X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/5b4d331dee733d42b3a2c4aa937f6e8ba6c6d9ab..e26014200863b3118f65f48175260fa05768bcb7:/cookbooks/tilecache/templates/default/nginx_tile.conf.erb

diff --git a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
index bc41ffbaf..4e1daee4a 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile.conf.erb
@@ -1,18 +1,15 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
 upstream tile_cache_backend {
-  server 127.0.0.1;
-  server 127.0.0.2;
-  server 127.0.0.3;
+  server 127.0.0.1:8080;
+  server 127.0.0.2:8080;
 
   # Add the other caches to relieve pressure if local squid failing
   # Balancer: round-robin
 <% @caches.each do |cache| -%>
 <% if cache[:hostname] != node[:hostname] -%>
-<% if node[:tilecache][:tile_siblings].include? cache[:fqdn] -%>
 <% cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address| -%>
-  server <%= address %> backup; # Server <%= cache[:hostname] %>
-<% end -%>
+  server <%= address %>:80 backup; # Server <%= cache[:hostname] %>
 <% end -%>
 <% end -%>
 <% end -%>
@@ -32,14 +29,14 @@ geo $tile_cache {
 }
 
 # Rates table based on current cookie value
-map $cookie__osm_totp_token $limit_rate_qos {
-  include /etc/nginx/conf.d/tile_qos_rates.map;
-}
+# map $cookie__osm_totp_token $limit_rate_qos {
+#  include /etc/nginx/conf.d/tile_qos_rates.map;
+# }
 
 # Set-Cookie table based on current cookie value
-map $cookie__osm_totp_token $cookie_qos_token_set {
-  include /etc/nginx/conf.d/tile_qos_cookies.map;
-}
+# map $cookie__osm_totp_token $cookie_qos_token_set {
+#  include /etc/nginx/conf.d/tile_qos_cookies.map;
+# }
 
 map $http_user_agent $approved_scraper {
   default                   0; # Not approved
@@ -56,9 +53,23 @@ map $http_user_agent $denied_scraper {
   '~^R$'                 1; # Library Default
   '~^Java\/'             1; # Library Default
   '~^tiles$'             1; # Library Default
-  '~^runtastic'          1; # App
+  '~^okhttp\/'           1; # Library Default
+  '~^Microsoft-ATL-Native\/' 1; #Library Default
+  '/n software IPWorks HTTP/S Component - www.nsoftware.com' 1; #Library default
+  '~^Wget\/'             1; #Library Default
+  'C# TilesDownloader'   1; # Downloader
+  'MapDownloader'        1; # Downloader
+  'Android'              1; # Default or fake
+  'kc_android'           1; # Default or fake
   'Mozilla/4.0'          1; # Fake
   'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' 1;  # Fake
+  '~^runtastic'          1; # App
+  '~^Where\ my\ children' 1; # App
+  'nossoonibusjp.android.crosswalk' 1; # App
+  'br.com.concisoti.potybus' 1; # App
+  'com.soft373.taptaxi'  1;
+  'com.kradac.ktxcore'   1;
+  'ru.crowdsystems.topcontrol.knd' 1;
 }
 
 map $http_referer $denied_referer {
@@ -71,6 +82,16 @@ map $http_referer $denied_referer {
   'http://www.osm.org'             1; # Faked
   'http://osm.org/'                1; # Faked
   'http://osm.org'                 1; # Faked
+  '~^http://google\.com'           1; # Faked
+  '~^http://www\.google\.com'      1; # Faked
+  '~^https?://pmap\.kuku\.lu/'           1; # Too much traffic
+  '~^https?://[^.]*\.pmap\.kuku\.lu/'    1; # Too much traffic
+  '~^https?://fastpokemap\.com/'         1; # Too much traffic
+  '~^https?://[^.]*\.fastpokemap\.com/'  1; # Too much traffic
+  '~^https?://pkget\.com/'               1; # Too much traffic
+  '~^https?://[^.]*\.pkget\.com/'        1; # Too much traffic
+  '~^https?://twpkinfo\.com/'            1; # Too much traffic
+  '~^https?://[^.]*\.twpkinfo\.com/'     1; # Too much traffic
 }
 
 map $http_referer $osm_referer {
@@ -93,10 +114,16 @@ map $osm_referer$http_user_agent $limit_http_pragma {
 }
 
 server {
+    # IPv4
+    listen       80 deferred backlog=16384 reuseport fastopen=2048 default_server;
     listen       443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
+    # IPv6
+    listen       [::]:80 deferred backlog=16384 reuseport fastopen=2048 default_server;
+    listen       [::]:443 ssl deferred backlog=16384 reuseport fastopen=2048 http2 default_server;
     server_name  localhost;
 
     proxy_buffers 8 64k;
+    proxy_busy_buffers_size 64k;
 
     ssl_certificate      /etc/ssl/certs/tile.openstreetmap.org.pem;
     ssl_certificate_key  /etc/ssl/private/tile.openstreetmap.org.key;
@@ -105,11 +132,6 @@ server {
     # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
     ssl_early_data on;
 
-    # Only allow GET / HEAD / OPTIONS (CORS) requests
-    limit_except GET HEAD OPTIONS {
-      deny all;
-    }
-
     # Immediately 404 layers we do not support
 <% for i in 20..99 do %>
     location /<%= i %>/ {
@@ -176,7 +198,7 @@ server {
       return 404;
     }
 
-<% for i in 0..14 do %>
+<% for i in 0..16 do %>
 <% if i == 0 -%>
     # Default Fallback Location Handler (lowest)
     location / {
@@ -184,12 +206,17 @@ server {
     # Dedicated zoom handler for caching
     location /<%= i %>/ {
 <% end %>
+      # Only allow GET / HEAD / OPTIONS (CORS) requests
+      limit_except GET HEAD OPTIONS {
+        deny all;
+      }
+
       proxy_pass http://tile_cache_backend;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_http_version 1.1;
       proxy_set_header Connection '';
 
-      proxy_connect_timeout 10s;
+      proxy_connect_timeout 20s;
 
       # Replace host header.
       proxy_set_header Host 'tile.openstreetmap.org';
@@ -221,19 +248,23 @@ server {
       # Caching
       proxy_cache "proxy_cache_zone";
       proxy_cache_lock on;
-      proxy_cache_valid 200 1d;
+      proxy_cache_valid 200 2d;
       proxy_cache_valid 404 15m;
       # Serve stale cache on errors or if updating
-      proxy_cache_use_stale error timeout updating http_500 http_503 http_504;
+      proxy_cache_use_stale error timeout updating http_404 http_500 http_503 http_504;
       # If in cache as stale, serve stale and update in background
       proxy_cache_background_update on;
-      proxy_cache_min_uses 8;
+      # Workaround nginx async bug which causes stale cache replies to wait for the async backend cache update reply (seen in v1.16.0)
+      keepalive_requests 0;
+      # Enable revalidation using If-Modified-Since and If-None-Match for stale items
+      proxy_cache_revalidate on;
+      proxy_cache_min_uses 4;
 
-      add_header X-Nginx-Cache-Status $upstream_cache_status;
+      add_header x-cache-status $upstream_cache_status;
 <% end -%>
 
       # Set a QoS cookie if none presented (uses nginx Map)
-      add_header Set-Cookie $cookie_qos_token_set;
+      # add_header Set-Cookie $cookie_qos_token_set;
 <% if node[:ssl][:strict_transport_security] -%>
       # Ensure Strict-Transport-Security header is removed from proxied server responses
       proxy_hide_header Strict-Transport-Security;
@@ -243,12 +274,12 @@ server {
 <% end -%>
 
       # QoS Traffic Rate see $limit_rate on http://nginx.org/en/docs/http/ngx_http_core_module.html
-      set $limit_rate $limit_rate_qos;
+      # set $limit_rate $limit_rate_qos;
 
       # Allow Higher Traffic Rate from Approved User-Agents which do not support cookies (uses nginx Map)
-      if ($approved_scraper) {
-        set $limit_rate 65536;
-      }
+      # if ($approved_scraper) {
+      #   set $limit_rate 65536;
+      # }
 
       if ($denied_scraper) {
         set $limit_rate 512;