Restrict render server traffic to CDN only
Currently users can directly hit the render servers (e.g. odin.openstreetmap.org) and request tiles. This proved to be a problem when someone set up a caching proxy that pointed directly at the render servers. This was only noticed because they were directing traffic at unused render servers.
This was an issue for a few minor reasons, and one major one:
- it bypasses CDN caching,
- it doesn't work with logging,
- it bypasses load balancing and health checks,
- and, most importantly, it bypasses the even/odd metatile balancing in Europe, meaning 50% will go to the wrong server which does not have the metatile already rendered.
We should block access to the tile servers except for:
1. non-tile pages (debug, etc.)
2. tile status and dirty pages
3. Fastly IP ranges
4. Statuscake healthcheck IP ranges
5. OSMF IP ranges, including the dev server
6. Admin IP ranges
For 3, https://developer.fastly.com/reference/api/utils/public-ip-list/
Change will happen at https://github.com/openstreetmap/chef/pull/514
I can't remember what the status of this is, since https://github.com/openstreetmap/chef/pull/514 won't work since the IP address is already rewritten by the time it reaches that part of the http server.
Could a secret key in a custom header added by the Fastly proxies let us distinguish requests that are coming from Fastly?
As I told you last time you asked, that is the first attempt, and https://github.com/openstreetmap/chef/pull/528 is the replacement.
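The allowlist proposed in the issue, and the address-rewriting problem raised in the comments, as an added example that is not part of the thread or of the openstreetmap/chef code. It assumes the tile URL layout `/z/x/y.png` with `/status` and `/dirty` suffixes, uses documentation IP ranges in place of the real Fastly, Statuscake, OSMF and admin ranges, and assumes the rewrite replaces the connection address with a forwarded client address.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of Fastly's public-ip-list response
# (documentation ranges, not real Fastly addresses).
FASTLY_JSON = '{"addresses": ["192.0.2.0/24"], "ipv6_addresses": ["2001:db8:f::/48"]}'
# Hypothetical stand-ins for the healthcheck, OSMF and admin ranges.
OTHER_ALLOWED = ["198.51.100.0/28", "2001:db8:a::/48"]

# Assumed URL layout: /z/x/y.png is a tile; a /status or /dirty suffix is exempt.
TILE_RE = re.compile(r"^/\d+/\d+/\d+\.png$")


def load_networks(fastly_json, extra):
    """Merge the CDN's published IPv4/IPv6 ranges with the other allowed ranges."""
    doc = json.loads(fastly_json)
    cidrs = doc["addresses"] + doc["ipv6_addresses"] + list(extra)
    return [ipaddress.ip_network(c) for c in cidrs]


def allow(path, addr, networks):
    """Allow non-tile pages for everyone; allow tiles only from listed ranges."""
    if not TILE_RE.match(path):
        return True  # debug, status and dirty pages stay reachable
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def decide(path, peer_addr, rewritten_addr, networks):
    """Return (decision on the TCP peer, decision on the rewritten address)."""
    return allow(path, peer_addr, networks), allow(path, rewritten_addr, networks)


NETS = load_networks(FASTLY_JSON, OTHER_ALLOWED)

# Constructed requests: (path, TCP peer, client address after header rewriting).
REQUESTS = [
    ("/12/2048/1361.png", "192.0.2.10", "203.0.113.77"),       # via CDN
    ("/12/2048/1361.png", "203.0.113.50", "203.0.113.50"),     # direct hit
    ("/12/2048/1361.png/status", "203.0.113.50", "203.0.113.50"),
    ("/12/2048/1361.png", "2001:db8:f::1", "2001:db8:99::5"),  # via CDN, IPv6
]

if __name__ == "__main__":
    for path, peer, rewritten in REQUESTS:
        print(path, peer, decide(path, peer, rewritten, NETS))
```

The second value in each pair shows what happens when the check runs after the rewrite: legitimate CDN traffic is rejected because the address being tested is the end user's, not the proxy's.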