X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/df246797e4b8705a0912158c7aa46e4da3138e01..54817d1f97d837a7b740c805661388a03b8ffe22:/cookbooks/nominatim/templates/default/nginx.erb diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb index f42c60f3b..e60f0e308 100644 --- a/cookbooks/nominatim/templates/default/nginx.erb +++ b/cookbooks/nominatim/templates/default/nginx.erb @@ -1,11 +1,11 @@ upstream nominatim_service { - server 127.0.0.1:<%= @pools[:www][:port ]%>; + server unix:/run/gunicorn-nominatim.openstreetmap.org.sock fail_timeout=0; } map $uri $nominatim_script_name { - ~^(.+?\.php) $1; - ~^/([^/]+) $1.php; - ^$ search.php; + ~^/*(.+?)\.php $1; + ~^/*([^/]+) $1; + ^$ search; } map $uri $nominatim_path_info { @@ -24,6 +24,7 @@ map $uri/$format $forward_to_ui { ~/other$ 0; ~/reverse.*/default 0; ~/lookup.*/default 0; + ~/status.*/default 0; } map $query_string $email_id { @@ -49,17 +50,30 @@ map $http_referer $missing_referer { geo $whitelisted { default 0; <% @frontends.each do |frontend| -%> -<% frontend.ipaddresses(:role => :external) do |address| -%> +<% frontend.ipaddresses(:role => :external).sort.each do |address| -%> <%= address %> 1; <% end -%> <% end -%> 46.235.224.148 1; 209.132.180.180 1; 209.132.180.168 1; - 8.43.85.23 1; # gnome + 8.43.85.3 1; # gnome + 8.43.85.4 1; # gnome + 8.43.85.5 1; # gnome + 2620:52:3:1:5054:ff:fe0a:75a4 1; # gnome + 2620:52:3:1:5054:ff:fe0a:75a2 1; # gnome + 2620:52:3:1:5054:ff:fe0a:75aa 1; # gnome + 34.234.151.67 1; # gnome - https://github.com/openstreetmap/operations/issues/1160 + 54.165.53.199 1; # gnome - https://github.com/openstreetmap/operations/issues/1160 + 35.153.15.118 1; # gnome - https://github.com/openstreetmap/operations/issues/1160 } -map $missing_email$missing_referer$http_user_agent $blocked_user_agent { +map $server_protocol$http_user_agent $cleaned_user_agent { + default $http_user_agent; + "~^HTTP/1..Mozilla/" Script$http_user_agent; +} + +map $missing_email$missing_referer$cleaned_user_agent $blocked_user_agent { default 0; "11" 2; # block any requests without identifier include <%= @confdir %>/nginx_blocked_user_agent.conf; @@ -86,9 +100,22 @@ map $blocked_user_agent $limit_tarpit { 2 $binary_remote_addr; } +map $missing_email$missing_referer$http_user_agent $generic_mozilla { + default 0; + ~^11Mozilla/4.0 1; + ~^11Mozilla/5.0 2; +} + +map $whitelisted$generic_mozilla$uri $limit_reverse { + default ""; + ~01/reverse.* $binary_remote_addr; + ~02/reverse.* $binary_remote_addr; +} + limit_req_zone $limit_www zone=www:50m rate=2r/s; limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s; limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m; +limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m; server { listen 80 default_server; @@ -114,16 +141,16 @@ server { server { # IPv4 - listen 443 ssl deferred backlog=16384 reuseport http2 default_server; + listen 443 ssl http2 default_server; # IPv6 - listen [::]:443 ssl deferred backlog=16384 reuseport http2 default_server; + listen [::]:443 ssl http2 default_server; server_name localhost; ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem; ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key; - root <%= @directory %>/website; - index search.php; + root <%= @directory %>/static-website; + index /search; access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined; error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log; @@ -155,44 +182,47 @@ server { index search.html; } - location @php { - if ($blocked_user_agent ~ ^2$) - { return 403; } - if ($blocked_referrer) - { return 403; } - if ($blocked_email) - { return 403; } + location /qa-data/ { + add_header Access-Control-Allow-Origin "*" always; + } - limit_req zone=www burst=10; - limit_req zone=tarpit burst=2; - limit_req_status 429; - fastcgi_pass nominatim_service; - include fastcgi_params; - fastcgi_param QUERY_STRING $args; - fastcgi_param PATH_INFO "$nominatim_path_info"; - fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name"; - if ($forward_to_ui) { - rewrite ^(/[^/]*) http://$host/ui$1.html redirect; - } + location ~* ^/(search|reverse)(\.php)?/ { + error_page 404 /404-old-search-syntax.html; + return 404; } - location ~* \.php$ { + location @php { + if ($forward_to_ui) { + rewrite ^(/[^/]*) https://$host/ui$1.html redirect; + } if ($blocked_user_agent ~ ^2$) { return 403; } if ($blocked_referrer) { return 403; } if ($blocked_email) { return 403; } + if ($args ~* "q=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ &]") + { return 418; } + include <%= @confdir %>/nginx_blocked_generic.conf; limit_req zone=www burst=10; - limit_req zone=tarpit burst=2; + limit_req zone=tarpit burst=5; + limit_req zone=reverse burst=5; limit_req_status 429; - fastcgi_pass nominatim_service; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - if ($forward_to_ui) { - rewrite (.*).php http://$host/ui$1.html redirect; + if ($request_method = 'OPTIONS') { + add_header 'Content-Type' 'text/plain; charset=UTF-8'; + add_header 'Content-Length' 0; + add_header Access-Control-Allow-Origin "*"; + add_header Access-Control-Allow-Methods 'GET,OPTIONS'; + add_header Access-Control-Allow-Headers $http_access_control_request_headers; + return 204; } + + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_redirect off; + proxy_pass http://nominatim_service; } }