+++ /dev/null
-# DO NOT EDIT - This file is being maintained by Chef
-
-upstream tile_cache_backend {
- server 127.0.0.1:8080;
- server 127.0.0.2:8080;
-
- # Add the other caches to relieve pressure if local squid failing
- # Balancer: round-robin
-<% @caches.each do |cache| -%>
-<% if cache[:hostname] != node[:hostname] -%>
-<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
- server <%= address %>:80 backup; # Server <%= cache[:hostname] %>
-<% end -%>
-<% end -%>
-<% end -%>
-
- keepalive 512;
- keepalive_requests 1024;
-}
-
-# Geo Map of tile caches
-geo $tile_cache {
- default 0;
-<% @caches.each do |cache| -%>
-<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
- <%= address %> 1; # <%= cache[:hostname] %>
-<% end -%>
-<% end -%>
-}
-
-# Rates table based on current cookie value
-# map $cookie__osm_totp_token $limit_rate_qos {
-# include /etc/nginx/conf.d/tile_qos_rates.map;
-# }
-
-# Set-Cookie table based on current cookie value
-# map $cookie__osm_totp_token $cookie_qos_token_set {
-# include /etc/nginx/conf.d/tile_qos_cookies.map;
-# }
-
-map $http_user_agent $approved_scraper {
- default 0; # Not approved
- '~^JOSM\/' 1; # JOSM
- '~^Mozilla\/5\.0\ QGIS\/' 1; # QGIS
-}
-
-map $http_user_agent $denied_scraper {
- default 0; # Not denied
- '' 1; # No User-Agent Set
- '~^Python\-urllib\/' 1; # Library Default
- '~^python\-requests\/' 1; # Library Default
- '~^node\-fetch\/' 1; # Library Default
- '~^R$' 1; # Library Default
- '~^Java\/' 1; # Library Default
- '~^tiles$' 1; # Library Default
- '~^okhttp\/' 1; # Library Default
- '~^Microsoft-ATL-Native\/' 1; #Library Default
- '/n software IPWorks HTTP/S Component - www.nsoftware.com' 1; #Library default
- '~^Wget\/' 1; #Library Default
- 'C# TilesDownloader' 1; # Downloader
- 'MapDownloader' 1; # Downloader
- '~^staticmaps' 1; # Downloader
- 'Android' 1; # Default or fake
- 'kc_android' 1; # Default or fake
- 'Mozilla/4.0' 1; # Fake
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1; # Fake
- '~^runtastic' 1; # App
- '~^Where\ my\ children' 1; # App
- 'nossoonibusjp.android.crosswalk' 1; # App
- 'br.com.concisoti.potybus' 1; # App
- 'com.soft373.taptaxi' 1;
- 'com.kradac.ktxcore' 1;
- 'ru.crowdsystems.topcontrol.knd' 1;
-}
-
-map $http_referer $denied_referer {
- default 0; # Not denied
- 'http://www.openstreetmap.org/' 1; # Faked
- 'http://www.openstreetmap.org' 1; # Faked
- 'https://www.openstreetmap.org' 1; # Faked
- 'http://openstreetmap.org/' 1; # Faked
- 'http://openstreetmap.org' 1; # Faked
- 'https://openstreetmap.org' 1; # Faked
- 'http://www.osm.org/' 1; # Faked
- 'http://www.osm.org' 1; # Faked
- 'http://osm.org/' 1; # Faked
- 'http://osm.org' 1; # Faked
- 'http://google.com' 1; # Faked
- 'http://www.google.com' 1; # Faked
- 'http://google.com/' 1; # Faked
- 'http://www.google.com/' 1; # Faked
- 'https://google.com' 1; # Faked
- 'https://www.google.com' 1; # Faked
- 'https://google.com/' 1; # Faked
- 'https://www.google.com/' 1; # Faked
- 'http://www.microsoft.com/' 1; # Faked
- '~^https?://pmap\.kuku\.lu/' 1; # Too much traffic
- '~^https?://[^.]*\.pmap\.kuku\.lu/' 1; # Too much traffic
- '~^https?://fastpokemap\.com/' 1; # Too much traffic
- '~^https?://[^.]*\.fastpokemap\.com/' 1; # Too much traffic
- '~^https?://pkget\.com/' 1; # Too much traffic
- '~^https?://[^.]*\.pkget\.com/' 1; # Too much traffic
- '~^https?://twpkinfo\.com/' 1; # Too much traffic
- '~^https?://[^.]*\.twpkinfo\.com/' 1; # Too much traffic
- '~^https?://9db\.jp/' 1; # Too much traffic
- '~^https?://[^.]*\.9db\.jp/' 1; # Too much traffic
- '~^https?://clustrmaps\.com/' 1; # Too much traffic
- '~^https?://[^.]*\.clustrmaps\.com/' 1; # Too much traffic
-}
-
-map $http_referer $osm_referer {
- default ''; # False
- '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True
-}
-
-# Limit Cache-Control header to only approved User-Agents
-map $osm_referer$http_user_agent $limit_http_cache_control {
- default ''; # Unset Header
- '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header
- '~^osmMozilla\/5\.0\ ' $http_cache_control; # Pass Header
-}
-
-# Limit Pragma header to only approved User-Agents
-map $osm_referer$http_user_agent $limit_http_pragma {
- default ''; # Unset Header
- '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header
- '~^osmMozilla\/5\.0\ ' $http_pragma; # Pass Header
-}
-
-server {
- # IPv4
- listen 80 deferred backlog=16384 reuseport fastopen=2048 default_server;
- listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
- # IPv6
- listen [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server;
- listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
- server_name localhost;
-
- proxy_buffers 8 64k;
- proxy_busy_buffers_size 64k;
-
- ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
- ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
-
- # Requests sent within early data are subject to replay attacks.
- # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
- ssl_early_data on;
-
- # Immediately 404 layers we do not support
-<% for i in 20..99 do %>
- location /<%= i %>/ {
- set $limit_rate 512;
- return 404;
- }
-<% end %>
-
- # Immediately 404 silly tile requests
- location = /0/0/-1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /1/0/-1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /1/-1/0.png {
- set $limit_rate 512;
- return 404;
- }
- location = /1/-1/1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /1/-1/-1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /1/-1/2.png {
- set $limit_rate 512;
- return 404;
- }
- location = /1/1/-1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /1/2/-1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /2/0/-1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /2/-1/0.png {
- set $limit_rate 512;
- return 404;
- }
- location = /2/-1/1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /2/1/-1.png {
- set $limit_rate 512;
- return 404;
- }
- location = /2/-1/2.png {
- set $limit_rate 512;
- return 404;
- }
- location = /2/-1/3.png {
- set $limit_rate 512;
- return 404;
- }
-
-<% for i in 0..16 do %>
-<% if i == 0 -%>
- # Default Fallback Location Handler (lowest)
- location / {
-<% elsif -%>
- # Dedicated zoom handler for caching
- location /<%= i %>/ {
-<% end %>
- # Only allow GET / HEAD / OPTIONS (CORS) requests
- limit_except GET HEAD OPTIONS {
- deny all;
- }
-
- proxy_pass http://tile_cache_backend;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_http_version 1.1;
- proxy_set_header Connection '';
-
- proxy_connect_timeout 20s;
-
- # Replace host header.
- proxy_set_header Host 'tile.openstreetmap.org';
- # Do not pass cookies to backends.
- proxy_set_header Cookie '';
- # Do not pass Accept-Encoding to backends.
- proxy_set_header Accept-Encoding '';
- # Do not pass Accept to backends.
- proxy_set_header Accept '';
- # Do not pass Accept-Language to backends as unused.
- proxy_set_header Accept-Language '';
- proxy_set_header Accept-Charset '';
- # Do not send origin, we allow all.
- proxy_set_header origin '';
- # Do not pass invalid headers to backend.
- proxy_set_header X-Forwarded-Host '';
- proxy_set_header X-Host '';
- proxy_set_header Authorization '';
- proxy_set_header Proxy-Authorization '';
-
- # Drop partial requests
- proxy_set_header range '';
-
- # Do not allow setting cookies from backends due to caching.
- proxy_ignore_headers Set-Cookie;
- proxy_hide_header Set-Cookie;
-
-<% if i != 0 -%>
- # Caching
- proxy_cache "proxy_cache_zone";
- proxy_cache_lock on;
- proxy_cache_valid 200 2d;
- proxy_cache_valid 404 15m;
- # Serve stale cache on errors or if updating
- proxy_cache_use_stale error timeout updating http_404 http_500 http_503 http_504;
- # If in cache as stale, serve stale and update in background
- proxy_cache_background_update on;
- # Workaround nginx async bug which causes stale cache replies to wait for the async backend cache update reply (seen in v1.16.0)
- keepalive_requests 0;
- # Enable revalidation using If-Modified-Since and If-None-Match for stale items
- proxy_cache_revalidate on;
- proxy_cache_min_uses 4;
-
- add_header x-cache-status $upstream_cache_status;
-<% end -%>
-
- # Set a QoS cookie if none presented (uses nginx Map)
- # add_header Set-Cookie $cookie_qos_token_set;
-<% if node[:ssl][:strict_transport_security] -%>
- # Ensure Strict-Transport-Security header is removed from proxied server responses
- proxy_hide_header Strict-Transport-Security;
-
- # Enable HSTS
- add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
-<% end -%>
-
- # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html
- # set $limit_rate $limit_rate_qos;
-
- # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map)
- # if ($approved_scraper) {
- # set $limit_rate 65536;
- # }
-
- if ($denied_scraper) {
- set $limit_rate 512;
- return 429;
- }
- if ($denied_referer) {
- set $limit_rate 512;
- return 418;
- }
-
- # Strip any ?query parameters from urls
- set $args '';
-
- # Allow cache purging headers only from select User-Agents (uses nginx Map)
- proxy_set_header Cache-Control $limit_http_cache_control;
- proxy_set_header Pragma $limit_http_pragma;
- }
-<% end %>
-}
projects / chef.git / blobdiff