DocumentRoot /srv/tile.openstreetmap.org/html
ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
+ # Get the real remote IP for requests via a trusted proxy
+ RemoteIPHeader Fastly-Client-IP
+<% @fastly.sort.each do |address| -%>
+ RemoteIPTrustedProxy <%= address %>
+<% end -%>
+
# Setup logging
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
CustomLog /var/log/apache2/access.log combined_with_remoteip
# Restrict tile access to CDN nodes and admins
<LocationMatch ^/default/\d+/\d+/\d+\.png$>
+ Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}"
+ # Fastly POPs
<% @fastly.sort.each do |address| -%>
Require ip <%= address %>
<% end -%>
+ # StatusCake monitoring
<% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%>
Require ip <%= address %>
<% end -%>
+ # Administrators
<% @admins.sort.each do |address| -%>
Require ip <%= address %>
<% end -%>
- Require ip 130.117.76.0/27
- Require ip 2001:978:2:2C::/64
+ # OSM Amsterdam IPv4
+ Require ip 184.104.179.128/27
+ # OSM Amsterdam IPv6
+ Require ip 2001:470:1:fa1::/64
+ # OSM Dublin IPv4
Require ip 184.104.226.96/27
+ # OSM Dublin IPv6
Require ip 2001:470:1:b3b::/64
+ # OSM UCL IPv4
Require ip 193.60.236.0/24
</LocationMatch>
-
- # Get the real remote IP for requests via a trusted proxy
- RemoteIPHeader Fastly-Client-IP
-<% @fastly.sort.each do |address| -%>
- RemoteIPTrustedProxy <%= address %>
-<% end -%>
-
- # Enforce rate limits
- RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
- RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
- RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
-
- # Internal endpoint for blocked users
- <Location /blocked>
- Header always set Cache-Control private
- Redirect 429
- </Location>
</VirtualHost>
<VirtualHost *:80>
projects / chef.git / blobdiff