X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/326a072ad0025a729806c9c9ab1d98effc65886a..d7eb7df41c4c67b388e191a3da66714eb4bd6cd8:/cookbooks/web/templates/default/apache.backend.erb?ds=sidebyside diff --git a/cookbooks/web/templates/default/apache.backend.erb b/cookbooks/web/templates/default/apache.backend.erb index 336ab56c5..b69b3f0e6 100644 --- a/cookbooks/web/templates/default/apache.backend.erb +++ b/cookbooks/web/templates/default/apache.backend.erb @@ -1,25 +1,24 @@ # DO NOT EDIT - This file is being maintained by Chef -<% [80, 443].each do |port| -%> -> + # # Basic server configuration # ServerName <%= node[:fqdn] %> ServerAlias api.openstreetmap.org www.openstreetmap.org ServerAdmin webmaster@openstreetmap.org -<% if port == 443 -%> # # Enable SSL # SSLEngine on -<% end -%> + SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem + SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key # # Setup logging # - LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Ts" combined_with_time + LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time CustomLog /var/log/apache2/access.log combined_with_time ErrorLog /var/log/apache2/error.log @@ -28,6 +27,11 @@ # RewriteEngine on + # + # Recover the unique ID from the request headers + # + SetEnvIf X-Request-Id ^(.*)$ UNIQUE_ID=$1 + # # Configure rails # @@ -35,28 +39,38 @@ RailsEnv production PassengerMinInstances 3 PassengerMaxRequests 500 - PassengerPreStart http://www.openstreetmap.org/ + PassengerPreStart https://www.openstreetmap.org/ + PassengerAppGroupName rails + SetEnv OPENSTREETMAP_STATUS <%= @status %> SetEnv SECRET_KEY_BASE <%= @secret_key_base %> # # Get the real remote IP for requests via a trusted proxy # RemoteIPHeader X-Forwarded-For - RemoteIPTrustedProxy 146.179.159.160/27 + RemoteIPTrustedProxy 10.0.32.0/24 + RemoteIPTrustedProxy 10.0.48.0/24 + + # + # Pass authentication related headers to cgimap + # + + CGIPassAuth On + # # Pass supported calls to cgimap # - RewriteRule ^/api/0\.6/map$ - [H=fcgi:127.0.0.1:8000] + RewriteRule ^/api/0\.6/map$ fcgi://127.0.0.1:8000$0 [P] RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$ -<% if node[:lsb][:release].to_f >= 14.04 -%> - RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+$ fcgi://127.0.0.1:8000$0 [P] + RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+$ fcgi://127.0.0.1:8000$0 [P] + RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history$ fcgi://127.0.0.1:8000$0 [P] RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full$ fcgi://127.0.0.1:8000$0 [P] RewriteRule ^/api/0\.6/(nodes|ways|relations)$ fcgi://127.0.0.1:8000$0 [P] -<% else -%> - RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+$ - [H=fcgi:127.0.0.1:8000] - RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full$ - [H=fcgi:127.0.0.1:8000] - RewriteRule ^/api/0\.6/(nodes|ways|relations)$ - [H=fcgi:127.0.0.1:8000] -<% end -%> + RewriteRule ^/api/0\.6/changeset/[0-9]+/download$ fcgi://127.0.0.1:8000$0 [P] + RewriteRule ^/api/0\.6/changeset/[0-9]+/upload$ fcgi://127.0.0.1:8000$0 [P] -<% end -%> + +/rails/public> + Require all granted +