upstream nominatim_service {
-<% if node[:nominatim][:api_flavour] == "php" %>
- server unix:/run/php/php-nominatim.openstreetmap.org-fpm.sock fail_timeout=0;
-<% elsif node[:nominatim][:api_flavour] == "python" %>
server unix:/run/gunicorn-nominatim.openstreetmap.org.sock fail_timeout=0;
-<% end -%>
}
map $uri $nominatim_script_name {
- ~^(.+?\.php) $1;
- ~^/([^/]+) $1.php;
- ^$ search.php;
+ ~^/*(.+?)\.php $1;
+ ~^/*([^/]+) $1;
+ ^$ search;
}
map $uri $nominatim_path_info {
2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome
2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome
2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
+ 34.234.151.67 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
+ 54.165.53.199 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
+ 35.153.15.118 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
+}
+
+map $server_protocol$http_user_agent $cleaned_user_agent {
+ default $http_user_agent;
+ "~^HTTP/1..Mozilla/" Script$http_user_agent;
}
-map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
+map $missing_email$missing_referer$cleaned_user_agent $blocked_user_agent {
default 0;
"11" 2; # block any requests without identifier
include <%= @confdir %>/nginx_blocked_user_agent.conf;
ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem;
ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key;
-<% if node[:nominatim][:api_flavour] == "php" %>
- root <%= @directory %>/website;
-<% else -%>
root <%= @directory %>/static-website;
-<% end -%>
- index search.php;
+ index /search;
access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
add_header Access-Control-Allow-Origin "*" always;
}
+ location ~* ^/(search|reverse)(\.php)?/ {
+ error_page 404 /404-old-search-syntax.html;
+ return 404;
+ }
+
location @php {
+ if ($forward_to_ui) {
+ rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
+ }
if ($blocked_user_agent ~ ^2$)
{ return 403; }
if ($blocked_referrer)
{ return 403; }
if ($blocked_email)
{ return 403; }
+ if ($args ~* "q=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ &]")
+ { return 418; }
include <%= @confdir %>/nginx_blocked_generic.conf;
limit_req zone=www burst=10;
limit_req zone=tarpit burst=5;
limit_req zone=reverse burst=5;
limit_req_status 429;
-<% if node[:nominatim][:api_flavour] == "php" %>
- fastcgi_pass nominatim_service;
- include fastcgi_params;
- fastcgi_param QUERY_STRING $args;
- fastcgi_param PATH_INFO "$nominatim_path_info";
- fastcgi_param SCRIPT_FILENAME "<%= @directory %>/website/$nominatim_script_name";
-<% elsif node[:nominatim][:api_flavour] == "python" %>
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Content-Type' 'text/plain; charset=UTF-8';
+ add_header 'Content-Length' 0;
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods 'GET,OPTIONS';
+ add_header Access-Control-Allow-Headers $http_access_control_request_headers;
+ return 204;
+ }
+
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_pass http://nominatim_service;
-<% end -%>
- if ($forward_to_ui) {
- rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
- }
}
-
-<% if node[:nominatim][:api_flavour] == "php" %>
- location ~* \.php$ {
- if ($blocked_user_agent ~ ^2$)
- { return 403; }
- if ($blocked_referrer)
- { return 403; }
- if ($blocked_email)
- { return 403; }
- include <%= @confdir %>/nginx_blocked_generic.conf;
-
- limit_req zone=www burst=10;
- limit_req zone=tarpit burst=2;
- limit_req zone=reverse burst=5;
- limit_req_status 429;
- fastcgi_pass nominatim_service;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME <%= @directory %>/website/$fastcgi_script_name;
-
- if ($forward_to_ui) {
- rewrite (.*).php https://$host/ui$1.html redirect;
- }
- }
-<% end -%>
}