# DO NOT EDIT - This file is being maintained by Chef
-<VirtualHost *:80>
+<VirtualHost *:443>
# Basic server configuration
- ServerName <%= node[:fqdn] %>
+ ServerName <%= node.name %>
ServerAlias tile.openstreetmap.org
- ServerAlias parent.tile.openstreetmap.org
+ ServerAlias render.openstreetmap.org
ServerAdmin webmaster@openstreetmap.org
+ #
+ # Enable SSL
+ #
+ SSLEngine on
+ SSLProxyEngine on
+ SSLCertificateFile /etc/ssl/certs/<%= node[:fqdn] %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= node[:fqdn] %>.key
+
# Configure location of static files and CGI scripts
DocumentRoot /srv/tile.openstreetmap.org/html
ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
# Get the real remote IP for requests via a trusted proxy
- RemoteIPHeader X-Forwarded-For
-<% @caches.each do |cache| -%>
-<% cache.ipaddresses(:role => :external) do |address| -%>
+ RemoteIPHeader Fastly-Client-IP
+<% @fastly.sort.each do |address| -%>
RemoteIPTrustedProxy <%= address %>
-<% end -%>
<% end -%>
# Setup logging
- CustomLog /var/log/apache2/access.log combined
+ LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
+ CustomLog /var/log/apache2/access.log combined_with_remoteip
ErrorLog /var/log/apache2/error.log
BufferedLogs on
+ # Always set Access-Control-Allow-Origin so that simple CORS requests
+ # will always work and can be cached
+ Header set Access-Control-Allow-Origin "*"
+
+ # Add diagnostics header to identify render server
+ Header set X-TileRender "<%= node.name %>"
+
+ # Tell clients to use stale tiles if necessary
+ Header append Cache-Control "stale-while-revalidate=604800, stale-if-error=604800" "expr=%{CONTENT_TYPE} == 'image/png'"
+
+ # Remove Proxy request header to mitigate https://httpoxy.org/
+ RequestHeader unset Proxy early
+
# Enable the rewrite engine
RewriteEngine on
- # Rewrite tile status or tile dirty requests to default style
- RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png/status/?$ /default/$1/$2/$3.png/status [PT,T=text/plain,L]
- RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png/dirty/?$ /default/$1/$2/$3.png/dirty [PT,T=text/plain,L]
+ # Enforce rate limits
+ RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
+ RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
+ RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
# Rewrite tile requests to the default style
- RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
+ RewriteRule ^/(\d+)/(\d+)/(\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
+ RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/status/?$ /default/$1/$2/$3.png/status [PT,T=text/plain,L]
+ RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/dirty/?$ /default/$1/$2/$3.png/dirty [PT,T=text/plain,L]
+
+ # Historical Files redirect
+ RedirectPermanent /processed_p.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/
+ RedirectPermanent /shoreline_300.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/
+ RedirectPermanent /world_boundaries-spherical.tgz https://planet.openstreetmap.org/historical-shapefiles/
+
+ # Redirect ACME certificate challenges
+ RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+
+ # Restrict tile access to CDN nodes and admins
+ <LocationMatch ^/default/\d+/\d+/\d+\.png$>
+ Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}"
+ # Fastly POPs
+<% @fastly.sort.each do |address| -%>
+ Require ip <%= address %>
+<% end -%>
+ # StatusCake monitoring
+<% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%>
+ Require ip <%= address %>
+<% end -%>
+ # Administrators
+<% @admins.sort.each do |address| -%>
+ Require ip <%= address %>
+<% end -%>
+ # OSM Amsterdam Cogent IPv4
+ Require ip 130.117.76.0/27
+ # OSM Amsterdam Cogent IPv6
+ Require ip 2001:978:2:2C::/64
+ # OSM Dublin IPv4
+ Require ip 184.104.226.96/27
+ # OSM Dublin IPv6
+ Require ip 2001:470:1:b3b::/64
+ # OSM UCL IPv4
+ Require ip 193.60.236.0/24
+ </LocationMatch>
+
+ # Internal endpoint for blocked users
+ <Location /blocked>
+ Header always set Cache-Control private
+ Redirect 429
+ </Location>
+</VirtualHost>
+
+<VirtualHost *:80>
+ # Basic server configuration
+ ServerName <%= node.name %>
+ ServerAlias tile.openstreetmap.org
+ ServerAlias render.openstreetmap.org
+ ServerAdmin webmaster@openstreetmap.org
+
+ # Setup logging
+ LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
+ CustomLog /var/log/apache2/access.log combined_with_remoteip
+ ErrorLog /var/log/apache2/error.log
+ BufferedLogs on
+
+ # Always set Access-Control-Allow-Origin so that simple CORS requests
+ # will always work and can be cached
+ Header set Access-Control-Allow-Origin "*"
+
+ # Add diagnostics header to identify render server
+ Header set X-TileRender "<%= node.name %>"
+
+ # Remove Proxy request header to mitigate https://httpoxy.org/
+ RequestHeader unset Proxy early
+
+ # Enable the rewrite engine
+ RewriteEngine on
+
+ # Redirect ACME certificate challenges
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ # Redirect to https
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteCond %{REQUEST_URI} !^/mod_tile$
+ RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=permanent,L]
</VirtualHost>
<Directory /srv/tile.openstreetmap.org/html>
Options None
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
<Directory /srv/tile.openstreetmap.org/cgi-bin>
Options ExecCGI
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
projects / chef.git / blobdiff