Set up ssh between snapshot nodes

[mirror/dsa-puppet.git] / modules / roles / manifests / snapshot_web.pp

diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp
index e9fd9e3..cee2b94 100644 (file)
--- a/modules/roles/manifests/snapshot_web.pp
+++ b/modules/roles/manifests/snapshot_web.pp
@@ -1,4 +1,8 @@
+# web service for snapshot.debian.org
+#
 class roles::snapshot_web {
+  include roles::snapshot_secondary
+
   include apache2
   include apache2::rewrite
 
@@ -47,6 +51,19 @@ class roles::snapshot_web {
     rule => 'saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 54.72.0.0/15 95.115.66.23 52.192.0.0/11 54.72.0.0/15 34.192.0.0/10 34.240.0.0/13 52.192.0.0/11 90.44.107.223 195.154.173.12 74.121.137.108) DROP',
   }
 
+  # rate limit accesses.  The chain is set up by the apache module and allow happens at prio 90.
+  ferm::rule { 'dsa-http-snapshot-limit':
+    prio        => '22',
+    description => 'rate limit for snapshot',
+    chain       => 'http',
+    domain      => '(ip ip6)',
+    rule        => '
+        mod hashlimit hashlimit-name HTTPDOSPRE hashlimit-mode srcip hashlimit-burst 10 hashlimit 6/minute jump ACCEPT;
+        mod recent name HTTPDOS update seconds 900 jump log_or_drop;
+        mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 200 hashlimit 30/minute jump ACCEPT;
+        mod recent name HTTPDOS set jump log_or_drop'
+  }
+
   ensure_packages ( [
     'libapache2-mod-wsgi',
     ], {