X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/981b586040b3fe307a4855e58e846da75555aa05..7cc521a88e4f612c44cf841639b03bec51706341:/cookbooks/tilecache/templates/default/nginx_tile.conf.erb diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb index 149ddd001..ccc7a8316 100644 --- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb +++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb @@ -1,77 +1,244 @@ # DO NOT EDIT - This file is being maintained by Chef upstream tile_cache_backend { - server 127.0.0.1:8080; - <% @caches.each do |cache| -%> - <% if cache[:hostname] != node[:hostname] -%> - #Server <%= cache[:hostname] %> - <% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> - server <%= address %> backup; - <% end -%> - <% end -%> - <% end -%> - - keepalive 32; + server 127.0.0.1:8080; + server 127.0.0.2:8080; + + # Add the other caches to relieve pressure if local squid failing + # Balancer: round-robin +<% @caches.each do |cache| -%> +<% if cache[:hostname] != node[:hostname] -%> +<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> + server <%= address %>:80 backup; # Server <%= cache[:hostname] %> +<% end -%> +<% end -%> +<% end -%> + + keepalive 512; + keepalive_requests 1024; } -# Rates table based on current cookie value -map $cookie_qos_token $limit_rate_qos { - include /etc/nginx/conf.d/tile_qos_rates.map; +# Geo Map of tile caches +geo $tile_cache { + default 0; +<% @caches.each do |cache| -%> +<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> + <%= address %> 1; # <%= cache[:hostname] %> +<% end -%> +<% end -%> } +# Rates table based on current cookie value +# map $cookie__osm_totp_token $limit_rate_qos { +# include /etc/nginx/conf.d/tile_qos_rates.map; +# } + # Set-Cookie table based on current cookie value -map $cookie_qos_token $cookie_qos_token_set { - include /etc/nginx/conf.d/tile_qos_cookies.map; -} +# map $cookie__osm_totp_token $cookie_qos_token_set { +# include /etc/nginx/conf.d/tile_qos_cookies.map; +# } map $http_user_agent $approved_scraper { - default ''; # Not approved - '~^JOSM\/' 'JOSM'; - '~^Mozilla\/5\.0\ QGIS\/' 'QGIS'; + default 0; # Not approved + '~^JOSM\/' 1; # JOSM + '~^Mozilla\/5\.0\ QGIS\/' 1; # QGIS +} + +map $http_user_agent $denied_scraper { + default 0; # Not denied + '' 1; # No User-Agent Set + '~^Python\-urllib\/' 1; # Library Default + '~^python\-requests\/' 1; # Library Default + '~^node\-fetch\/' 1; # Library Default + '~^R$' 1; # Library Default + '~^Java\/' 1; # Library Default + '~^tiles$' 1; # Library Default + '~^runtastic' 1; # App + 'Mozilla/4.0' 1; # Fake + 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1; # Fake +} + +map $http_referer $denied_referer { + default 0; # Not denied + 'http://www.openstreetmap.org/' 1; # Faked + 'http://www.openstreetmap.org' 1; # Faked + 'http://openstreetmap.org/' 1; # Faked + 'http://openstreetmap.org' 1; # Faked + 'http://www.osm.org/' 1; # Faked + 'http://www.osm.org' 1; # Faked + 'http://osm.org/' 1; # Faked + 'http://osm.org' 1; # Faked +} + +map $http_referer $osm_referer { + default ''; # False + '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True } # Limit Cache-Control header to only approved User-Agents -map $http_user_agent $limit_http_cache_control { - default ''; # Unset Header - '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header - '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header +map $osm_referer$http_user_agent $limit_http_cache_control { + default ''; # Unset Header + '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header + '~^osmMozilla\/5\.0\ ' $http_cache_control; # Pass Header } # Limit Pragma header to only approved User-Agents -map $http_user_agent $limit_http_pragma { - default ''; # Unset Header - '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header - '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header +map $osm_referer$http_user_agent $limit_http_pragma { + default ''; # Unset Header + '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header + '~^osmMozilla\/5\.0\ ' $http_pragma; # Pass Header } server { - listen 443 ssl fastopen=2048 http2 default_server; + # IPv4 + listen 80 deferred backlog=16384 reuseport fastopen=2048 default_server; + listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + # IPv6 + listen [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server; + listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; server_name localhost; proxy_buffers 8 64k; + proxy_busy_buffers_size 64k; ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem; ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key; + # Requests sent within early data are subject to replay attacks. + # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data + ssl_early_data on; + + # Immediately 404 layers we do not support +<% for i in 20..99 do %> + location /<%= i %>/ { + set $limit_rate 512; + return 404; + } +<% end %> + + # Immediately 404 silly tile requests + location = /0/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/0.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/2.png { + set $limit_rate 512; + return 404; + } + location = /1/1/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/2/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/0.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/1.png { + set $limit_rate 512; + return 404; + } + location = /2/1/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/2.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/3.png { + set $limit_rate 512; + return 404; + } + +<% for i in 0..14 do %> +<% if i == 0 -%> + # Default Fallback Location Handler (lowest) location / { +<% elsif -%> + # Dedicated zoom handler for caching + location /<%= i %>/ { +<% end %> + # Only allow GET / HEAD / OPTIONS (CORS) requests + limit_except GET HEAD OPTIONS { + deny all; + } + proxy_pass http://tile_cache_backend; proxy_set_header X-Forwarded-For $remote_addr; proxy_http_version 1.1; proxy_set_header Connection ''; - proxy_connect_timeout 5s; + proxy_connect_timeout 10s; + # Replace host header. + proxy_set_header Host 'tile.openstreetmap.org'; # Do not pass cookies to backends. proxy_set_header Cookie ''; # Do not pass Accept-Encoding to backends. proxy_set_header Accept-Encoding ''; + # Do not pass Accept to backends. + proxy_set_header Accept ''; + # Do not pass Accept-Language to backends as unused. + proxy_set_header Accept-Language ''; + proxy_set_header Accept-Charset ''; + # Do not send origin, we allow all. + proxy_set_header origin ''; + # Do not pass invalid headers to backend. + proxy_set_header X-Forwarded-Host ''; + proxy_set_header X-Host ''; + proxy_set_header Authorization ''; + proxy_set_header Proxy-Authorization ''; + + # Drop partial requests + proxy_set_header range ''; # Do not allow setting cookies from backends due to caching. proxy_ignore_headers Set-Cookie; proxy_hide_header Set-Cookie; +<% if i != 0 -%> + # Caching + proxy_cache "proxy_cache_zone"; + proxy_cache_lock on; + proxy_cache_valid 200 1d; + proxy_cache_valid 404 15m; + # Serve stale cache on errors or if updating + proxy_cache_use_stale error timeout updating http_404 http_500 http_503 http_504; + # If in cache as stale, serve stale and update in background + proxy_cache_background_update on; + # Enable revalidation using If-Modified-Since and If-None-Match for stale items + proxy_cache_revalidate on; + proxy_cache_min_uses 8; + + add_header x-cache-status $upstream_cache_status; +<% end -%> + # Set a QoS cookie if none presented (uses nginx Map) - add_header Set-Cookie $cookie_qos_token_set; + # add_header Set-Cookie $cookie_qos_token_set; <% if node[:ssl][:strict_transport_security] -%> # Ensure Strict-Transport-Security header is removed from proxied server responses proxy_hide_header Strict-Transport-Security; @@ -81,11 +248,20 @@ server { <% end -%> # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html - set $limit_rate $limit_rate_qos; + # set $limit_rate $limit_rate_qos; # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map) - if ($approved_scraper) { - set $limit_rate 32768; + # if ($approved_scraper) { + # set $limit_rate 65536; + # } + + if ($denied_scraper) { + set $limit_rate 512; + return 429; + } + if ($denied_referer) { + set $limit_rate 512; + return 418; } # Strip any ?query parameters from urls @@ -95,12 +271,5 @@ server { proxy_set_header Cache-Control $limit_http_cache_control; proxy_set_header Pragma $limit_http_pragma; } -} - -# Convert all http requests to https -server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - return 301 https://$host$request_uri; +<% end %> }