X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/7b8e6c5716a77a423e9d0e3d87b217ebcedfaecd..61ba6f810b825a7e456579a60eb9b1a9c7d11a36:/cookbooks/tilecache/templates/default/nginx_tile.conf.erb

diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
index 7fb979c4a..1dfad9cf4 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
@@ -146,9 +146,22 @@ map $http_referer $denied_referer {
   '~^https?://geoportal360\.pl/'         1;
   '~^https?://skelbiu\.lt/'              1;
   '~^https?://[^.]*\.skelbiu\.lt/'       1;
-  # '~^https?://[^.]*\.wialon.com/'        1; # (hold per 2020-04-10 email)
+  '~^https?://wialon\.[^.]*/'            1; # wialon has many domains, so block them all
+  '~^https?://[^.]*\.wialon\.[^.]*/'     1;
+  '~^https?://gps-trace\.com/'           1;
+  '~^https?://[^.]*\.gps-trace\.com/'    1;
+  '~^https?://cellmapper\.net/'          1;
+  '~^https?://[^.]*\.cellmapper\.net/'   1;
 }
 
+map $http_referer $censored_referer {
+  default                                 0; # Not denied
+  # Legal Reasons
+  '~^https?://schiebt-sie-ab\.de/'        1;
+  '~^https?://[^.]*\.schiebt-sie-ab\.de/' 1;
+}
+
+
 map $http_referer $osm_referer {
   default                                 '';    # False
   '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True
@@ -187,11 +200,11 @@ map $tile_cache$http_referer$scheme$http_user_agent $deny_missing_referer {
 
 server {
     # IPv4
-    listen       80 deferred backlog=16384 reuseport fastopen=2048 default_server;
-    listen       443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
+    listen       80 deferred backlog=16384 reuseport default_server;
+    listen       443 ssl deferred backlog=16384 reuseport http2 default_server;
     # IPv6
-    listen       [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server;
-    listen       [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
+    listen       [::]:80 deferred backlog=16384 reuseport default_server;
+    listen       [::]:443 ssl deferred backlog=16384 reuseport http2 default_server;
     server_name  localhost;
 
     proxy_buffers 8 64k;
@@ -212,31 +225,64 @@ server {
 <% end %>
 
     # Immediately 404 silly tile requests
+    location = /0/-1/-1.png {
+      return 404;
+    }
+    location = /0/-1/0.png {
+      return 404;
+    }
+    location = /0/-1/1.png {
+      return 404;
+    }
     location = /0/0/-1.png {
       return 404;
     }
-    location = /1/0/-1.png {
+    location = /0/0/1.png {
       return 404;
     }
-    location = /1/-1/0.png {
+    location = /0/0/2.png {
       return 404;
     }
-    location = /1/-1/1.png {
+    location = /0/1/-1.png {
+      return 404;
+    }
+    location = /0/1/0.png {
+      return 404;
+    }
+    location = /0/1/1.png {
+      return 404;
+    }
+    location = /0/1/2.png {
+      return 404;
+    }
+    location = /0/2/0.png {
+      return 404;
+    }
+    location = /0/2/1.png {
+      return 404;
+    }
+    location = /0/2/2.png {
       return 404;
     }
     location = /1/-1/-1.png {
       return 404;
     }
+    location = /1/-1/0.png {
+      return 404;
+    }
+    location = /1/-1/1.png {
+      return 404;
+    }
     location = /1/-1/2.png {
       return 404;
     }
-    location = /1/1/-1.png {
+    location = /1/0/-1.png {
       return 404;
     }
-    location = /1/2/-1.png {
+    location = /1/1/-1.png {
       return 404;
     }
-    location = /2/0/-1.png {
+    location = /1/2/-1.png {
       return 404;
     }
     location = /2/-1/0.png {
@@ -245,13 +291,40 @@ server {
     location = /2/-1/1.png {
       return 404;
     }
+    location = /2/-1/2.png {
+      return 404;
+    }
+    location = /2/-1/3.png {
+      return 404;
+    }
+    location = /2/0/-1.png {
+      return 404;
+    }
     location = /2/1/-1.png {
       return 404;
     }
-    location = /2/-1/2.png {
+    location = /2/1/4.png {
       return 404;
     }
-    location = /2/-1/3.png {
+    location = /2/2/4.png {
+      return 404;
+    }
+    location = /2/3/4.png {
+      return 404;
+    }
+    location = /2/4/0.png {
+      return 404;
+    }
+    location = /2/4/1.png {
+      return 404;
+    }
+    location = /2/4/2.png {
+      return 404;
+    }
+    location = /2/4/3.png {
+      return 404;
+    }
+    location = /2/4/4.png {
       return 404;
     }
 
@@ -279,25 +352,9 @@ server {
 
       # Replace host header.
       proxy_set_header Host 'tile.openstreetmap.org';
-      # Do not pass cookies to backends.
-      proxy_set_header Cookie '';
-      # Do not pass Accept-Encoding to backends.
-      proxy_set_header Accept-Encoding '';
-      # Do not pass Accept to backends.
-      proxy_set_header Accept '';
-      # Do not pass Accept-Language to backends as unused.
-      proxy_set_header Accept-Language '';
-      proxy_set_header Accept-Charset '';
-      # Do not send origin, we allow all.
-      proxy_set_header origin '';
-      # Do not pass invalid headers to backend.
-      proxy_set_header X-Forwarded-Host '';
-      proxy_set_header X-Host '';
-      proxy_set_header Authorization '';
-      proxy_set_header Proxy-Authorization '';
-
-      # Drop partial requests
-      proxy_set_header range '';
+      # Drop all request headers and request body
+      proxy_pass_request_headers off;
+      proxy_pass_request_body off;
 
       # Do not allow setting cookies from backends due to caching.
       proxy_ignore_headers Set-Cookie;
@@ -356,6 +413,11 @@ server {
         return 418;
       }
 
+      if ($censored_referer) {
+        set $limit_rate 512;
+        return 451 "Unavailable For Legal Reasons";
+      }
+
       # Strip any ?query parameters from urls
       set $args '';