upstream nominatim_service {
- server 127.0.0.1:<%= @pools[:www][:port ]%>;
+ server unix:/run/php/nominatim.openstreetmap.org.sock;
}
map $uri $nominatim_script_name {
~/other$ 0;
~/reverse.*/default 0;
~/lookup.*/default 0;
+ ~/status.*/default 0;
}
map $query_string $email_id {
geo $whitelisted {
default 0;
<% @frontends.each do |frontend| -%>
-<% frontend.ipaddresses(:role => :external) do |address| -%>
+<% frontend.ipaddresses(:role => :external).sort.each do |address| -%>
<%= address %> 1;
<% end -%>
<% end -%>
2 $binary_remote_addr;
}
+map $missing_email$missing_referer$http_user_agent $generic_mozilla {
+ default 0;
+ ~^11Mozilla/4.0 1;
+ ~^11Mozilla/5.0 2;
+}
+
+map $whitelisted$generic_mozilla$uri $limit_reverse {
+ default "";
+ ~01/reverse.* $binary_remote_addr;
+ ~02/reverse.* $binary_remote_addr;
+}
+
limit_req_zone $limit_www zone=www:50m rate=2r/s;
limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
+limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m;
server {
listen 80 default_server;
index search.html;
}
+ location /qa-data/ {
+ add_header Access-Control-Allow-Origin "*" always;
+ }
+
location @php {
if ($blocked_user_agent ~ ^2$)
{ return 403; }
{ return 403; }
if ($blocked_email)
{ return 403; }
+ include <%= @confdir %>/nginx_blocked_generic.conf;
limit_req zone=www burst=10;
- limit_req zone=tarpit burst=2;
+ limit_req zone=tarpit burst=5;
+ limit_req zone=reverse burst=5;
limit_req_status 429;
fastcgi_pass nominatim_service;
include fastcgi_params;
{ return 403; }
if ($blocked_email)
{ return 403; }
+ include <%= @confdir %>/nginx_blocked_generic.conf;
limit_req zone=www burst=10;
limit_req zone=tarpit burst=2;
+ limit_req zone=reverse burst=5;
limit_req_status 429;
fastcgi_pass nominatim_service;
include fastcgi_params;