X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fapache2%2Fmanifests%2Finit.pp;h=f5c6f80c34dc0890392acac5469439ab4801a362;hb=78d9609794123c96e794ff5201a1aa3e7695ab5a;hp=c72e2b57b94ed97cb3949b305892a1bb64585409;hpb=8bf7a67029f55b8a1a72c09ab367dd53161aec15;p=mirror%2Fdsa-puppet.git
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index c72e2b57b..f5c6f80c3 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -136,80 +136,90 @@ class apache2 {
 command => "/etc/init.d/apache2 force-reload",
 refreshonly => true;
 }
-
- @ferm::rule { "dsa-http-limit":
- prio => "20",
- description => "limit HTTP DOS",
- chain => 'http_limit',
- rule => '
- mod limit limit-burst 60 limit 15/minute jump ACCEPT;
- jump DROP;
- '
- }
- @ferm::rule { "dsa-http-soso":
- prio => "21",
- description => "slow soso spider",
- chain => 'limit_sosospider',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
- jump http_limit;
- '
- }
- @ferm::rule { "dsa-http-yahoo":
- prio => "21",
- description => "slow yahoo spider",
- chain => 'limit_yahoo',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit;
- '
- }
- @ferm::rule { "dsa-http-google":
- prio => "21",
- description => "slow google spider",
- chain => 'limit_google',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
- jump http_limit;
- '
- }
- @ferm::rule { "dsa-http-bing":
- prio => "21",
- description => "slow bing spider",
- chain => 'limit_bing',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit;
- '
- }
- @ferm::rule { "dsa-http-rules":
- prio => "22",
- description => "http subchain",
- chain => 'http',
- rule => '
- saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
- saddr 124.115.0.0/21 jump limit_sosospider;
- saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
- saddr (66.249.64.0/19) jump limit_google;
-
- mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop;
- '
+ case $hostname {
+ chopin,franck,morricone: {
+ package {
+ "libapache2-mod-macro": ensure => installed;
+ }
+ enable_module {
+ "macro":;
+ }
+ file {
+ "/etc/apache2/conf.d/puppet-builddlist":
+ content => template("apache2/conf-builddlist.erb"),
+ require => Package["apache2"],
+ notify => Exec["reload-apache2"];
+ }
+ }
 }
+
 case $hostname {
- sibelius,stabile: {
+ busoni,duarte,holter,lindberg,master,merkel,powell,rore: {
+ @ferm::rule { "dsa-http-limit":
+ prio => "20",
+ description => "limit HTTP DOS",
+ chain => 'http_limit',
+ rule => '
+ mod limit limit-burst 60 limit 15/minute jump ACCEPT;
+ jump DROP'
+ }
+ @ferm::rule { "dsa-http-soso":
+ prio => "21",
+ description => "slow soso spider",
+ chain => 'limit_sosospider',
+ rule => '
+ mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
+ jump http_limit'
+ }
+ @ferm::rule { "dsa-http-yahoo":
+ prio => "21",
+ description => "slow yahoo spider",
+ chain => 'limit_yahoo',
+ rule => '
+ mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+ @ferm::rule { "dsa-http-google":
+ prio => "21",
+ description => "slow google spider",
+ chain => 'limit_google',
+ rule => '
+ mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
+ jump http_limit'
+ }
+ @ferm::rule { "dsa-http-bing":
+ prio => "21",
+ description => "slow bing spider",
+ chain => 'limit_bing',
+ rule => '
+ mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+ @ferm::rule { "dsa-http-rules":
+ prio => "22",
+ description => "http subchain",
+ chain => 'http',
+ rule => '
+ saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
+ saddr 124.115.0.0/21 jump limit_sosospider;
+ saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+ saddr (66.249.64.0/19) jump limit_google;
+
+ mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
+ }
 @ferm::rule { "dsa-http":
 prio => "23",
 description => "Allow web access",
- rule => "&SERVICE(tcp, (http https))"
+ rule => "proto tcp dport (http https) jump http"
 }
 }
 default: {
 @ferm::rule { "dsa-http":
 prio => "23",
 description => "Allow web access",
- rule => "proto tcp dport (http https) jump http;"
+ rule => "&SERVICE(tcp, (http https))"
 }
 }
 }
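Review bot: The `default:` branch now opens http/https with `&SERVICE(tcp, (http https))`, so any host not in the `busoni,...,rore` list loses the `http` subchain entirely — the spider connlimit chains and the HTTPDOS hashlimit/recent rules — whereas before the subchain was the default and only `sibelius,stabile` were exempt. That inversion is easy to miss and means a newly added web host silently ends up unthrottled, so the case branch deserves a comment such as `# Only the hosts listed here get the rate-limited http subchain; anything else falls through to default and is opened unthrottled via &SERVICE.`. Every multi-statement `rule` string also drops its trailing `;` (`jump DROP'`, `jump log_or_drop'`, and the old `jump http;`), which is only valid ferm if the `ferm::rule` template appends the terminator itself; that define is not in this hunk, so it is worth confirming. The enclosing `class apache2` starts outside the hunk.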