X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fapache2%2Fmanifests%2Finit.pp;h=cfadaf194f4e1f380c39b678c573c83af1c22912;hb=72c9df408d1367a62c858c37ee8375396d78f360;hp=b61b89a5142603ea5fcadb7defbf85a9e11380bd;hpb=5ac06970309d659aaff62b003c05ebb4ea3d5700;p=mirror%2Fdsa-puppet.git diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp index b61b89a51..cfadaf194 100644 --- a/modules/apache2/manifests/init.pp +++ b/modules/apache2/manifests/init.pp @@ -136,24 +136,32 @@ class apache2 { command => "/etc/init.d/apache2 force-reload", refreshonly => true; } - case $hostname { - sibelius,stabile: { - @ferm::rule { "dsa-http": - prio => "23", - description => "Allow web access", - rule => "&SERVICE(tcp, (http https))" + chopin,franck,morricone: { + package { + "libapache2-mod-macro": ensure => installed; + } + enable_module { + "macro":; + } + file { + "/etc/apache2/conf.d/puppet-builddlist": + content => template("apache2/conf-builddlist.erb"), + require => Package["apache2"], + notify => Exec["reload-apache2"]; } } - default: { + } + + case $hostname { + busoni,duarte,holter,lindberg,master,powell,rore: { @ferm::rule { "dsa-http-limit": prio => "20", description => "limit HTTP DOS", chain => 'http_limit', rule => ' mod limit limit-burst 60 limit 15/minute jump ACCEPT; - jump DROP; - ' + jump DROP' } @ferm::rule { "dsa-http-soso": prio => "21", @@ -161,8 +169,7 @@ class apache2 { chain => 'limit_sosospider', rule => ' mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP; - jump http_limit; - ' + jump http_limit' } @ferm::rule { "dsa-http-yahoo": prio => "21", @@ -170,8 +177,7 @@ class apache2 { chain => 'limit_yahoo', rule => ' mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; - jump http_limit; - ' + jump http_limit' } @ferm::rule { "dsa-http-google": prio => "21", 
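Review bot: The new `file { "/etc/apache2/conf.d/puppet-builddlist": ... }` resource requires only `Package["apache2"]`, although it is declared beside `libapache2-mod-macro` and `enable_module { "macro":; }`. The template is not visible here, but that placement suggests the generated config uses mod_macro directives. If so, nothing orders the file and its `notify => Exec["reload-apache2"]` after the module is installed and enabled, so a force-reload could run against a config Apache cannot yet parse. Consider `require => [ Package["apache2"], Package["libapache2-mod-macro"] ],` plus an ordering on the `enable_module` resource, and set owner, group and mode explicitly unless `File` defaults exist elsewhere. The `case` statement that the `chopin,franck,morricone` branch belongs to appears to start outside the hunk.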
@@ -179,8 +185,7 @@ class apache2 { chain => 'limit_google', rule => ' mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP; - jump http_limit; - ' + jump http_limit' } @ferm::rule { "dsa-http-bing": prio => "21", @@ -188,8 +193,15 @@ class apache2 { chain => 'limit_bing', rule => ' mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; - jump http_limit; - ' + jump http_limit' + } + @ferm::rule { "dsa-http-baidu": + prio => "21", + description => "slow baidu spider", + chain => 'limit_baidu', + rule => ' + mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; + jump http_limit' } @ferm::rule { "dsa-http-rules": prio => "22", @@ -200,16 +212,23 @@ class apache2 { saddr 124.115.0.0/21 jump limit_sosospider; saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing; saddr (66.249.64.0/19) jump limit_google; + saddr (119.63.192.0/21 180.76.0.0/16) jump limit_baidu; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; - mod recent name HTTPDOS set jump log_or_drop; - ' + mod recent name HTTPDOS set jump log_or_drop' } @ferm::rule { "dsa-http": prio => "23", description => "Allow web access", - rule => "proto tcp dport (http https) jump http;" + rule => "proto tcp dport (http https) jump http" + } + } + default: { + @ferm::rule { "dsa-http": + prio => "23", + description => "Allow web access", + rule => "&SERVICE(tcp, (http https))" } } }
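Review bot: The networks for the new `limit_baidu` chain are hard-coded with no record of where they came from; this hunk adds the chain, and the matching `saddr (119.63.192.0/21 180.76.0.0/16) jump limit_baidu;` line is in the next hunk. Crawler ranges drift over time. A stale entry either throttles unrelated clients to two concurrent connections per /16, or lets the crawler fall through to the general HTTPDOS rules. A comment above the resource stating the source and date would make later audits possible, for example `# Baidu spider ranges, source: <where obtained>, checked <date>`. Note also that `connlimit-mask 16` puts all of 180.76.0.0/16 into a single bucket, which looks intentional but is worth stating in the `description`.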
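Review bot: The new `default:` branch at the end of this hunk opens http/https with a plain `&SERVICE(tcp, (http https))`, so the rate-limiting chains now apply only to the hosts named in the `case $hostname` list added in the first hunk. Before this change it was the other way round: limits by default, with two named exceptions. Any host that includes this class and is not on the list now gets no HTTP connection limiting, and a newly added web host stays unprotected until someone edits the list. If that is intended, record it on the branch, e.g. `# default: no HTTP rate limiting; add the host to the list above to enable it`; otherwise keep the limiting rules as the default and list only the exempt hosts. The enclosing class starts outside the hunk.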