X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsnapshot_web.pp;h=bcaa7050eddab14ac811089abb7a0a5d6c495397;hb=29cbe59430d1e7d7d5575579b48513c56227e2f7;hp=a20fb381f7e58c7f037b53fc294bb2dc9ab68a07;hpb=3b3433e2054bf8885d7ea0bd97c57a7ce0004563;p=mirror%2Fdsa-puppet.git diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp index a20fb381f..bcaa7050e 100644 --- a/modules/roles/manifests/snapshot_web.pp +++ b/modules/roles/manifests/snapshot_web.pp @@ -1,7 +1,51 @@ class roles::snapshot_web { include apache2 include apache2::rewrite - include stretch::network_online + + # snapshot abusers + # 61.69.254.110 - 20180705, mirroring with wget + # 20180821 large amount of requests way too fast from some amazon AWS instances + # 18.185.157.46 + # 18.194.174.202 + # 18.184.181.169 + # 18.184.5.230 + # 18.194.137.96 + # 18.197.147.183 + # 3.120.39.137 + # 3.120.41.69 + # 35.158.129.130 + # 52.59.199.25 + # 52.59.228.158 + # 52.59.245.42 + # 52.59.253.41 + # 52.59.71.13 + # 20180821 mirroring + # 99.137.191.34 + # 20181110 crawler + # 51.15.215.91 + # 20181222, excessive number of requests + # 208.91.68.213 + # 198.11.128.0/18 + # running jugdo against snapshot + # 159.226.95.0/24 + # 84.204.194.0/24 + # 211.13.205.0/24 + # 20190512 tens of thousands of queries + # 63.32.0.0/14 + # 54.72.0.0/15 + # 95.115.66.23 + # 52.192.0.0/11 + # 54.72.0.0/15 + # 34.192.0.0/10 + # 34.240.0.0/13 + # 52.192.0.0/11 + # 90.44.107.223 + # 195.154.173.12 + # 74.121.137.108 + ferm::rule { 'dsa-snapshot-abusers': + prio => "005", + rule => "saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 54.72.0.0/15 95.115.66.23 52.192.0.0/11 54.72.0.0/15 34.192.0.0/10 34.240.0.0/13 52.192.0.0/11 90.44.107.223 195.154.173.12 74.121.137.108) DROP", + } ensure_packages ( [ "libapache2-mod-wsgi", @@ -15,6 +59,11 @@ class roles::snapshot_web { } case $::hostname { + 'lw07': { + $ipv4addr = '185.17.185.185' + $ipv6addr = '2001:1af8:4020:b030:deb::185' + $ipv6addr_apache = '2001:1af8:4020:b030:deb::187' + } 'sallinen': { $ipv4addr = '193.62.202.27' $ipv6addr = '2001:630:206:4000:1a1a:0:c13e:ca1b' @@ -25,10 +74,17 @@ class roles::snapshot_web { } } - @ferm::rule { 'dsa-snapshot-varnish-v4': - rule => '&SERVICE(tcp, 6081)', + ferm::rule { 'dsa-snapshot-connlimit': + domain => '(ip ip6)', + prio => "005", + rule => "proto tcp mod state state (NEW) interface ! lo daddr (${ipv4addr} ${ipv6addr}) mod multiport destination-ports (80 443) mod connlimit connlimit-above 3 DROP; + proto tcp mod state state (NEW) interface ! lo dport 6081 mod connlimit connlimit-above 3 DROP + ", } - @ferm::rule { 'dsa-nat-snapshot-varnish-v4': + + # varnish cache + ############### + ferm::rule { 'dsa-nat-snapshot-varnish-v4': table => 'nat', chain => 'PREROUTING', rule => "proto tcp daddr ${ipv4addr} dport 80 REDIRECT to-ports 6081", @@ -43,6 +99,7 @@ class roles::snapshot_web { content => template('roles/snapshot/snapshot.debian.org.vcl.erb'), } + # the ipv6 port 80 is owned by varnish file { '/etc/apache2/ports.conf': content => @("EOF"), Listen 0.0.0.0:80 @@ -51,4 +108,17 @@ class roles::snapshot_web { require => Package['apache2'], notify => Service['apache2'], } + + # haproxy ssl termination + ######################### + include haproxy + file { '/etc/haproxy/haproxy.cfg': + content => template('roles/snapshot/haproxy.cfg.erb'), + require => Package['haproxy'], + notify => Service['haproxy'], + } + ssl::service { 'snapshot.debian.org': + notify => Service['haproxy'], + key => true, + } }