# DO NOT EDIT - This file is being maintained by Chef
+#
+# Setup logging
+#
+SetEnvIfNoCase Authorization "^Basic " AUTH_METHOD=basic
+SetEnvIfNoCase Authorization "^OAuth " AUTH_METHOD=oauth1
+SetEnvIfNoCase Authorization "^Bearer " AUTH_METHOD=oauth2
+SetEnvIfExpr "%{QUERY_STRING} =~ /(^|&)oauth_signature=/" AUTH_METHOD=oauth1
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{AUTH_METHOD}e" combined_with_time
+CustomLog /var/log/apache2/access.log combined_with_time
+ErrorLog /var/log/apache2/error.log
+
<VirtualHost *:443>
#
# Basic server configuration
SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
- #
- # Setup logging
- #
- LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time
- CustomLog /var/log/apache2/access.log combined_with_time
- CustomLog /var/log/apache2/basic.log combined_with_time "expr=%{HTTP:WWW-Authenticate} =~ /^Basic/i"
- ErrorLog /var/log/apache2/error.log
+ # Get the real remote IP for requests via a trusted proxy
+ RemoteIPHeader CF-Connecting-IP
+<% @cloudflare.sort.each do |address| -%>
+ RemoteIPTrustedProxy <%= address %>
+<% end -%>
#
# Turn on various features
ExpiresActive On
RewriteEngine on
+ #
+ # Configure timeouts
+ #
+ RequestReadTimeout handshake=20-40,MinRate=500 header=20-40,MinRate=500 body=20-120,MinRate=500
+ LogLevel reqtimeout:info
+
#
# Add the unique ID to the request headers
#
RewriteCond %{HTTP_USER_AGENT} "OSMApp Tuner"
RewriteRule . - [F,L]
+ #
+ # Block trace scraper
+ #
+ RewriteCond %{HTTP_USER_AGENT} "python-httpx/0.24.1"
+ RewriteRule . - [F,L]
+
+ #
+ # Block out of control spider
+ #
+ RewriteCond %{HTTP_USER_AGENT} "Bytespider"
+ RewriteRule . - [F,L]
+
#
# Block attempts to access old API versions
#
#
# Pass supported calls to cgimap
#
- RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+ RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
- RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
- RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
- RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
- RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
- RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
- RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
- RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
#
# Redirect trac and wiki requests to the right places