X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/14e316cd3e1ab5f25a54d0765ebad61ac665ccb4..200f486870c88f3916ede7bcb36b47b374a63901:/cookbooks/tile/templates/default/apache.erb diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb index a707cba05..9652ec825 100644 --- a/cookbooks/tile/templates/default/apache.erb +++ b/cookbooks/tile/templates/default/apache.erb @@ -19,6 +19,12 @@ DocumentRoot /srv/tile.openstreetmap.org/html ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/ + # Get the real remote IP for requests via a trusted proxy + RemoteIPHeader Fastly-Client-IP +<% @fastly.sort.each do |address| -%> + RemoteIPTrustedProxy <%= address %> +<% end -%> + # Setup logging LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip CustomLog /var/log/apache2/access.log combined_with_remoteip @@ -56,38 +62,30 @@ # Restrict tile access to CDN nodes and admins + Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}" + # Fastly POPs <% @fastly.sort.each do |address| -%> Require ip <%= address %> <% end -%> + # StatusCake monitoring <% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%> Require ip <%= address %> <% end -%> + # Administrators <% @admins.sort.each do |address| -%> Require ip <%= address %> <% end -%> - Require ip 130.117.76.0/27 - Require ip 2001:978:2:2C::/64 + # OSM Amsterdam IPv4 + Require ip 184.104.179.128/27 + # OSM Amsterdam IPv6 + Require ip 2001:470:1:fa1::/64 + # OSM Dublin IPv4 Require ip 184.104.226.96/27 + # OSM Dublin IPv6 Require ip 2001:470:1:b3b::/64 + # OSM UCL IPv4 Require ip 193.60.236.0/24 - - # Get the real remote IP for requests via a trusted proxy - RemoteIPHeader Fastly-Client-IP -<% @fastly.sort.each do |address| -%> - RemoteIPTrustedProxy <%= address %> -<% end -%> - - # Enforce rate limits - RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map - RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$ - RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT] - - # Internal endpoint for blocked users - - Header always set Cache-Control private - Redirect 429 -