Deploy common-ssl.inc to all apache hosts. where needed it may be included.
[mirror/dsa-puppet.git] / modules / apache2 / manifests / init.pp
index b61b89a..ade26fb 100644 (file)
@@ -106,6 +106,12 @@ class apache2 {
             require => Package["apache2"],
             notify  => Exec["reload-apache2"];
 
+        "/etc/apache2/sites-available/common-ssl.inc":
+            source  => [ "puppet:///modules/apache2/per-host/$fqdn//etc/apache2/sites-available/common-ssl.inc",
+                         "puppet:///modules/apache2/common/etc/apache2/sites-available/common-ssl.inc" ],
+            require => Package["apache2"],
+            notify  => Exec["reload-apache2"];
+
         "/etc/logrotate.d/apache2":
             source  => [ "puppet:///modules/apache2/per-host/$fqdn/etc/logrotate.d/apache2",
                          "puppet:///modules/apache2/common/etc/logrotate.d/apache2" ];
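Review bot: The per-host source for common-ssl.inc has a doubled slash after `$fqdn` (`per-host/$fqdn//etc/apache2/...`), unlike the logrotate entry just below it, which uses `per-host/$fqdn/etc/...`. Whether the Puppet file server normalises that path is not visible here. If it does not, the per-host lookup would miss and every host would silently receive the common file, which matters for a TLS include where a host-specific override is expected to win. I would write the first source as `source  => [ "puppet:///modules/apache2/per-host/${fqdn}/etc/apache2/sites-available/common-ssl.inc",`. The resource also relies on whatever file defaults set owner and mode, which are outside this hunk.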
@@ -136,24 +142,32 @@ class apache2 {
             command => "/etc/init.d/apache2 force-reload",
             refreshonly => true;
     }
-
     case $hostname {
-        sibelius,stabile: {
-            @ferm::rule { "dsa-http":
-                prio            => "23",
-                description     => "Allow web access",
-                rule            => "&SERVICE(tcp, (http https))"
+        chopin,franck,morricone,bizet: {
+            package {
+                "libapache2-mod-macro": ensure => installed;
+            }
+            enable_module {
+                "macro":;
+            }
+            file {
+                "/etc/apache2/conf.d/puppet-builddlist":
+                    content => template("apache2/conf-builddlist.erb"),
+                    require => Package["apache2"],
+                    notify  => Exec["reload-apache2"];
             }
         }
-        default: {
+    }
+
+    case $hostname {
+        busoni,duarte,holter,lindberg,master,powell,rore: {
             @ferm::rule { "dsa-http-limit":
                 prio            => "20",
                 description     => "limit HTTP DOS",
                 chain           => 'http_limit',
                 rule            => '
                                     mod limit limit-burst 60 limit 15/minute jump ACCEPT;
-                                    jump DROP;
-                                   '
+                                    jump DROP'
             }
             @ferm::rule { "dsa-http-soso":
                 prio            => "21",
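Review bot: Moving the HTTP rate-limit chains from `default` to the explicit list `busoni,duarte,holter,lindberg,master,powell,rore` inverts the failure mode. Any host that includes this class and is not named now falls into the new `default` branch in the last hunk and gets plain `&SERVICE(tcp, (http https))` with no DoS limiting. Before this change a new host was throttled unless it was listed as an exception. If the open default is intended, a comment above the second `case $hostname` would record it, for example `# hosts listed here get http_limit and crawler throttling; every other host is open on 80/443 without rate limiting`. The class body starts before this hunk, so other includes or overrides are not visible here.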
@@ -161,8 +175,7 @@ class apache2 {
                 chain           => 'limit_sosospider',
                 rule            => '
                                     mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
-                                    jump http_limit;
-                                   '
+                                    jump http_limit'
             }
             @ferm::rule { "dsa-http-yahoo":
                 prio            => "21",
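Review bot: The final statement of this rule loses its trailing `;` (`jump http_limit'`), and the same edit is made in the hunks for http_limit, yahoo, google, bing, baidu, dsa-http-rules and `dsa-http`. That is only correct if the `ferm::rule` define appends the terminator itself, which this page does not show. If it does not, the generated ferm configuration would presumably fail to parse, and the firewall reload would be the first place that is noticed. A short comment next to the first of these rules would record the contract, e.g. `# ferm::rule appends the closing ';' - rule text must not end with one`.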
@@ -170,8 +183,7 @@ class apache2 {
                 chain           => 'limit_yahoo',
                 rule            => '
                                     mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
-                                    jump http_limit;
-                                   '
+                                    jump http_limit'
             }
             @ferm::rule { "dsa-http-google":
                 prio            => "21",
@@ -179,8 +191,7 @@ class apache2 {
                 chain           => 'limit_google',
                 rule            => '
                                     mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
-                                    jump http_limit;
-                                   '
+                                    jump http_limit'
             }
             @ferm::rule { "dsa-http-bing":
                 prio            => "21",
@@ -188,8 +199,15 @@ class apache2 {
                 chain           => 'limit_bing',
                 rule            => '
                                     mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
-                                    jump http_limit;
-                                   '
+                                    jump http_limit'
+            }
+            @ferm::rule { "dsa-http-baidu":
+                prio            => "21",
+                description     => "slow baidu spider",
+                chain           => 'limit_baidu',
+                rule            => '
+                                    mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+                                    jump http_limit'
             }
             @ferm::rule { "dsa-http-rules":
                 prio            => "22",
@@ -200,16 +218,23 @@ class apache2 {
                                     saddr 124.115.0.0/21 jump limit_sosospider;
                                     saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
                                     saddr (66.249.64.0/19) jump limit_google;
+                                    saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
 
                                     mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
                                     mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
-                                    mod recent name HTTPDOS set jump log_or_drop;
-                                   '
+                                    mod recent name HTTPDOS set jump log_or_drop'
             }
             @ferm::rule { "dsa-http":
                 prio            => "23",
                 description     => "Allow web access",
-                rule            => "proto tcp dport (http https) jump http;"
+                rule            => "proto tcp dport (http https) jump http"
+            }
+        }
+        default: {
+            @ferm::rule { "dsa-http":
+                prio            => "23",
+                description     => "Allow web access",
+                rule            => "&SERVICE(tcp, (http https))"
             }
         }
     }
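Review bot: The added `saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;` line hard-codes crawler address ranges with no record of where they came from or when they were last checked, as do the neighbouring sosospider, bing and google lines. Ranges like these drift: once stale they either stop throttling the crawler or start holding unrelated clients to the two concurrent connections per /16 that `limit_baidu` allows. Because the rule text is a quoted string, the note belongs in the Puppet source rather than inside the rule. I would add `# crawler ranges: source <reference>, last verified <date>` above the `dsa-http-rules` resource, which begins outside this hunk.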