X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ee06d3543d865a3a1085a33aeef3d7d5af38046c..002e934c3f9d818e59b74fdb021f93766799ea9c:/cookbooks/web/templates/default/apache.frontend.erb?ds=inline diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb index c11fd95d9..12beede35 100644 --- a/cookbooks/web/templates/default/apache.frontend.erb +++ b/cookbooks/web/templates/default/apache.frontend.erb @@ -1,25 +1,25 @@ # DO NOT EDIT - This file is being maintained by Chef -<% [80, 443].each do |port| -%> -> + # # Basic server configuration # ServerName <%= node[:fqdn] %> - ServerAlias api.openstreetmap.org www.openstreetmap.org + ServerAlias api.openstreetmap.org www.openstreetmap.org 127.0.0.1 ServerAdmin webmaster@openstreetmap.org -<% if port == 443 -%> # # Enable SSL # SSLEngine on -<% end -%> + SSLProxyEngine on + SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem + SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key # # Setup logging # - LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Ts" combined_with_time + LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time CustomLog /var/log/apache2/access.log combined_with_time ErrorLog /var/log/apache2/error.log @@ -29,6 +29,16 @@ ExpiresActive On RewriteEngine on + # + # Add the unique ID to the request headers + # + RequestHeader set X-Request-Id %{UNIQUE_ID}e + + # + # Remove Proxy request header to mitigate https://httpoxy.org/ + # + RequestHeader unset Proxy early + # # Block troublesome GPX data scrapping # @@ -41,10 +51,21 @@ RewriteCond %{HTTP_USER_AGENT} tilesAtHome RewriteRule . - [F,L] + # + # Block changeset scraper + # + RewriteCond %{HTTP_USER_AGENT} "OSMApp Tuner" + RewriteRule . - [F,L] + # # Block requests for the old 404 map tile + # and force cache headers on response # - RewriteRule ^/openlayers/img/404.png$ - [G,L] + + Header always set Cache-Control "public, max-age=31536000, immutable" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + RewriteRule ^ - [G,L] + # # Block attempts to access old API versions @@ -53,7 +74,7 @@ # # Block JOSM revisions 1722-1727 as they have a serious bug that causes - # lat/lon to be swapped (http://josm.openstreetmap.de/ticket/2804) + # lat/lon to be swapped (https://josm.openstreetmap.de/ticket/2804) # RewriteCond %{HTTP_USER_AGENT} "^JOSM/[0-9]+\.[0-9]+ \(172[234567]\)" RewriteRule . - [F,L] @@ -75,17 +96,16 @@ # Header unset Last-Modified - Header unset ETag - FileETag None + FileETag Size ExpiresDefault "access plus 1 year" + Header set Cache-Control "immutable, max-age=31536000" # # Set expiry for attachments # - Header unset Last-Modified Header unset ETag FileETag None @@ -101,32 +121,9 @@ ExpiresDefault "access plus 10 years" - - ExpiresDefault "access plus 10 years" - ExpiresDefault "access plus 7 days" - - ExpiresDefault "access plus 10 years" - - - # - # Set expiry for Potlatch 1 - # - - ExpiresDefault "access plus 7 days" - - - # - # Set expiry for Potlatch 2 - # - - ExpiresByType application/x-shockwave-flash "access plus 1 day" - ExpiresByType application/xml "access plus 1 day" - ExpiresByType text/css "access plus 1 day" - ExpiresByType image/png "access plus 7 days" - # # Configure rails @@ -135,8 +132,12 @@ RailsEnv production PassengerMinInstances 10 PassengerMaxRequests 5000 - PassengerPreStart http://www.openstreetmap.org/ - Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/images/favicon.ico + PassengerMaxRequestQueueSize 250 + PassengerPreStart https://www.openstreetmap.org/ + PassengerAppGroupName rails + SetEnv OPENSTREETMAP_STATUS <%= @status %> + SetEnv SECRET_KEY_BASE <%= @secret_key_base %> + Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/favicons/favicon.ico Alias /openlayers <%= node[:web][:base_directory] %>/rails/vendor/assets/openlayers Alias /stats /store/rails/stats Alias /user/image /store/rails/user/image @@ -156,123 +157,171 @@ # Allow all proxy requests # - Allow from all + Require all granted # - # Pass other heavy duty API calls to the bulkapi backends via a load balancer + # Pass some other API calls to the backends via a load balancer # - ProxyPass /api/0.6/map balancer://bulkapi/api/0.6/map - ProxyPass /api/0.6/tracepoints balancer://bulkapi/api/0.6/tracepoints - ProxyPass /api/0.6/amf/read balancer://bulkapi/api/0.6/amf/read - ProxyPass /api/0.6/swf/trackpoints balancer://bulkapi/api/0.6/swf/trackpoints - ProxyPassMatch ^(/api/0.6/changeset/[0-9]+/(upload|download))$ balancer://bulkapi$1 - ProxyPassMatch ^(/api/0.6/.*/(full|history|search|ways))$ balancer://bulkapi$1 - ProxyPass /api/0.6/nodes balancer://bulkapi/api/0.6/nodes - ProxyPass /api/0.6/ways balancer://bulkapi/api/0.6/ways - ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://bulkapi$1 + ProxyPassMatch ^(/api/0\.6/map(\.json|\.xml)?)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/tracepoints)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/amf/read)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/swf/trackpoints)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+(\.json|\.xml)?)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/upload(\.json|\.xml)?)$ balancer://amsterdam$1 + ProxyPassMatch ^(/api/0\.6/changeset/[0-9]+/download(\.json|\.xml)?)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+(\.json|\.xml)?)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/(node|way|relation)/[0-9]+/(full|history|search|ways|relations)(\.json|\.xml)?)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/nodes(\.json|\.xml)?)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/ways(\.json|\.xml)?)$ balancer://backend$1 + ProxyPassMatch ^(/api/0\.6/relations(\.json|\.xml)?)$ balancer://backend$1 + ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://backend$1 # # Redirect trac and wiki requests to the right places # - RedirectPermanent /trac/ http://trac.openstreetmap.org/ - RedirectPermanent /wiki/ http://wiki.openstreetmap.org/ + RedirectPermanent /trac/ https://trac.openstreetmap.org/ + RedirectPermanent /wiki/ https://wiki.openstreetmap.org/ # # Redirect requests for various images to the right place # - RedirectPermanent /images/osm_logo.png http://www.openstreetmap.org/assets/osm_logo.png - RedirectPermanent /images/cc_button.png http://www.openstreetmap.org/assets/cc_button.png + RedirectPermanent /images/osm_logo.png https://www.openstreetmap.org/assets/osm_logo.png + RedirectPermanent /images/cc_button.png https://www.openstreetmap.org/assets/cc_button.png # - # Define a load balancer for the bulkapi backends + # Define a load balancer for the local backends # - + ProxySet lbmethod=bybusyness - BalancerMember http://rails1 - BalancerMember http://rails2 - BalancerMember http://rails3 +<% Array(node[:web][:backends]).each do |backend| -%> + BalancerMember https://<%= backend %> disablereuse=on +<% end -%> -<% if port == 80 -%> # - # Redirect requests which should be secure to the SSL site + # Define a load balancer for the Amsterdam backends # - RewriteCond %{REQUEST_URI} ^/login(\.html)?$ [OR] - RewriteCond %{REQUEST_URI} ^/user/(new|create-account\.html)$ [OR] - RewriteCond %{REQUEST_URI} ^/user/terms$ [OR] - RewriteCond %{REQUEST_URI} ^/user/save$ [OR] - RewriteCond %{REQUEST_URI} ^/user/([^/]+)/account$ [OR] - RewriteCond %{REQUEST_URI} ^/user/reset-password$ - RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent] + + ProxySet lbmethod=bybusyness +<% ["rails1.ams", "rails2.ams", "rails3.ams"].each do |backend| -%> + BalancerMember https://<%= backend %> disablereuse=on +<% end -%> + + + # + # Define a load balancer for the Bytemark backends + # + + ProxySet lbmethod=bybusyness +<% ["rails4.bm", "rails5.bm"].each do |backend| -%> + BalancerMember https://<%= backend %> disablereuse=on +<% end -%> + # # Redirect api requests made to www.osm.org to api.osm.org # # RewriteCond %{HTTP_HOST} =www.openstreetmap.org -# RewriteRule ^/api/(.*)$ http://api.openstreetmap.org/api/$1 [L,NE,R=permanent] +# RewriteRule ^/api/(.*)$ https://api.openstreetmap.org/api/$1 [L,NE,R=permanent] # # Redirect non-api requests made to api.osm.org to www.osm.org # RewriteCond %{HTTP_HOST} =api.openstreetmap.org RewriteCond %{REQUEST_URI} !^/api/ - RewriteRule ^(.*)$ http://www.openstreetmap.org$1 [L,NE,R=permanent] -<% elsif port == 443 -%> + RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent] + - # - # Redirect api requests to api.osm.org over http - # - RewriteRule ^/api/(.*)$ http://api.openstreetmap.org/api/$1 [L,NE,R=permanent] + + ServerName openstreetmap.org.uk + ServerAlias www.openstreetmap.org.uk + ServerAlias openstreetmap.co.uk + ServerAlias www.openstreetmap.co.uk - # - # Redirect requests which do not need to be secure over http - # - RewriteCond %{REQUEST_URI} !^/login(.html)?$ - RewriteCond %{REQUEST_URI} !^/user/(new|create-account.html)$ - RewriteCond %{REQUEST_URI} !^/user/terms$ - RewriteCond %{REQUEST_URI} !^/user/save$ - RewriteCond %{REQUEST_URI} !^/user/go_public$ - RewriteCond %{REQUEST_URI} !^/user/([^/]+)/account$ - RewriteCond %{REQUEST_URI} !^/user/reset-password$ - RewriteCond %{REQUEST_URI} !^/preview/ - RewriteCond %{REQUEST_URI} !^/assets/ - RewriteCond %{REQUEST_URI} !^/javascripts/ - RewriteCond %{REQUEST_URI} !^/images/ - RewriteCond %{REQUEST_URI} !^/stylesheets/ - RewriteCond %{REQUEST_URI} !^/openlayers/ - RewriteRule ^(.*)$ http://www.openstreetmap.org$1 [L,NE,R=permanent] -<% end -%> + RedirectPermanent /events.ics http://calendar.openstreetmap.org.uk/events.ics + RedirectPermanent / https://www.openstreetmap.org/ -<% end -%> ServerName openstreetmap.org - ServerAlias maps.openstreetmap.org mapz.openstreetmap.org - ServerAlias openstreetmap.com www.openstreetmap.com - ServerAlias maps.openstreetmap.com mapz.openstreetmap.com - ServerAlias openstreetmap.net www.openstreetmap.net - ServerAlias maps.openstreetmap.net mapz.openstreetmap.net - ServerAlias openstreetmaps.org www.openstreetmaps.org - ServerAlias maps.openstreetmaps.org mapz.openstreetmaps.org - ServerAlias osm.org www.osm.org - ServerAlias maps.osm.org mapz.osm.org - ServerAlias openmaps.org www.openmaps.org - ServerAlias maps.openmaps.org mapz.openmaps.org - ServerAlias openworldmap.org www.openworldmap.org - ServerAlias maps.openworldmap.org mapz.openworldmap.org - ServerAlias freeosm.org www.freeosm.org - ServerAlias maps.freeosm.org mapz.freeosm.org - - RedirectPermanent / http://www.openstreetmap.org/ + + Header always set Cache-Control "max-age=31536000" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + + RewriteEngine on + + RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L] + + RewriteCond %{REQUEST_URI} !^/server-status$ + RewriteRule ^(.*)$ https://openstreetmap.org$1 [L,NE,R=permanent] - ServerName openstreetmap.org.uk - ServerAlias www.openstreetmap.org.uk - ServerAlias openstreetmap.co.uk - ServerAlias www.openstreetmap.co.uk + ServerName www.openstreetmap.org + ServerAlias * - RedirectPermanent /events.ics http://calendar.openstreetmap.org.uk/events.ics - RedirectPermanent / http://www.openstreetmap.org/ + Header always set Cache-Control "max-age=31536000" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + + RewriteEngine on + + RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L] + + RewriteCond %{REQUEST_URI} !^/server-status$ + RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent] + + + ServerName openstreetmap.org + ServerAlias * + + SSLEngine on + SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem + SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key + + Header always set Cache-Control "max-age=31536000" + Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT" + + RedirectPermanent / https://www.openstreetmap.org/ + + +/rails/public> + Require all granted + + RewriteCond "%{HTTP:Accept-encoding}" "gzip" + RewriteCond "%{REQUEST_FILENAME}\.gz" -s + RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.gz" [QSA] + + RewriteRule "\.css\.gz$" "-" [T=text/css,E=no-gzip:1] + RewriteRule "\.ico\.gz$" "-" [T=image/vnd.microsoft.icon,E=no-gzip:1] + RewriteRule "\.js\.gz$" "-" [T=text/javascript,E=no-gzip:1] + RewriteRule "\.json\.gz$" "-" [T=application/json,E=no-gzip:1] + RewriteRule "\.svg\.gz$" "-" [T=image/svg+xml,E=no-gzip:1] + RewriteRule "\.xml\.gz$" "-" [T=application/xml,E=no-gzip:1] + + + Header append Content-Encoding gzip + Header append Vary Accept-Encoding + + + + + Require all granted + + + + Require all granted + + + + Require all granted + + + + Require all granted + + + + Require all granted +