]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/nominatim/templates/default/nginx.erb
community: use a custom policyd-spf.conf
[chef.git] / cookbooks / nominatim / templates / default / nginx.erb
index 1a5fa0c985015e22f2528df9372ec350def7418c..ddebe7c0b70fdb1a32e00e23c6edc2a38d2b766a 100644 (file)
@@ -1,54 +1,98 @@
+upstream nominatim_service {
+<% if node[:nominatim][:api_flavour] == "php" %>
+  server unix:/run/php/php-nominatim.openstreetmap.org-fpm.sock fail_timeout=0;
+<% elsif node[:nominatim][:api_flavour] == "python"  %>
+  server unix:/run/gunicorn-nominatim.openstreetmap.org.sock fail_timeout=0;
+<% end -%>
+}
+
 map $uri $nominatim_script_name {
-    ~^(.+?\.php)         $1;
-    ~^/([^/]+)           $1.php;
-    ^$                   search.php;
+    ~^/*(.+?)\.php        $1;
+    ~^/*([^/]+)           $1;
+    ^$                   search;
 }
 
 map $uri $nominatim_path_info {
     ~^/([^/]+)(.*)$      $2;
 }
 
+map $args $format {
+    default                  default;
+    ~(^|&)format=html(&|$)   html;
+    ~(^|&)format=            other;
+}
+
+map $uri/$format $forward_to_ui {
+    default               1;
+    ~^/ui                 0;
+    ~/other$              0;
+    ~/reverse.*/default   0;
+    ~/lookup.*/default    0;
+    ~/status.*/default    0;
+}
+
 map $query_string $email_id {
     ~(^|&)email=([^&]+)  $2;
 }
 
-upstream nominatim_service {
-  server 127.0.0.1:<%= @pools[:www][:port ]%>;
+map $email_id $missing_email {
+    default "";
+    "" 1;
+}
+
+map $http_user_agent $missing_ua {
+    default "";
+    "" 1;
+}
+
+map $http_referer $missing_referer {
+    default "";
+    "" 1;
 }
 
 # Whitelisted IPs
-geo $limit {
-    default 1;
-    2001:978:2:2c::172:6 0;
-    2001:978:2:2c::172:7 0;
-    2001:978:2:2c::172:8 0;
-    2001:978:2:2c::172:b 0;
-    2001:978:2:2c::172:c 0;
-    2001:978:2:2c::172:d 0;
-    130.117.76.6 0;
-    130.117.76.7 0;
-    130.117.76.8 0;
-    89.16.162.21 0;
-    89.16.162.22 0;
-    46.235.224.148 0;
-    209.132.180.180 0;
-    209.132.180.168 0;
-    8.43.85.23 0; # gnome
-}
-
-map $http_user_agent $blocked_user_agent {
+geo $whitelisted {
+    default 0;
+<% @frontends.each do |frontend| -%>
+<% frontend.ipaddresses(:role => :external).sort.each do |address| -%>
+    <%= address %> 1;
+<% end -%>
+<% end -%>
+    46.235.224.148 1;
+    209.132.180.180 1;
+    209.132.180.168 1;
+    8.43.85.3 1; # gnome
+    8.43.85.4 1; # gnome
+    8.43.85.5 1; # gnome
+    2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome
+    2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome
+    2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
+}
+
+map $server_protocol$http_user_agent $cleaned_user_agent {
+    default $http_user_agent;
+    "~^HTTP/1..Mozilla/" Script$http_user_agent;
+}
+
+map $missing_email$missing_referer$cleaned_user_agent $blocked_user_agent {
    default 0;
+   "11" 2; # block any requests without identifier
    include <%= @confdir %>/nginx_blocked_user_agent.conf;
 }
 
-map $http_referer $blocked_referrer {
+map $missing_email$missing_ua$http_referer $blocked_referrer {
    default 0;
    include <%= @confdir %>/nginx_blocked_referrer.conf;
 }
 
-map $limit $limit_key {
-    0 "";
-    1 $binary_remote_addr;
+map $missing_referer$missing_ua$email_id $blocked_email {
+   default 0;
+   include <%= @confdir %>/nginx_blocked_email.conf;
+}
+
+map $whitelisted $limit_www {
+    1 "";
+    0 $binary_remote_addr;
 }
 
 map $blocked_user_agent $limit_tarpit {
@@ -57,24 +101,57 @@ map $blocked_user_agent $limit_tarpit {
     2 $binary_remote_addr;
 }
 
-limit_req_zone $limit zone=www:50m rate=2r/s;
+map $missing_email$missing_referer$http_user_agent $generic_mozilla {
+    default 0;
+    ~^11Mozilla/4.0 1;
+    ~^11Mozilla/5.0 2;
+}
+
+map $whitelisted$generic_mozilla$uri $limit_reverse {
+    default "";
+    ~01/reverse.*  $binary_remote_addr;
+    ~02/reverse.*  $binary_remote_addr;
+}
+
+limit_req_zone $limit_www zone=www:50m rate=2r/s;
 limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
 limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
+limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m;
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
+    error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
+
+    location /nginx_status {
+        stub_status on;
+        access_log   off;
+        allow 127.0.0.1;
+        allow ::1;
+        deny all;
+    }
+
+     rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
+
+     location / {
+         return 301 https://$host$request_uri;
+     }
+}
 
 server {
     # IPv4
-    listen       80 deferred backlog=16384 reuseport fastopen=2048 default_server;
-    listen       443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
+    listen       443 ssl http2 default_server;
     # IPv6
-    listen       [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server;
-    listen       [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
+    listen       [::]:443 ssl http2 default_server;
     server_name  localhost;
 
     ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem;
     ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key;
 
-    root <%= @directory %>/website;
-    index search.php;
+    root <%= @directory %>/static-website;
+    index /search;
 
     access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
     error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
@@ -98,34 +175,87 @@ server {
     }
 
     location / {
-        set anyid = $http_referer$http_user_agent$email_id;
-        if (anyid = "")
-        { return 403; }
+        try_files $uri $uri/ @php;
+    }
+
+    location /ui/ {
+        alias <%= @ui_directory %>/dist/;
+        index search.html;
+    }
+
+    location /qa-data/ {
+        add_header Access-Control-Allow-Origin "*" always;
+    }
+
+    location ~* ^/(search|reverse)(\.php)?/ {
+        error_page 404 /404-old-search-syntax.html;
+        return 404;
+    }
+
+    location @php {
+        if ($forward_to_ui) {
+            rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
+        }
         if ($blocked_user_agent ~ ^2$)
         { return 403; }
         if ($blocked_referrer)
         { return 403; }
+        if ($blocked_email)
+        { return 403; }
+        if ($args ~* "q=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ &]")
+        { return 418; }
+        include <%= @confdir %>/nginx_blocked_generic.conf;
 
-        try_files $uri $uri/ @php;
-    }
-
-    location @php {
         limit_req zone=www burst=10;
-        limit_req zone=tarpit burst=2;
+        limit_req zone=tarpit burst=5;
+        limit_req zone=reverse burst=5;
         limit_req_status 429;
+<% if node[:nominatim][:api_flavour] == "php" %>
         fastcgi_pass nominatim_service;
         include fastcgi_params;
         fastcgi_param QUERY_STRING    $args;
         fastcgi_param PATH_INFO       "$nominatim_path_info";
-        fastcgi_param SCRIPT_FILENAME  "$document_root/$nominatim_script_name";
+        fastcgi_param SCRIPT_FILENAME  "<%= @directory %>/website/$nominatim_script_name";
+<% elsif node[:nominatim][:api_flavour] == "python" %>
+
+        if ($request_method = 'OPTIONS') {
+          add_header 'Content-Type' 'text/plain; charset=UTF-8';
+          add_header 'Content-Length' 0;
+          add_header Access-Control-Allow-Origin "*";
+          add_header Access-Control-Allow-Methods 'GET,OPTIONS';
+          add_header Access-Control-Allow-Headers $http_access_control_request_headers;
+          return 204;
+        }
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect off;
+        proxy_pass http://nominatim_service;
+<% end -%>
     }
 
+<% if node[:nominatim][:api_flavour] == "php" %>
     location ~* \.php$ {
+        if ($blocked_user_agent ~ ^2$)
+        { return 403; }
+        if ($blocked_referrer)
+        { return 403; }
+        if ($blocked_email)
+        { return 403; }
+        include <%= @confdir %>/nginx_blocked_generic.conf;
+
         limit_req zone=www burst=10;
         limit_req zone=tarpit burst=2;
+        limit_req zone=reverse burst=5;
         limit_req_status 429;
         fastcgi_pass    nominatim_service;
         include         fastcgi_params;
-        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+        fastcgi_param   SCRIPT_FILENAME    <%= @directory %>/website/$fastcgi_script_name;
+
+        if ($forward_to_ui) {
+            rewrite (.*).php https://$host/ui$1.html redirect;
+        }
     }
+<% end -%>
 }