# DO NOT EDIT - This file is being maintained by Chef # Basic server configuration ServerName <%= node.name %> ServerAlias tile.openstreetmap.org ServerAlias render.openstreetmap.org ServerAdmin webmaster@openstreetmap.org # # Enable SSL # SSLEngine on SSLProxyEngine on SSLCertificateFile /etc/ssl/certs/<%= node[:fqdn] %>.pem SSLCertificateKeyFile /etc/ssl/private/<%= node[:fqdn] %>.key # Configure location of static files and CGI scripts DocumentRoot /srv/tile.openstreetmap.org/html ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/ # Get the real remote IP for requests via a trusted proxy RemoteIPHeader Fastly-Client-IP <% @fastly.sort.each do |address| -%> RemoteIPTrustedProxy <%= address %> <% end -%> # Setup logging LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip CustomLog /var/log/apache2/access.log combined_with_remoteip ErrorLog /var/log/apache2/error.log BufferedLogs on # Always set Access-Control-Allow-Origin so that simple CORS requests # will always work and can be cached Header set Access-Control-Allow-Origin "*" # Add diagnostics header to identify render server Header set X-TileRender "<%= node.name %>" # Tell clients to use stale tiles if necessary Header append Cache-Control "stale-while-revalidate=604800, stale-if-error=604800" "expr=%{CONTENT_TYPE} == 'image/png'" # Remove Proxy request header to mitigate https://httpoxy.org/ RequestHeader unset Proxy early # Enable the rewrite engine RewriteEngine on # Rewrite tile requests to the default style RewriteRule ^/(\d+)/(\d+)/(\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L] RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/status/?$ /default/$1/$2/$3.png/status [PT,T=text/plain,L] RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/dirty/?$ /default/$1/$2/$3.png/dirty [PT,T=text/plain,L] # Historical Files redirect RedirectPermanent /processed_p.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/ RedirectPermanent /shoreline_300.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/ RedirectPermanent /world_boundaries-spherical.tgz https://planet.openstreetmap.org/historical-shapefiles/ # Redirect ACME certificate challenges RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/ # Restrict tile access to CDN nodes and admins Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}" # Fastly POPs <% @fastly.sort.each do |address| -%> Require ip <%= address %> <% end -%> # StatusCake monitoring <% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%> Require ip <%= address %> <% end -%> # Administrators <% @admins.sort.each do |address| -%> Require ip <%= address %> <% end -%> # OSM Amsterdam Cogent IPv4 Require ip 130.117.76.0/27 # OSM Amsterdam Cogent IPv6 Require ip 2001:978:2:2C::/64 # OSM Dublin IPv4 Require ip 184.104.226.96/27 # OSM Dublin IPv6 Require ip 2001:470:1:b3b::/64 # OSM UCL IPv4 Require ip 193.60.236.0/24 # Basic server configuration ServerName <%= node.name %> ServerAlias tile.openstreetmap.org ServerAlias render.openstreetmap.org ServerAdmin webmaster@openstreetmap.org # Setup logging LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip CustomLog /var/log/apache2/access.log combined_with_remoteip ErrorLog /var/log/apache2/error.log BufferedLogs on # Always set Access-Control-Allow-Origin so that simple CORS requests # will always work and can be cached Header set Access-Control-Allow-Origin "*" # Add diagnostics header to identify render server Header set X-TileRender "<%= node.name %>" # Remove Proxy request header to mitigate https://httpoxy.org/ RequestHeader unset Proxy early # Enable the rewrite engine RewriteEngine on # Redirect ACME certificate challenges RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L] # Redirect to https RewriteCond %{REQUEST_URI} !^/server-status$ RewriteCond %{REQUEST_URI} !^/mod_tile$ RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=permanent,L] Options None AllowOverride None Require all granted Options ExecCGI AllowOverride None Require all granted