X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/b98b149c81f900ac5fc5f238accf826ac8b515a6..53a51b1f4d048aa2e860ce99aeb27331afe7bd56:/cookbooks/tilecache/templates/default/nginx_tile.conf.erb?ds=sidebyside diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb index b8b0b5321..338e0d51d 100644 --- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb +++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb @@ -154,6 +154,14 @@ map $http_referer $denied_referer { '~^https?://[^.]*\.cellmapper\.net/' 1; } +map $http_referer $censored_referer { + default 0; # Not denied + # Blocked on board instructions + '~^https?://schiebt-sie-ab\.de/' 1; + '~^https?://[^.]*\.schiebt-sie-ab\.de/' 1; +} + + map $http_referer $osm_referer { default ''; # False '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True @@ -192,11 +200,11 @@ map $tile_cache$http_referer$scheme$http_user_agent $deny_missing_referer { server { # IPv4 - listen 80 deferred backlog=16384 reuseport fastopen=2048 default_server; - listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen 80 deferred backlog=16384 reuseport default_server; + listen 443 ssl deferred backlog=16384 reuseport http2 default_server; # IPv6 - listen [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server; - listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen [::]:80 deferred backlog=16384 reuseport default_server; + listen [::]:443 ssl deferred backlog=16384 reuseport http2 default_server; server_name localhost; proxy_buffers 8 64k; @@ -217,31 +225,64 @@ server { <% end %> # Immediately 404 silly tile requests + location = /0/-1/-1.png { + return 404; + } + location = /0/-1/0.png { + return 404; + } + location = /0/-1/1.png { + return 404; + } location = /0/0/-1.png { return 404; } - location = /1/0/-1.png { + location = /0/0/1.png { return 404; } - location = /1/-1/0.png { + location = /0/0/2.png { return 404; } - location = /1/-1/1.png { + location = /0/1/-1.png { + return 404; + } + location = /0/1/0.png { + return 404; + } + location = /0/1/1.png { + return 404; + } + location = /0/1/2.png { + return 404; + } + location = /0/2/0.png { + return 404; + } + location = /0/2/1.png { + return 404; + } + location = /0/2/2.png { return 404; } location = /1/-1/-1.png { return 404; } + location = /1/-1/0.png { + return 404; + } + location = /1/-1/1.png { + return 404; + } location = /1/-1/2.png { return 404; } - location = /1/1/-1.png { + location = /1/0/-1.png { return 404; } - location = /1/2/-1.png { + location = /1/1/-1.png { return 404; } - location = /2/0/-1.png { + location = /1/2/-1.png { return 404; } location = /2/-1/0.png { @@ -250,13 +291,40 @@ server { location = /2/-1/1.png { return 404; } + location = /2/-1/2.png { + return 404; + } + location = /2/-1/3.png { + return 404; + } + location = /2/0/-1.png { + return 404; + } location = /2/1/-1.png { return 404; } - location = /2/-1/2.png { + location = /2/1/4.png { return 404; } - location = /2/-1/3.png { + location = /2/2/4.png { + return 404; + } + location = /2/3/4.png { + return 404; + } + location = /2/4/0.png { + return 404; + } + location = /2/4/1.png { + return 404; + } + location = /2/4/2.png { + return 404; + } + location = /2/4/3.png { + return 404; + } + location = /2/4/4.png { return 404; } @@ -284,25 +352,9 @@ server { # Replace host header. proxy_set_header Host 'tile.openstreetmap.org'; - # Do not pass cookies to backends. - proxy_set_header Cookie ''; - # Do not pass Accept-Encoding to backends. - proxy_set_header Accept-Encoding ''; - # Do not pass Accept to backends. - proxy_set_header Accept ''; - # Do not pass Accept-Language to backends as unused. - proxy_set_header Accept-Language ''; - proxy_set_header Accept-Charset ''; - # Do not send origin, we allow all. - proxy_set_header origin ''; - # Do not pass invalid headers to backend. - proxy_set_header X-Forwarded-Host ''; - proxy_set_header X-Host ''; - proxy_set_header Authorization ''; - proxy_set_header Proxy-Authorization ''; - - # Drop partial requests - proxy_set_header range ''; + # Drop all request headers and request body + proxy_pass_request_headers off; + proxy_pass_request_body off; # Do not allow setting cookies from backends due to caching. proxy_ignore_headers Set-Cookie; @@ -361,6 +413,11 @@ server { return 418; } + if ($censored_referer) { + set $limit_rate 512; + return 451 "Unavailable at OSMF Board request"; + } + # Strip any ?query parameters from urls set $args '';