mode 0o775
end
-file "#{basedir}/etc/nginx_blocked_user_agent.conf" do
- action :create_if_missing
- owner "nominatim"
- group "adm"
- mode 0o664
-end
-
-file "#{basedir}/etc/nginx_blocked_referrer.conf" do
- action :create_if_missing
- owner "nominatim"
- group "adm"
- mode 0o664
+%w[user_agent referer email].each do |name|
+ file "#{basedir}/etc/nginx_blocked_#{name}.conf" do
+ action :create_if_missing
+ owner "nominatim"
+ group "adm"
+ mode 0o664
+ end
end
service "php7.2-fpm" do
+upstream nominatim_service {
+ server 127.0.0.1:<%= @pools[:www][:port ]%>;
+}
+
map $uri $nominatim_script_name {
~^(.+?\.php) $1;
~^/([^/]+) $1.php;
~(^|&)email=([^&]+) $2;
}
-upstream nominatim_service {
- server 127.0.0.1:<%= @pools[:www][:port ]%>;
+map $email_id $missing_email {
+ default "";
+ "" 1;
+}
+
+map $http_user_agent $missing_ua {
+ default "";
+ "" 1;
+}
+
+map $http_referer $missing_referer {
+ default "";
+ "" 1;
}
# Whitelisted IPs
8.43.85.23 1; # gnome
}
-map $http_user_agent $blocked_user_agent {
+map $missing_email$missing_referer$http_user_agent $blocked_user_agent {
default 0;
+ "11" 2; # block any requests without identifier
include <%= @confdir %>/nginx_blocked_user_agent.conf;
}
-map $http_referer $blocked_referrer {
+map $missing_email$missing_ua$http_referer $blocked_referrer {
default 0;
include <%= @confdir %>/nginx_blocked_referrer.conf;
}
+map $missing_referer$missing_ua$http_referer $blocked_email {
+ default 0;
+ include <%= @confdir %>/nginx_blocked_email.conf;
+}
+
map $whitelisted $limit_www {
1 "";
0 $binary_remote_addr;
}
location / {
- set $anyid $http_referer$http_user_agent$email_id;
- if ($anyid = "")
- { return 403; }
if ($blocked_user_agent ~ ^2$)
{ return 403; }
if ($blocked_referrer)
{ return 403; }
+ if ($blocked_email)
+ { return 403; }
try_files $uri $uri/ @php;
}
projects / chef.git / commitdiff