]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/nominatim/templates/default/nginx.erb
Really set a limit on expiring long way segments
[chef.git] / cookbooks / nominatim / templates / default / nginx.erb
index def54f1ace9a6414dff411bdaee36dba1e61abb7..ddebe7c0b70fdb1a32e00e23c6edc2a38d2b766a 100644 (file)
@@ -7,9 +7,9 @@ upstream nominatim_service {
 }
 
 map $uri $nominatim_script_name {
 }
 
 map $uri $nominatim_script_name {
-    ~^(.+?\.php)         $1;
-    ~^/([^/]+)           $1.php;
-    ^$                   search.php;
+    ~^/*(.+?)\.php        $1;
+    ~^/*([^/]+)           $1;
+    ^$                   search;
 }
 
 map $uri $nominatim_path_info {
 }
 
 map $uri $nominatim_path_info {
@@ -69,7 +69,12 @@ geo $whitelisted {
     2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
 }
 
     2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome
 }
 
-map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
+map $server_protocol$http_user_agent $cleaned_user_agent {
+    default $http_user_agent;
+    "~^HTTP/1..Mozilla/" Script$http_user_agent;
+}
+
+map $missing_email$missing_referer$cleaned_user_agent $blocked_user_agent {
    default 0;
    "11" 2; # block any requests without identifier
    include <%= @confdir %>/nginx_blocked_user_agent.conf;
    default 0;
    "11" 2; # block any requests without identifier
    include <%= @confdir %>/nginx_blocked_user_agent.conf;
@@ -188,12 +193,17 @@ server {
     }
 
     location @php {
     }
 
     location @php {
+        if ($forward_to_ui) {
+            rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
+        }
         if ($blocked_user_agent ~ ^2$)
         { return 403; }
         if ($blocked_referrer)
         { return 403; }
         if ($blocked_email)
         { return 403; }
         if ($blocked_user_agent ~ ^2$)
         { return 403; }
         if ($blocked_referrer)
         { return 403; }
         if ($blocked_email)
         { return 403; }
+        if ($args ~* "q=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ &]")
+        { return 418; }
         include <%= @confdir %>/nginx_blocked_generic.conf;
 
         limit_req zone=www burst=10;
         include <%= @confdir %>/nginx_blocked_generic.conf;
 
         limit_req zone=www burst=10;
@@ -211,8 +221,9 @@ server {
         if ($request_method = 'OPTIONS') {
           add_header 'Content-Type' 'text/plain; charset=UTF-8';
           add_header 'Content-Length' 0;
         if ($request_method = 'OPTIONS') {
           add_header 'Content-Type' 'text/plain; charset=UTF-8';
           add_header 'Content-Length' 0;
-          add_header Access-Control-Allow-Origin "*" always;
-          add_header Access-Control-Allow-Methods 'GET,OPTIONS' always;
+          add_header Access-Control-Allow-Origin "*";
+          add_header Access-Control-Allow-Methods 'GET,OPTIONS';
+          add_header Access-Control-Allow-Headers $http_access_control_request_headers;
           return 204;
         }
 
           return 204;
         }
 
@@ -222,9 +233,6 @@ server {
         proxy_redirect off;
         proxy_pass http://nominatim_service;
 <% end -%>
         proxy_redirect off;
         proxy_pass http://nominatim_service;
 <% end -%>
-        if ($forward_to_ui) {
-            rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
-        }
     }
 
 <% if node[:nominatim][:api_flavour] == "php" %>
     }
 
 <% if node[:nominatim][:api_flavour] == "php" %>