Keep postgresql-client-9.6 on backuphost
diff --git
a/modules/apache2/manifests/dynamic.pp
b/modules/apache2/manifests/dynamic.pp
index
b39e559
..
3a790b2
100644
(file)
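--- a/modules/apache2/manifests/dynamic.pp
+++ b/modules/apache2/manifests/dynamic.pp
@@ -3,6 +3,7 @@ class apache2::dynamic {
 prio => '20',
 description => 'limit HTTP DOS',
 chain => 'http_limit',
+domain => '(ip ip6)',
 rule => 'mod limit limit-burst 60 limit 15/minute jump ACCEPT;
 jump DROP'
 }
@@ -11,6 +12,7 @@ class apache2::dynamic {
 prio => '21',
 description => 'slow soso spider',
 chain => 'limit_sosospider',
+domain => '(ip ip6)',
 rule => 'mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
 jump http_limit'
 }
@@ -19,6 +21,7 @@ class apache2::dynamic {
 prio => '21',
 description => 'slow yahoo spider',
 chain => 'limit_yahoo',
+domain => '(ip ip6)',
 rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
 jump http_limit'
 }
@@ -27,6 +30,7 @@ class apache2::dynamic {
 prio => '21',
 description => 'slow google spider',
 chain => 'limit_google',
+domain => '(ip ip6)',
 rule => 'mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
 jump http_limit'
 }
@@ -35,6 +39,7 @@ class apache2::dynamic {
 prio => '21',
 description => 'slow bing spider',
 chain => 'limit_bing',
+domain => '(ip ip6)',
 rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
 jump http_limit'
 }
@@ -43,6 +48,7 @@ class apache2::dynamic {
 prio => '21',
 description => 'slow baidu spider',
 chain => 'limit_baidu',
+domain => '(ip ip6)',
 rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
 jump http_limit'
 }
@@ -50,6 +56,7 @@ class apache2::dynamic {
 prio => '21',
 description => 'slow nhn spider',
 chain => 'limit_nhn',
+domain => '(ip ip6)',
 rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
 jump http_limit'
 }
@@ -59,6 +66,7 @@ class apache2::dynamic {
 prio => '22',
 description => 'http subchain',
 chain => 'http',
+domain => '(ip ip6)',
 rule => '
 mod hashlimit hashlimit-name HTTPDOSPRE hashlimit-mode srcip hashlimit-burst 10 hashlimit 6/minute jump ACCEPT;
 mod recent name HTTPDOS update seconds 900 jump log_or_drop;
@@ -70,6 +78,7 @@ class apache2::dynamic {
 prio => '22',
 description => 'http subchain',
 chain => 'http',
+domain => '(ip ip6)',
 rule => '
 saddr (74.6.22.182 74.6.18.240 67.195.0.0/16) jump limit_yahoo;
 saddr (124.115.0.0/21 119.63.192.0/21) jump limit_sosospider;
@@ -87,6 +96,7 @@ class apache2::dynamic {
 @ferm::rule { 'dsa-http':
 prio => '23',
 description => 'Allow web access',
+domain => '(ip ip6)',
 rule => 'proto tcp dport (http https 6081) jump http'
 }
 }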
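Review bot: In the hunk at new line 78 the `http` subchain matches on IPv4 literals (`saddr (74.6.22.182 74.6.18.240 67.195.0.0/16) jump limit_yahoo;`), and with the added `domain => '(ip ip6)',` that same rule text is presumably emitted for ip6tables too, where an IPv4 source address cannot be parsed and may make the IPv6 ruleset fail to load. Keep the address-based rule on `domain => 'ip',`, or wrap the lists in ferm's `@ipfilter(...)` if the deployed ferm supports it, and add a separate ip6 rule. The tuning values in the other hunks are also sized for IPv4: `connlimit-mask 21/16/19` are IPv4 prefix lengths, and `hashlimit-mode srcip` on ip6 buckets per /128, so the ip6 variant would need something like `hashlimit-srcmask 64` to limit per subnet. The rule bodies at new lines 66 and 78 continue outside their hunks, so the rest of the saddr list is not visible here.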