6 files changed, 116 insertions, 5 deletions

diff --git a/files/etc/nginx/sites-available/webmap b/files/etc/nginx/sites-available/webmap
index 57368cb..d5e005a 100644
--- a/files/etc/nginx/sites-available/webmap
+++ b/files/etc/nginx/sites-available/webmap
@@ -54,7 +54,7 @@ server {
     add_header X-XSS-Protection "1; mode=block";
     add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
     add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'";
-    #add_header Access-Control-Allow-Origin "*" always;
+    #add_header Access-Control-Allow-Origin $http_origin always;
 
     include mime.types;
     types {
@@ -69,12 +69,30 @@ server {
         try_files $uri =404;
     }
     location ^~ /tiles/ {
-        expires 8h;
+        expires 30m;
         brotli_static on;
         try_files $uri =404;
         # service an empty payload to save bandwidth
         error_page 404 /_.txt;
     }
+    location = /q {
+        expires epoch;
+        limit_except POST { deny all; }
+        #if ($request_method = OPTIONS) {
+        #    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
+        #    add_header Access-Control-Allow-Origin $http_origin;
+        #    add_header Access-Control-Allow-Methods "POST, GET, OPTIONS";
+        #    add_header Access-Control-Allow-Headers "Accept, Content-Type";
+        #    add_header Access-Control-Max-Age 28800;
+        #    return 204;
+        #}
+        client_max_body_size 64k;
+        gzip on;
+        gzip_types application/json text/plain;
+        include uwsgi_params;
+        uwsgi_buffering off;
+        uwsgi_pass unix:/run/webmap-cgi.socket;
+    }
     location = /tiles/metadata.json {
         expires epoch;
         brotli_static on;
@@ -82,10 +100,10 @@ server {
     }
 
     location = /_.txt {
-        # cache 404 responses for 8h like for valid tiles
+        # cache 404 responses for 30m like for valid tiles
         add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
-        add_header Cache-Control "public; max-age=28800" always;
-        #add_header Access-Control-Allow-Origin "*" always;
+        add_header Cache-Control "public; max-age=1800" always;
+        #add_header Access-Control-Allow-Origin $http_origin always;
         internal;
     }
 
diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..88f22e5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+    --single-interpreter --die-on-term \
+    --close-on-exec --close-on-exec2 \
+    --max-requests 1000 \
+    --max-worker-lifetime 86400 \
+    --max-worker-lifetime-delta 11 \
+    --harakiri 60 \
+    --lazy-apps \
+    --plugins python3 \
+    --pythonpath /usr/local/share/webmap \
+    --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/etc/systemd/system/webmap-cgi.socket b/files/etc/systemd/system/webmap-cgi.socket
new file mode 100644
index 0000000..2828985
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface) activation socket
+After=syslog.target network.target
+
+[Socket]
+ListenStream=%t/webmap-cgi.socket
+SocketUser=www-data
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/handlers/main.yml b/handlers/main.yml
index 281951b..b6ee548 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -55,3 +55,6 @@
 
 - name: Reload PostgreSQL
   service: name=postgresql.service state=reloaded
+
+- name: Stop webmap-cgi.service
+  service: name=webmap-cgi.service state=stopped
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 92bb58f..d694387 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -372,3 +372,46 @@
     - systemd-tmpfiles --create
 
 - meta: flush_handlers
+
+
+- name: Install Python/WSGI dependencies
+  apt: pkg={{ packages }}
+  vars:
+    packages:
+    - uwsgi-core
+    - uwsgi-plugin-python3
+    # TODO[trixie]: install python3-psycopg-c instead
+    - python3-psycopg
+
+- name: Copy webmap-cgi.socket
+  copy: src=etc/systemd/system/webmap-cgi.socket
+        dest=/etc/systemd/system/webmap-cgi.socket
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+
+- name: Copy webmap-cgi.service
+  copy: src=etc/systemd/system/webmap-cgi.service
+        dest=/etc/systemd/system/webmap-cgi.service
+        owner=root group=root
+        mode=0644
+  notify:
+    - systemctl daemon-reload
+    - Stop webmap-cgi.service
+
+- name: Copy /usr/libexec/webmap-cgi
+  copy: src=./webmap-tools/webmap-cgi
+        dest=/usr/libexec/webmap-cgi
+        owner=root group=root
+        mode=0755
+  notify:
+    - Stop webmap-cgi.service
+
+- meta: flush_handlers
+
+- name: Enable webmap-cgi.socket
+  service: name=webmap-cgi.socket state=started enabled=true
+
+- name: Disable webmap-cgi.service
+  service: name=webmap-cgi.service enabled=false
diff --git a/webmap-tools b/webmap-tools
-Subproject 643b952a2259543427d5cb25a399f393bb77d29
+Subproject b9b9eef91e5c33e6938b64e4e60f066c36201de