X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ce4d234ef22e628fe216f93a552f7f31dcb0897d..0f1dd9c9525203c7c4fe682f4ce99942344e193b:/cookbooks/tilecache/templates/default/nginx_tile.conf.erb diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb index d5207f465..6895ea54c 100644 --- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb +++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb @@ -1,51 +1,187 @@ # DO NOT EDIT - This file is being maintained by Chef upstream tile_cache_backend { - server 127.0.0.1; + server 127.0.0.1:8080; + server 127.0.0.2:8080; - keepalive 256; + # Add the other caches to relieve pressure if local squid failing + # Balancer: round-robin +<% @caches.each do |cache| -%> +<% if cache[:hostname] != node[:hostname] -%> +<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> + server <%= address %>:80 backup; # Server <%= cache[:hostname] %> +<% end -%> +<% end -%> +<% end -%> + + keepalive 512; + keepalive_requests 1024; +} + +# Geo Map of tile caches +geo $tile_cache { + default 0; +<% @caches.each do |cache| -%> +<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> + <%= address %> 1; # <%= cache[:hostname] %> +<% end -%> +<% end -%> } # Rates table based on current cookie value -map $cookie_qos_token $limit_rate_qos { +map $cookie__osm_totp_token $limit_rate_qos { include /etc/nginx/conf.d/tile_qos_rates.map; } # Set-Cookie table based on current cookie value -map $cookie_qos_token $cookie_qos_token_set { +map $cookie__osm_totp_token $cookie_qos_token_set { include /etc/nginx/conf.d/tile_qos_cookies.map; } map $http_user_agent $approved_scraper { - default ''; # Not approved - '~^JOSM\/' 'JOSM'; - '~^Mozilla\/5\.0\ QGIS\/' 'QGIS'; + default 0; # Not approved + '~^JOSM\/' 1; # JOSM + '~^Mozilla\/5\.0\ QGIS\/' 1; # QGIS +} + +map $http_user_agent $denied_scraper { + default 0; # Not denied + '' 1; # No User-Agent Set + '~^Python\-urllib\/' 1; # Library Default + '~^python\-requests\/' 1; # Library Default + '~^node\-fetch\/' 1; # Library Default + '~^R$' 1; # Library Default + '~^Java\/' 1; # Library Default + '~^tiles$' 1; # Library Default + '~^runtastic' 1; # App + 'Mozilla/4.0' 1; # Fake + 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1; # Fake +} + +map $http_referer $denied_referer { + default 0; # Not denied + 'http://www.openstreetmap.org/' 1; # Faked + 'http://www.openstreetmap.org' 1; # Faked + 'http://openstreetmap.org/' 1; # Faked + 'http://openstreetmap.org' 1; # Faked + 'http://www.osm.org/' 1; # Faked + 'http://www.osm.org' 1; # Faked + 'http://osm.org/' 1; # Faked + 'http://osm.org' 1; # Faked +} + +map $http_referer $osm_referer { + default ''; # False + '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True } # Limit Cache-Control header to only approved User-Agents -map $http_user_agent $limit_http_cache_control { - default ''; # Unset Header - '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header - '~^Mozilla\/5\.0\ ' $http_cache_control; # Pass Header +map $osm_referer$http_user_agent $limit_http_cache_control { + default ''; # Unset Header + '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header + '~^osmMozilla\/5\.0\ ' $http_cache_control; # Pass Header } # Limit Pragma header to only approved User-Agents -map $http_user_agent $limit_http_pragma { - default ''; # Unset Header - '~^Mozilla\/5\.0\ QGIS\/' ''; # Unset Header - '~^Mozilla\/5\.0\ ' $http_pragma; # Pass Header +map $osm_referer$http_user_agent $limit_http_pragma { + default ''; # Unset Header + '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header + '~^osmMozilla\/5\.0\ ' $http_pragma; # Pass Header } server { - listen 443 ssl fastopen=2048 http2 default_server; + listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; server_name localhost; proxy_buffers 8 64k; + proxy_busy_buffers_size 64k; ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem; ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key; + # Requests sent within early data are subject to replay attacks. + # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data + ssl_early_data on; + + # Immediately 404 layers we do not support +<% for i in 20..99 do %> + location /<%= i %>/ { + set $limit_rate 512; + return 404; + } +<% end %> + + # Immediately 404 silly tile requests + location = /0/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/0.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/-1/2.png { + set $limit_rate 512; + return 404; + } + location = /1/1/-1.png { + set $limit_rate 512; + return 404; + } + location = /1/2/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/0/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/0.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/1.png { + set $limit_rate 512; + return 404; + } + location = /2/1/-1.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/2.png { + set $limit_rate 512; + return 404; + } + location = /2/-1/3.png { + set $limit_rate 512; + return 404; + } + +<% for i in 0..14 do %> +<% if i == 0 -%> + # Default Fallback Location Handler (lowest) location / { +<% elsif -%> + # Dedicated zoom handler for caching + location /<%= i %>/ { +<% end %> + # Only allow GET / HEAD / OPTIONS (CORS) requests + limit_except GET HEAD OPTIONS { + deny all; + } + proxy_pass http://tile_cache_backend; proxy_set_header X-Forwarded-For $remote_addr; proxy_http_version 1.1; @@ -53,17 +189,49 @@ server { proxy_connect_timeout 10s; - # Preserve host header. - proxy_set_header Host $host; + # Replace host header. + proxy_set_header Host 'tile.openstreetmap.org'; # Do not pass cookies to backends. proxy_set_header Cookie ''; # Do not pass Accept-Encoding to backends. proxy_set_header Accept-Encoding ''; + # Do not pass Accept to backends. + proxy_set_header Accept ''; + # Do not pass Accept-Language to backends as unused. + proxy_set_header Accept-Language ''; + proxy_set_header Accept-Charset ''; + # Do not send origin, we allow all. + proxy_set_header origin ''; + # Do not pass invalid headers to backend. + proxy_set_header X-Forwarded-Host ''; + proxy_set_header X-Host ''; + proxy_set_header Authorization ''; + proxy_set_header Proxy-Authorization ''; + + # Drop partial requests + proxy_set_header range ''; # Do not allow setting cookies from backends due to caching. proxy_ignore_headers Set-Cookie; proxy_hide_header Set-Cookie; +<% if i != 0 -%> + # Caching + proxy_cache "proxy_cache_zone"; + proxy_cache_lock on; + proxy_cache_valid 200 1d; + proxy_cache_valid 404 15m; + # Serve stale cache on errors or if updating + proxy_cache_use_stale error timeout updating http_500 http_503 http_504; + # If in cache as stale, serve stale and update in background + proxy_cache_background_update on; + # Enable revalidation using If-Modified-Since and If-None-Match for stale items + proxy_cache_revalidate on; + proxy_cache_min_uses 8; + + add_header x-cache-status $upstream_cache_status; +<% end -%> + # Set a QoS cookie if none presented (uses nginx Map) add_header Set-Cookie $cookie_qos_token_set; <% if node[:ssl][:strict_transport_security] -%> @@ -82,6 +250,15 @@ server { set $limit_rate 65536; } + if ($denied_scraper) { + set $limit_rate 512; + return 429; + } + if ($denied_referer) { + set $limit_rate 512; + return 418; + } + # Strip any ?query parameters from urls set $args ''; @@ -89,4 +266,5 @@ server { proxy_set_header Cache-Control $limit_http_cache_control; proxy_set_header Pragma $limit_http_pragma; } +<% end %> }