geo $whitelisted {
default 0;
<% @frontends.each do |frontend| -%>
-<% frontend.ipaddresses(:role => :external) do |address| -%>
+<% frontend.ipaddresses(:role => :external).sort.each do |address| -%>
<%= address %> 1;
<% end -%>
<% end -%>
2 $binary_remote_addr;
}
+map $missing_email$missing_referer$http_user_agent $generic_mozilla {
+ default 0;
+ ~^11Mozilla/4.0 1;
+ ~^11Mozilla/5.0 2;
+}
+
+map $whitelisted$generic_mozilla$uri $limit_reverse {
+ default "";
+ ~01/reverse.* $binary_remote_addr;
+ ~02/reverse.* $binary_remote_addr;
+}
+
limit_req_zone $limit_www zone=www:50m rate=2r/s;
limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
+limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m;
server {
listen 80 default_server;
{ return 403; }
if ($blocked_email)
{ return 403; }
+ include <%= @confdir %>/nginx_blocked_generic.conf;
limit_req zone=www burst=10;
limit_req zone=tarpit burst=2;
+ limit_req zone=reverse burst=5;
limit_req_status 429;
fastcgi_pass nominatim_service;
include fastcgi_params;
fastcgi_param PATH_INFO "$nominatim_path_info";
fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name";
if ($forward_to_ui) {
- rewrite ^(/[^/]*) http://$host/ui$1.html redirect;
+ rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
}
}
{ return 403; }
if ($blocked_email)
{ return 403; }
+ include <%= @confdir %>/nginx_blocked_generic.conf;
limit_req zone=www burst=10;
limit_req zone=tarpit burst=2;
+ limit_req zone=reverse burst=5;
limit_req_status 429;
fastcgi_pass nominatim_service;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if ($forward_to_ui) {
- rewrite (.*).php http://$host/ui$1.html redirect;
+ rewrite (.*).php https://$host/ui$1.html redirect;
}
}
}
projects / chef.git / blobdiff