]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/tile/templates/default/apache.erb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add some comments to tile config
[chef.git] / cookbooks / tile / templates / default / apache.erb
diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb
index e6f8ade1cbb135d3aa427acdb80e50b134183c06..c24e06e821349eb182d9c8e94693aaa099a960a1 100644 (file)
--- a/cookbooks/tile/templates/default/apache.erb
+++ b/cookbooks/tile/templates/default/apache.erb
@@ -20,12 +20,7 @@
   ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
 
   # Get the real remote IP for requests via a trusted proxy
-  RemoteIPHeader X-Forwarded-For
-<% @caches.each do |cache| -%>
-<% cache.ipaddresses(:role => :external).sort.each do |address| -%>
-  RemoteIPTrustedProxy <%= address %>
-<% end -%>
-<% end -%>
+  RemoteIPHeader Fastly-Client-IP
 <% @fastly.sort.each do |address| -%>
   RemoteIPTrustedProxy <%= address %>
 <% end -%>
@@ -52,6 +47,11 @@
   # Enable the rewrite engine
   RewriteEngine on
 
+  # Enforce rate limits
+  RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
+  RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
+  RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
+
   # Rewrite tile requests to the default style
   RewriteRule ^/(\d+)/(\d+)/(\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
   RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/status/?$  /default/$1/$2/$3.png/status [PT,T=text/plain,L]
@@ -64,6 +64,39 @@
 
   # Redirect ACME certificate challenges
   RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+
+  # Restrict tile access to CDN nodes and admins
+  <LocationMatch ^/default/\d+/\d+/\d+\.png$>
+    Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}"
+    # Fastly POPs
+<% @fastly.sort.each do |address| -%>
+    Require ip <%= address %>
+<% end -%>
+    # StatusCake monitoring
+<% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%>
+    Require ip <%= address %>
+<% end -%>
+    # Administrators
+<% @admins.sort.each do |address| -%>
+    Require ip <%= address %>
+<% end -%>
+    # OSM Amsterdam Cogent IPv4
+    Require ip 130.117.76.0/27
+    # OSM Amsterdam Cogent IPv6
+    Require ip 2001:978:2:2C::/64
+    # OSM Dublin IPv4
+    Require ip 184.104.226.96/27
+    # OSM Dublin IPv6
+    Require ip 2001:470:1:b3b::/64
+    # OSM UCL IPv4
+    Require ip 193.60.236.0/24
+  </LocationMatch>
+
+  # Internal endpoint for blocked users
+  <Location /blocked>
+    Header always set Cache-Control private
+    Redirect 429
+  </Location>
 </VirtualHost>
 
 <VirtualHost *:80>
@@ -73,14 +106,6 @@
   ServerAlias render.openstreetmap.org
   ServerAdmin webmaster@openstreetmap.org
 
-  # Get the real remote IP for requests via a trusted proxy
-  RemoteIPHeader X-Forwarded-For
-<% @caches.each do |cache| -%>
-<% cache.ipaddresses(:role => :external).sort.each do |address| -%>
-  RemoteIPTrustedProxy <%= address %>
-<% end -%>
-<% end -%>
-
   # Setup logging
   LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
   CustomLog /var/log/apache2/access.log combined_with_remoteip
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.