X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/7f9be6dad4ab03828bc242cc1d7d9b9a75ea4518..7302041c3f2c05098816f4fd9e3e538811f25a4e:/cookbooks/nominatim/templates/default/nginx.erb diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb index fd4ed93fa..941051d95 100644 --- a/cookbooks/nominatim/templates/default/nginx.erb +++ b/cookbooks/nominatim/templates/default/nginx.erb @@ -1,5 +1,5 @@ upstream nominatim_service { - server 127.0.0.1:<%= @pools[:www][:port ]%>; + server unix:/run/php/nominatim.openstreetmap.org.sock; } map $uri $nominatim_script_name { @@ -12,6 +12,21 @@ map $uri $nominatim_path_info { ~^/([^/]+)(.*)$ $2; } +map $args $format { + default default; + ~(^|&)format=html(&|$) html; + ~(^|&)format= other; +} + +map $uri/$format $forward_to_ui { + default 1; + ~^/ui 0; + ~/other$ 0; + ~/reverse.*/default 0; + ~/lookup.*/default 0; + ~/status.*/default 0; +} + map $query_string $email_id { ~(^|&)email=([^&]+) $2; } @@ -35,7 +50,7 @@ map $http_referer $missing_referer { geo $whitelisted { default 0; <% @frontends.each do |frontend| -%> -<% frontend.ipaddresses(:role => :external) do |address| -%> +<% frontend.ipaddresses(:role => :external).sort.each do |address| -%> <%= address %> 1; <% end -%> <% end -%> @@ -72,9 +87,22 @@ map $blocked_user_agent $limit_tarpit { 2 $binary_remote_addr; } +map $missing_email$missing_referer$http_user_agent $generic_mozilla { + default 0; + ~^11Mozilla/4.0 1; + ~^11Mozilla/5.0 2; +} + +map $whitelisted$generic_mozilla$uri $limit_reverse { + default ""; + ~01/reverse.* $binary_remote_addr; + ~02/reverse.* $binary_remote_addr; +} + limit_req_zone $limit_www zone=www:50m rate=2r/s; limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s; limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m; +limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m; server { listen 80 default_server; @@ -100,9 +128,9 @@ server { server { # IPv4 - listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen 443 ssl deferred backlog=16384 reuseport http2 default_server; # IPv6 - listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen [::]:443 ssl deferred backlog=16384 reuseport http2 default_server; server_name localhost; ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem; @@ -133,33 +161,60 @@ server { } location / { + try_files $uri $uri/ @php; + } + + location /ui/ { + alias <%= @ui_directory %>/dist/; + index search.html; + } + + location /qa-data/ { + add_header Access-Control-Allow-Origin "*" always; + } + + location @php { if ($blocked_user_agent ~ ^2$) { return 403; } if ($blocked_referrer) { return 403; } if ($blocked_email) { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; - try_files $uri $uri/ @php; - } - - location @php { limit_req zone=www burst=10; - limit_req zone=tarpit burst=2; + limit_req zone=tarpit burst=5; + limit_req zone=reverse burst=5; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params; fastcgi_param QUERY_STRING $args; fastcgi_param PATH_INFO "$nominatim_path_info"; fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name"; + if ($forward_to_ui) { + rewrite ^(/[^/]*) https://$host/ui$1.html redirect; + } } location ~* \.php$ { + if ($blocked_user_agent ~ ^2$) + { return 403; } + if ($blocked_referrer) + { return 403; } + if ($blocked_email) + { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; + limit_req zone=www burst=10; limit_req zone=tarpit burst=2; + limit_req zone=reverse burst=5; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + if ($forward_to_ui) { + rewrite (.*).php https://$host/ui$1.html redirect; + } } }