X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Fmanifests%2Fsnapshot_web.pp;h=cee2b946624b737211820d1492870510774769e3;hb=faf0b00a7b3ef90757b7fcf9dec93c9987383f8a;hp=e9fd9e3d4c8cdb7f283d77dc08bcb25d0b286dcc;hpb=dd6cf6aa396cb762a80e430b4e38d961a8e124b2;p=mirror%2Fdsa-puppet.git diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp index e9fd9e3d4..cee2b9466 100644 --- a/modules/roles/manifests/snapshot_web.pp +++ b/modules/roles/manifests/snapshot_web.pp @@ -1,4 +1,8 @@ +# web service for snapshot.debian.org +# class roles::snapshot_web { + include roles::snapshot_secondary + include apache2 include apache2::rewrite @@ -47,6 +51,19 @@ class roles::snapshot_web { rule => 'saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 54.72.0.0/15 95.115.66.23 52.192.0.0/11 54.72.0.0/15 34.192.0.0/10 34.240.0.0/13 52.192.0.0/11 90.44.107.223 195.154.173.12 74.121.137.108) DROP', } + # rate limit accesses. The chain is set up by the apache module and allow happens at prio 90. + ferm::rule { 'dsa-http-snapshot-limit': + prio => '22', + description => 'rate limit for snapshot', + chain => 'http', + domain => '(ip ip6)', + rule => ' + mod hashlimit hashlimit-name HTTPDOSPRE hashlimit-mode srcip hashlimit-burst 10 hashlimit 6/minute jump ACCEPT; + mod recent name HTTPDOS update seconds 900 jump log_or_drop; + mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 200 hashlimit 30/minute jump ACCEPT; + mod recent name HTTPDOS set jump log_or_drop' + } + ensure_packages ( [ 'libapache2-mod-wsgi', ], {
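Review bot: In the added `dsa-http-snapshot-limit` rule, both `hashlimit-mode srcip` matches and the `recent` list key on the full source address, and with `domain => '(ip ip6)'` that gives one bucket per IPv6 address, so the limits do not bound a client that controls a whole /64. Consider splitting the rule per address family and adding `hashlimit-srcmask 64` to the two hashlimit matches in the ip6 copy (iptables `--hashlimit-srcmask`; confirm the deployed ferm accepts the keyword). The HTTPDOS list is also bounded by xt_recent's `ip_list_tot` module parameter (100 entries by default), so under many distinct sources entries can be evicted before the 900 seconds pass. The four-step logic would benefit from a comment such as `# <=6/min (burst 10) always accepted; exceeding 30/min (burst 200) lists the source, which is then held to the 6/min tier until 900s pass without a dropped packet`. The rule presumably relies on the `http` chain seeing only new connections rather than every packet; that chain and the rest of `roles::snapshot_web` are defined outside this hunk, so please confirm.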