ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/
# Get the real remote IP for requests via a trusted proxy
- RemoteIPHeader X-Forwarded-For
-<% @caches.each do |cache| -%>
-<% cache.ipaddresses(:role => :external).sort.each do |address| -%>
- RemoteIPTrustedProxy <%= address %>
-<% end -%>
-<% end -%>
+ RemoteIPHeader Fastly-Client-IP
<% @fastly.sort.each do |address| -%>
RemoteIPTrustedProxy <%= address %>
<% end -%>
# Enable the rewrite engine
RewriteEngine on
+ # Enforce rate limits
+ RewriteMap ipmap txt:/srv/tile.openstreetmap.org/conf/ip.map
+ RewriteCond ${ipmap:%{REMOTE_ADDR}} ^.+$
+ RewriteRule ^.*$ /${ipmap:%{REMOTE_ADDR}} [PT]
+
# Rewrite tile requests to the default style
RewriteRule ^/(\d+)/(\d+)/(\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/status/?$ /default/$1/$2/$3.png/status [PT,T=text/plain,L]
# Redirect ACME certificate challenges
RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+
+ # Internal endpoint for blocked users
+ <Location /blocked>
+ Header always set Cache-Control private
+ Redirect 429
+ </Location>
</VirtualHost>
<VirtualHost *:80>
ServerAlias render.openstreetmap.org
ServerAdmin webmaster@openstreetmap.org
- # Get the real remote IP for requests via a trusted proxy
- RemoteIPHeader X-Forwarded-For
-<% @caches.each do |cache| -%>
-<% cache.ipaddresses(:role => :external).sort.each do |address| -%>
- RemoteIPTrustedProxy <%= address %>
-<% end -%>
-<% end -%>
-
# Setup logging
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
CustomLog /var/log/apache2/access.log combined_with_remoteip
projects / chef.git / blobdiff