]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/tile/templates/default/apache.erb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add some comments to tile config
[chef.git] / cookbooks / tile / templates / default / apache.erb
diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb
index a707cba05b0d24fc22ca949ba2673add7f64cca9..c24e06e821349eb182d9c8e94693aaa099a960a1 100644 (file)
--- a/cookbooks/tile/templates/default/apache.erb
+++ b/cookbooks/tile/templates/default/apache.erb
@@ -19,6 +19,12 @@
   DocumentRoot /srv/tile.openstreetmap.org/html
   ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
 
+  # Get the real remote IP for requests via a trusted proxy
+  RemoteIPHeader Fastly-Client-IP
+<% @fastly.sort.each do |address| -%>
+  RemoteIPTrustedProxy <%= address %>
+<% end -%>
+
   # Setup logging
   LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
   CustomLog /var/log/apache2/access.log combined_with_remoteip
@@ -41,6 +47,11 @@
   # Enable the rewrite engine
   RewriteEngine on
 
+  # Enforce rate limits
+  RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
+  RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
+  RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
+
   # Rewrite tile requests to the default style
   RewriteRule ^/(\d+)/(\d+)/(\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
   RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/status/?$  /default/$1/$2/$3.png/status [PT,T=text/plain,L]
@@ -56,33 +67,31 @@
 
   # Restrict tile access to CDN nodes and admins
   <LocationMatch ^/default/\d+/\d+/\d+\.png$>
+    Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}"
+    # Fastly POPs
 <% @fastly.sort.each do |address| -%>
     Require ip <%= address %>
 <% end -%>
+    # StatusCake monitoring
 <% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%>
     Require ip <%= address %>
 <% end -%>
+    # Administrators
 <% @admins.sort.each do |address| -%>
     Require ip <%= address %>
 <% end -%>
+    # OSM Amsterdam Cogent IPv4
     Require ip 130.117.76.0/27
+    # OSM Amsterdam Cogent IPv6
     Require ip 2001:978:2:2C::/64
+    # OSM Dublin IPv4
     Require ip 184.104.226.96/27
+    # OSM Dublin IPv6
     Require ip 2001:470:1:b3b::/64
+    # OSM UCL IPv4
     Require ip 193.60.236.0/24
   </LocationMatch>
 
-  # Get the real remote IP for requests via a trusted proxy
-  RemoteIPHeader Fastly-Client-IP
-<% @fastly.sort.each do |address| -%>
-  RemoteIPTrustedProxy <%= address %>
-<% end -%>
-
-  # Enforce rate limits
-  RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
-  RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
-  RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
-
   # Internal endpoint for blocked users
   <Location /blocked>
     Header always set Cache-Control private
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.