# DO NOT EDIT - This file is being maintained by Chef
# Basic server configuration
ServerName <%= node.name %>
ServerAlias tile.openstreetmap.org
ServerAlias render.openstreetmap.org
ServerAdmin webmaster@openstreetmap.org
#
# Enable SSL
#
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/ssl/certs/<%= node[:fqdn] %>.pem
SSLCertificateKeyFile /etc/ssl/private/<%= node[:fqdn] %>.key
# Configure location of static files and CGI scripts
DocumentRoot /srv/tile.openstreetmap.org/html
ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
# Setup logging
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
CustomLog /var/log/apache2/access.log combined_with_remoteip
ErrorLog /var/log/apache2/error.log
BufferedLogs on
# Always set Access-Control-Allow-Origin so that simple CORS requests
# will always work and can be cached
Header set Access-Control-Allow-Origin "*"
# Add diagnostics header to identify render server
Header set X-TileRender "<%= node.name %>"
# Tell clients to use stale tiles if necessary
Header append Cache-Control "stale-while-revalidate=604800, stale-if-error=604800" "expr=%{CONTENT_TYPE} == 'image/png'"
# Remove Proxy request header to mitigate https://httpoxy.org/
RequestHeader unset Proxy early
# Enable the rewrite engine
RewriteEngine on
# Rewrite tile requests to the default style
RewriteRule ^/(\d+)/(\d+)/(\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/status/?$ /default/$1/$2/$3.png/status [PT,T=text/plain,L]
RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/dirty/?$ /default/$1/$2/$3.png/dirty [PT,T=text/plain,L]
# Historical Files redirect
RedirectPermanent /processed_p.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/
RedirectPermanent /shoreline_300.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/
RedirectPermanent /world_boundaries-spherical.tgz https://planet.openstreetmap.org/historical-shapefiles/
# Redirect ACME certificate challenges
RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
# Restrict tile access to CDN nodes and admins
<% @fastly.sort.each do |address| -%>
Require ip <%= address %>
<% end -%>
<% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%>
Require ip <%= address %>
<% end -%>
<% @admins.sort.each do |address| -%>
Require ip <%= address %>
<% end -%>
Require ip 130.117.76.0/27
Require ip 2001:978:2:2C::/64
Require ip 184.104.226.96/27
Require ip 2001:470:1:b3b::/64
Require ip 193.60.236.0/24
# Get the real remote IP for requests via a trusted proxy
RemoteIPHeader Fastly-Client-IP
<% @fastly.sort.each do |address| -%>
RemoteIPTrustedProxy <%= address %>
<% end -%>
# Enforce rate limits
RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
# Internal endpoint for blocked users
Header always set Cache-Control private
Redirect 429
# Basic server configuration
ServerName <%= node.name %>
ServerAlias tile.openstreetmap.org
ServerAlias render.openstreetmap.org
ServerAdmin webmaster@openstreetmap.org
# Setup logging
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
CustomLog /var/log/apache2/access.log combined_with_remoteip
ErrorLog /var/log/apache2/error.log
BufferedLogs on
# Always set Access-Control-Allow-Origin so that simple CORS requests
# will always work and can be cached
Header set Access-Control-Allow-Origin "*"
# Add diagnostics header to identify render server
Header set X-TileRender "<%= node.name %>"
# Remove Proxy request header to mitigate https://httpoxy.org/
RequestHeader unset Proxy early
# Enable the rewrite engine
RewriteEngine on
# Redirect ACME certificate challenges
RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
# Redirect to https
RewriteCond %{REQUEST_URI} !^/server-status$
RewriteCond %{REQUEST_URI} !^/mod_tile$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=permanent,L]
Options None
AllowOverride None
Require all granted
Options ExecCGI
AllowOverride None
Require all granted