+upstream nominatim_service {
+<% if node[:nominatim][:api_flavour] == "php" %>
+ server unix:/run/php/php-nominatim.openstreetmap.org-fpm.sock fail_timeout=0;
+<% elsif node[:nominatim][:api_flavour] == "python" %>
+ server unix:/run/gunicorn-nominatim.openstreetmap.org.sock fail_timeout=0;
+<% end -%>
+}
+
map $uri $nominatim_script_name {
- ~^(.+?\.php) $1;
- ~^/([^/]+) $1.php;
- ^$ search.php;
+ ~^/*(.+?)\.php $1;
+ ~^/*([^/]+) $1;
+ ^$ search;
}
map $uri $nominatim_path_info {
~^/([^/]+)(.*)$ $2;
}
+map $args $format {
+ default default;
+ ~(^|&)format=html(&|$) html;
+ ~(^|&)format= other;
+}
+
+map $uri/$format $forward_to_ui {
+ default 1;
+ ~^/ui 0;
+ ~/other$ 0;
+ ~/reverse.*/default 0;
+ ~/lookup.*/default 0;
+ ~/status.*/default 0;
+}
+
map $query_string $email_id {
~(^|&)email=([^&]+) $2;
}
-upstream nominatim_service {
- server 127.0.0.1:<%= @pools[:www][:port ]%>;
+map $email_id $missing_email {
+ default "";
+ "" 1;
+}
+
+map $http_user_agent $missing_ua {
+ default "";
+ "" 1;
+}
+
+map $http_referer $missing_referer {
+ default "";
+ "" 1;
}
# Whitelisted IPs
geo $whitelisted {
default 0;
<% @frontends.each do |frontend| -%>
-<% frontend.ipaddresses(:role => :external) do |address| -%>
+<% frontend.ipaddresses(:role => :external).sort.each do |address| -%>
<%= address %> 1;
<% end -%>
<% end -%>
46.235.224.148 1;
209.132.180.180 1;
209.132.180.168 1;
- 8.43.85.23 1; # gnome
+ 8.43.85.3 1; # gnome
+ 8.43.85.4 1; # gnome
+ 8.43.85.5 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
+ 34.234.151.67 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
+ 54.165.53.199 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
+ 35.153.15.118 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
+}
+
+map $server_protocol$http_user_agent $cleaned_user_agent {
+ default $http_user_agent;
+ "~^HTTP/1..Mozilla/" Script$http_user_agent;
}
-map $http_user_agent $blocked_user_agent {
+map $missing_email$missing_referer$cleaned_user_agent $blocked_user_agent {
default 0;
+ "11" 2; # block any requests without identifier
include <%= @confdir %>/nginx_blocked_user_agent.conf;
}
-map $http_referer $blocked_referrer {
+map $missing_email$missing_ua$http_referer $blocked_referrer {
default 0;
include <%= @confdir %>/nginx_blocked_referrer.conf;
}
+map $missing_referer$missing_ua$email_id $blocked_email {
+ default 0;
+ include <%= @confdir %>/nginx_blocked_email.conf;
+}
+
map $whitelisted $limit_www {
1 "";
0 $binary_remote_addr;
2 $binary_remote_addr;
}
+map $missing_email$missing_referer$http_user_agent $generic_mozilla {
+ default 0;
+ ~^11Mozilla/4.0 1;
+ ~^11Mozilla/5.0 2;
+}
+
+map $whitelisted$generic_mozilla$uri $limit_reverse {
+ default "";
+ ~01/reverse.* $binary_remote_addr;
+ ~02/reverse.* $binary_remote_addr;
+}
+
limit_req_zone $limit_www zone=www:50m rate=2r/s;
limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
+limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m;
server {
- listen 80 default_server;
- listen [::]:80 default_server;
+ listen 80 default_server;
+ listen [::]:80 default_server;
- location /nginx_status {
+ access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
+ error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
+
+ location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
- rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
+ rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
- location / {
- return 301 https://$host$request_uri;
- }
+ location / {
+ return 301 https://$host$request_uri;
+ }
}
server {
# IPv4
- listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
+ listen 443 ssl http2 default_server;
# IPv6
- listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
+ listen [::]:443 ssl http2 default_server;
server_name localhost;
ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem;
ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key;
- root <%= @directory %>/website;
- index search.php;
+ root <%= @directory %>/static-website;
+ index /search;
access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
}
location / {
- set $anyid $http_referer$http_user_agent$email_id;
- if ($anyid = "")
- { return 403; }
+ try_files $uri $uri/ @php;
+ }
+
+ location /ui/ {
+ alias <%= @ui_directory %>/dist/;
+ index search.html;
+ }
+
+ location /qa-data/ {
+ add_header Access-Control-Allow-Origin "*" always;
+ }
+
+ location ~* ^/(search|reverse)(\.php)?/ {
+ error_page 404 /404-old-search-syntax.html;
+ return 404;
+ }
+
+ location @php {
+ if ($forward_to_ui) {
+ rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
+ }
if ($blocked_user_agent ~ ^2$)
{ return 403; }
if ($blocked_referrer)
{ return 403; }
+ if ($blocked_email)
+ { return 403; }
+ if ($args ~* "q=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ &]")
+ { return 418; }
+ include <%= @confdir %>/nginx_blocked_generic.conf;
- try_files $uri $uri/ @php;
- }
-
- location @php {
limit_req zone=www burst=10;
- limit_req zone=tarpit burst=2;
+ limit_req zone=tarpit burst=5;
+ limit_req zone=reverse burst=5;
limit_req_status 429;
+<% if node[:nominatim][:api_flavour] == "php" %>
fastcgi_pass nominatim_service;
include fastcgi_params;
fastcgi_param QUERY_STRING $args;
fastcgi_param PATH_INFO "$nominatim_path_info";
- fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name";
+ fastcgi_param SCRIPT_FILENAME "<%= @directory %>/website/$nominatim_script_name";
+<% elsif node[:nominatim][:api_flavour] == "python" %>
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Content-Type' 'text/plain; charset=UTF-8';
+ add_header 'Content-Length' 0;
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods 'GET,OPTIONS';
+ add_header Access-Control-Allow-Headers $http_access_control_request_headers;
+ return 204;
+ }
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ proxy_pass http://nominatim_service;
+<% end -%>
}
+<% if node[:nominatim][:api_flavour] == "php" %>
location ~* \.php$ {
+ if ($blocked_user_agent ~ ^2$)
+ { return 403; }
+ if ($blocked_referrer)
+ { return 403; }
+ if ($blocked_email)
+ { return 403; }
+ include <%= @confdir %>/nginx_blocked_generic.conf;
+
limit_req zone=www burst=10;
limit_req zone=tarpit burst=2;
+ limit_req zone=reverse burst=5;
limit_req_status 429;
fastcgi_pass nominatim_service;
include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_FILENAME <%= @directory %>/website/$fastcgi_script_name;
+
+ if ($forward_to_ui) {
+ rewrite (.*).php https://$host/ui$1.html redirect;
+ }
}
+<% end -%>
}