X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/c249fadcc5ce27698d1f11fe5ec4a1c299786b3c..11fdeeaa56975b200a46cc3ee7124e529621fba9:/cookbooks/web/templates/default/apache.frontend.erb?ds=inline diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb index 2058b7a98..39f2a6007 100644 --- a/cookbooks/web/templates/default/apache.frontend.erb +++ b/cookbooks/web/templates/default/apache.frontend.erb @@ -1,30 +1,36 @@ # DO NOT EDIT - This file is being maintained by Chef -<% [80, 443].each do |port| -%> -> +# +# Setup logging +# +SetEnvIfNoCase Authorization "^Basic " AUTH_METHOD=basic +SetEnvIfNoCase Authorization "^OAuth " AUTH_METHOD=oauth1 +SetEnvIfNoCase Authorization "^Bearer " AUTH_METHOD=oauth2 +SetEnvIfExpr "%{QUERY_STRING} =~ /(^|&)oauth_signature=/" AUTH_METHOD=oauth1 +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{AUTH_METHOD}e" combined_with_time +CustomLog /var/log/apache2/access.log combined_with_time +ErrorLog /var/log/apache2/error.log + + # # Basic server configuration # ServerName <%= node[:fqdn] %> ServerAlias api.openstreetmap.org www.openstreetmap.org 127.0.0.1 ServerAdmin webmaster@openstreetmap.org -<% if port == 443 -%> # # Enable SSL # SSLEngine on - SSLProxyEngine on SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key -<% end -%> - # - # Setup logging - # - LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time - CustomLog /var/log/apache2/access.log combined_with_time - ErrorLog /var/log/apache2/error.log + # Get the real remote IP for requests via a trusted proxy + RemoteIPHeader CF-Connecting-IP +<% @cloudflare.sort.each do |address| -%> + RemoteIPTrustedProxy <%= address %> +<% end -%> # # Turn on various features @@ -32,6 +38,12 @@ ExpiresActive On RewriteEngine on + # + # Configure timeouts + # + RequestReadTimeout handshake=20-40,MinRate=500 header=20-40,MinRate=500 body=20-120,MinRate=500 + LogLevel reqtimeout:info + # # Add the unique ID to the request headers # @@ -61,9 +73,16 @@ RewriteRule . - [F,L] # - # Block requests for the old 404 map tile + # Block trace scraper # - RewriteRule ^/openlayers/img/404.png$ - [G,L] + RewriteCond %{HTTP_USER_AGENT} "python-httpx/0.24.1" + RewriteRule . - [F,L] + + # + # Block out of control spider + # + RewriteCond %{HTTP_USER_AGENT} "Bytespider" + RewriteRule . - [F,L] # # Block attempts to access old API versions @@ -82,6 +101,13 @@ # RewriteRule ^/api/0.6/changeset/6823497/download$ - [F,L] + # + # Ignore Vicon Valerus "online" status pings + # https://gist.github.com/Firefishy/86ed5b86991b225179b54bbafbcd769e + # + RewriteCond "%{QUERY_STRING}" "^q=abcde&t=20" + RewriteRule "^/api/0\.6/notes/search$" - [R=429,L] + # # Force special MIME type for crossdomain.xml files # @@ -94,17 +120,16 @@ # Header unset Last-Modified - Header unset ETag - FileETag None + FileETag Size ExpiresDefault "access plus 1 year" + Header set Cache-Control "immutable, max-age=31536000" "expr=%{REQUEST_STATUS} == 200" # # Set expiry for attachments # - Header unset Last-Modified Header unset ETag FileETag None @@ -120,31 +145,12 @@ ExpiresDefault "access plus 10 years" - - ExpiresDefault "access plus 10 years" - - ExpiresDefault "access plus 7 days" - - - ExpiresDefault "access plus 10 years" - - - # - # Set expiry for Potlatch 1 - # - - ExpiresDefault "access plus 7 days" - + Header unset Last-Modified + FileETag Size - # - # Set expiry for Potlatch 2 - # - - ExpiresByType application/x-shockwave-flash "access plus 1 day" - ExpiresByType application/xml "access plus 1 day" - ExpiresByType text/css "access plus 1 day" - ExpiresByType image/png "access plus 7 days" + Header always set Cache-Control "public, max-age=31536000, immutable" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" # @@ -155,56 +161,33 @@ PassengerMinInstances 10 PassengerMaxRequests 5000 PassengerMaxRequestQueueSize 250 -<% if port == 443 -%> PassengerPreStart https://www.openstreetmap.org/ -<% else -%> - PassengerPreStart http://www.openstreetmap.org/ -<% end -%> + PassengerAppGroupName rails + SetEnv OPENSTREETMAP_STATUS <%= @status %> SetEnv SECRET_KEY_BASE <%= @secret_key_base %> Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/favicons/favicon.ico - Alias /openlayers <%= node[:web][:base_directory] %>/rails/vendor/assets/openlayers - Alias /stats /store/rails/stats - Alias /user/image /store/rails/user/image - Alias /attachments /store/rails/attachments + Alias /openlayers <%= node[:web][:base_directory] %>/static/openlayers + RedirectPermanent /stats https://planet.openstreetmap.org/statistics # - # Preserve the host name when forwarding to the proxy + # Pass authentication related headers to cgimap # - ProxyPreserveHost on - - # - # Set a long timeout - changeset uploads can take a long time - # - ProxyTimeout 3600 - - # - # Allow all proxy requests - # - - Require all granted - - - # - # Pass some other API calls to the backends via a load balancer - # - ProxyPass /api/0.6/map balancer://backend/api/0.6/map - ProxyPass /api/0.6/tracepoints balancer://backend/api/0.6/tracepoints - ProxyPass /api/0.6/amf/read balancer://backend/api/0.6/amf/read - ProxyPass /api/0.6/swf/trackpoints balancer://backend/api/0.6/swf/trackpoints - ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+)$ balancer://backend$1 - ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/upload)$ balancer://ic$1 - ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/download)$ balancer://backend$1 - ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+)$ balancer://backend$1 - ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+/(full|history|search|ways))$ balancer://backend$1 - ProxyPass /api/0.6/nodes balancer://backend/api/0.6/nodes - ProxyPass /api/0.6/ways balancer://backend/api/0.6/ways - ProxyPass /api/0.6/relations balancer://backend/api/0.6/relations - ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://backend$1 + + CGIPassAuth On + # - # Redirect ACME certificate challenges + # Pass supported calls to cgimap # - RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/ + RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P] + RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$ + RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P] + RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P] + RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P] + RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P] + RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P] + RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P] + RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P] # # Redirect trac and wiki requests to the right places @@ -219,75 +202,19 @@ RedirectPermanent /images/cc_button.png https://www.openstreetmap.org/assets/cc_button.png # - # Define a load balancer for the local backends - # - - ProxySet lbmethod=bybusyness -<% node[:web][:backends].each do |backend| -%> -<% if port == 443 -%> - BalancerMember https://<%= backend %> disablereuse=on -<% else -%> - BalancerMember http://<%= backend %> -<% end -%> -<% end -%> - - - # - # Define a load balancer for the IC backends - # - - ProxySet lbmethod=bybusyness -<% ["rails1.ic", "rails2.ic", "rails3.ic"].each do |backend| -%> -<% if port == 443 -%> - BalancerMember https://<%= backend %> disablereuse=on -<% else -%> - BalancerMember http://<%= backend %> -<% end -%> -<% end -%> - -<% if port == 80 -%> - - # - # Redirect requests which should be secure to https - # - RewriteCond %{REQUEST_URI} ^/login(\.html)?$ [OR] - RewriteCond %{REQUEST_URI} ^/user/(new|create-account\.html)$ [OR] - RewriteCond %{REQUEST_URI} ^/user/terms$ [OR] - RewriteCond %{REQUEST_URI} ^/user/save$ [OR] - RewriteCond %{REQUEST_URI} ^/user/([^/]+)/account$ [OR] - RewriteCond %{REQUEST_URI} ^/user/reset-password$ - RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent] - - # - # Redirect api requests made to www.osm.org to api.osm.org - # -# RewriteCond %{HTTP_HOST} =www.openstreetmap.org -# RewriteRule ^/api/(.*)$ http://api.openstreetmap.org/api/$1 [L,NE,R=permanent] - - # - # Redirect non-api requests made to api.osm.org to www.osm.org - # - RewriteCond %{HTTP_HOST} =api.openstreetmap.org - RewriteCond %{REQUEST_URI} !^/api/ - RewriteRule ^(.*)$ http://www.openstreetmap.org$1 [L,NE,R=permanent] -<% elsif port == 443 -%> - - # - # Redirect api requests made to www.osm.org to api.osm.org + # Redirect api requests made to www.openstreetmap.org to api.openstreetmap.org # # RewriteCond %{HTTP_HOST} =www.openstreetmap.org # RewriteRule ^/api/(.*)$ https://api.openstreetmap.org/api/$1 [L,NE,R=permanent] # - # Redirect non-api requests made to api.osm.org to www.osm.org + # Redirect non-api requests made to api.openstreetmap.org to www.openstreetmap.org # RewriteCond %{HTTP_HOST} =api.openstreetmap.org RewriteCond %{REQUEST_URI} !^/api/ RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent] -<% end -%> -<% end -%> ServerName openstreetmap.org.uk ServerAlias www.openstreetmap.org.uk @@ -298,11 +225,61 @@ RedirectPermanent / https://www.openstreetmap.org/ + + ServerName osm.org + + Header always set Cache-Control "max-age=31536000" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + + RewriteEngine on + + RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L] + + RewriteCond %{REQUEST_URI} !^/server-status$ + RewriteRule ^(.*)$ https://osm.org$1 [L,NE,R=permanent] + + + + ServerName www.osm.org + + Header always set Cache-Control "max-age=31536000" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + + RewriteEngine on + + RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L] + + RewriteCond %{REQUEST_URI} !^/server-status$ + RewriteRule ^(.*)$ https://www.osm.org$1 [L,NE,R=permanent] + + ServerName openstreetmap.org + + Header always set Cache-Control "max-age=31536000" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + + RewriteEngine on + + RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L] + + RewriteCond %{REQUEST_URI} !^/server-status$ + RewriteRule ^(.*)$ https://openstreetmap.org$1 [L,NE,R=permanent] + + + + ServerName www.openstreetmap.org ServerAlias * - RedirectPermanent / https://www.openstreetmap.org/ + Header always set Cache-Control "max-age=31536000" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + + RewriteEngine on + + RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L] + + RewriteCond %{REQUEST_URI} !^/server-status$ + RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent] @@ -313,29 +290,49 @@ SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key + Header always set Cache-Control "max-age=31536000" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + RedirectPermanent / https://www.openstreetmap.org/ /rails/public> Require all granted - - - Require all granted + RewriteCond "%{HTTP:Accept-encoding}" "br" + RewriteCond "%{REQUEST_FILENAME}\.br" -s + RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.br" [QSA] + + RewriteCond "%{HTTP:Accept-encoding}" "gzip" + RewriteCond "%{REQUEST_FILENAME}\.gz" -s + RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.gz" [QSA] + + RewriteRule "\.css\.(br|gz)$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1] + RewriteRule "\.ico\.(br|gz)$" "-" [T=image/vnd.microsoft.icon,E=no-gzip:1,E=no-brotli:1] + RewriteRule "\.js\.(br|gz)$" "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1] + RewriteRule "\.json\.(br|gz)$" "-" [T=application/json,E=no-gzip:1,E=no-brotli:1] + RewriteRule "\.svg\.(br|gz)$" "-" [T=image/svg+xml,E=no-gzip:1,E=no-brotli:1] + RewriteRule "\.xml\.(br|gz)$" "-" [T=application/xml,E=no-gzip:1,E=no-brotli:1] + + + Header append Content-Encoding br + Header append Vary Accept-Encoding + + + + Header append Content-Encoding gzip + Header append Vary Accept-Encoding + - - Require all granted - - - + Require all granted - + Require all granted - + Require all granted