]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/nominatim/templates/default/nginx.erb
nominatim: improve IP query block expression
[chef.git] / cookbooks / nominatim / templates / default / nginx.erb
index 3d7d0e19ca8648446028af2543d609fa1c18f9fd..4f171bf06958e71427b9edcc508fc4a70a188b46 100644 (file)
@@ -7,9 +7,9 @@ upstream nominatim_service {
 }
 
 map $uri $nominatim_script_name {
-    ~^(.+?\.php)         $1;
-    ~^/([^/]+)           $1.php;
-    ^$                   search.php;
+    ~^/*(.+?)\.php        $1;
+    ~^/*([^/]+)           $1;
+    ^$                   search;
 }
 
 map $uri $nominatim_path_info {
@@ -146,7 +146,7 @@ server {
     ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key;
 
     root <%= @directory %>/static-website;
-    index search.php;
+    index /search;
 
     access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
     error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
@@ -182,6 +182,11 @@ server {
         add_header Access-Control-Allow-Origin "*" always;
     }
 
+    location ~* ^/(search|reverse)(\.php)?/ {
+        error_page 404 /404-old-search-syntax.html;
+        return 404;
+    }
+
     location @php {
         if ($blocked_user_agent ~ ^2$)
         { return 403; }
@@ -189,6 +194,8 @@ server {
         { return 403; }
         if ($blocked_email)
         { return 403; }
+        if ($arg_q ~* "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")
+        { return 418; }
         include <%= @confdir %>/nginx_blocked_generic.conf;
 
         limit_req zone=www burst=10;
@@ -202,6 +209,16 @@ server {
         fastcgi_param PATH_INFO       "$nominatim_path_info";
         fastcgi_param SCRIPT_FILENAME  "<%= @directory %>/website/$nominatim_script_name";
 <% elsif node[:nominatim][:api_flavour] == "python" %>
+
+        if ($request_method = 'OPTIONS') {
+          add_header 'Content-Type' 'text/plain; charset=UTF-8';
+          add_header 'Content-Length' 0;
+          add_header Access-Control-Allow-Origin "*";
+          add_header Access-Control-Allow-Methods 'GET,OPTIONS';
+          add_header Access-Control-Allow-Headers $http_access_control_request_headers;
+          return 204;
+        }
+
         proxy_set_header Host $http_host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;