# DO NOT EDIT - This file is being maintained by Chef
upstream tile_cache_backend {
- server 127.0.0.1:8080;
+ server 127.0.0.1;
+
+ # Add the other caches to relieve pressure if local squid failing
+ # Balancer: round-robin
+<% @caches.each do |cache| -%>
+<% if cache[:hostname] != node[:hostname] -%>
+<% if node[:tilecache][:tile_siblings].include? cache[:fqdn] -%>
+<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
+ server <%= address %> backup; # Server <%= cache[:hostname] %>
+<% end -%>
+<% end -%>
+<% end -%>
+<% end -%>
- keepalive 32;
+ keepalive 1024;
+ keepalive_requests 1024;
+}
+
+# Geo Map of tile caches
+geo $tile_cache {
+ default 0;
+<% @caches.each do |cache| -%>
+<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
+ <%= address %> 1; # <%= cache[:hostname] %>
+<% end -%>
+<% end -%>
}
# Rates table based on current cookie value
-map $cookie_qos_token $limit_rate_qos {
+map $cookie__osm_totp_token $limit_rate_qos {
include /etc/nginx/conf.d/tile_qos_rates.map;
}
# Set-Cookie table based on current cookie value
-map $cookie_qos_token $cookie_qos_token_set {
+map $cookie__osm_totp_token $cookie_qos_token_set {
include /etc/nginx/conf.d/tile_qos_cookies.map;
}
map $http_user_agent $approved_scraper {
- default ''; # Not approved
- '~^JOSM\/' 'JOSM';
- '~^Mozilla\/5\.0\ QGIS\/' 'QGIS';
+ default 0; # Not approved
+ '~^JOSM\/' 1; # JOSM
+ '~^Mozilla\/5\.0\ QGIS\/' 1; # QGIS
+}
+
+map $http_user_agent $denied_scraper {
+ default 0; # Not denied
+ '' 1; # No User-Agent Set
+ '~^Python\-urllib\/' 1; # Library Default
+ '~^python\-requests\/' 1; # Library Default
+ '~^node\-fetch\/' 1; # Library Default
+ '~^R$' 1; # Library Default
+ '~^Java\/' 1; # Library Default
+ '~^tiles$' 1; # Library Default
+ '~^runtastic' 1; # App
+ 'Mozilla/4.0' 1; # Fake
+ 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1; # Fake
+}
+
+map $http_referer $denied_referer {
+ default 0; # Not denied
+ 'http://www.openstreetmap.org/' 1; # Faked
+ 'http://www.openstreetmap.org' 1; # Faked
+ 'http://openstreetmap.org/' 1; # Faked
+ 'http://openstreetmap.org' 1; # Faked
+ 'http://www.osm.org/' 1; # Faked
+ 'http://www.osm.org' 1; # Faked
+ 'http://osm.org/' 1; # Faked
+ 'http://osm.org' 1; # Faked
}
# Limit Cache-Control header to only approved User-Agents
}
server {
- listen 443 ssl fastopen=2048 http2 default_server;
+ listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
server_name localhost;
proxy_buffers 8 64k;
ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem;
ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key;
+ # Requests sent within early data are subject to replay attacks.
+ # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
+ ssl_early_data on;
+
+ # Immediately 404 layers we do not support
+<% for i in 20..99 do %>
+ location /<%= i %>/ {
+ set $limit_rate 512;
+ return 404;
+ }
+<% end %>
+
+ # Immediately 404 silly tile requests
+ location = /0/0/-1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /1/0/-1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /1/-1/0.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /1/-1/1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /1/-1/-1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /1/-1/2.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /1/1/-1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /1/2/-1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /2/0/-1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /2/-1/0.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /2/-1/1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /2/1/-1.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /2/-1/2.png {
+ set $limit_rate 512;
+ return 404;
+ }
+ location = /2/-1/3.png {
+ set $limit_rate 512;
+ return 404;
+ }
+
+<% for i in 0..13 do %>
+<% if i == 0 -%>
+ # Default Fallback Location Handler (lowest)
location / {
+<% elsif -%>
+ # Dedicated zoom handler for caching
+ location /<%= i %>/ {
+<% end %>
proxy_pass http://tile_cache_backend;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_http_version 1.1;
proxy_connect_timeout 5s;
+ # Preserve host header.
+ proxy_set_header Host $host;
# Do not pass cookies to backends.
proxy_set_header Cookie '';
# Do not pass Accept-Encoding to backends.
proxy_ignore_headers Set-Cookie;
proxy_hide_header Set-Cookie;
+<% if i != 0 -%>
+ # Caching
+ proxy_cache "proxy_cache_zone";
+ proxy_cache_lock on;
+ proxy_cache_valid 200 1d;
+ proxy_cache_valid 404 15m;
+ # Serve stale cache on errors or if updating
+ proxy_cache_use_stale error timeout updating http_500 http_503 http_504;
+ # If in cache as stale, serve stale and update in background
+ proxy_cache_background_update on;
+ proxy_cache_min_uses 8;
+
+ add_header X-Nginx-Cache-Status $upstream_cache_status;
+<% end -%>
+
# Set a QoS cookie if none presented (uses nginx Map)
add_header Set-Cookie $cookie_qos_token_set;
<% if node[:ssl][:strict_transport_security] -%>
# Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map)
if ($approved_scraper) {
- set $limit_rate 32768;
+ set $limit_rate 65536;
+ }
+
+ if ($denied_scraper) {
+ set $limit_rate 512;
+ return 429;
+ }
+ if ($denied_referer) {
+ set $limit_rate 512;
+ return 418;
}
# Strip any ?query parameters from urls
proxy_set_header Cache-Control $limit_http_cache_control;
proxy_set_header Pragma $limit_http_pragma;
}
-}
-
-# Convert all http requests to https
-server {
- listen 80 default_server;
- listen [::]:80 default_server;
- server_name _;
- add_header Access-Control-Allow-Origin *;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 80;
- listen [::]:80;
- server_name ~^(?<subdomain>(?:[a-d]\.)?tile)\.osm\.org$;
- add_header Access-Control-Allow-Origin *;
- return 301 https://$subdomain.openstreetmap.org$request_uri;
+<% end %>
}
projects / chef.git / blobdiff