From 7336d4c74c0bd1af757d39bf9469e452bd1e2b08 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Sun, 16 Nov 2025 16:41:03 +0000
Subject: [PATCH] nominatim: Add fastly IP client support

---
 cookbooks/nominatim/recipes/default.rb | 9 +++++++++
 cookbooks/nominatim/templates/default/nginx.erb | 7 +++++++
 2 files changed, 16 insertions(+)

diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index 9bdcaaf15..5bbebb44e 100644
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -231,11 +231,20 @@ end
 
 frontends = search(:node, "recipes:web\\:\\:frontend").sort_by(&:name)
 
+remote_file "#{Chef::Config[:file_cache_path]}/fastly-ip-list.json" do
+ source "https://api.fastly.com/public-ip-list"
+ compile_time true
+ ignore_failure true
+end
+
+fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list.json"))
+
 nginx_site "nominatim" do
 template "nginx.erb"
 directory project_directory
 variables :pools => node[:nominatim][:fpm_pools],
 :frontends => frontends,
+ :fastly => fastlyips["addresses"] + fastlyips["ipv6_addresses"],
 :confdir => "#{basedir}/etc",
 :ui_directory => ui_directory
 end
diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb
index ebecaa389..d39cafeb9 100644
--- a/cookbooks/nominatim/templates/default/nginx.erb
+++ b/cookbooks/nominatim/templates/default/nginx.erb
@@ -117,6 +117,13 @@ limit_req_zone $limit_tarpit zone=tarpit:10m rate=1r/s;
 limit_req_zone $binary_remote_addr zone=blocked:10m rate=20r/m;
 limit_req_zone $limit_reverse zone=reverse:10m rate=10r/m;
 
+# Fastly CDN IPs
+<% @fastly.sort.each do |address| -%>
+set_real_ip_from <%= address %>;
+<% end -%>
+real_ip_header Fastly-Client-IP;
+real_ip_recursive off;
+
 server {
 listen 80 default_server;
 listen [::]:80 default_server;
-- 
2.39.5
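Review bot: `JSON.parse(IO.read(...))` runs unconditionally although the `remote_file` above it is marked `ignore_failure true`, so on a node with no cached copy a failed download becomes an `Errno::ENOENT` (or a parse error on a bad body) that aborts the run at compile time. The parsed addresses also reach `set_real_ip_from` without any check, and that list decides which peers nginx lets set the client address, so each entry should be validated as an IP network before it is rendered. I would read the file defensively, keep only entries that `IPAddr` accepts, and pass the resulting array as `:fastly => fastlyips`; an empty list then means no peer is trusted rather than a broken run. Whether an unusually broad prefix should also be rejected is a policy decision this sketch does not make.

```ruby
fastly_cache = "#{Chef::Config[:file_cache_path]}/fastly-ip-list.json"

# … unchanged: remote_file resource fetching the list at compile time …

fastlyips = begin
  list = JSON.parse(IO.read(fastly_cache))
  (Array(list["addresses"]) + Array(list["ipv6_addresses"])).select do |cidr|
    IPAddr.new(cidr)
  rescue IPAddr::Error
    false
  end
rescue Errno::ENOENT, JSON::ParserError
  # No usable list: trust no proxy instead of failing the converge.
  []
end

nginx_site "nominatim" do
  # … unchanged: template, directory, :pools, :frontends …
            :fastly => fastlyips,
  # … unchanged: :confdir, :ui_directory …
```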
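Review bot: The `real_ip_header Fastly-Client-IP;` directive sits at the same level as the `limit_req_zone` lines, so for any connection arriving from a listed range `$binary_remote_addr` in the `blocked` zone (and presumably whatever feeds `$limit_reverse` and `$limit_tarpit`) becomes the value that header carries. Those ranges are published for Fastly as a whole, so the source address shows that a request came from Fastly, not that it came through this project's service. It is worth confirming that the service overwrites a client-supplied `Fastly-Client-IP`, and pairing the trust with an origin-side check such as a shared-secret header or client certificate. A comment would help the next reader, e.g. `# Peers in these ranges may set the client address via Fastly-Client-IP; the rate-limit zones above key on that value.` The `server` block that follows continues outside the hunk.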