X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/14e316cd3e1ab5f25a54d0765ebad61ac665ccb4..e92ed5e09215d67f2bd7dc21a32425d7ec5aa26f:/cookbooks/tile/templates/default/apache.erb

diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb
index a707cba05..9652ec825 100644
--- a/cookbooks/tile/templates/default/apache.erb
+++ b/cookbooks/tile/templates/default/apache.erb
@@ -19,6 +19,12 @@
   DocumentRoot /srv/tile.openstreetmap.org/html
   ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
 
+  # Get the real remote IP for requests via a trusted proxy
+  RemoteIPHeader Fastly-Client-IP
+<% @fastly.sort.each do |address| -%>
+  RemoteIPTrustedProxy <%= address %>
+<% end -%>
+
   # Setup logging
   LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
   CustomLog /var/log/apache2/access.log combined_with_remoteip
@@ -56,38 +62,30 @@
 
   # Restrict tile access to CDN nodes and admins
   <LocationMatch ^/default/\d+/\d+/\d+\.png$>
+    Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}"
+    # Fastly POPs
 <% @fastly.sort.each do |address| -%>
     Require ip <%= address %>
 <% end -%>
+    # StatusCake monitoring
 <% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%>
     Require ip <%= address %>
 <% end -%>
+    # Administrators
 <% @admins.sort.each do |address| -%>
     Require ip <%= address %>
 <% end -%>
-    Require ip 130.117.76.0/27
-    Require ip 2001:978:2:2C::/64
+    # OSM Amsterdam IPv4
+    Require ip 184.104.179.128/27
+    # OSM Amsterdam IPv6
+    Require ip 2001:470:1:fa1::/64
+    # OSM Dublin IPv4
     Require ip 184.104.226.96/27
+    # OSM Dublin IPv6
     Require ip 2001:470:1:b3b::/64
+    # OSM UCL IPv4
     Require ip 193.60.236.0/24
   </LocationMatch>
-
-  # Get the real remote IP for requests via a trusted proxy
-  RemoteIPHeader Fastly-Client-IP
-<% @fastly.sort.each do |address| -%>
-  RemoteIPTrustedProxy <%= address %>
-<% end -%>
-
-  # Enforce rate limits
-  RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
-  RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
-  RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
-
-  # Internal endpoint for blocked users
-  <Location /blocked>
-    Header always set Cache-Control private
-    Redirect 429
-  </Location>
 </VirtualHost>
 
 <VirtualHost *:80>