X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fapache2%2Fmanifests%2Fdynamic.pp;h=55a26130b6b74bfbe2cb1761fd456e2e86be41bc;hb=2d1ec427e3c71ed97101e3dc53b8ece95624d67f;hp=75b3fb9d9ced0c61abb802c6c9411471c250c6dc;hpb=c145ce1571a90464c010a8753b0158e49024193b;p=mirror%2Fdsa-puppet.git
diff --git a/modules/apache2/manifests/dynamic.pp b/modules/apache2/manifests/dynamic.pp
index 75b3fb9d9..55a26130b 100644
--- a/modules/apache2/manifests/dynamic.pp
+++ b/modules/apache2/manifests/dynamic.pp
@@ -1,91 +1,81 @@
 class apache2::dynamic {
- @ferm::rule { 'dsa-http-limit':
- prio => '20',
- description => 'limit HTTP DOS',
- chain => 'http_limit',
- rule => 'mod limit limit-burst 60 limit 15/minute jump ACCEPT;
- jump DROP'
- }
+ ferm::rule { 'dsa-http-limit':
+ prio => '20',
+ description => 'limit HTTP DOS',
+ chain => 'http_limit',
+ domain => '(ip ip6)',
+ rule => 'mod limit limit-burst 60 limit 15/minute jump ACCEPT;
+ jump DROP'
+ }
- @ferm::rule { 'dsa-http-soso':
- prio => '21',
- description => 'slow soso spider',
- chain => 'limit_sosospider',
- rule => 'mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
- jump http_limit'
- }
+ ferm::rule { 'dsa-http-soso':
+ prio => '21',
+ description => 'slow soso spider',
+ chain => 'limit_sosospider',
+ domain => '(ip ip6)',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
+ jump http_limit'
+ }
- @ferm::rule { 'dsa-http-yahoo':
- prio => '21',
- description => 'slow yahoo spider',
- chain => 'limit_yahoo',
- rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
+ ferm::rule { 'dsa-http-yahoo':
+ prio => '21',
+ description => 'slow yahoo spider',
+ chain => 'limit_yahoo',
+ domain => '(ip ip6)',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
- @ferm::rule { 'dsa-http-google':
- prio => '21',
- description => 'slow google spider',
- chain => 'limit_google',
- rule => 'mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
- jump http_limit'
- }
+ ferm::rule { 'dsa-http-google':
+ prio => '21',
+ description => 'slow google spider',
+ chain => 'limit_google',
+ domain => '(ip ip6)',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
+ jump http_limit'
+ }
- @ferm::rule { 'dsa-http-bing':
- prio => '21',
- description => 'slow bing spider',
- chain => 'limit_bing',
- rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
+ ferm::rule { 'dsa-http-bing':
+ prio => '21',
+ description => 'slow bing spider',
+ chain => 'limit_bing',
+ domain => '(ip ip6)',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
- @ferm::rule { 'dsa-http-baidu':
- prio => '21',
- description => 'slow baidu spider',
- chain => 'limit_baidu',
- rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { 'dsa-http-nhn':
- prio => '21',
- description => 'slow nhn spider',
- chain => 'limit_nhn',
- rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
+ ferm::rule { 'dsa-http-baidu':
+ prio => '21',
+ description => 'slow baidu spider',
+ chain => 'limit_baidu',
+ domain => '(ip ip6)',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+ ferm::rule { 'dsa-http-nhn':
+ prio => '21',
+ description => 'slow nhn spider',
+ chain => 'limit_nhn',
+ domain => '(ip ip6)',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
- if has_role('snapshot_web') {
- @ferm::rule { 'dsa-http-rules':
- prio => '22',
- description => 'http subchain',
- chain => 'http',
- rule => '
- mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 30 hashlimit 20/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- } else {
- @ferm::rule { 'dsa-http-rules':
- prio => '22',
- description => 'http subchain',
- chain => 'http',
- rule => '
- saddr (74.6.22.182 74.6.18.240 67.195.0.0/16) jump limit_yahoo;
- saddr (124.115.0.0/21 119.63.192.0/21) jump limit_sosospider;
- saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
- saddr (66.249.64.0/19) jump limit_google;
- saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16 220.181.0.0/16) jump limit_baidu;
- saddr (119.235.237.024) jump limit_nhn;
+ ferm::rule { 'dsa-http-rules':
+ prio => '22',
+ description => 'http subchain',
+ chain => 'http',
+ domain => '(ip ip6)',
+ rule => '
+ saddr (74.6.22.182 74.6.18.240 67.195.0.0/16) jump limit_yahoo;
+ saddr (124.115.0.0/21 119.63.192.0/21) jump limit_sosospider;
+ saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+ saddr (66.249.64.0/19) jump limit_google;
+ saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16 220.181.0.0/16) jump limit_baidu;
+ saddr (119.235.237.024) jump limit_nhn;
- mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- }
-
- @ferm::rule { 'dsa-http':
- prio => '23',
- description => 'Allow web access',
- rule => 'proto tcp dport (http https 6081) jump http'
- }
+ mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
+ }
 }
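Review bot: `saddr (119.235.237.024) jump limit_nhn;` in the new dsa-http-rules body looks like a typo for a /24 prefix — as written it is neither a plain address nor a CIDR, so ferm will either reject the ruleset or match something other than the intended range; presumably `saddr (119.235.237.0/24) jump limit_nhn;` (confirm against the intended nhn range before fixing). Every saddr list in that rule is IPv4-only while the resource now carries `domain => '(ip ip6)'`; unless ferm::rule filters addresses per domain, the ip6 rendering of this chain needs checking, and either way the per-spider connlimit chains never apply to IPv6 clients, which only pass through the hashlimit/recent path. The removed `dsa-http` resource (`proto tcp dport (http https 6081) jump http`) has no counterpart on the new side, so if it was not moved to another manifest the http chain is never reached and none of these limits take effect. The class opens and closes within this hunk.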