X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/d9f9b729153253f693a92ad761eacfa76db5895c..e613260d8e47f845ca4d2b48d71d92b42b4aac65:/cookbooks/nominatim/templates/default/nginx.erb diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb index 51b40776e..d56d99c8a 100644 --- a/cookbooks/nominatim/templates/default/nginx.erb +++ b/cookbooks/nominatim/templates/default/nginx.erb @@ -1,3 +1,7 @@ +upstream nominatim_service { + server 127.0.0.1:<%= @pools[:www][:port ]%>; +} + map $uri $nominatim_script_name { ~^(.+?\.php) $1; ~^/([^/]+) $1.php; @@ -8,12 +12,37 @@ map $uri $nominatim_path_info { ~^/([^/]+)(.*)$ $2; } +map $args $format { + default default; + ~(^|&)format=html(&|$) html; + ~(^|&)format= other; +} + +map $uri/$format $forward_to_ui { + default 1; + ~^/ui 0; + ~/other$ 0; + ~/reverse.*/default 0; + ~/lookup.*/default 0; +} + map $query_string $email_id { ~(^|&)email=([^&]+) $2; } -upstream nominatim_service { - server 127.0.0.1:<%= @pools[:www][:port ]%>; +map $email_id $missing_email { + default ""; + "" 1; +} + +map $http_user_agent $missing_ua { + default ""; + "" 1; +} + +map $http_referer $missing_referer { + default ""; + "" 1; } # Whitelisted IPs @@ -30,16 +59,22 @@ geo $whitelisted { 8.43.85.23 1; # gnome } -map $http_user_agent $blocked_user_agent { +map $missing_email$missing_referer$http_user_agent $blocked_user_agent { default 0; + "11" 2; # block any requests without identifier include <%= @confdir %>/nginx_blocked_user_agent.conf; } -map $http_referer $blocked_referrer { +map $missing_email$missing_ua$http_referer $blocked_referrer { default 0; include <%= @confdir %>/nginx_blocked_referrer.conf; } +map $missing_referer$missing_ua$email_id $blocked_email { + default 0; + include <%= @confdir %>/nginx_blocked_email.conf; +} + map $whitelisted $limit_www { 1 ""; 0 $binary_remote_addr; @@ -79,9 +114,9 @@ server { server { # IPv4 - listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen 443 ssl deferred backlog=16384 reuseport http2 default_server; # IPv6 - listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen [::]:443 ssl deferred backlog=16384 reuseport http2 default_server; server_name localhost; ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem; @@ -112,18 +147,23 @@ server { } location / { - set $anyid $http_referer$http_user_agent$email_id; - if ($anyid = "") - { return 403; } + try_files $uri $uri/ @php; + } + + location /ui/ { + alias <%= @ui_directory %>/dist/; + index search.html; + } + + location @php { if ($blocked_user_agent ~ ^2$) { return 403; } if ($blocked_referrer) { return 403; } + if ($blocked_email) + { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; - try_files $uri $uri/ @php; - } - - location @php { limit_req zone=www burst=10; limit_req zone=tarpit burst=2; limit_req_status 429; @@ -132,14 +172,29 @@ server { fastcgi_param QUERY_STRING $args; fastcgi_param PATH_INFO "$nominatim_path_info"; fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name"; + if ($forward_to_ui) { + rewrite ^(/[^/]*) https://$host/ui$1.html redirect; + } } location ~* \.php$ { + if ($blocked_user_agent ~ ^2$) + { return 403; } + if ($blocked_referrer) + { return 403; } + if ($blocked_email) + { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; + limit_req zone=www burst=10; limit_req zone=tarpit burst=2; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + if ($forward_to_ui) { + rewrite (.*).php https://$host/ui$1.html redirect; + } } }