]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/nominatim/templates/default/nginx.erb
Drop segment length limit from tile server replication
[chef.git] / cookbooks / nominatim / templates / default / nginx.erb
index 6aa07dbe139a61293d4503ae107f443761bc19b5..3685b9de778f4c455bc806a6558914c5bca1394c 100644 (file)
@@ -67,9 +67,17 @@ geo $whitelisted {
     2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome
     2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome
     2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
     2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome
     2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome
     2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
+    34.234.151.67 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
+    54.165.53.199 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
+    35.153.15.118 1; # gnome - https://github.com/openstreetmap/operations/issues/1160
 }
 
 }
 
-map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
+map $server_protocol$http_user_agent $cleaned_user_agent {
+    default $http_user_agent;
+    "~^HTTP/1..Mozilla/" Script$http_user_agent;
+}
+
+map $missing_email$missing_referer$cleaned_user_agent $blocked_user_agent {
    default 0;
    "11" 2; # block any requests without identifier
    include <%= @confdir %>/nginx_blocked_user_agent.conf;
    default 0;
    "11" 2; # block any requests without identifier
    include <%= @confdir %>/nginx_blocked_user_agent.conf;
@@ -85,11 +93,6 @@ map $missing_referer$missing_ua$email_id $blocked_email {
    include <%= @confdir %>/nginx_blocked_email.conf;
 }
 
    include <%= @confdir %>/nginx_blocked_email.conf;
 }
 
-map $nominatim_script_name$missing_referer $blocked_path {
-   default 0;
-   "details1" 1;
-}
-
 map $whitelisted $limit_www {
     1 "";
     0 $binary_remote_addr;
 map $whitelisted $limit_www {
     1 "";
     0 $binary_remote_addr;
@@ -193,14 +196,17 @@ server {
     }
 
     location @php {
     }
 
     location @php {
+        if ($forward_to_ui) {
+            rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
+        }
         if ($blocked_user_agent ~ ^2$)
         { return 403; }
         if ($blocked_referrer)
         { return 403; }
         if ($blocked_email)
         { return 403; }
         if ($blocked_user_agent ~ ^2$)
         { return 403; }
         if ($blocked_referrer)
         { return 403; }
         if ($blocked_email)
         { return 403; }
-        if ($blocked_path)
-        { return 403; }
+        if ($args ~* "q=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ &]")
+        { return 418; }
         include <%= @confdir %>/nginx_blocked_generic.conf;
 
         limit_req zone=www burst=10;
         include <%= @confdir %>/nginx_blocked_generic.conf;
 
         limit_req zone=www burst=10;
@@ -230,9 +236,6 @@ server {
         proxy_redirect off;
         proxy_pass http://nominatim_service;
 <% end -%>
         proxy_redirect off;
         proxy_pass http://nominatim_service;
 <% end -%>
-        if ($forward_to_ui) {
-            rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
-        }
     }
 
 <% if node[:nominatim][:api_flavour] == "php" %>
     }
 
 <% if node[:nominatim][:api_flavour] == "php" %>