From df7604e2815548f808ecd5f2f9cb122cbc7c233d Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 24 Sep 2025 19:05:37 +0100
Subject: [PATCH] web: Trust fastly proxy IPs
---
 cookbooks/web/recipes/frontend.rb | 9 +++++++++
 cookbooks/web/templates/default/apache.frontend.erb | 4 ++++
 2 files changed, 13 insertions(+)
diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index f9e733c5b..c7309b7f3 100644
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -69,9 +69,18 @@ end
 cloudflare_ipv6 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list").lines.map(&:chomp)
+remote_file "#{Chef::Config[:file_cache_path]}/fastly-ip-list.json" do
+ source "https://api.fastly.com/public-ip-list"
+ compile_time true
+ ignore_failure true
+end
+
+fastlyips = JSON.parse(IO.read("#{Chef::Config[:file_cache_path]}/fastly-ip-list.json"))
+
 apache_site "www.openstreetmap.org" do
 template "apache.frontend.erb"
 variables :cloudflare => cloudflare_ipv4 + cloudflare_ipv6,
+ :fastly => fastlyips["addresses"] + fastlyips["ipv6_addresses"],
 :status => node[:web][:status],
 :secret_key_base => web_passwords["secret_key_base"]
 end
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index f05b99b5c..e8c36f59c 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -31,6 +31,10 @@ ErrorLog /var/log/apache2/error.log
 <% @cloudflare.sort.each do |address| -%>
 RemoteIPTrustedProxy <%= address %>
 <% end -%>
+ # Fastly POPs
+<% @fastly.sort.each do |address| -%>
+ RemoteIPTrustedProxy <%= address %>
+<% end -%>
 #
 # Turn on various features
--
2.39.5
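Review bot: Nothing checks the downloaded list before it becomes a set of trusted proxies: in the `variables` call, `fastlyips["addresses"] + fastlyips["ipv6_addresses"]` takes whatever `JSON.parse` returned, and the template writes each entry into a `RemoteIPTrustedProxy` line. A response with a different shape fails with an unhelpful `NoMethodError` on nil, and a string that is not an address would be written into the Apache config unchanged. I would build the list just before `apache_site` with `fastly = fastlyips.fetch("addresses") + fastlyips.fetch("ipv6_addresses")`, check it with `fastly.each { |address| IPAddr.new(address) }` (needs `require "ipaddr"` if it is not already loaded), and pass `:fastly => fastly`. Separately, `ignore_failure true` only helps once a cached copy exists; on a node without one the `IO.read` still aborts the run at compile time, which is worth a one-line comment.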
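Review bot: Fastly's published ranges are shared by every Fastly customer, so listing them under `RemoteIPTrustedProxy` makes Apache believe the forwarded client address on any request arriving from those ranges, not only on requests that came through this site's own Fastly service. The `RemoteIPHeader` directive and any origin authentication lie outside this hunk, so this may already be handled. If it is not, the origin should also require something only the site's service can present (a secret request header set at the edge, or mutual TLS) before the forwarded address is used for logging, access control or rate limiting. I would record that above the loop, e.g. `# Shared Fastly ranges: the forwarded client IP is only trustworthy together with origin authentication`.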