# DO NOT EDIT - This file is being maintained by Chef
-<VirtualHost *:80>
+<VirtualHost *:443>
# Basic server configuration
ServerName <%= node[:fqdn] %>
ServerAlias tile.openstreetmap.org
- ServerAlias parent.tile.openstreetmap.org
+ ServerAlias render.openstreetmap.org
ServerAdmin webmaster@openstreetmap.org
+ #
+ # Enable SSL
+ #
+ SSLEngine on
+ SSLProxyEngine on
+ SSLCertificateFile /etc/ssl/certs/<%= node[:fqdn] %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= node[:fqdn] %>.key
+
# Configure location of static files and CGI scripts
DocumentRoot /srv/tile.openstreetmap.org/html
ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
# Get the real remote IP for requests via a trusted proxy
RemoteIPHeader X-Forwarded-For
<% @caches.each do |cache| -%>
-<% cache.ipaddresses(:role => :external) do |address| -%>
+<% cache.ipaddresses(:role => :external).sort.each do |address| -%>
RemoteIPTrustedProxy <%= address %>
<% end -%>
<% end -%>
# Setup logging
- CustomLog /var/log/apache2/access.log combined
+ LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
+ CustomLog /var/log/apache2/access.log combined_with_remoteip
ErrorLog /var/log/apache2/error.log
BufferedLogs on
+ # Always set Access-Control-Allow-Origin so that simple CORS requests
+ # will always work and can be cached
+ Header set Access-Control-Allow-Origin "*"
+
+ # Remove Proxy request header to mitigate https://httpoxy.org/
+ RequestHeader unset Proxy early
+
# Enable the rewrite engine
RewriteEngine on
- # Rewrite tile status or tile dirty requests to default style
+ # Rewrite tile requests to the default style
+ RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png/status/?$ /default/$1/$2/$3.png/status [PT,T=text/plain,L]
RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png/dirty/?$ /default/$1/$2/$3.png/dirty [PT,T=text/plain,L]
- # Rewrite tile requests to the default style
- RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
+ # Historical Files redirect
+ RedirectPermanent /processed_p.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/processed_p.tar.bz2
+ RedirectPermanent /shoreline_300.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/shoreline_300.tar.bz2
+ RedirectPermanent /world_boundaries-spherical.tgz https://planet.openstreetmap.org/historical-shapefiles/world_boundaries-spherical.tgz
+
+ # Redirect ACME certificate challenges
+ RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+</VirtualHost>
+
+<VirtualHost *:80>
+ # Basic server configuration
+ ServerName <%= node[:fqdn] %>
+ ServerAlias tile.openstreetmap.org
+ ServerAlias render.openstreetmap.org
+ ServerAdmin webmaster@openstreetmap.org
+
+ # Get the real remote IP for requests via a trusted proxy
+ RemoteIPHeader X-Forwarded-For
+<% @caches.each do |cache| -%>
+<% cache.ipaddresses(:role => :external).sort.each do |address| -%>
+ RemoteIPTrustedProxy <%= address %>
+<% end -%>
+<% end -%>
+
+ # Setup logging
+ LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
+ CustomLog /var/log/apache2/access.log combined_with_remoteip
+ ErrorLog /var/log/apache2/error.log
+ BufferedLogs on
+
+ # Always set Access-Control-Allow-Origin so that simple CORS requests
+ # will always work and can be cached
+ Header set Access-Control-Allow-Origin "*"
+
+ # Remove Proxy request header to mitigate https://httpoxy.org/
+ RequestHeader unset Proxy early
+
+ # Enable the rewrite engine
+ RewriteEngine on
+
+ # Redirect ACME certificate challenges
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ # Redirect to https
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteCond %{REQUEST_URI} !^/mod_tile$
+ RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=permanent,L]
</VirtualHost>
<Directory /srv/tile.openstreetmap.org/html>
Options None
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
<Directory /srv/tile.openstreetmap.org/cgi-bin>
Options ExecCGI
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>