X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/58d0fd170746360fe4c91782c9004807a281d148..7f9be6dad4ab03828bc242cc1d7d9b9a75ea4518:/cookbooks/nominatim/templates/default/nginx.erb
diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb
index 3ba964660..fd4ed93fa 100644
--- a/cookbooks/nominatim/templates/default/nginx.erb
+++ b/cookbooks/nominatim/templates/default/nginx.erb
@@ -1,3 +1,7 @@
+upstream nominatim_service {
+ server 127.0.0.1:<%= @pools[:www][:port ]%>;
+}
+
 map $uri $nominatim_script_name {
 ~^(.+?\.php) $1;
 ~^/([^/]+) $1.php;
@@ -12,8 +16,19 @@ map $query_string $email_id {
 ~(^|&)email=([^&]+) $2;
 }
 
-upstream nominatim_service {
- server 127.0.0.1:<%= @pools[:www][:port ]%>;
+map $email_id $missing_email {
+ default "";
+ "" 1;
+}
+
+map $http_user_agent $missing_ua {
+ default "";
+ "" 1;
+}
+
+map $http_referer $missing_referer {
+ default "";
+ "" 1;
 }
 
 # Whitelisted IPs
@@ -21,7 +36,7 @@ geo $whitelisted {
 default 0;
 <% @frontends.each do |frontend| -%>
 <% frontend.ipaddresses(:role => :external) do |address| -%>
- <%= address %>;
+ <%= address %> 1;
 <% end -%>
 <% end -%>
 46.235.224.148 1;
@@ -30,16 +45,22 @@ geo $whitelisted {
 8.43.85.23 1; # gnome
 }
 
-map $http_user_agent $blocked_user_agent {
+map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
 default 0;
+ "11" 2; # block any requests without identifier
 include <%= @confdir %>/nginx_blocked_user_agent.conf;
 }
 
-map $http_referer $blocked_referrer {
+map $missing_email$missing_ua$http_referer $blocked_referrer {
 default 0;
 include <%= @confdir %>/nginx_blocked_referrer.conf;
 }
 
+map $missing_referer$missing_ua$email_id $blocked_email {
+ default 0;
+ include <%= @confdir %>/nginx_blocked_email.conf;
+}
+
 map $whitelisted $limit_www {
 1 "";
 0 $binary_remote_addr;
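Review bot: In the rewritten `map $missing_email$missing_referer$http_user_agent $blocked_user_agent {` (and likewise the rekeyed `$blocked_referrer` map and the new `$blocked_email` map) the entries pulled in by `include` are now matched against a composite key that carries a `1` prefix whenever the other identifiers are absent, so any plain-string or `^`-anchored entry in nginx_blocked_user_agent.conf, nginx_blocked_referrer.conf or nginx_blocked_email.conf silently stops matching for exactly the requests that send only that one identifier; I cannot see those files, so this is only safe if every entry is an unanchored `~` regex. Concretely, a bot whose user agent is listed verbatim would get past the block by omitting the Referer header, since its key becomes `1<agent>`. The "nothing identifies the client" rule that replaces the old `$anyid` check can live in its own map keyed on the three `$missing_*` flags, leaving the blocklist maps keyed on the bare variable as before and adding `if ($missing_id) { return 403; }` to `location /` in the last hunk.
```nginx
# Set when none of email, Referer or User-Agent is present.
map $missing_email$missing_referer$missing_ua $missing_id {
 default 0;
 "111" 1;
}

map $http_user_agent $blocked_user_agent {
 default 0;
 include <%= @confdir %>/nginx_blocked_user_agent.conf;
}
# … unchanged: $blocked_referrer and $blocked_email maps, keyed on $http_referer and $email_id the same way …
```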
@@ -55,12 +76,32 @@ limit_req_zone $limit_www zone=www:50m rate=2r/s;
 limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
 limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
 
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
+ error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;
+
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ }
+
+ rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
 server {
 # IPv4
- listen 80 deferred backlog=16384 reuseport fastopen=2048 default_server;
 listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
 # IPv6
- listen [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server;
 listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
 
 server_name localhost;
@@ -92,13 +133,12 @@ server {
 }
 
 location / {
- set $anyid $http_referer$http_user_agent$email_id;
- if ($anyid = "")
- { return 403; }
 if ($blocked_user_agent ~ ^2$)
 { return 403; }
 if ($blocked_referrer)
 { return 403; }
+ if ($blocked_email)
+ { return 403; }
 
 try_files $uri $uri/ @php;
 }
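Review bot: The added `listen 80 default_server;` and `listen [::]:80 default_server;` drop the `deferred backlog=16384 reuseport fastopen=2048` options that the removed port-80 `listen` lines carried, so the plain-HTTP redirector now accepts with nginx's default backlog while the 443 listeners on the context lines keep 16384; on a public endpoint that is a real loss of resilience under connection floods, and `listen 80 deferred backlog=16384 reuseport default_server;` (fastopen is optional for a redirect-only server) restores it. A smaller point on `return 301 https://$host$request_uri;`: `$host` reflects whatever Host header the client sent, and with no Host header it falls back to this server's name, which is not set in this block, so an HTTP/1.0 request should end up redirected to `https:///…` — worth confirming. If this vhost only serves nominatim.openstreetmap.org, as the access_log name suggests, `return 301 https://nominatim.openstreetmap.org$request_uri;` avoids both the malformed Location and redirecting to an attacker-chosen host.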
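Review bot: The added `if ($blocked_email)` treats any non-zero value from nginx_blocked_email.conf as a hard 403, while the neighbouring `if ($blocked_user_agent ~ ^2$)` blocks only on value 2 and the `"11" 2; # block any requests without identifier` entry added in the same commit suggests 2 means block and lower values mean something milder (presumably the tarpit zone declared above — I cannot see the include files). If the email blocklist will ever carry values other than 0 and 2 the check should be `if ($blocked_email ~ ^2$)`; otherwise a comment such as `# nginx_blocked_email.conf only uses 0/1, so any non-zero value blocks` would stop the next entry from being misread. The enclosing `server {` block begins outside this hunk.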