blacklist 95.115.66.23
[mirror/dsa-puppet.git] / modules / roles / manifests / snapshot_web.pp
index 3067981..8476478 100644 (file)
@@ -2,16 +2,48 @@ class roles::snapshot_web {
        include apache2
        include apache2::rewrite
 
+       # snapshot abusers
+       #  61.69.254.110 - 20180705, mirroring with wget
+       # 20180821 large amount of requests way too fast from some amazon AWS instances
+       #  18.185.157.46
+       #  18.194.174.202
+       #  18.184.181.169
+       #  18.184.5.230
+       #  18.194.137.96
+       #  18.197.147.183
+       #  3.120.39.137
+       #  3.120.41.69
+       #  35.158.129.130
+       #  52.59.199.25
+       #  52.59.228.158
+       #  52.59.245.42
+       #  52.59.253.41
+       #  52.59.71.13
+       # 20180821 mirroring
+       #  99.137.191.34
+       # 20181110 crawler
+       #  51.15.215.91
+       # 20181222, excessive number of requests
+       #  208.91.68.213
+       # 198.11.128.0/18
+       # running jugdo against snapshot
+       #  159.226.95.0/24
+       #  84.204.194.0/24
+       #  211.13.205.0/24
+       # 20190512 tens of thousands of queries
+       #  63.32.0.0/14
+       #  95.115.66.23
+       @ferm::rule { 'dsa-snapshot-abusers':
+               prio  => "005",
+               rule  => "saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 95.115.66.23) DROP",
+       }
+
        ensure_packages ( [
                "libapache2-mod-wsgi",
                ], {
                ensure => 'installed',
        })
 
-       ssl::service { 'snapshot.debian.org':
-               notify  => Exec['service apache2 reload'],
-               key => true,
-       }
        apache2::site { '020-snapshot.debian.org':
                site   => 'snapshot.debian.org',
                content => template('roles/snapshot/snapshot.debian.org.conf.erb')
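Review bot: The comment block and the `saddr` list in `dsa-snapshot-abusers` disagree on scope. The comments name fourteen individual AWS hosts, but the rule drops `18.128.0.0/9`, `3.120.0.0/14`, `35.156.0.0/14` and `52.58.0.0/15`, which cover far more than those hosts. Anyone investigating why a legitimate client in those ranges cannot reach snapshot has only the per-host comment to go on. I would record the widening next to the list, e.g. `# 20180821 blocked via enclosing ranges: 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15`. I would also date the ranges under the "running jugdo" comment, which carry no date, so stale blocks can be reviewed and removed.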
@@ -33,9 +65,16 @@ class roles::snapshot_web {
                }
        }
 
-       @ferm::rule { 'dsa-snapshot-varnish-v4':
-               rule  => '&SERVICE(tcp, 6081)',
+       @ferm::rule { 'dsa-snapshot-connlimit':
+               domain => '(ip ip6)',
+               prio  => "005",
+               rule  => "proto tcp mod state state (NEW) interface ! lo daddr (${ipv4addr} ${ipv6addr})  mod multiport destination-ports (80 443) mod connlimit connlimit-above 3 DROP;
+                         proto tcp mod state state (NEW) interface ! lo                                                dport 6081                 mod connlimit connlimit-above 3 DROP
+                          ",
        }
+
+       # varnish cache
+       ###############
        @ferm::rule { 'dsa-nat-snapshot-varnish-v4':
                table => 'nat',
                chain => 'PREROUTING',
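Review bot: In `dsa-snapshot-connlimit`, `connlimit-above 3` is applied to both `ip` and `ip6` with no `connlimit-mask`, so the limit is counted per single address (the connlimit default is /32 for IPv4 and /128 for IPv6). On IPv6 that makes the limit weak, because one client normally controls at least a /64 and each address in it gets its own allowance of three connections. On IPv4 the effect is the opposite: every user behind a shared NAT or proxy address is counted together and will hit the drop quickly. I would split the rule per domain and give the IPv6 one a prefix mask, e.g. `mod connlimit connlimit-above 3 connlimit-mask 64 DROP`, and note in a comment why 3 was chosen. The following `dsa-nat-snapshot-varnish-v4` resource continues outside this hunk.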
@@ -51,6 +90,7 @@ class roles::snapshot_web {
                content => template('roles/snapshot/snapshot.debian.org.vcl.erb'),
        }
 
+       # the ipv6 port 80 is owned by varnish
        file { '/etc/apache2/ports.conf':
                content  => @("EOF"),
                        Listen 0.0.0.0:80
@@ -59,4 +99,17 @@ class roles::snapshot_web {
                require => Package['apache2'],
                notify  => Service['apache2'],
        }
+
+       # haproxy ssl termination
+       #########################
+       include haproxy
+       file { '/etc/haproxy/haproxy.cfg':
+               content => template('roles/snapshot/haproxy.cfg.erb'),
+               require => Package['haproxy'],
+               notify  => Service['haproxy'],
+       }
+       ssl::service { 'snapshot.debian.org':
+               notify  => Service['haproxy'],
+               key => true,
+       }
 }
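Review bot: The new `/etc/haproxy/haproxy.cfg` resource notifies `Service['haproxy']` without validating the rendered template first, and haproxy is now the TLS terminator for snapshot.debian.org. A template error would therefore be written to disk and acted on, which may leave the TLS front end down until someone intervenes. Puppet's `file` type can reject a bad render before it replaces the live file: `validate_cmd => '/usr/sbin/haproxy -c -f %',`. It would also help to set `owner`, `group` and `mode` explicitly on this file rather than inherit defaults. Whether the `haproxy` class already does either is not visible from this hunk.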