rule => 'saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 54.72.0.0/15 95.115.66.23 52.192.0.0/11 54.72.0.0/15 34.192.0.0/10 34.240.0.0/13 52.192.0.0/11 90.44.107.223 195.154.173.12 74.121.137.108) DROP',
}
+ # rate limit accesses. The chain is set up by the apache module and allow happens at prio 90.
+ ferm::rule { 'dsa-http-snapshot-limit':
+ prio => '22',
+ description => 'rate limit for snapshot',
+ chain => 'http',
+ domain => '(ip ip6)',
+ rule => '
+ mod hashlimit hashlimit-name HTTPDOSPRE hashlimit-mode srcip hashlimit-burst 10 hashlimit 6/minute jump ACCEPT;
+ mod recent name HTTPDOS update seconds 900 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 200 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
+ }
+
ensure_packages ( [
'libapache2-mod-wsgi',
], {