X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/589c6a679bf2f9497188978af05055cc10530393..HEAD:/cookbooks/tilecache/templates/default/nginx_tile.conf.erb diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb deleted file mode 100644 index fb03fca55..000000000 --- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb +++ /dev/null @@ -1,315 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -upstream tile_cache_backend { - server 127.0.0.1:8080; - server 127.0.0.2:8080; - - # Add the other caches to relieve pressure if local squid failing - # Balancer: round-robin -<% @caches.each do |cache| -%> -<% if cache[:hostname] != node[:hostname] -%> -<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> - server <%= address %>:80 backup; # Server <%= cache[:hostname] %> -<% end -%> -<% end -%> -<% end -%> - - keepalive 512; - keepalive_requests 1024; -} - -# Geo Map of tile caches -geo $tile_cache { - default 0; -<% @caches.each do |cache| -%> -<% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%> - <%= address %> 1; # <%= cache[:hostname] %> -<% end -%> -<% end -%> -} - -# Rates table based on current cookie value -# map $cookie__osm_totp_token $limit_rate_qos { -# include /etc/nginx/conf.d/tile_qos_rates.map; -# } - -# Set-Cookie table based on current cookie value -# map $cookie__osm_totp_token $cookie_qos_token_set { -# include /etc/nginx/conf.d/tile_qos_cookies.map; -# } - -map $http_user_agent $approved_scraper { - default 0; # Not approved - '~^JOSM\/' 1; # JOSM - '~^Mozilla\/5\.0\ QGIS\/' 1; # QGIS -} - -map $http_user_agent $denied_scraper { - default 0; # Not denied - '' 1; # No User-Agent Set - '~^Python\-urllib\/' 1; # Library Default - '~^python\-requests\/' 1; # Library Default - '~^node\-fetch\/' 1; # Library Default - '~^R$' 1; # Library Default - '~^Java\/' 1; # Library Default - '~^tiles$' 1; # Library Default - '~^okhttp\/' 1; # Library Default - '~^Microsoft-ATL-Native\/' 1; #Library Default - '/n software IPWorks HTTP/S Component - www.nsoftware.com' 1; #Library default - '~^Wget\/' 1; #Library Default - 'C# TilesDownloader' 1; # Downloader - 'MapDownloader' 1; # Downloader - '~^staticmaps' 1; # Downloader - 'Android' 1; # Default or fake - 'kc_android' 1; # Default or fake - 'Mozilla/4.0' 1; # Fake - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1; # Fake - '~^runtastic' 1; # App - '~^Where\ my\ children' 1; # App - 'nossoonibusjp.android.crosswalk' 1; # App - 'br.com.concisoti.potybus' 1; # App - 'com.soft373.taptaxi' 1; - 'com.kradac.ktxcore' 1; - 'ru.crowdsystems.topcontrol.knd' 1; -} - -map $http_referer $denied_referer { - default 0; # Not denied - 'http://www.openstreetmap.org/' 1; # Faked - 'http://www.openstreetmap.org' 1; # Faked - 'https://www.openstreetmap.org' 1; # Faked - 'http://openstreetmap.org/' 1; # Faked - 'http://openstreetmap.org' 1; # Faked - 'https://openstreetmap.org' 1; # Faked - 'http://www.osm.org/' 1; # Faked - 'http://www.osm.org' 1; # Faked - 'http://osm.org/' 1; # Faked - 'http://osm.org' 1; # Faked - 'http://google.com' 1; # Faked - 'http://www.google.com' 1; # Faked - 'http://google.com/' 1; # Faked - 'http://www.google.com/' 1; # Faked - 'https://google.com' 1; # Faked - 'https://www.google.com' 1; # Faked - 'https://google.com/' 1; # Faked - 'https://www.google.com/' 1; # Faked - 'http://www.microsoft.com/' 1; # Faked - '~^https?://pmap\.kuku\.lu/' 1; # Too much traffic - '~^https?://[^.]*\.pmap\.kuku\.lu/' 1; # Too much traffic - '~^https?://fastpokemap\.com/' 1; # Too much traffic - '~^https?://[^.]*\.fastpokemap\.com/' 1; # Too much traffic - '~^https?://pkget\.com/' 1; # Too much traffic - '~^https?://[^.]*\.pkget\.com/' 1; # Too much traffic - '~^https?://twpkinfo\.com/' 1; # Too much traffic - '~^https?://[^.]*\.twpkinfo\.com/' 1; # Too much traffic - '~^https?://9db\.jp/' 1; # Too much traffic - '~^https?://[^.]*\.9db\.jp/' 1; # Too much traffic - '~^https?://clustrmaps\.com/' 1; # Too much traffic - '~^https?://[^.]*\.clustrmaps\.com/' 1; # Too much traffic -} - -map $http_referer $osm_referer { - default ''; # False - '~^https:\/\/www\.openstreetmap\.org\/' 'osm'; # True -} - -# Limit Cache-Control header to only approved User-Agents -map $osm_referer$http_user_agent $limit_http_cache_control { - default ''; # Unset Header - '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header - '~^osmMozilla\/5\.0\ ' $http_cache_control; # Pass Header -} - -# Limit Pragma header to only approved User-Agents -map $osm_referer$http_user_agent $limit_http_pragma { - default ''; # Unset Header - '~^osmMozilla\/5\.0\ QGIS\/' ''; # Unset Header - '~^osmMozilla\/5\.0\ ' $http_pragma; # Pass Header -} - -server { - # IPv4 - listen 80 deferred backlog=16384 reuseport fastopen=2048 default_server; - listen 443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; - # IPv6 - listen [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server; - listen [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server; - server_name localhost; - - proxy_buffers 8 64k; - proxy_busy_buffers_size 64k; - - ssl_certificate /etc/ssl/certs/tile.openstreetmap.org.pem; - ssl_certificate_key /etc/ssl/private/tile.openstreetmap.org.key; - - # Requests sent within early data are subject to replay attacks. - # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data - ssl_early_data on; - - # Immediately 404 layers we do not support -<% for i in 20..99 do %> - location /<%= i %>/ { - set $limit_rate 512; - return 404; - } -<% end %> - - # Immediately 404 silly tile requests - location = /0/0/-1.png { - set $limit_rate 512; - return 404; - } - location = /1/0/-1.png { - set $limit_rate 512; - return 404; - } - location = /1/-1/0.png { - set $limit_rate 512; - return 404; - } - location = /1/-1/1.png { - set $limit_rate 512; - return 404; - } - location = /1/-1/-1.png { - set $limit_rate 512; - return 404; - } - location = /1/-1/2.png { - set $limit_rate 512; - return 404; - } - location = /1/1/-1.png { - set $limit_rate 512; - return 404; - } - location = /1/2/-1.png { - set $limit_rate 512; - return 404; - } - location = /2/0/-1.png { - set $limit_rate 512; - return 404; - } - location = /2/-1/0.png { - set $limit_rate 512; - return 404; - } - location = /2/-1/1.png { - set $limit_rate 512; - return 404; - } - location = /2/1/-1.png { - set $limit_rate 512; - return 404; - } - location = /2/-1/2.png { - set $limit_rate 512; - return 404; - } - location = /2/-1/3.png { - set $limit_rate 512; - return 404; - } - -<% for i in 0..16 do %> -<% if i == 0 -%> - # Default Fallback Location Handler (lowest) - location / { -<% elsif -%> - # Dedicated zoom handler for caching - location /<%= i %>/ { -<% end %> - # Only allow GET / HEAD / OPTIONS (CORS) requests - limit_except GET HEAD OPTIONS { - deny all; - } - - proxy_pass http://tile_cache_backend; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_http_version 1.1; - proxy_set_header Connection ''; - - proxy_connect_timeout 20s; - - # Replace host header. - proxy_set_header Host 'tile.openstreetmap.org'; - # Do not pass cookies to backends. - proxy_set_header Cookie ''; - # Do not pass Accept-Encoding to backends. - proxy_set_header Accept-Encoding ''; - # Do not pass Accept to backends. - proxy_set_header Accept ''; - # Do not pass Accept-Language to backends as unused. - proxy_set_header Accept-Language ''; - proxy_set_header Accept-Charset ''; - # Do not send origin, we allow all. - proxy_set_header origin ''; - # Do not pass invalid headers to backend. - proxy_set_header X-Forwarded-Host ''; - proxy_set_header X-Host ''; - proxy_set_header Authorization ''; - proxy_set_header Proxy-Authorization ''; - - # Drop partial requests - proxy_set_header range ''; - - # Do not allow setting cookies from backends due to caching. - proxy_ignore_headers Set-Cookie; - proxy_hide_header Set-Cookie; - -<% if i != 0 -%> - # Caching - proxy_cache "proxy_cache_zone"; - proxy_cache_lock on; - proxy_cache_valid 200 2d; - proxy_cache_valid 404 15m; - # Serve stale cache on errors or if updating - proxy_cache_use_stale error timeout updating http_404 http_500 http_503 http_504; - # If in cache as stale, serve stale and update in background - proxy_cache_background_update on; - # Workaround nginx async bug which causes stale cache replies to wait for the async backend cache update reply (seen in v1.16.0) - keepalive_requests 0; - # Enable revalidation using If-Modified-Since and If-None-Match for stale items - proxy_cache_revalidate on; - proxy_cache_min_uses 4; - - add_header x-cache-status $upstream_cache_status; -<% end -%> - - # Set a QoS cookie if none presented (uses nginx Map) - # add_header Set-Cookie $cookie_qos_token_set; -<% if node[:ssl][:strict_transport_security] -%> - # Ensure Strict-Transport-Security header is removed from proxied server responses - proxy_hide_header Strict-Transport-Security; - - # Enable HSTS - add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always; -<% end -%> - - # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html - # set $limit_rate $limit_rate_qos; - - # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map) - # if ($approved_scraper) { - # set $limit_rate 65536; - # } - - if ($denied_scraper) { - set $limit_rate 512; - return 429; - } - if ($denied_referer) { - set $limit_rate 512; - return 418; - } - - # Strip any ?query parameters from urls - set $args ''; - - # Allow cache purging headers only from select User-Agents (uses nginx Map) - proxy_set_header Cache-Control $limit_http_cache_control; - proxy_set_header Pragma $limit_http_pragma; - } -<% end %> -}