[chef.git] / cookbooks / nominatim / templates / default / nginx.erb

upstream nominatim_service {
  server unix:/run/php/php-nominatim.openstreetmap.org-fpm.sock;
}

map $uri $nominatim_script_name {
    ~^(.+?\.php)         $1;
    ~^/([^/]+)           $1.php;
    ^$                   search.php;
}

map $uri $nominatim_path_info {
    ~^/([^/]+)(.*)$      $2;
}

map $args $format {
    default                  default;
    ~(^|&)format=html(&|$)   html;
    ~(^|&)format=            other;
}

map $uri/$format $forward_to_ui {
    default               1;
    ~^/ui                 0;
    ~/other$              0;
    ~/reverse.*/default   0;
    ~/lookup.*/default    0;
    ~/status.*/default    0;
}

map $query_string $email_id {
    ~(^|&)email=([^&]+)  $2;
}

map $email_id $missing_email {
    default "";
    "" 1;
}

map $http_user_agent $missing_ua {
    default "";
    "" 1;
}

map $http_referer $missing_referer {
    default "";
    "" 1;
}

# Whitelisted IPs
geo $whitelisted {
    default 0;
<% @frontends.each do |frontend| -%>
<% frontend.ipaddresses(:role => :external).sort.each do |address| -%>
    <%= address %> 1;
<% end -%>
<% end -%>
    46.235.224.148 1;
    209.132.180.180 1;
    209.132.180.168 1;
    8.43.85.3 1; # gnome
    8.43.85.4 1; # gnome
    8.43.85.5 1; # gnome
}

map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
   default 0;
   "11" 2; # block any requests without identifier
   include <%= @confdir %>/nginx_blocked_user_agent.conf;
}

map $missing_email$missing_ua$http_referer $blocked_referrer {
   default 0;
   include <%= @confdir %>/nginx_blocked_referrer.conf;
}

map $missing_referer$missing_ua$email_id $blocked_email {
   default 0;
   include <%= @confdir %>/nginx_blocked_email.conf;
}

map $whitelisted $limit_www {
    1 "";
    0 $binary_remote_addr;
}

map $blocked_user_agent $limit_tarpit {
    0 "";
    1 $binary_remote_addr;
    2 $binary_remote_addr;
}

map $missing_email$missing_referer$http_user_agent $generic_mozilla {
    default 0;
    ~^11Mozilla/4.0 1;
    ~^11Mozilla/5.0 2;
}

map $whitelisted$generic_mozilla$uri $limit_reverse {
    default "";
    ~01/reverse.*  $binary_remote_addr;
    ~02/reverse.*  $binary_remote_addr;
}

limit_req_zone $limit_www zone=www:50m rate=2r/s;
limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m;

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
    error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;

    location /nginx_status {
        stub_status on;
        access_log   off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

     rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;

     location / {
         return 301 https://$host$request_uri;
     }
}

server {
    # IPv4
    listen       443 ssl http2 default_server;
    # IPv6
    listen       [::]:443 ssl http2 default_server;
    server_name  localhost;

    ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem;
    ssl_certificate_key /etc/ssl/private/<%= node[:fqdn] %>.key;

    root <%= @directory %>/website;
    index search.php;

    access_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-access.log combined;
    error_log <%= node[:nominatim][:logdir] %>/nominatim.openstreetmap.org-error.log;

    location /nginx_status {
        stub_status on;
        access_log   off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    error_page 403 /403.html;
    location /403.html {
        limit_req zone=blocked burst=5;
    }

    error_page 429 /509.html;
    location /509.html {
        limit_req zone=blocked burst=5;
    }

    location / {
        try_files $uri $uri/ @php;
    }

    location /ui/ {
        alias <%= @ui_directory %>/dist/;
        index search.html;
    }

    location /qa-data/ {
        add_header Access-Control-Allow-Origin "*" always;
    }

    location @php {
        if ($blocked_user_agent ~ ^2$)
        { return 403; }
        if ($blocked_referrer)
        { return 403; }
        if ($blocked_email)
        { return 403; }
        include <%= @confdir %>/nginx_blocked_generic.conf;

        limit_req zone=www burst=10;
        limit_req zone=tarpit burst=5;
        limit_req zone=reverse burst=5;
        limit_req_status 429;
        fastcgi_pass nominatim_service;
        include fastcgi_params;
        fastcgi_param QUERY_STRING    $args;
        fastcgi_param PATH_INFO       "$nominatim_path_info";
        fastcgi_param SCRIPT_FILENAME  "$document_root/$nominatim_script_name";
        if ($forward_to_ui) {
            rewrite ^(/[^/]*) https://$host/ui$1.html redirect;
        }
    }

    location ~* \.php$ {
        if ($blocked_user_agent ~ ^2$)
        { return 403; }
        if ($blocked_referrer)
        { return 403; }
        if ($blocked_email)
        { return 403; }
        include <%= @confdir %>/nginx_blocked_generic.conf;

        limit_req zone=www burst=10;
        limit_req zone=tarpit burst=2;
        limit_req zone=reverse burst=5;
        limit_req_status 429;
        fastcgi_pass    nominatim_service;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;

        if ($forward_to_ui) {
            rewrite (.*).php https://$host/ui$1.html redirect;
        }
    }
}