Retire the apache_ratelimited role

[mirror/dsa-puppet.git] / modules / apache2 / manifests / init.pp

diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 77f4c03..9cd01c4 100644 (file)
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -16,12 +16,18 @@
 #               Sets appropriate firewall rules and optionally rate limits.
 # @param mpm Which Multi-Processing Modules to use. Defaults to worker;
 #            the alternative is prefork.
+# @param rate_limit Rate limit incoming connections at the netfilter level.  If false,
+#                   (and public is true), all incoming connections to the http
+#                   and https ports get sent to the http chain, and accepted at
+#                   ferm prio 90, so other things can be done to web traffic
+#                   before that.
 class apache2(
   Boolean $smaller_number_of_threads = false,
   Integer $rlimitnproc = 256,
   Integer $rlimitmem = 192 * 1024 * 1024,
   Boolean $public = true,
   Enum['prefork','worker'] $mpm = 'worker',
+  Boolean $rate_limit = false,
 ) {
   include webserver
 
@@ -139,14 +145,22 @@ class apache2(
   }
 
   if $public {
-    if has_role('apache_ratelimited') {
+    ferm::rule { 'dsa-http':
+      prio        => '23',
+      description => 'A web subchain',
+      domain      => '(ip ip6)',
+      rule        => 'proto tcp dport (http https 6081) jump http'
+    }
+
+    if $rate_limit {
       include apache2::dynamic
     } else {
       ferm::rule { 'dsa-http':
+        description => 'http subchain, allow everything',
+        prio        => '90',
+        chain       => 'http',
         domain      => '(ip ip6)',
-        prio        => '23',
-        description => 'Allow web access',
-        rule        => '&SERVICE(tcp, (http https))'
+        rule        => 'jump ACCEPT',
       }
     }
   }