From: Sarah Hoffmann
Date: Tue, 26 Mar 2024 19:47:44 +0000 (+0100)
Subject: nominatim: disallow details requests without referer
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/683aff351010f9bcfc7154ecb0ca91e0c0e0591c

nominatim: disallow details requests without referer
---

diff --git a/cookbooks/nominatim/templates/default/nginx.erb b/cookbooks/nominatim/templates/default/nginx.erb
index fe583d720..6aa07dbe1 100644
--- a/cookbooks/nominatim/templates/default/nginx.erb
+++ b/cookbooks/nominatim/templates/default/nginx.erb
@@ -7,9 +7,9 @@ upstream nominatim_service {
 }

 map $uri $nominatim_script_name {
- ~^(.+?\.php) $1;
- ~^/([^/]+) $1.php;
- ^$ search.php;
+ ~^/*(.+?)\.php $1;
+ ~^/*([^/]+) $1;
+ ^$ search;
 }

 map $uri $nominatim_path_info {
@@ -85,6 +85,11 @@ map $missing_referer$missing_ua$email_id $blocked_email {
 include <%= @confdir %>/nginx_blocked_email.conf;
 }

+map $nominatim_script_name$missing_referer $blocked_path {
+ default 0;
+ "details1" 1;
+}
+
 map $whitelisted $limit_www {
 1 "";
 0 $binary_remote_addr;
@@ -194,6 +199,8 @@ server {
 { return 403; }
 if ($blocked_email)
 { return 403; }
+ if ($blocked_path)
+ { return 403; }

 include <%= @confdir %>/nginx_blocked_generic.conf;
 limit_req zone=www burst=10;
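Review bot: The last entry of the `$nominatim_script_name` map, `^$ search;`, has no `~` prefix, so nginx treats it as a literal string rather than a regular expression and it cannot match a `$uri` that always begins with `/`. As far as the visible map shows, a request for the bare root therefore gets an empty script name instead of `search`; if routing the root to search is the intent, the entry should be a regex, `~^/*$ search;`. Separately, `(.+?)` in the first entry can capture slashes, so the derived name may carry directory components. If nested paths are not meant to be served, `([^/]+?)` would confine it to one segment, which matters now that this value feeds an exact-match block rule later in the file.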
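Review bot: The `$blocked_path` map matches the single literal `"details1"`, so the block applies only when `$nominatim_script_name` comes out as exactly `details` and `$missing_referer` as exactly `1`; a request the backend still serves as a details lookup under any other derived name falls through to `default 0`. The definition of `$missing_referer` and the backend routing are outside this hunk, so the rule should be confirmed against both. Because Referer is a client-supplied header, this is a throttle on casual scraping rather than an access control, and a comment above the map should say so, for example `# Heuristic only: Referer is client-controlled; rejects details requests that send none.` The key also ignores `$whitelisted`, which the next map uses, so allow-listed clients appear to receive the same 403; confirm that this is intended.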
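Review bot: The new `if ($blocked_path)` returns the same bare 403 as the `$blocked_email` check above it, so neither a client nor someone reading the access log can tell which rule rejected a request. A one-line comment such as `# details requests without a Referer header; see map $blocked_path` would document the intent at the point of enforcement. If the log format (not visible here) can include `$blocked_path`, false positives from legitimate scripted clients that send no Referer would be easier to spot. The enclosing `server` block starts and ends outside the hunk.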