X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/661556ea2d43e05e079275ec1dfe6e17b09f891e..93e92b84438ecf5422bdd9c685ae986be229068d:/cookbooks/tile/templates/default/apache.erb?ds=sidebyside

diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb
index 2f2488232..6588ab0b1 100644
--- a/cookbooks/tile/templates/default/apache.erb
+++ b/cookbooks/tile/templates/default/apache.erb
@@ -1,11 +1,22 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
-<VirtualHost *:80>
+<% [80, 443].each do |port| -%>
+<VirtualHost *:<%= port %>>
   # Basic server configuration
   ServerName <%= node[:fqdn] %>
-  ServerAlias tile.openstreetmap.org
-  ServerAlias parent.tile.openstreetmap.org
+  ServerAlias render.openstreetmap.org
+  ServerAlias *.render.openstreetmap.org
   ServerAdmin webmaster@openstreetmap.org
+<% if port == 443 -%>
+
+  #
+  # Enable SSL
+  #
+  SSLEngine on
+  SSLProxyEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= node[:fqdn] %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= node[:fqdn] %>.key
+<% end -%>
 
   # Configure location of static files and CGI scripts
   DocumentRoot /srv/tile.openstreetmap.org/html
@@ -14,37 +25,50 @@
   # Get the real remote IP for requests via a trusted proxy
   RemoteIPHeader X-Forwarded-For
 <% @caches.each do |cache| -%>
-<% cache.ipaddresses(:role => :external) do |address| -%>
+<% cache.ipaddresses(:role => :external).sort.each do |address| -%>
   RemoteIPTrustedProxy <%= address %>
 <% end -%>
 <% end -%>
 
   # Setup logging
-  CustomLog /var/log/apache2/access.log combined
+  LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip
+  CustomLog /var/log/apache2/access.log combined_with_remoteip
   ErrorLog /var/log/apache2/error.log
   BufferedLogs on
 
+  # Always set Access-Control-Allow-Origin so that simple CORS requests
+  # will always work and can be cached
+  Header set Access-Control-Allow-Origin "*"
+
+  # Remove Proxy request header to mitigate https://httpoxy.org/
+  RequestHeader unset Proxy early
+
   # Enable the rewrite engine
   RewriteEngine on
 
-  # Rewrite tile status or tile dirty requests to default style
+  # Rewrite tile requests to the default style
+  RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
   RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png/status/?$  /default/$1/$2/$3.png/status [PT,T=text/plain,L]
   RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png/dirty/?$   /default/$1/$2/$3.png/dirty  [PT,T=text/plain,L]
 
-  # Rewrite tile requests to the default style
-  RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L]
+  # Historical Files redirect
+  RedirectPermanent /processed_p.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/processed_p.tar.bz2
+  RedirectPermanent /shoreline_300.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/shoreline_300.tar.bz2
+  RedirectPermanent /world_boundaries-spherical.tgz https://planet.openstreetmap.org/historical-shapefiles/world_boundaries-spherical.tgz
+
+  # Redirect ACME certificate challenges
+  RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
 </VirtualHost>
 
+<% end -%>
 <Directory /srv/tile.openstreetmap.org/html>
   Options None
   AllowOverride None
-  Order allow,deny
-  Allow from all
+  Require all granted
 </Directory>
 
 <Directory /srv/tile.openstreetmap.org/cgi-bin>
   Options ExecCGI
   AllowOverride None
-  Order allow,deny
-  Allow from all
+  Require all granted
 </Directory>