# DO NOT EDIT - This file is being maintained by Chef
+#
+# Setup logging
+#
+SetEnvIfNoCase Authorization "^Basic " AUTH_METHOD=basic
+SetEnvIfNoCase Authorization "^OAuth " AUTH_METHOD=oauth1
+SetEnvIfNoCase Authorization "^Bearer " AUTH_METHOD=oauth2
+SetEnvIfExpr "%{QUERY_STRING} =~ /(^|&)oauth_signature=/" AUTH_METHOD=oauth1
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{AUTH_METHOD}e" combined_with_time
+CustomLog /var/log/apache2/access.log combined_with_time
+ErrorLog /var/log/apache2/error.log
+
<VirtualHost *:443>
#
# Basic server configuration
# Enable SSL
#
SSLEngine on
- SSLProxyEngine on
SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
- #
- # Setup logging
- #
- LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time
- CustomLog /var/log/apache2/access.log combined_with_time
- ErrorLog /var/log/apache2/error.log
-
#
# Turn on various features
#
ExpiresActive On
RewriteEngine on
+ #
+ # Configure timeouts
+ #
+ RequestReadTimeout handshake=20-40,MinRate=500 header=20-40,MinRate=500 body=20-120,MinRate=500
+ LogLevel reqtimeout:info
+
#
# Add the unique ID to the request headers
#
RewriteRule . - [F,L]
#
- # Block requests for the old 404 map tile
+ # Block trace scraper
+ #
+ RewriteCond %{HTTP_USER_AGENT} "python-httpx/0.24.1"
+ RewriteRule . - [F,L]
+
+ #
+ # Block out of control spider
#
- RewriteRule ^/openlayers/img/404.png$ - [G,L]
+ RewriteCond %{HTTP_USER_AGENT} "Bytespider"
+ RewriteRule . - [F,L]
#
# Block attempts to access old API versions
#
RewriteRule ^/api/0.6/changeset/6823497/download$ - [F,L]
+ #
+ # Ignore Vicon Valerus "online" status pings
+ # https://gist.github.com/Firefishy/86ed5b86991b225179b54bbafbcd769e
+ #
+ RewriteCond "%{QUERY_STRING}" "^q=abcde&t=20"
+ RewriteRule "^/api/0\.6/notes/search$" - [R=429,L]
+
#
# Force special MIME type for crossdomain.xml files
#
#
<Location /assets/>
Header unset Last-Modified
- Header unset ETag
- FileETag None
+ FileETag Size
ExpiresDefault "access plus 1 year"
+ Header set Cache-Control "immutable, max-age=31536000"
</Location>
#
# Set expiry for attachments
#
<Location /attachments/>
- Header unset Last-Modified
Header unset ETag
FileETag None
<Location /images/>
ExpiresDefault "access plus 10 years"
</Location>
- <Location /javascripts/>
- ExpiresDefault "access plus 10 years"
- </Location>
<Location /openlayers/>
- ExpiresDefault "access plus 7 days"
- </Location>
- <Location /stylesheets/>
- ExpiresDefault "access plus 10 years"
- </Location>
-
- #
- # Set expiry for Potlatch 1
- #
- <Location /potlatch/>
- ExpiresDefault "access plus 7 days"
- </Location>
+ Header unset Last-Modified
+ FileETag Size
- #
- # Set expiry for Potlatch 2
- #
- <Location /potlatch2/>
- ExpiresByType application/x-shockwave-flash "access plus 1 day"
- ExpiresByType application/xml "access plus 1 day"
- ExpiresByType text/css "access plus 1 day"
- ExpiresByType image/png "access plus 7 days"
+ Header always set Cache-Control "public, max-age=31536000, immutable"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
</Location>
#
PassengerMaxRequestQueueSize 250
PassengerPreStart https://www.openstreetmap.org/
PassengerAppGroupName rails
+ SetEnv OPENSTREETMAP_STATUS <%= @status %>
SetEnv SECRET_KEY_BASE <%= @secret_key_base %>
Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/favicons/favicon.ico
- Alias /openlayers <%= node[:web][:base_directory] %>/rails/vendor/assets/openlayers
- Alias /stats /store/rails/stats
- Alias /user/image /store/rails/user/image
- Alias /attachments /store/rails/attachments
-
- #
- # Preserve the host name when forwarding to the proxy
- #
- ProxyPreserveHost on
+ Alias /openlayers <%= node[:web][:base_directory] %>/static/openlayers
+ RedirectPermanent /stats https://planet.openstreetmap.org/statistics
#
- # Set a long timeout - changeset uploads can take a long time
+ # Pass authentication related headers to cgimap
#
- ProxyTimeout 3600
-
- #
- # Allow all proxy requests
- #
- <Proxy *>
- Require all granted
- </Proxy>
+ <Location />
+ CGIPassAuth On
+ </Location>
#
- # Pass some other API calls to the backends via a load balancer
+ # Pass supported calls to cgimap
#
- ProxyPass /api/0.6/map balancer://backend/api/0.6/map
- ProxyPass /api/0.6/tracepoints balancer://backend/api/0.6/tracepoints
- ProxyPass /api/0.6/amf/read balancer://backend/api/0.6/amf/read
- ProxyPass /api/0.6/swf/trackpoints balancer://backend/api/0.6/swf/trackpoints
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/upload)$ balancer://bytemark$1
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/download)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+/(full|history|search|ways))$ balancer://backend$1
- ProxyPass /api/0.6/nodes balancer://backend/api/0.6/nodes
- ProxyPass /api/0.6/ways balancer://backend/api/0.6/ways
- ProxyPass /api/0.6/relations balancer://backend/api/0.6/relations
- ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://backend$1
+ RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
+ RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
#
# Redirect trac and wiki requests to the right places
RedirectPermanent /images/cc_button.png https://www.openstreetmap.org/assets/cc_button.png
#
- # Define a load balancer for the local backends
- #
- <Proxy balancer://backend>
- ProxySet lbmethod=bybusyness
-<% node[:web][:backends].each do |backend| -%>
- BalancerMember https://<%= backend %> disablereuse=on
-<% end -%>
- </Proxy>
-
- #
- # Define a load balancer for the IC backends
- #
- <Proxy balancer://ic>
- ProxySet lbmethod=bybusyness
-<% ["rails1.ic", "rails2.ic", "rails3.ic"].each do |backend| -%>
- BalancerMember https://<%= backend %> disablereuse=on
-<% end -%>
- </Proxy>
-
- #
- # Define a load balancer for the Bytemark backends
- #
- <Proxy balancer://bytemark>
- ProxySet lbmethod=bybusyness
-<% ["rails4.bm", "rails5.bm"].each do |backend| -%>
- BalancerMember https://<%= backend %> disablereuse=on
-<% end -%>
- </Proxy>
-
- #
- # Redirect api requests made to www.osm.org to api.osm.org
+ # Redirect api requests made to www.openstreetmap.org to api.openstreetmap.org
#
# RewriteCond %{HTTP_HOST} =www.openstreetmap.org
# RewriteRule ^/api/(.*)$ https://api.openstreetmap.org/api/$1 [L,NE,R=permanent]
#
- # Redirect non-api requests made to api.osm.org to www.osm.org
+ # Redirect non-api requests made to api.openstreetmap.org to www.openstreetmap.org
#
RewriteCond %{HTTP_HOST} =api.openstreetmap.org
RewriteCond %{REQUEST_URI} !^/api/
RedirectPermanent / https://www.openstreetmap.org/
</VirtualHost>
+<VirtualHost *:80>
+ ServerName osm.org
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://osm.org$1 [L,NE,R=permanent]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName www.osm.org
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://www.osm.org$1 [L,NE,R=permanent]
+</VirtualHost>
+
<VirtualHost *:80>
ServerName openstreetmap.org
- ServerAlias *
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
RewriteEngine on
RewriteRule ^(.*)$ https://openstreetmap.org$1 [L,NE,R=permanent]
</VirtualHost>
+<VirtualHost *:80>
+ ServerName www.openstreetmap.org
+ ServerAlias *
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
+</VirtualHost>
+
<VirtualHost *:443>
ServerName openstreetmap.org
ServerAlias *
SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
RedirectPermanent / https://www.openstreetmap.org/
</VirtualHost>
<Directory <%= node[:web][:base_directory] %>/rails/public>
Require all granted
-</Directory>
-<Directory /srv/www.openstreetmap.org/rails/app/assets>
- Require all granted
+ RewriteCond "%{HTTP:Accept-encoding}" "br"
+ RewriteCond "%{REQUEST_FILENAME}\.br" -s
+ RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.br" [QSA]
+
+ RewriteCond "%{HTTP:Accept-encoding}" "gzip"
+ RewriteCond "%{REQUEST_FILENAME}\.gz" -s
+ RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.gz" [QSA]
+
+ RewriteRule "\.css\.(br|gz)$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.ico\.(br|gz)$" "-" [T=image/vnd.microsoft.icon,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.js\.(br|gz)$" "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.json\.(br|gz)$" "-" [T=application/json,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.svg\.(br|gz)$" "-" [T=image/svg+xml,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.xml\.(br|gz)$" "-" [T=application/xml,E=no-gzip:1,E=no-brotli:1]
+
+ <FilesMatch "\.(css|ico|js|json|svg|xml)\.br$">
+ Header append Content-Encoding br
+ Header append Vary Accept-Encoding
+ </FilesMatch>
+
+ <FilesMatch "\.(css|ico|js|json|svg|xml)\.gz$">
+ Header append Content-Encoding gzip
+ Header append Vary Accept-Encoding
+ </FilesMatch>
</Directory>
-<Directory /srv/www.openstreetmap.org/rails/vendor/assets>
+<Directory /srv/www.openstreetmap.org/static>
Require all granted
</Directory>
-<Directory /store/rails/stats>
- Require all granted
-</Directory>
-
-<Directory /store/rails/user/image>
+<Directory /srv/www.openstreetmap.org/rails/app/assets>
Require all granted
</Directory>
-<Directory /store/rails/attachments>
+<Directory /srv/www.openstreetmap.org/rails/vendor/assets>
Require all granted
</Directory>