Merge remote-tracking branch 'github/pull/528'

[chef.git] / cookbooks / web / templates / default / apache.frontend.erb

# DO NOT EDIT - This file is being maintained by Chef

<VirtualHost *:443>
  #
  # Basic server configuration
  #
  ServerName <%= node[:fqdn] %>
  ServerAlias api.openstreetmap.org www.openstreetmap.org 127.0.0.1
  ServerAdmin webmaster@openstreetmap.org

  #
  # Enable SSL
  #
  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
  SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key

  #
  # Setup logging
  #
  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time
  CustomLog /var/log/apache2/access.log combined_with_time
  CustomLog /var/log/apache2/basic.log combined_with_time "expr=%{HTTP:Authorization} =~ /^Basic/i"
  ErrorLog /var/log/apache2/error.log

  #
  # Turn on various features
  #
  ExpiresActive On
  RewriteEngine on

  #
  # Configure timeouts
  #
  RequestReadTimeout handshake=20-40,MinRate=500 header=20-40,MinRate=500 body=20,MinRate=500

  #
  # Add the unique ID to the request headers
  #
  RequestHeader set X-Request-Id %{UNIQUE_ID}e

  #
  # Remove Proxy request header to mitigate https://httpoxy.org/
  #
  RequestHeader unset Proxy early

  #
  # Block troublesome GPX data scrapping
  #
  RewriteCond %{REQUEST_METHOD} HEAD
  RewriteRule ^/trace/\d+/data - [F,L]

  #
  # Block tilesAtHome
  #
  RewriteCond %{HTTP_USER_AGENT} tilesAtHome
  RewriteRule . - [F,L]

  #
  # Block changeset scraper
  #
  RewriteCond %{HTTP_USER_AGENT} "OSMApp Tuner"
  RewriteRule . - [F,L]

  #
  # Block attempts to access old API versions
  #
  RewriteRule ^/api/0.[12345]/ - [G,L]

  #
  # Block JOSM revisions  1722-1727 as they have a serious bug that causes
  # lat/lon to be swapped (https://josm.openstreetmap.de/ticket/2804)
  #
  RewriteCond %{HTTP_USER_AGENT} "^JOSM/[0-9]+\.[0-9]+ \(172[234567]\)"
  RewriteRule . - [F,L]

  #
  # Block a changeset that seems to lock things up
  #
  RewriteRule ^/api/0.6/changeset/6823497/download$ - [F,L]

  #
  # Ignore Vicon Valerus "online" status pings
  # https://gist.github.com/Firefishy/86ed5b86991b225179b54bbafbcd769e
  #
  RewriteCond "%{QUERY_STRING}" "^q=abcde&t=20"
  RewriteRule "^/api/0\.6/notes/search$" - [R=429,L]

  #
  # Force special MIME type for crossdomain.xml files
  #
  <Files crossdomain.xml>
    ForceType text/x-cross-domain-policy
  </Files>

  #
  # Set expiry for assets
  #
  <Location /assets/>
    Header unset Last-Modified
    FileETag Size

    ExpiresDefault "access plus 1 year"
    Header set Cache-Control "immutable, max-age=31536000"
  </Location>

  #
  # Set expiry for attachments
  #
  <Location /attachments/>
    Header unset ETag
    FileETag None

    ExpiresDefault "access plus 1 year"
  </Location>

  #
  # Set expiry for other static content
  #
  <Location /export/embed.html>
    ExpiresDefault "access plus 7 days"
  </Location>
  <Location /images/>
    ExpiresDefault "access plus 10 years"
  </Location>
  <Location /openlayers/>
    Header unset Last-Modified
    FileETag Size

    Header always set Cache-Control "public, max-age=31536000, immutable"
    Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
  </Location>

  #
  # Configure rails
  #
  DocumentRoot <%= node[:web][:base_directory] %>/rails/public
  RailsEnv production
  PassengerMinInstances 10
  PassengerMaxRequests 5000
  PassengerMaxRequestQueueSize 250
  PassengerPreStart https://www.openstreetmap.org/
  PassengerAppGroupName rails
  SetEnv OPENSTREETMAP_STATUS <%= @status %>
  SetEnv SECRET_KEY_BASE <%= @secret_key_base %>
  Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/favicons/favicon.ico
  Alias /openlayers <%= node[:web][:base_directory] %>/static/openlayers
  RedirectPermanent /stats https://planet.openstreetmap.org/statistics

  #
  # Pass authentication related headers to cgimap
  #
  <Location />
    CGIPassAuth On
  </Location>

  #
  # Pass supported calls to cgimap
  #
  RewriteRule ^/api/0\.6/map(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
  RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
  RewriteRule ^/api/0\.6/(node|way|relation|changeset)/[0-9]+(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
  RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/history(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
  RewriteRule ^/api/0\.6/(node|way|relation)/[0-9]+/relations(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
  RewriteRule ^/api/0\.6/node/[0-9]+/ways(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
  RewriteRule ^/api/0\.6/(way|relation)/[0-9]+/full(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
  RewriteRule ^/api/0\.6/(nodes|ways|relations)(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]
  RewriteRule ^/api/0\.6/changeset/[0-9]+/(upload|download)(\.json|\.xml)?$ fcgi://127.0.0.1:8000$0 [P]

  #
  # Redirect trac and wiki requests to the right places
  #
  RedirectPermanent /trac/ https://trac.openstreetmap.org/
  RedirectPermanent /wiki/ https://wiki.openstreetmap.org/

  #
  # Redirect requests for various images to the right place
  #
  RedirectPermanent /images/osm_logo.png https://www.openstreetmap.org/assets/osm_logo.png
  RedirectPermanent /images/cc_button.png https://www.openstreetmap.org/assets/cc_button.png

  #
  # Redirect api requests made to www.openstreetmap.org to api.openstreetmap.org
  #
#  RewriteCond %{HTTP_HOST} =www.openstreetmap.org
#  RewriteRule ^/api/(.*)$ https://api.openstreetmap.org/api/$1 [L,NE,R=permanent]

  #
  # Redirect non-api requests made to api.openstreetmap.org to www.openstreetmap.org
  #
  RewriteCond %{HTTP_HOST} =api.openstreetmap.org
  RewriteCond %{REQUEST_URI} !^/api/
  RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
  ServerName openstreetmap.org.uk
  ServerAlias www.openstreetmap.org.uk
  ServerAlias openstreetmap.co.uk
  ServerAlias www.openstreetmap.co.uk

  RedirectPermanent /events.ics http://calendar.openstreetmap.org.uk/events.ics
  RedirectPermanent / https://www.openstreetmap.org/
</VirtualHost>

<VirtualHost *:80>
  ServerName osm.org

  Header always set Cache-Control "max-age=31536000"
  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"

  RewriteEngine on

  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]

  RewriteCond %{REQUEST_URI} !^/server-status$
  RewriteRule ^(.*)$ https://osm.org$1 [L,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
  ServerName www.osm.org

  Header always set Cache-Control "max-age=31536000"
  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"

  RewriteEngine on

  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]

  RewriteCond %{REQUEST_URI} !^/server-status$
  RewriteRule ^(.*)$ https://www.osm.org$1 [L,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
  ServerName openstreetmap.org

  Header always set Cache-Control "max-age=31536000"
  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"

  RewriteEngine on

  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]

  RewriteCond %{REQUEST_URI} !^/server-status$
  RewriteRule ^(.*)$ https://openstreetmap.org$1 [L,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
  ServerName www.openstreetmap.org
  ServerAlias *

  Header always set Cache-Control "max-age=31536000"
  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"

  RewriteEngine on

  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]

  RewriteCond %{REQUEST_URI} !^/server-status$
  RewriteRule ^(.*)$ https://www.openstreetmap.org$1 [L,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  ServerName openstreetmap.org
  ServerAlias *

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
  SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key

  Header always set Cache-Control "max-age=31536000"
  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"

  RedirectPermanent / https://www.openstreetmap.org/
</VirtualHost>

<Directory <%= node[:web][:base_directory] %>/rails/public>
  Require all granted

  RewriteCond "%{HTTP:Accept-encoding}" "br"
  RewriteCond "%{REQUEST_FILENAME}\.br" -s
  RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.br" [QSA]

  RewriteCond "%{HTTP:Accept-encoding}" "gzip"
  RewriteCond "%{REQUEST_FILENAME}\.gz" -s
  RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.gz" [QSA]

  RewriteRule "\.css\.(br|gz)$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1]
  RewriteRule "\.ico\.(br|gz)$"  "-" [T=image/vnd.microsoft.icon,E=no-gzip:1,E=no-brotli:1]
  RewriteRule "\.js\.(br|gz)$"  "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
  RewriteRule "\.json\.(br|gz)$"  "-" [T=application/json,E=no-gzip:1,E=no-brotli:1]
  RewriteRule "\.svg\.(br|gz)$"  "-" [T=image/svg+xml,E=no-gzip:1,E=no-brotli:1]
  RewriteRule "\.xml\.(br|gz)$"  "-" [T=application/xml,E=no-gzip:1,E=no-brotli:1]

  <FilesMatch "\.(css|ico|js|json|svg|xml)\.br$">
    Header append Content-Encoding br
    Header append Vary Accept-Encoding
  </FilesMatch>

  <FilesMatch "\.(css|ico|js|json|svg|xml)\.gz$">
    Header append Content-Encoding gzip
    Header append Vary Accept-Encoding
  </FilesMatch>
</Directory>

<Directory /srv/www.openstreetmap.org/static>
  Require all granted
</Directory>

<Directory /srv/www.openstreetmap.org/rails/app/assets>
  Require all granted
</Directory>

<Directory /srv/www.openstreetmap.org/rails/vendor/assets>
  Require all granted
</Directory>