X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/45d560c26e7b69e73d8e5fa56eeb504000823a40..f61fef8f4ef75e9fc9a6a0421b9e3c5304c79784:/cookbooks/nominatim/templates/default/nginx.erb?ds=sidebyside diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb index ef0a2fdc8..a44e9382c 100644 --- a/cookbooks/nominatim/templates/default/nginx.erb +++ b/cookbooks/nominatim/templates/default/nginx.erb @@ -1,3 +1,7 @@ +upstream nominatim_service { + server unix:/run/php/nominatim.openstreetmap.org.sock; +} + map $uri $nominatim_script_name { ~^(.+?\.php) $1; ~^/([^/]+) $1.php; @@ -8,19 +12,44 @@ map $uri $nominatim_path_info { ~^/([^/]+)(.*)$ $2; } +map $args $format { + default default; + ~(^|&)format=html(&|$) html; + ~(^|&)format= other; +} + +map $uri/$format $forward_to_ui { + default 1; + ~^/ui 0; + ~/other$ 0; + ~/reverse.*/default 0; + ~/lookup.*/default 0; +} + map $query_string $email_id { ~(^|&)email=([^&]+) $2; } -upstream nominatim_service { - server 127.0.0.1:<%= @pools[:www][:port ]%>; +map $email_id $missing_email { + default ""; + "" 1; +} + +map $http_user_agent $missing_ua { + default ""; + "" 1; +} + +map $http_referer $missing_referer { + default ""; + "" 1; } # Whitelisted IPs geo $whitelisted { default 0; <% @frontends.each do |frontend| -%> -<% frontend.ipaddresses(:role => :external) do |address| -%> +<% frontend.ipaddresses(:role => :external).sort.each do |address| -%> <%= address %> 1; <% end -%> <% end -%> @@ -30,16 +59,22 @@ geo $whitelisted { 8.43.85.23 1; # gnome } -map $http_user_agent $blocked_user_agent { +map $missing_email$missing_referer$http_user_agent $blocked_user_agent { default 0; + "11" 2; # block any requests without identifier include <%= @confdir %>/nginx_blocked_user_agent.conf; } -map $http_referer $blocked_referrer { +map $missing_email$missing_ua$http_referer $blocked_referrer { default 0; include <%= @confdir %>/nginx_blocked_referrer.conf; } +map $missing_referer$missing_ua$email_id $blocked_email { + default 0; + include <%= @confdir %>/nginx_blocked_email.conf; +} + map $whitelisted $limit_www { 1 ""; 0 $binary_remote_addr; @@ -51,15 +86,31 @@ map $blocked_user_agent $limit_tarpit { 2 $binary_remote_addr; } +map $missing_email$missing_referer$http_user_agent $generic_mozilla { + default 0; + ~^11Mozilla/4.0 1; + ~^11Mozilla/5.0 2; +} + +map $whitelisted$generic_mozilla$uri $limit_reverse { + default ""; + ~01/reverse.* $binary_remote_addr; + ~02/reverse.* $binary_remote_addr; +} + limit_req_zone $limit_www zone=www:50m rate=2r/s; limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s; limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m; +limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m; server { - listen 80 default_server; - listen [::]:80 default_server; + listen 80 default_server; + listen [::]:80 default_server; - location /nginx_status { + access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined; + error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log; + + location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; @@ -67,18 +118,18 @@ server { deny all; } - rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent; + rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent; - location / { - return 301 https://$host$request_uri; - } + location / { + return 301 https://$host$request_uri; + } } server { # IPv4 - listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen 443 ssl deferred backlog=16384 reuseport http2 default_server; # IPv6 - listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen [::]:443 ssl deferred backlog=16384 reuseport http2 default_server; server_name localhost; ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem; @@ -109,34 +160,56 @@ server { } location / { - set $anyid $http_referer$http_user_agent$email_id; - if ($anyid = "") - { return 403; } + try_files $uri $uri/ @php; + } + + location /ui/ { + alias <%= @ui_directory %>/dist/; + index search.html; + } + + location @php { if ($blocked_user_agent ~ ^2$) { return 403; } if ($blocked_referrer) { return 403; } + if ($blocked_email) + { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; - try_files $uri $uri/ @php; - } - - location @php { limit_req zone=www burst=10; limit_req zone=tarpit burst=2; + limit_req zone=reverse burst=5; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params; fastcgi_param QUERY_STRING $args; fastcgi_param PATH_INFO "$nominatim_path_info"; fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name"; + if ($forward_to_ui) { + rewrite ^(/[^/]*) https://$host/ui$1.html redirect; + } } location ~* \.php$ { + if ($blocked_user_agent ~ ^2$) + { return 403; } + if ($blocked_referrer) + { return 403; } + if ($blocked_email) + { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; + limit_req zone=www burst=10; limit_req zone=tarpit burst=2; + limit_req zone=reverse burst=5; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + if ($forward_to_ui) { + rewrite (.*).php https://$host/ui$1.html redirect; + } } }