X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/2443cfc7684f070dac2dd89772db3a3db5e50a78..366f2c3039f3115f856906fc19cc1fbae348fffc:/cookbooks/web/templates/default/apache.frontend.erb
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index b2bf38a2e..4ee4c459c 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -1,43 +1,44 @@
# DO NOT EDIT - This file is being maintained by Chef
-<% [80, 443].each do |port| -%>
->
+#
+# Setup logging
+#
+SetEnvIfNoCase Authorization "^Basic " AUTH_METHOD=basic
+SetEnvIfNoCase Authorization "^OAuth " AUTH_METHOD=oauth1
+SetEnvIfNoCase Authorization "^Bearer " AUTH_METHOD=oauth2
+SetEnvIfExpr "%{QUERY_STRING} =~ /(^|&)oauth_signature=/" AUTH_METHOD=oauth1
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{AUTH_METHOD}e" combined_with_time
+CustomLog /var/log/apache2/access.log combined_with_time
+ErrorLog /var/log/apache2/error.log
+
+
#
# Basic server configuration
#
ServerName <%= node[:fqdn] %>
ServerAlias api.openstreetmap.org www.openstreetmap.org 127.0.0.1
ServerAdmin webmaster@openstreetmap.org
-<% if port == 443 -%>
#
# Enable SSL
#
SSLEngine on
- SSLProxyEngine on
SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
- #
- # Disable HSTS for Firefox 52 to avoid issues with remote editing
- #
- BrowserMatch Firefox/52 no-hsts
- Header set Strict-Transport-Security "max-age=0" env=no-hsts
-<% end -%>
-
- #
- # Setup logging
- #
- LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time
- CustomLog /var/log/apache2/access.log combined_with_time
- ErrorLog /var/log/apache2/error.log
-
#
# Turn on various features
#
ExpiresActive On
RewriteEngine on
+ #
+ # Configure timeouts
+ #
+ TimeOut 10
+ RequestReadTimeout handshake=10-20,MinRate=500 header=10-20,MinRate=500 body=10-120,MinRate=500
+ LogLevel reqtimeout:info
+
#
# Add the unique ID to the request headers
#
@@ -67,9 +68,16 @@
RewriteRule . - [F,L]
#
- # Block requests for the old 404 map tile
+ # Block trace scraper
+ #
+ RewriteCond %{HTTP_USER_AGENT} "python-httpx/0.24.1"
+ RewriteRule . - [F,L]
+
+ #
+ # Block out of control spider
#
- RewriteRule ^/openlayers/img/404.png$ - [G,L]
+ RewriteCond %{HTTP_USER_AGENT} "Bytespider"
+ RewriteRule . - [F,L]
#
# Block attempts to access old API versions
@@ -88,6 +96,13 @@
#
RewriteRule ^/api/0.6/changeset/6823497/download$ - [F,L]
+ #
+ # Ignore Vicon Valerus "online" status pings
+ # https://gist.github.com/Firefishy/86ed5b86991b225179b54bbafbcd769e
+ #
+ RewriteCond "%{QUERY_STRING}" "^q=abcde&t=20"
+ RewriteRule "^/api/0\.6/notes/search$" - [R=429,L]
+
#
# Force special MIME type for crossdomain.xml files
#
@@ -100,17 +115,16 @@
#
Header unset Last-Modified
- Header unset ETag
- FileETag None
+ FileETag Size
ExpiresDefault "access plus 1 year"
+ Header set Cache-Control "immutable, max-age=31536000"
#
# Set expiry for attachments
#
- Header unset Last-Modified
Header unset ETag
FileETag None
@@ -126,31 +140,12 @@
ExpiresDefault "access plus 10 years"
-
- ExpiresDefault "access plus 10 years"
-
- ExpiresDefault "access plus 7 days"
-
-
- ExpiresDefault "access plus 10 years"
-
-
- #
- # Set expiry for Potlatch 1
- #
-
- ExpiresDefault "access plus 7 days"
-
+ Header unset Last-Modified
+ FileETag Size
- #
- # Set expiry for Potlatch 2
- #
-
- ExpiresByType application/x-shockwave-flash "access plus 1 day"
- ExpiresByType application/xml "access plus 1 day"
- ExpiresByType text/css "access plus 1 day"
- ExpiresByType image/png "access plus 7 days"
+ Header always set Cache-Control "public, max-age=31536000, immutable"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
#
@@ -161,56 +156,33 @@
PassengerMinInstances 10
PassengerMaxRequests 5000
PassengerMaxRequestQueueSize 250
-<% if port == 443 -%>
PassengerPreStart https://www.openstreetmap.org/
-<% else -%>
- PassengerPreStart http://www.openstreetmap.org/
-<% end -%>
+ PassengerAppGroupName rails
+ SetEnv OPENSTREETMAP_STATUS <%= @status %>
SetEnv SECRET_KEY_BASE <%= @secret_key_base %>
Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/favicons/favicon.ico
- Alias /openlayers <%= node[:web][:base_directory] %>/rails/vendor/assets/openlayers
- Alias /stats /store/rails/stats
- Alias /user/image /store/rails/user/image
- Alias /attachments /store/rails/attachments
-
- #
- # Preserve the host name when forwarding to the proxy
- #
- ProxyPreserveHost on
+ Alias /openlayers <%= node[:web][:base_directory] %>/static/openlayers
+ RedirectPermanent /stats https://planet.openstreetmap.org/statistics
#
- # Set a long timeout - changeset uploads can take a long time
+ # Pass authentication related headers to cgimap
#
- ProxyTimeout 3600
-
- #
- # Allow all proxy requests
- #
-
- Require all granted
-
-
- #
- # Pass some other API calls to the backends via a load balancer
- #
- ProxyPass /api/0.6/map balancer://backend/api/0.6/map
- ProxyPass /api/0.6/tracepoints balancer://backend/api/0.6/tracepoints
- ProxyPass /api/0.6/amf/read balancer://backend/api/0.6/amf/read
- ProxyPass /api/0.6/swf/trackpoints balancer://backend/api/0.6/swf/trackpoints
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/upload)$ balancer://ic$1
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/download)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+/(full|history|search|ways))$ balancer://backend$1
- ProxyPass /api/0.6/nodes balancer://backend/api/0.6/nodes
- ProxyPass /api/0.6/ways balancer://backend/api/0.6/ways
- ProxyPass /api/0.6/relations balancer://backend/api/0.6/relations
- ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://backend$1
+
+ CGIPassAuth On
+
#
- # Redirect ACME certificate challenges
+ # Pass supported calls to cgimap
#
- RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+ RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
+ RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
#
# Redirect trac and wiki requests to the right places
@@ -225,75 +197,19 @@
RedirectPermanent /images/cc_button.png https://www.openstreetmap.org/assets/cc_button.png
#
- # Define a load balancer for the local backends
- #
-
- ProxySet lbmethod=bybusyness
-<% node[:web][:backends].each do |backend| -%>
-<% if port == 443 -%>
- BalancerMember https://<%= backend %> disablereuse=on
-<% else -%>
- BalancerMember http://<%= backend %>
-<% end -%>
-<% end -%>
-
-
- #
- # Define a load balancer for the IC backends
- #
-
- ProxySet lbmethod=bybusyness
-<% ["rails1.ic", "rails2.ic", "rails3.ic"].each do |backend| -%>
-<% if port == 443 -%>
- BalancerMember https://<%= backend %> disablereuse=on
-<% else -%>
- BalancerMember http://<%= backend %>
-<% end -%>
-<% end -%>
-
-<% if port == 80 -%>
-
- #
- # Redirect requests which should be secure to https
- #
- RewriteCond %{REQUEST_URI} ^/login(\.html)?$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/(new|create-account\.html)$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/terms$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/save$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/([^/]+)/account$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/reset-password$
- RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
-
- #
- # Redirect api requests made to www.osm.org to api.osm.org
- #
-# RewriteCond %{HTTP_HOST} =www.openstreetmap.org
-# RewriteRule ^/api/(.*)$ http://api.openstreetmap.org/api/$1 [L,NE,R=permanent]
-
- #
- # Redirect non-api requests made to api.osm.org to www.osm.org
- #
- RewriteCond %{HTTP_HOST} =api.openstreetmap.org
- RewriteCond %{REQUEST_URI} !^/api/
- RewriteRule ^(.*)$ http://www.openstreetmap.org$1 [L,NE,R=permanent]
-<% elsif port == 443 -%>
-
- #
- # Redirect api requests made to www.osm.org to api.osm.org
+ # Redirect api requests made to www.openstreetmap.org to api.openstreetmap.org
#
# RewriteCond %{HTTP_HOST} =www.openstreetmap.org
# RewriteRule ^/api/(.*)$ https://api.openstreetmap.org/api/$1 [L,NE,R=permanent]
#
- # Redirect non-api requests made to api.osm.org to www.osm.org
+ # Redirect non-api requests made to api.openstreetmap.org to www.openstreetmap.org
#
RewriteCond %{HTTP_HOST} =api.openstreetmap.org
RewriteCond %{REQUEST_URI} !^/api/
RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
-<% end -%>
-<% end -%>
ServerName openstreetmap.org.uk
ServerAlias www.openstreetmap.org.uk
@@ -304,12 +220,59 @@
RedirectPermanent / https://www.openstreetmap.org/
+
+ ServerName osm.org
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://osm.org$1 [L,NE,R=permanent]
+
+
+
+ ServerName www.osm.org
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://www.osm.org$1 [L,NE,R=permanent]
+
+
ServerName openstreetmap.org
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://openstreetmap.org$1 [L,NE,R=permanent]
+
+
+
+ ServerName www.openstreetmap.org
ServerAlias *
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
RewriteEngine on
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
RewriteCond %{REQUEST_URI} !^/server-status$
RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
@@ -322,29 +285,49 @@
SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
RedirectPermanent / https://www.openstreetmap.org/
/rails/public>
Require all granted
-
-
- Require all granted
+ RewriteCond "%{HTTP:Accept-encoding}" "br"
+ RewriteCond "%{REQUEST_FILENAME}\.br" -s
+ RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.br" [QSA]
+
+ RewriteCond "%{HTTP:Accept-encoding}" "gzip"
+ RewriteCond "%{REQUEST_FILENAME}\.gz" -s
+ RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.gz" [QSA]
+
+ RewriteRule "\.css\.(br|gz)$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.ico\.(br|gz)$" "-" [T=image/vnd.microsoft.icon,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.js\.(br|gz)$" "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.json\.(br|gz)$" "-" [T=application/json,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.svg\.(br|gz)$" "-" [T=image/svg+xml,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.xml\.(br|gz)$" "-" [T=application/xml,E=no-gzip:1,E=no-brotli:1]
+
+
+ Header append Content-Encoding br
+ Header append Vary Accept-Encoding
+
+
+
+ Header append Content-Encoding gzip
+ Header append Vary Accept-Encoding
+
-
- Require all granted
-
-
-
+
Require all granted
-
+
Require all granted
-
+
Require all granted