
136 ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem;
137 ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key;
139 root <%= @directory %>/website;
142 access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
143 error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
145 location /nginx_status {
153 error_page 403 /403.html;
155 limit_req zone=blocked burst=5;
158 error_page 429 /509.html;
160 limit_req zone=blocked burst=5;
164 try_files $uri $uri/ @php;
168 alias <%= @ui_directory %>/dist/;
173 add_header Access-Control-Allow-Origin "*" always;
177 if ($blocked_user_agent ~ ^2$)
179 if ($blocked_referrer)
183 include <%= @confdir %>/nginx_blocked_generic.conf;
185 limit_req zone=www burst=10;
186 limit_req zone=tarpit burst=5;
187 limit_req zone=reverse burst=5;
188 limit_req_status 429;
189 fastcgi_pass nominatim_service;
190 include fastcgi_params;
191 fastcgi_param QUERY_STRING $args;
192 fastcgi_param PATH_INFO "$nominatim_path_info";
193 fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name";
194 if ($forward_to_ui) {
195 rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
200 if ($blocked_user_agent ~ ^2$)
202 if ($blocked_referrer)
206 include <%= @confdir %>/nginx_blocked_generic.conf;
208 limit_req zone=www burst=10;
209 limit_req zone=tarpit burst=2;
210 limit_req zone=reverse burst=5;
211 limit_req_status 429;
212 fastcgi_pass nominatim_service;
213 include fastcgi_params;
214 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
216 if ($forward_to_ui) {
217 rewrite (.*).php https://$host/ui$1.html redirect;