X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/14e316cd3e1ab5f25a54d0765ebad61ac665ccb4..200f486870c88f3916ede7bcb36b47b374a63901:/cookbooks/tile/templates/default/apache.erb
diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb
index a707cba05..9652ec825 100644
--- a/cookbooks/tile/templates/default/apache.erb
+++ b/cookbooks/tile/templates/default/apache.erb
@@ -19,6 +19,12 @@
DocumentRoot /srv/tile.openstreetmap.org/html
ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
+ # Get the real remote IP for requests via a trusted proxy
+ RemoteIPHeader Fastly-Client-IP
+<% @fastly.sort.each do |address| -%>
+ RemoteIPTrustedProxy <%= address %>
+<% end -%>
+
# Setup logging
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
CustomLog /var/log/apache2/access.log combined_with_remoteip
@@ -56,38 +62,30 @@
# Restrict tile access to CDN nodes and admins
+ Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}"
+ # Fastly POPs
<% @fastly.sort.each do |address| -%>
Require ip <%= address %>
<% end -%>
+ # StatusCake monitoring
<% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%>
Require ip <%= address %>
<% end -%>
+ # Administrators
<% @admins.sort.each do |address| -%>
Require ip <%= address %>
<% end -%>
- Require ip 130.117.76.0/27
- Require ip 2001:978:2:2C::/64
+ # OSM Amsterdam IPv4
+ Require ip 184.104.179.128/27
+ # OSM Amsterdam IPv6
+ Require ip 2001:470:1:fa1::/64
+ # OSM Dublin IPv4
Require ip 184.104.226.96/27
+ # OSM Dublin IPv6
Require ip 2001:470:1:b3b::/64
+ # OSM UCL IPv4
Require ip 193.60.236.0/24
-
- # Get the real remote IP for requests via a trusted proxy
- RemoteIPHeader Fastly-Client-IP
-<% @fastly.sort.each do |address| -%>
- RemoteIPTrustedProxy <%= address %>
-<% end -%>
-
- # Enforce rate limits
- RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
- RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
- RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
-
- # Internal endpoint for blocked users
-
- Header always set Cache-Control private
- Redirect 429
-