X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ae4d13c8ba1b86d2f94bcdec799d0db052425333..74ab040da0b0e0fb7df9ec8811741a3eb92c27a0:/cookbooks/web/templates/default/apache.frontend.erb
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index a950d7746..39f2a6007 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -1,30 +1,36 @@
# DO NOT EDIT - This file is being maintained by Chef
-<% [80, 443].each do |port| -%>
->
+#
+# Setup logging
+#
+SetEnvIfNoCase Authorization "^Basic " AUTH_METHOD=basic
+SetEnvIfNoCase Authorization "^OAuth " AUTH_METHOD=oauth1
+SetEnvIfNoCase Authorization "^Bearer " AUTH_METHOD=oauth2
+SetEnvIfExpr "%{QUERY_STRING} =~ /(^|&)oauth_signature=/" AUTH_METHOD=oauth1
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{AUTH_METHOD}e" combined_with_time
+CustomLog /var/log/apache2/access.log combined_with_time
+ErrorLog /var/log/apache2/error.log
+
+
#
# Basic server configuration
#
ServerName <%= node[:fqdn] %>
ServerAlias api.openstreetmap.org www.openstreetmap.org 127.0.0.1
ServerAdmin webmaster@openstreetmap.org
-<% if port == 443 -%>
#
# Enable SSL
#
SSLEngine on
- SSLProxyEngine on
SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
-<% end -%>
- #
- # Setup logging
- #
- LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time
- CustomLog /var/log/apache2/access.log combined_with_time
- ErrorLog /var/log/apache2/error.log
+ # Get the real remote IP for requests via a trusted proxy
+ RemoteIPHeader CF-Connecting-IP
+<% @cloudflare.sort.each do |address| -%>
+ RemoteIPTrustedProxy <%= address %>
+<% end -%>
#
# Turn on various features
@@ -32,6 +38,12 @@
ExpiresActive On
RewriteEngine on
+ #
+ # Configure timeouts
+ #
+ RequestReadTimeout handshake=20-40,MinRate=500 header=20-40,MinRate=500 body=20-120,MinRate=500
+ LogLevel reqtimeout:info
+
#
# Add the unique ID to the request headers
#
@@ -61,9 +73,16 @@
RewriteRule . - [F,L]
#
- # Block requests for the old 404 map tile
+ # Block trace scraper
#
- RewriteRule ^/openlayers/img/404.png$ - [G,L]
+ RewriteCond %{HTTP_USER_AGENT} "python-httpx/0.24.1"
+ RewriteRule . - [F,L]
+
+ #
+ # Block out of control spider
+ #
+ RewriteCond %{HTTP_USER_AGENT} "Bytespider"
+ RewriteRule . - [F,L]
#
# Block attempts to access old API versions
@@ -82,6 +101,13 @@
#
RewriteRule ^/api/0.6/changeset/6823497/download$ - [F,L]
+ #
+ # Ignore Vicon Valerus "online" status pings
+ # https://gist.github.com/Firefishy/86ed5b86991b225179b54bbafbcd769e
+ #
+ RewriteCond "%{QUERY_STRING}" "^q=abcde&t=20"
+ RewriteRule "^/api/0\.6/notes/search$" - [R=429,L]
+
#
# Force special MIME type for crossdomain.xml files
#
@@ -94,17 +120,16 @@
#
Header unset Last-Modified
- Header unset ETag
- FileETag None
+ FileETag Size
ExpiresDefault "access plus 1 year"
+ Header set Cache-Control "immutable, max-age=31536000" "expr=%{REQUEST_STATUS} == 200"
#
# Set expiry for attachments
#
- Header unset Last-Modified
Header unset ETag
FileETag None
@@ -120,31 +145,12 @@
ExpiresDefault "access plus 10 years"
-
- ExpiresDefault "access plus 10 years"
-
- ExpiresDefault "access plus 7 days"
-
-
- ExpiresDefault "access plus 10 years"
-
-
- #
- # Set expiry for Potlatch 1
- #
-
- ExpiresDefault "access plus 7 days"
-
+ Header unset Last-Modified
+ FileETag Size
- #
- # Set expiry for Potlatch 2
- #
-
- ExpiresByType application/x-shockwave-flash "access plus 1 day"
- ExpiresByType application/xml "access plus 1 day"
- ExpiresByType text/css "access plus 1 day"
- ExpiresByType image/png "access plus 7 days"
+ Header always set Cache-Control "public, max-age=31536000, immutable"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
#
@@ -155,56 +161,33 @@
PassengerMinInstances 10
PassengerMaxRequests 5000
PassengerMaxRequestQueueSize 250
-<% if port == 443 -%>
PassengerPreStart https://www.openstreetmap.org/
-<% else -%>
- PassengerPreStart http://www.openstreetmap.org/
-<% end -%>
+ PassengerAppGroupName rails
+ SetEnv OPENSTREETMAP_STATUS <%= @status %>
SetEnv SECRET_KEY_BASE <%= @secret_key_base %>
Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/favicons/favicon.ico
- Alias /openlayers <%= node[:web][:base_directory] %>/rails/vendor/assets/openlayers
- Alias /stats /store/rails/stats
- Alias /user/image /store/rails/user/image
- Alias /attachments /store/rails/attachments
+ Alias /openlayers <%= node[:web][:base_directory] %>/static/openlayers
+ RedirectPermanent /stats https://planet.openstreetmap.org/statistics
#
- # Preserve the host name when forwarding to the proxy
+ # Pass authentication related headers to cgimap
#
- ProxyPreserveHost on
-
- #
- # Set a long timeout - changeset uploads can take a long time
- #
- ProxyTimeout 3600
-
- #
- # Allow all proxy requests
- #
-
- Require all granted
-
-
- #
- # Pass some other API calls to the backends via a load balancer
- #
- ProxyPass /api/0.6/map balancer://backend/api/0.6/map
- ProxyPass /api/0.6/tracepoints balancer://backend/api/0.6/tracepoints
- ProxyPass /api/0.6/amf/read balancer://backend/api/0.6/amf/read
- ProxyPass /api/0.6/swf/trackpoints balancer://backend/api/0.6/swf/trackpoints
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/upload)$ balancer://ic$1
- ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/download)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+)$ balancer://backend$1
- ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+/(full|history|search|ways))$ balancer://backend$1
- ProxyPass /api/0.6/nodes balancer://backend/api/0.6/nodes
- ProxyPass /api/0.6/ways balancer://backend/api/0.6/ways
- ProxyPass /api/0.6/relations balancer://backend/api/0.6/relations
- ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://backend$1
+
+ CGIPassAuth On
+
#
- # Redirect ACME certificate challenges
+ # Pass supported calls to cgimap
#
- RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+ RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
+ RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+ RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
#
# Redirect trac and wiki requests to the right places
@@ -219,75 +202,19 @@
RedirectPermanent /images/cc_button.png https://www.openstreetmap.org/assets/cc_button.png
#
- # Define a load balancer for the local backends
- #
-
- ProxySet lbmethod=bybusyness
-<% node[:web][:backends].each do |backend| -%>
-<% if port == 443 -%>
- BalancerMember https://<%= backend %> disablereuse=on
-<% else -%>
- BalancerMember http://<%= backend %>
-<% end -%>
-<% end -%>
-
-
- #
- # Define a load balancer for the IC backends
- #
-
- ProxySet lbmethod=bybusyness
-<% ["rails1.ic", "rails2.ic", "rails3.ic"].each do |backend| -%>
-<% if port == 443 -%>
- BalancerMember https://<%= backend %> disablereuse=on
-<% else -%>
- BalancerMember http://<%= backend %>
-<% end -%>
-<% end -%>
-
-<% if port == 80 -%>
-
- #
- # Redirect requests which should be secure to https
- #
- RewriteCond %{REQUEST_URI} ^/login(\.html)?$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/(new|create-account\.html)$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/terms$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/save$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/([^/]+)/account$ [OR]
- RewriteCond %{REQUEST_URI} ^/user/reset-password$
- RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
-
- #
- # Redirect api requests made to www.osm.org to api.osm.org
- #
-# RewriteCond %{HTTP_HOST} =www.openstreetmap.org
-# RewriteRule ^/api/(.*)$ http://api.openstreetmap.org/api/$1 [L,NE,R=permanent]
-
- #
- # Redirect non-api requests made to api.osm.org to www.osm.org
- #
- RewriteCond %{HTTP_HOST} =api.openstreetmap.org
- RewriteCond %{REQUEST_URI} !^/api/
- RewriteRule ^(.*)$ http://www.openstreetmap.org$1 [L,NE,R=permanent]
-<% elsif port == 443 -%>
-
- #
- # Redirect api requests made to www.osm.org to api.osm.org
+ # Redirect api requests made to www.openstreetmap.org to api.openstreetmap.org
#
# RewriteCond %{HTTP_HOST} =www.openstreetmap.org
# RewriteRule ^/api/(.*)$ https://api.openstreetmap.org/api/$1 [L,NE,R=permanent]
#
- # Redirect non-api requests made to api.osm.org to www.osm.org
+ # Redirect non-api requests made to api.openstreetmap.org to www.openstreetmap.org
#
RewriteCond %{HTTP_HOST} =api.openstreetmap.org
RewriteCond %{REQUEST_URI} !^/api/
RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
-<% end -%>
-<% end -%>
ServerName openstreetmap.org.uk
ServerAlias www.openstreetmap.org.uk
@@ -298,12 +225,59 @@
RedirectPermanent / https://www.openstreetmap.org/
+
+ ServerName osm.org
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://osm.org$1 [L,NE,R=permanent]
+
+
+
+ ServerName www.osm.org
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://www.osm.org$1 [L,NE,R=permanent]
+
+
ServerName openstreetmap.org
+
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+ RewriteEngine on
+
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+ RewriteCond %{REQUEST_URI} !^/server-status$
+ RewriteRule ^(.*)$ https://openstreetmap.org$1 [L,NE,R=permanent]
+
+
+
+ ServerName www.openstreetmap.org
ServerAlias *
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
RewriteEngine on
+ RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
RewriteCond %{REQUEST_URI} !^/server-status$
RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
@@ -316,29 +290,49 @@
SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
+ Header always set Cache-Control "max-age=31536000"
+ Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
RedirectPermanent / https://www.openstreetmap.org/
/rails/public>
Require all granted
-
-
- Require all granted
+ RewriteCond "%{HTTP:Accept-encoding}" "br"
+ RewriteCond "%{REQUEST_FILENAME}\.br" -s
+ RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.br" [QSA]
+
+ RewriteCond "%{HTTP:Accept-encoding}" "gzip"
+ RewriteCond "%{REQUEST_FILENAME}\.gz" -s
+ RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.gz" [QSA]
+
+ RewriteRule "\.css\.(br|gz)$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.ico\.(br|gz)$" "-" [T=image/vnd.microsoft.icon,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.js\.(br|gz)$" "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.json\.(br|gz)$" "-" [T=application/json,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.svg\.(br|gz)$" "-" [T=image/svg+xml,E=no-gzip:1,E=no-brotli:1]
+ RewriteRule "\.xml\.(br|gz)$" "-" [T=application/xml,E=no-gzip:1,E=no-brotli:1]
+
+
+ Header append Content-Encoding br
+ Header append Vary Accept-Encoding
+
+
+
+ Header append Content-Encoding gzip
+ Header append Vary Accept-Encoding
+
-
- Require all granted
-
-
-
+
Require all granted
-
+
Require all granted
-
+
Require all granted