upstream nominatim_service {
- server 127.0.0.1:<%= @pools[:www][:port ]%>;
+ server unix:/run/php/php-nominatim.openstreetmap.org-fpm.sock;
}
map $uri $nominatim_script_name {
~/other$ 0;
~/reverse.*/default 0;
~/lookup.*/default 0;
+ ~/status.*/default 0;
}
map $query_string $email_id {
geo $whitelisted {
default 0;
<% @frontends.each do |frontend| -%>
-<% frontend.ipaddresses(:role => :external) do |address| -%>
+<% frontend.ipaddresses(:role => :external).sort.each do |address| -%>
<%= address %> 1;
<% end -%>
<% end -%>
46.235.224.148 1;
209.132.180.180 1;
209.132.180.168 1;
- 8.43.85.23 1; # gnome
+ 8.43.85.3 1; # gnome
+ 8.43.85.4 1; # gnome
+ 8.43.85.5 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome
+ 2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
}
map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
2 $binary_remote_addr;
}
+map $missing_email$missing_referer$http_user_agent $generic_mozilla {
+ default 0;
+ ~^11Mozilla/4.0 1;
+ ~^11Mozilla/5.0 2;
+}
+
+map $whitelisted$generic_mozilla$uri $limit_reverse {
+ default "";
+ ~01/reverse.* $binary_remote_addr;
+ ~02/reverse.* $binary_remote_addr;
+}
+
limit_req_zone $limit_www zone=www:50m rate=2r/s;
limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
+limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m;
server {
listen 80 default_server;
server {
# IPv4
- listen 443 ssl deferred backlog=16384 reuseport http2 default_server;
+ listen 443 ssl http2 default_server;
# IPv6
- listen [::]:443 ssl deferred backlog=16384 reuseport http2 default_server;
+ listen [::]:443 ssl http2 default_server;
server_name localhost;
ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem;
index search.html;
}
+ location /qa-data/ {
+ add_header Access-Control-Allow-Origin "*" always;
+ }
+
location @php {
if ($blocked_user_agent ~ ^2$)
{ return 403; }
{ return 403; }
if ($blocked_email)
{ return 403; }
+ include <%= @confdir %>/nginx_blocked_generic.conf;
limit_req zone=www burst=10;
- limit_req zone=tarpit burst=2;
+ limit_req zone=tarpit burst=5;
+ limit_req zone=reverse burst=5;
limit_req_status 429;
fastcgi_pass nominatim_service;
include fastcgi_params;
{ return 403; }
if ($blocked_email)
{ return 403; }
+ include <%= @confdir %>/nginx_blocked_generic.conf;
limit_req zone=www burst=10;
limit_req zone=tarpit burst=2;
+ limit_req zone=reverse burst=5;
limit_req_status 429;
fastcgi_pass nominatim_service;
include fastcgi_params;