X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/7216c8838b0804eca05f44ca4ac8a33f7d9fec73..22076001213b1d8d27763c787ffc125931c7c164:/cookbooks/nominatim/templates/default/nginx.erb diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb index 2c22ae850..6f355dd11 100644 --- a/cookbooks/nominatim/templates/default/nginx.erb +++ b/cookbooks/nominatim/templates/default/nginx.erb @@ -1,5 +1,5 @@ upstream nominatim_service { - server 127.0.0.1:<%= @pools[:www][:port ]%>; + server unix:/run/php/php-nominatim.openstreetmap.org-fpm.sock; } map $uri $nominatim_script_name { @@ -24,6 +24,7 @@ map $uri/$format $forward_to_ui { ~/other$ 0; ~/reverse.*/default 0; ~/lookup.*/default 0; + ~/status.*/default 0; } map $query_string $email_id { @@ -49,14 +50,19 @@ map $http_referer $missing_referer { geo $whitelisted { default 0; <% @frontends.each do |frontend| -%> -<% frontend.ipaddresses(:role => :external) do |address| -%> +<% frontend.ipaddresses(:role => :external).sort.each do |address| -%> <%= address %> 1; <% end -%> <% end -%> 46.235.224.148 1; 209.132.180.180 1; 209.132.180.168 1; - 8.43.85.23 1; # gnome + 8.43.85.3 1; # gnome + 8.43.85.4 1; # gnome + 8.43.85.5 1; # gnome + 2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome + 2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome + 2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome } map $missing_email$missing_referer$http_user_agent $blocked_user_agent { @@ -86,9 +92,22 @@ map $blocked_user_agent $limit_tarpit { 2 $binary_remote_addr; } +map $missing_email$missing_referer$http_user_agent $generic_mozilla { + default 0; + ~^11Mozilla/4.0 1; + ~^11Mozilla/5.0 2; +} + +map $whitelisted$generic_mozilla$uri $limit_reverse { + default ""; + ~01/reverse.* $binary_remote_addr; + ~02/reverse.* $binary_remote_addr; +} + limit_req_zone $limit_www zone=www:50m rate=2r/s; limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s; limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m; +limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m; server { listen 80 default_server; @@ -114,9 +133,9 @@ server { server { # IPv4 - listen 443 ssl deferred backlog=16384 reuseport http2 default_server; + listen 443 ssl http2 default_server; # IPv6 - listen [::]:443 ssl deferred backlog=16384 reuseport http2 default_server; + listen [::]:443 ssl http2 default_server; server_name localhost; ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem; @@ -155,6 +174,10 @@ server { index search.html; } + location /qa-data/ { + add_header Access-Control-Allow-Origin "*" always; + } + location @php { if ($blocked_user_agent ~ ^2$) { return 403; } @@ -162,9 +185,11 @@ server { { return 403; } if ($blocked_email) { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; limit_req zone=www burst=10; - limit_req zone=tarpit burst=2; + limit_req zone=tarpit burst=5; + limit_req zone=reverse burst=5; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params; @@ -183,9 +208,11 @@ server { { return 403; } if ($blocked_email) { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; limit_req zone=www burst=10; limit_req zone=tarpit burst=2; + limit_req zone=reverse burst=5; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params;