X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/3de67d68da6544a04c93acbbdca50cd2d520e4ad..8a108732b58fe598e13930f9644341fe919b8c44:/cookbooks/nominatim/templates/default/nginx.erb diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb index 4596d65e9..941051d95 100644 --- a/cookbooks/nominatim/templates/default/nginx.erb +++ b/cookbooks/nominatim/templates/default/nginx.erb @@ -1,5 +1,5 @@ upstream nominatim_service { - server 127.0.0.1:<%= @pools[:www][:port ]%>; + server unix:/run/php/nominatim.openstreetmap.org.sock; } map $uri $nominatim_script_name { @@ -12,6 +12,21 @@ map $uri $nominatim_path_info { ~^/([^/]+)(.*)$ $2; } +map $args $format { + default default; + ~(^|&)format=html(&|$) html; + ~(^|&)format= other; +} + +map $uri/$format $forward_to_ui { + default 1; + ~^/ui 0; + ~/other$ 0; + ~/reverse.*/default 0; + ~/lookup.*/default 0; + ~/status.*/default 0; +} + map $query_string $email_id { ~(^|&)email=([^&]+) $2; } @@ -35,7 +50,7 @@ map $http_referer $missing_referer { geo $whitelisted { default 0; <% @frontends.each do |frontend| -%> -<% frontend.ipaddresses(:role => :external) do |address| -%> +<% frontend.ipaddresses(:role => :external).sort.each do |address| -%> <%= address %> 1; <% end -%> <% end -%> @@ -72,9 +87,22 @@ map $blocked_user_agent $limit_tarpit { 2 $binary_remote_addr; } +map $missing_email$missing_referer$http_user_agent $generic_mozilla { + default 0; + ~^11Mozilla/4.0 1; + ~^11Mozilla/5.0 2; +} + +map $whitelisted$generic_mozilla$uri $limit_reverse { + default ""; + ~01/reverse.* $binary_remote_addr; + ~02/reverse.* $binary_remote_addr; +} + limit_req_zone $limit_www zone=www:50m rate=2r/s; limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s; limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m; +limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m; server { listen 80 default_server; @@ -100,9 +128,9 @@ server { server { # IPv4 - listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen 443 ssl deferred backlog=16384 reuseport http2 default_server; # IPv6 - listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; + listen [::]:443 ssl deferred backlog=16384 reuseport http2 default_server; server_name localhost; ssl_certificate /etc/ssl/certs/<%= node[:fqdn] %>.pem; @@ -136,6 +164,15 @@ server { try_files $uri $uri/ @php; } + location /ui/ { + alias <%= @ui_directory %>/dist/; + index search.html; + } + + location /qa-data/ { + add_header Access-Control-Allow-Origin "*" always; + } + location @php { if ($blocked_user_agent ~ ^2$) { return 403; } @@ -143,15 +180,20 @@ server { { return 403; } if ($blocked_email) { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; limit_req zone=www burst=10; - limit_req zone=tarpit burst=2; + limit_req zone=tarpit burst=5; + limit_req zone=reverse burst=5; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params; fastcgi_param QUERY_STRING $args; fastcgi_param PATH_INFO "$nominatim_path_info"; fastcgi_param SCRIPT_FILENAME "$document_root/$nominatim_script_name"; + if ($forward_to_ui) { + rewrite ^(/[^/]*) https://$host/ui$1.html redirect; + } } location ~* \.php$ { @@ -161,12 +203,18 @@ server { { return 403; } if ($blocked_email) { return 403; } + include <%= @confdir %>/nginx_blocked_generic.conf; limit_req zone=www burst=10; limit_req zone=tarpit burst=2; + limit_req zone=reverse burst=5; limit_req_status 429; fastcgi_pass nominatim_service; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + if ($forward_to_ui) { + rewrite (.*).php https://$host/ui$1.html redirect; + } } }