From: Sarah Hoffmann
Date: Sat, 25 Apr 2020 09:12:31 +0000 (+0200)
Subject: nominatim: allow blocking by email field
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/08e8b63150703826141d47c582498989f0e0f832

nominatim: allow blocking by email field

Also adds the means to only block by UA/referrer/email when other means of identification are missing.
---

diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index d89891137..929645f38 100644
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -312,18 +312,13 @@ directory "#{basedir}/etc" do
 mode 0o775
 end

-file "#{basedir}/etc/nginx_blocked_user_agent.conf" do
- action :create_if_missing
- owner "nominatim"
- group "adm"
- mode 0o664
-end
-
-file "#{basedir}/etc/nginx_blocked_referrer.conf" do
- action :create_if_missing
- owner "nominatim"
- group "adm"
- mode 0o664
+%w[user_agent referer email].each do |name|
+ file "#{basedir}/etc/nginx_blocked_#{name}.conf" do
+ action :create_if_missing
+ owner "nominatim"
+ group "adm"
+ mode 0o664
+ end
 end

 service "php7.2-fpm" do
diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb
index 51b40776e..969f625bd 100644
--- a/cookbooks/nominatim/templates/default/nginx.erb
+++ b/cookbooks/nominatim/templates/default/nginx.erb
@@ -1,3 +1,7 @@
+upstream nominatim_service {
+ server 127.0.0.1:<%= @pools[:www][:port ]%>;
+}
+
 map $uri $nominatim_script_name {
 ~^(.+?\.php) $1;
 ~^/([^/]+) $1.php;
@@ -12,8 +16,19 @@ map $query_string $email_id {
 ~(^|&)email=([^&]+) $2;
 }

-upstream nominatim_service {
- server 127.0.0.1:<%= @pools[:www][:port ]%>;
+map $email_id $missing_email {
+ default "";
+ "" 1;
+}
+
+map $http_user_agent $missing_ua {
+ default "";
+ "" 1;
+}
+
+map $http_referer $missing_referer {
+ default "";
+ "" 1;
 }

 # Whitelisted IPs
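Review bot: The loop element `referer` makes the recipe create `nginx_blocked_referer.conf`, but the nginx template changed in this same commit still includes `nginx_blocked_referrer.conf` (the removed `file` resource above used that double-r spelling as well), so on a freshly built host the included file will not exist and nginx will reject the configuration. Either keep the established name, `%w[user_agent referrer email].each do |name|`, or rename the include in the template to match. Hosts that already carry the old file will not notice, because `create_if_missing` never removes anything, which is why this would only surface on a rebuild.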
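Review bot: `$missing_email` is derived from `$email_id`, which the `map $query_string` block above only fills from an `email=` query parameter with at least one character (`[^&]+`), so a request sending `email=` with an empty value, or carrying the address anywhere other than the query string, counts as having no email; a comment on the map, `# 1 when the query string has no non-empty email= parameter`, would make that explicit for whoever maintains the blocklists. The `default ""; "" 1;` shape is repeated three times without explanation, so a one-line comment above the first map saying that these flags are meant to be concatenated into the keys of the blocking maps further down would help as well.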
@@ -30,16 +45,22 @@ geo $whitelisted {
 8.43.85.23 1; # gnome
 }

-map $http_user_agent $blocked_user_agent {
+map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
 default 0;
+ "11" 2; # block any requests without identifier
 include <%= @confdir %>/nginx_blocked_user_agent.conf;
 }

-map $http_referer $blocked_referrer {
+map $missing_email$missing_ua$http_referer $blocked_referrer {
 default 0;
 include <%= @confdir %>/nginx_blocked_referrer.conf;
 }

+map $missing_referer$missing_ua$http_referer $blocked_email {
+ default 0;
+ include <%= @confdir %>/nginx_blocked_email.conf;
+}
+
 map $whitelisted $limit_www {
 1 "";
 0 $binary_remote_addr;
@@ -112,13 +133,12 @@ server {
 }

 location / {
- set $anyid $http_referer$http_user_agent$email_id;
- if ($anyid = "")
- { return 403; }
 if ($blocked_user_agent ~ ^2$)
 { return 403; }
 if ($blocked_referrer)
 { return 403; }
+ if ($blocked_email)
+ { return 403; }

 try_files $uri $uri/ @php;
 }
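Review bot: The new `$blocked_email` map is keyed on `$missing_referer$missing_ua$http_referer`, so the entries in `nginx_blocked_email.conf` are matched against the referrer instead of the extracted email and the list can never block by email; the key should presumably be `map $missing_referer$missing_ua$email_id $blocked_email {`. Prepending the `$missing_*` flags also changes the keys of the two existing maps: an entry in `nginx_blocked_user_agent.conf` or `nginx_blocked_referrer.conf` written as a plain string, or as a `^`-anchored regex, stops matching whenever a `1` is prefixed, so the current blocklist contents (not part of this diff) need checking before this is rolled out. The `"11" 2` rule is meant for the all-identifiers-missing case, but the concatenation is ambiguous, since a user agent of literally `1` with one other identifier missing yields the same key; harmless here, but a separator between the flags and the header value would make the intent unambiguous.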