From: Tom Hughes <tom@compton.nu>
Date: Thu, 30 Nov 2023 00:26:07 +0000 (+0000)
Subject: Use unix domain sockets for cgimap on the production servers
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/e93ea7c47fe2f91e54edde1d37db37d26a27d34e

Use unix domain sockets for cgimap on the production servers
---

diff --git a/cookbooks/web/recipes/cgimap.rb b/cookbooks/web/recipes/cgimap.rb
index 8a8a7de1c..d36550684 100644
--- a/cookbooks/web/recipes/cgimap.rb
+++ b/cookbooks/web/recipes/cgimap.rb
@@ -32,6 +32,7 @@ database_host = node[:web][:readonly_database_host] || node[:web][:database_host
 memcached_servers = node[:web][:memcached_servers] || []
 
 cgimap_options = {
+  "CGIMAP_SOCKET" => "/run/cgimap/socket",
   "CGIMAP_HOST" => database_host,
   "CGIMAP_DBNAME" => "openstreetmap",
   "CGIMAP_USERNAME" => "cgimap",
@@ -61,8 +62,11 @@ systemd_service "cgimap" do
   type "forking"
   environment_file cgimap_options
   user "rails"
-  exec_start "/usr/bin/openstreetmap-cgimap --daemon --port 8000 --instances 30"
+  group "www-data"
+  umask "0002"
+  exec_start "/usr/bin/openstreetmap-cgimap --daemon --instances 30"
   exec_reload "/bin/kill -HUP $MAINPID"
+  runtime_directory "cgimap"
   private_tmp true
   private_devices true
   protect_system "full"
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index b097dee55..94ba7a007 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -172,15 +172,15 @@
   #
   # Pass supported calls to cgimap
   #
-  RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
   RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
-  RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
-  RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
-  RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
-  RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
-  RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
-  RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
-  RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
+  RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+  RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+  RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+  RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+  RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+  RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
+  RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ unix:/run/cgimap/socket|fcgi://127.0.0.1$0 [P]
 
   #
   # Redirect trac and wiki requests to the right places