X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/85711462acec260c1c9b7be89e5c81c72d4908d4..15d02990717b0535a2b37633d65b5559c796fd02:/cookbooks/web/templates/default/apache.frontend.erb

diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index 9fbb7919d..00adb4b59 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -18,7 +18,11 @@
   #
   # Setup logging
   #
-  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined_with_time
+  SetEnvIfNoCase Authorization "^Basic " AUTH_METHOD=basic
+  SetEnvIfNoCase Authorization "^OAuth " AUTH_METHOD=oauth1
+  SetEnvIfExpr "%{QUERY_STRING} =~ /(^|&)oauth_signature=/" AUTH_METHOD=oauth1
+  SetEnvIfNoCase Authorization "^Bearer " AUTH_METHOD=oauth2
+  LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %Dus %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{AUTH_METHOD}e" combined_with_time
   CustomLog /var/log/apache2/access.log combined_with_time
   ErrorLog /var/log/apache2/error.log
 
@@ -28,6 +32,11 @@
   ExpiresActive On
   RewriteEngine on
 
+  #
+  # Configure timeouts
+  #
+  RequestReadTimeout handshake=20-40,MinRate=500 header=20-40,MinRate=500 body=20,MinRate=500
+
   #
   # Add the unique ID to the request headers
   #
@@ -78,7 +87,7 @@
   # https://gist.github.com/Firefishy/86ed5b86991b225179b54bbafbcd769e
   #
   RewriteCond "%{QUERY_STRING}" "^q=abcde&t=20"
-  RewriteRule "^/api/0\.6/notes/search$" - [R=204,L]
+  RewriteRule "^/api/0\.6/notes/search$" - [R=429,L]
 
   #
   # Force special MIME type for crossdomain.xml files
@@ -139,9 +148,7 @@
   SetEnv SECRET_KEY_BASE <%= @secret_key_base %>
   Alias /favicon.ico <%= node[:web][:base_directory] %>/rails/app/assets/favicons/favicon.ico
   Alias /openlayers <%= node[:web][:base_directory] %>/static/openlayers
-  Alias /stats /store/rails/stats
-  Alias /user/image /store/rails/user/image
-  Alias /attachments /store/rails/attachments
+  RedirectPermanent /stats https://planet.openstreetmap.org/statistics
 
   #
   # Pass authentication related headers to cgimap
@@ -176,13 +183,13 @@
   RedirectPermanent /images/cc_button.png https://www.openstreetmap.org/assets/cc_button.png
 
   #
-  # Redirect api requests made to www.osm.org to api.osm.org
+  # Redirect api requests made to www.openstreetmap.org to api.openstreetmap.org
   #
 #  RewriteCond %{HTTP_HOST} =www.openstreetmap.org
 #  RewriteRule ^/api/(.*)$ https://api.openstreetmap.org/api/$1 [L,NE,R=permanent]
 
   #
-  # Redirect non-api requests made to api.osm.org to www.osm.org
+  # Redirect non-api requests made to api.openstreetmap.org to www.openstreetmap.org
   #
   RewriteCond %{HTTP_HOST} =api.openstreetmap.org
   RewriteCond %{REQUEST_URI} !^/api/
@@ -199,6 +206,34 @@
   RedirectPermanent / https://www.openstreetmap.org/
 </VirtualHost>
 
+<VirtualHost *:80>
+  ServerName osm.org
+
+  Header always set Cache-Control "max-age=31536000"
+  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+  RewriteEngine on
+
+  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+  RewriteCond %{REQUEST_URI} !^/server-status$
+  RewriteRule ^(.*)$ https://osm.org$1 [L,NE,R=permanent]
+</VirtualHost>
+
+<VirtualHost *:80>
+  ServerName www.osm.org
+
+  Header always set Cache-Control "max-age=31536000"
+  Header always set Expires "Tue, 19 Jan 2038 03:14:07 GMT"
+
+  RewriteEngine on
+
+  RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L]
+
+  RewriteCond %{REQUEST_URI} !^/server-status$
+  RewriteRule ^(.*)$ https://www.osm.org$1 [L,NE,R=permanent]
+</VirtualHost>
+
 <VirtualHost *:80>
   ServerName openstreetmap.org
 
@@ -245,16 +280,25 @@
 <Directory <%= node[:web][:base_directory] %>/rails/public>
   Require all granted
 
+  RewriteCond "%{HTTP:Accept-encoding}" "br"
+  RewriteCond "%{REQUEST_FILENAME}\.br" -s
+  RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.br" [QSA]
+
   RewriteCond "%{HTTP:Accept-encoding}" "gzip"
   RewriteCond "%{REQUEST_FILENAME}\.gz" -s
   RewriteRule "^(.*)\.(css|ico|js|json|svg|xml)$" "$1\.$2\.gz" [QSA]
 
-  RewriteRule "\.css\.gz$" "-" [T=text/css,E=no-gzip:1]
-  RewriteRule "\.ico\.gz$"  "-" [T=image/vnd.microsoft.icon,E=no-gzip:1]
-  RewriteRule "\.js\.gz$"  "-" [T=text/javascript,E=no-gzip:1]
-  RewriteRule "\.json\.gz$"  "-" [T=application/json,E=no-gzip:1]
-  RewriteRule "\.svg\.gz$"  "-" [T=image/svg+xml,E=no-gzip:1]
-  RewriteRule "\.xml\.gz$"  "-" [T=application/xml,E=no-gzip:1]
+  RewriteRule "\.css\.(br|gz)$" "-" [T=text/css,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.ico\.(br|gz)$"  "-" [T=image/vnd.microsoft.icon,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.js\.(br|gz)$"  "-" [T=text/javascript,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.json\.(br|gz)$"  "-" [T=application/json,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.svg\.(br|gz)$"  "-" [T=image/svg+xml,E=no-gzip:1,E=no-brotli:1]
+  RewriteRule "\.xml\.(br|gz)$"  "-" [T=application/xml,E=no-gzip:1,E=no-brotli:1]
+
+  <FilesMatch "\.(css|ico|js|json|svg|xml)\.br$">
+    Header append Content-Encoding br
+    Header append Vary Accept-Encoding
+  </FilesMatch>
 
   <FilesMatch "\.(css|ico|js|json|svg|xml)\.gz$">
     Header append Content-Encoding gzip
@@ -273,15 +317,3 @@
 <Directory /srv/www.openstreetmap.org/rails/vendor/assets>
   Require all granted
 </Directory>
-
-<Directory /store/rails/stats>
-  Require all granted
-</Directory>
-
-<Directory /store/rails/user/image>
-  Require all granted
-</Directory>
-
-<Directory /store/rails/attachments>
-  Require all granted
-</Directory>