
Restrict render server traffic to CDN only

Open pnorman opened this issue 1 year ago • 2 comments

Currently users can directly hit the render servers (e.g. odin.openstreetmap.org) and request tiles. This proved to be a problem when someone set up a caching proxy that pointed directly at the render servers. This was only noticed because they were directing traffic at unused render servers.

This was an issue for a few minor reasons, and one major one:

  1. it bypasses CDN caching,
  2. it doesn't work with logging,
  3. it bypasses load balancing and health checks,
  4. and, most importantly, it bypasses the even/odd metatile balancing in Europe, meaning 50% will go to the wrong server, which does not have the metatile already rendered.

We should block access to the tile servers except for:

  1. non-tile pages (debug, etc)
  2. tile status and dirty pages
  3. Fastly IP ranges
  4. Statuscake healthcheck IP ranges
  5. OSMF IP ranges, including the dev server
  6. Admin IP ranges

pnorman, Jul 14 '22 20:07

For 3, https://developer.fastly.com/reference/api/utils/public-ip-list/

grischard, Jul 14 '22 20:07

Change will happen at https://github.com/openstreetmap/chef/pull/514

grischard, Jul 29 '22 16:07

I can't remember what the status of this is, since https://github.com/openstreetmap/chef/pull/514 won't work since the IP address is already rewritten by the time it reaches that part of the http server.

Could a secret key in a custom header added by the Fastly proxies let us distinguish requests that are coming from Fastly?

grischard, Oct 27 '22 18:10

As I told you last time you asked, that is the first attempt, and https://github.com/openstreetmap/chef/pull/528 is the replacement.

tomhughes, Oct 27 '22 18:10
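
The access policy listed in the issue, together with the address-rewrite problem raised in the later comment, can be modelled as a single decision keyed on the connection's peer address. This is an added example, not code from openstreetmap/chef or either pull request. The CIDR ranges are constructed documentation ranges, the JSON only mirrors the shape of Fastly's public IP list response, and the `/z/x/y.png` tile and `/status`, `/dirty` path layouts are assumptions.

```python
import ipaddress
import json
import re

# Constructed sample shaped like Fastly's public IP list response
# (documentation ranges, not Fastly's real ones).
FASTLY_JSON = '{"addresses": ["192.0.2.0/24"], "ipv6_addresses": ["2001:db8:f00::/48"]}'
# Hypothetical stand-ins for the Statuscake, OSMF and admin ranges.
OTHER_RANGES = ["198.51.100.0/28", "203.0.113.64/26", "2001:db8:a11::/64"]

TILE = re.compile(r"^/\d+/\d+/\d+\.png$")                  # assumed tile URL layout
TILE_META = re.compile(r"^/\d+/\d+/\d+\.png/(status|dirty)$")  # assumed status/dirty layout


def load_networks(fastly_json, extra):
    """Merge the CDN's published v4/v6 ranges with the other allowed ranges."""
    data = json.loads(fastly_json)
    cidrs = data["addresses"] + data["ipv6_addresses"] + list(extra)
    return [ipaddress.ip_network(c) for c in cidrs]


def decide(path, peer_ip, networks, headers=None):
    """Return (allowed, reason), judging tiles by the TCP peer address only.

    `headers` is accepted but deliberately unused: once the server has
    rewritten the client address from a forwarding header, that address
    names the end user, not the host that opened the connection.
    """
    if TILE_META.match(path):
        return True, "tile status/dirty page"
    if not TILE.match(path):
        return True, "non-tile page"
    peer = ipaddress.ip_address(peer_ip)
    # Dual-stack listeners can report IPv4 peers as ::ffff:a.b.c.d.
    if peer.version == 6 and peer.ipv4_mapped is not None:
        peer = peer.ipv4_mapped
    if any(peer in net for net in networks):
        return True, "allowlisted peer"
    return False, "direct tile request"


if __name__ == "__main__":
    nets = load_networks(FASTLY_JSON, OTHER_RANGES)
    for path, peer in [("/12/2048/1361.png", "192.0.2.10"),
                       ("/12/2048/1361.png", "203.0.113.200"),
                       ("/12/2048/1361.png/status", "203.0.113.200")]:
        print(path, peer, decide(path, peer, nets))
```

In a real server the same rule has to be evaluated against the connection address as seen before any client-address rewriting takes place.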