Merge remote-tracking branch 'github/pull/524'

[chef.git] / cookbooks / web / templates / default / apache.frontend.erb

diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index 5f189ba372bae2c4cda77b45927db297ebb364ed..91304f497bf5f07057bfa3205b49fc3561ca3c28 100644 (file)
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -1,26 +1,26 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
 # DO NOT EDIT - This file is being maintained by Chef
 

-<% [80, 443].each do |port| -%>
-<VirtualHost *:<%= port %>>
+<VirtualHost *:443>

   #
   # Basic server configuration
   #
   ServerName <%= node[:fqdn] %>
   #
   # Basic server configuration
   #
   ServerName <%= node[:fqdn] %>

-  ServerAlias api.openstreetmap.org www.openstreetmap.org
+  ServerAlias api.openstreetmap.org www.openstreetmap.org 127.0.0.1

   ServerAdmin webmaster@openstreetmap.org
   ServerAdmin webmaster@openstreetmap.org

-<% if port == 443 -%>

 
   #
   # Enable SSL
   #
   SSLEngine on
 
   #
   # Enable SSL
   #
   SSLEngine on

-<% end -%>
+  SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
+  SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key

 
   #
   # Setup logging
   #
 
   #
   # Setup logging
   #

-  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Ts" combined_with_time
+  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time

   CustomLog /var/log/apache2/access.log combined_with_time
   CustomLog /var/log/apache2/access.log combined_with_time

+  CustomLog /var/log/apache2/basic.log combined_with_time "expr=%{HTTP:Authorization} =~ /^Basic/i"

   ErrorLog /var/log/apache2/error.log
 
   #
   ErrorLog /var/log/apache2/error.log
 
   #


@@ -29,6 +29,16 @@
   ExpiresActive On
   RewriteEngine on
 
   ExpiresActive On
   RewriteEngine on
 

+  #
+  # Add the unique ID to the request headers
+  #
+  RequestHeader set X-Request-Id %{UNIQUE_ID}e
+
+  #
+  # Remove Proxy request header to mitigate https://httpoxy.org/
+  #
+  RequestHeader unset Proxy early
+

   #
   # Block troublesome GPX data scrapping
   #
   #
   # Block troublesome GPX data scrapping
   #


@@ -42,9 +52,10 @@
   RewriteRule . - [F,L]
 
   #
   RewriteRule . - [F,L]
 
   #

-  # Block requests for the old 404 map tile
+  # Block changeset scraper

   #
   #

-  RewriteRule ^/openlayers/img/404.png$ - [G,L]
+  RewriteCond %{HTTP_USER_AGENT} "OSMApp Tuner"
+  RewriteRule . - [F,L]

 
   #
   # Block attempts to access old API versions
 
   #
   # Block attempts to access old API versions


@@ -53,7 +64,7 @@
 
   #
   # Block JOSM revisions  1722-1727 as they have a serious bug that causes
 
   #
   # Block JOSM revisions  1722-1727 as they have a serious bug that causes

-  # lat/lon to be swapped (http://josm.openstreetmap.de/ticket/2804)
+  # lat/lon to be swapped (https://josm.openstreetmap.de/ticket/2804)

   #
   RewriteCond %{HTTP_USER_AGENT} "^JOSM/[0-9]+\.[0-9]+ \(172[234567]\)"
   RewriteRule . - [F,L]
   #
   RewriteCond %{HTTP_USER_AGENT} "^JOSM/[0-9]+\.[0-9]+ \(172[234567]\)"
   RewriteRule . - [F,L]


@@ -63,6 +74,13 @@
   #
   RewriteRule ^/api/0.6/changeset/6823497/download$ - [F,L]
 
   #
   RewriteRule ^/api/0.6/changeset/6823497/download$ - [F,L]
 

+  #
+  # Ignore Vicon Valerus "online" status pings
+  # https://gist.github.com/Firefishy/86ed5b86991b225179b54bbafbcd769e
+  #
+  RewriteCond "%{QUERY_STRING}" "^q=abcde&t=20"
+  RewriteRule "^/api/0\.6/notes/search$" - [R=429,L]
+

   #
   # Force special MIME type for crossdomain.xml files
   #
   #
   # Force special MIME type for crossdomain.xml files
   #


@@ -75,17 +93,16 @@
   #
   <Location /assets/>
     Header unset Last-Modified
   #
   <Location /assets/>
     Header unset Last-Modified

-    Header unset ETag
-    FileETag None
+    FileETag Size

 
     ExpiresDefault "access plus 1 year"
 
     ExpiresDefault "access plus 1 year"

+    Header set Cache-Control "immutable, max-age=31536000"

   </Location>
 
   #
   # Set expiry for attachments
   #
   <Location /attachments/>
   </Location>
 
   #
   # Set expiry for attachments
   #
   <Location /attachments/>

-    Header unset Last-Modified

     Header unset ETag
     FileETag None
 
     Header unset ETag
     FileETag None
 


@@ -101,31 +118,12 @@
   <Location /images/>
     ExpiresDefault "access plus 10 years"
   </Location>
   <Location /images/>
     ExpiresDefault "access plus 10 years"
   </Location>

-  <Location /javascripts/>
-    ExpiresDefault "access plus 10 years"
-  </Location>

   <Location /openlayers/>
   <Location /openlayers/>

-    ExpiresDefault "access plus 7 days"
-  </Location>
-  <Location /stylesheets/>
-    ExpiresDefault "access plus 10 years"
-  </Location>
-
-  #
-  # Set expiry for Potlatch 1
-  #
-  <Location /potlatch/>
-    ExpiresDefault "access plus 7 days"
-  </Location>
+    Header unset Last-Modified
+    FileETag Size

 
 

-  #
-  # Set expiry for Potlatch 2
-  #
-  <Location /potlatch2/>
-    ExpiresByType application/x-shockwave-flash "access plus 1 day"
-    ExpiresByType application/xml "access plus 1 day"
-    ExpiresByType text/css "access plus 1 day"
-    ExpiresByType image/png "access plus 7 days"
+    Header always set Cache-Control "public, max-age=31536000, immutable"
+    Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"

   </Location>
 
   #
   </Location>
 
   #


@@ -135,163 +133,179 @@
   RailsEnv production
   PassengerMinInstances 10
   PassengerMaxRequests 5000
   RailsEnv production
   PassengerMinInstances 10
   PassengerMaxRequests 5000

-  PassengerPreStart http://www.openstreetmap.org/
-  Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/images/favicon.ico
-  Alias /openlayers <%= node[:web][:base_directory] %>/rails/vendor/assets/openlayers
-  Alias /stats /store/rails/stats
-  Alias /user/image /store/rails/user/image
-  Alias /attachments /store/rails/attachments
-
-  #
-  # Preserve the host name when forwarding to the proxy
-  #
-  ProxyPreserveHost on
-
-  #
-  # Set a long timeout - changeset uploads can take a long time
-  #
-  ProxyTimeout 3600
+  PassengerMaxRequestQueueSize 250
+  PassengerPreStart https://www.openstreetmap.org/
+  PassengerAppGroupName rails
+  SetEnv OPENSTREETMAP_STATUS <%= @status %>
+  SetEnv SECRET_KEY_BASE <%= @secret_key_base %>
+  Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/favicons/favicon.ico
+  Alias /openlayers <%= node[:web][:base_directory] %>/static/openlayers
+  RedirectPermanent /stats https://planet.openstreetmap.org/statistics

 
   #
 
   #

-  # Allow all proxy requests
+  # Pass authentication related headers to cgimap

   #
   #

-  <Proxy *>
-    Allow from all
-  </Proxy>
+  <Location />
+    CGIPassAuth On
+  </Location>

 
   #
 
   #

-  # Pass some other API calls to the backends via a load balancer
+  # Pass supported calls to cgimap

   #
   #

-  ProxyPass /api/0.6/map balancer://backend/api/0.6/map
-  ProxyPass /api/0.6/tracepoints balancer://backend/api/0.6/tracepoints
-  ProxyPass /api/0.6/amf/read balancer://backend/api/0.6/amf/read
-  ProxyPass /api/0.6/swf/trackpoints balancer://backend/api/0.6/swf/trackpoints
-  ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/(upload|download))$ balancer://backend$1
-  ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+)$ balancer://backend$1
-  ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+/(full|history|search|ways))$ balancer://backend$1
-  ProxyPass /api/0.6/nodes balancer://backend/api/0.6/nodes
-  ProxyPass /api/0.6/ways balancer://backend/api/0.6/ways
-  ProxyPass /api/0.6/relations balancer://backend/api/0.6/relations
-  ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://backend$1
+  RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
+  RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]

 
   #
   # Redirect trac and wiki requests to the right places
   #
 
   #
   # Redirect trac and wiki requests to the right places
   #

-  RedirectPermanent /trac/ http://trac.openstreetmap.org/
-  RedirectPermanent /wiki/ http://wiki.openstreetmap.org/
+  RedirectPermanent /trac/ https://trac.openstreetmap.org/
+  RedirectPermanent /wiki/ https://wiki.openstreetmap.org/

 
   #
   # Redirect requests for various images to the right place
   #
 
   #
   # Redirect requests for various images to the right place
   #

-  RedirectPermanent /images/osm_logo.png http://www.openstreetmap.org/assets/osm_logo.png
-  RedirectPermanent /images/cc_button.png http://www.openstreetmap.org/assets/cc_button.png
+  RedirectPermanent /images/osm_logo.png https://www.openstreetmap.org/assets/osm_logo.png
+  RedirectPermanent /images/cc_button.png https://www.openstreetmap.org/assets/cc_button.png

 
   #
 
   #

-  # Define a load balancer for the backends
-  #
-  <Proxy balancer://backend>
-    ProxySet lbmethod=bybusyness
-    BalancerMember http://rails1
-    BalancerMember http://rails2
-    BalancerMember http://rails3
-  </Proxy>
-<% if port == 80 -%>
-
-  #
-  # Redirect requests which should be secure to the SSL site
-  #
-  RewriteCond %{REQUEST_URI} ^/login(\.html)?$ [OR]
-  RewriteCond %{REQUEST_URI} ^/user/(new|create-account\.html)$ [OR]
-  RewriteCond %{REQUEST_URI} ^/user/terms$ [OR]
-  RewriteCond %{REQUEST_URI} ^/user/save$ [OR]
-  RewriteCond %{REQUEST_URI} ^/user/([^/]+)/account$ [OR]
-  RewriteCond %{REQUEST_URI} ^/user/reset-password$
-  RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
-
-  #
-  # Redirect api requests made to www.osm.org to api.osm.org
+  # Redirect api requests made to www.openstreetmap.org to api.openstreetmap.org

   #
 #  RewriteCond %{HTTP_HOST} =www.openstreetmap.org
   #
 #  RewriteCond %{HTTP_HOST} =www.openstreetmap.org

-#  RewriteRule ^/api/(.*)$ http://api.openstreetmap.org/api/$1 [L,NE,R=permanent]
+#  RewriteRule ^/api/(.*)$ https://api.openstreetmap.org/api/$1 [L,NE,R=permanent]

 
   #
 
   #

-  # Redirect non-api requests made to api.osm.org to www.osm.org
+  # Redirect non-api requests made to api.openstreetmap.org to www.openstreetmap.org

   #
   RewriteCond %{HTTP_HOST} =api.openstreetmap.org
   RewriteCond %{REQUEST_URI} !^/api/
   #
   RewriteCond %{HTTP_HOST} =api.openstreetmap.org
   RewriteCond %{REQUEST_URI} !^/api/

-  RewriteRule ^(.*)$ http://www.openstreetmap.org$1 [L,NE,R=permanent]
-<% elsif port == 443 -%>
+  RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
+</VirtualHost>

 
 

-  #
-  # Redirect api requests to api.osm.org over http
-  #
-  RewriteRule ^/api/(.*)$ http://api.openstreetmap.org/api/$1 [L,NE,R=permanent]
+<VirtualHost *:80>
+  ServerName openstreetmap.org.uk
+  ServerAlias www.openstreetmap.org.uk
+  ServerAlias openstreetmap.co.uk
+  ServerAlias www.openstreetmap.co.uk

 
 

-  #
-  # Redirect requests which do not need to be secure over http
-  #
-  RewriteCond %{REQUEST_URI} !^/login(.html)?$
-  RewriteCond %{REQUEST_URI} !^/user/(new|create-account.html)$
-  RewriteCond %{REQUEST_URI} !^/user/terms$
-  RewriteCond %{REQUEST_URI} !^/user/save$
-  RewriteCond %{REQUEST_URI} !^/user/go_public$
-  RewriteCond %{REQUEST_URI} !^/user/([^/]+)/account$
-  RewriteCond %{REQUEST_URI} !^/user/reset-password$
-  RewriteCond %{REQUEST_URI} !^/preview/
-  RewriteCond %{REQUEST_URI} !^/assets/
-  RewriteCond %{REQUEST_URI} !^/javascripts/
-  RewriteCond %{REQUEST_URI} !^/images/
-  RewriteCond %{REQUEST_URI} !^/stylesheets/
-  RewriteCond %{REQUEST_URI} !^/openlayers/
-  RewriteRule ^(.*)$ http://www.openstreetmap.org$1 [L,NE,R=permanent]
-<% end -%>
+  RedirectPermanent /events.ics http://calendar.openstreetmap.org.uk/events.ics
+  RedirectPermanent / https://www.openstreetmap.org/
+</VirtualHost>
+
+<VirtualHost *:80>
+  ServerName osm.org
+
+  Header always set Cache-Control "max-age=31536000"
+  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+  RewriteEngine on
+
+  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+  RewriteCond %{REQUEST_URI} !^/server-status$
+  RewriteRule ^(.*)$ https://osm.org$1 [L,NE,R=permanent]
+</VirtualHost>
+
+<VirtualHost *:80>
+  ServerName www.osm.org
+
+  Header always set Cache-Control "max-age=31536000"
+  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+  RewriteEngine on
+
+  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+  RewriteCond %{REQUEST_URI} !^/server-status$
+  RewriteRule ^(.*)$ https://www.osm.org$1 [L,NE,R=permanent]

 </VirtualHost>
 
 </VirtualHost>
 

-<% end -%>

 <VirtualHost *:80>
   ServerName openstreetmap.org
 <VirtualHost *:80>
   ServerName openstreetmap.org

-  ServerAlias maps.openstreetmap.org mapz.openstreetmap.org
-  ServerAlias openstreetmap.com www.openstreetmap.com
-  ServerAlias maps.openstreetmap.com mapz.openstreetmap.com
-  ServerAlias openstreetmap.net www.openstreetmap.net
-  ServerAlias maps.openstreetmap.net mapz.openstreetmap.net
-  ServerAlias openstreetmap.ca www.openstreetmap.ca
-  ServerAlias maps.openstreetmap.ca mapz.openstreetmap.ca
-  ServerAlias openstreetmap.eu www.openstreetmap.eu
-  ServerAlias maps.openstreetmap.eu mapz.openstreetmap.eu
-  ServerAlias openstreetmap.pro www.openstreetmap.pro
-  ServerAlias maps.openstreetmap.pro mapz.openstreetmap.pro
-  ServerAlias openstreetmaps.org www.openstreetmaps.org
-  ServerAlias maps.openstreetmaps.org mapz.openstreetmaps.org
-  ServerAlias osm.org www.osm.org
-  ServerAlias maps.osm.org mapz.osm.org
-  ServerAlias openmaps.org www.openmaps.org
-  ServerAlias maps.openmaps.org mapz.openmaps.org
-  ServerAlias openstreetmap.io www.openstreetmap.io
-  ServerAlias maps.openstreetmap.io mapz.openstreetmap.io
-  ServerAlias osm.io www.osm.io
-  ServerAlias maps.osm.io mapz.osm.io
-  ServerAlias openworldmap.org www.openworldmap.org
-  ServerAlias maps.openworldmap.org mapz.openworldmap.org
-  ServerAlias freeosm.org www.freeosm.org
-  ServerAlias maps.freeosm.org mapz.freeosm.org
-  ServerAlias open-maps.org www.open-maps.org
-  ServerAlias maps.open-maps.org mapz.open-maps.org
-  ServerAlias open-maps.com www.open-maps.com
-  ServerAlias maps.open-maps.com mapz.open-maps.com
-
-  #Third Party Sites
-  ServerAlias openstreetmap.pm www.openstreetmap.pm
-
-  RedirectPermanent / http://www.openstreetmap.org/
+
+  Header always set Cache-Control "max-age=31536000"
+  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+  RewriteEngine on
+
+  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+  RewriteCond %{REQUEST_URI} !^/server-status$
+  RewriteRule ^(.*)$ https://openstreetmap.org$1 [L,NE,R=permanent]

 </VirtualHost>
 
 <VirtualHost *:80>
 </VirtualHost>
 
 <VirtualHost *:80>

-  ServerName openstreetmap.org.uk
-  ServerAlias www.openstreetmap.org.uk
-  ServerAlias openstreetmap.co.uk
-  ServerAlias www.openstreetmap.co.uk
+  ServerName www.openstreetmap.org
+  ServerAlias *

 
 

-  RedirectPermanent /events.ics http://calendar.openstreetmap.org.uk/events.ics
-  RedirectPermanent / http://www.openstreetmap.org/
+  Header always set Cache-Control "max-age=31536000"
+  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+  RewriteEngine on
+
+  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+  RewriteCond %{REQUEST_URI} !^/server-status$
+  RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]

 </VirtualHost>
 </VirtualHost>

+
+<VirtualHost *:443>
+  ServerName openstreetmap.org
+  ServerAlias *
+
+  SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
+  SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
+
+  Header always set Cache-Control "max-age=31536000"
+  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+  RedirectPermanent / https://www.openstreetmap.org/
+</VirtualHost>
+
+<Directory <%= node[:web][:base_directory] %>/rails/public>
+  Require all granted
+
+  RewriteCond "%{HTTP:Accept-encoding}" "br"
+  RewriteCond "%{REQUEST_FILENAME}\.br" -s
+  RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.br" [QSA]
+
+  RewriteCond "%{HTTP:Accept-encoding}" "gzip"
+  RewriteCond "%{REQUEST_FILENAME}\.gz" -s
+  RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.gz" [QSA]
+
+  RewriteRule "\.css\.(br|gz)$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.ico\.(br|gz)$"  "-" [T=image/vnd.microsoft.icon,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.js\.(br|gz)$"  "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.json\.(br|gz)$"  "-" [T=application/json,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.svg\.(br|gz)$"  "-" [T=image/svg+xml,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.xml\.(br|gz)$"  "-" [T=application/xml,E=no-gzip:1,E=no-brotli:1]
+
+  <FilesMatch "\.(css|ico|js|json|svg|xml)\.br$">
+    Header append Content-Encoding br
+    Header append Vary Accept-Encoding
+  </FilesMatch>
+
+  <FilesMatch "\.(css|ico|js|json|svg|xml)\.gz$">
+    Header append Content-Encoding gzip
+    Header append Vary Accept-Encoding
+  </FilesMatch>
+</Directory>
+
+<Directory /srv/www.openstreetmap.org/static>
+  Require all granted
+</Directory>
+
+<Directory /srv/www.openstreetmap.org/rails/app/assets>
+  Require all granted
+</Directory>
+
+<Directory /srv/www.openstreetmap.org/rails/vendor/assets>
+  Require all granted
+</Directory>