- seger.debian.org
- snapshotdb-manda-01.debian.org
- vittoria.debian.org
- apache_ratelimited:
- - beach.debian.org
- - buxtehude.debian.org
- - lw07.debian.org
- - picconi.debian.org
- - pkgmirror-csail.debian.org
- - sallinen.debian.org
snapshot_web:
- lw07.debian.org
- sallinen.debian.org
jump http_limit'
}
- if has_role('snapshot_web') {
- ferm::rule { 'dsa-http-rules':
- prio => '22',
- description => 'http subchain',
- chain => 'http',
- domain => '(ip ip6)',
- rule => '
- mod hashlimit hashlimit-name HTTPDOSPRE hashlimit-mode srcip hashlimit-burst 10 hashlimit 6/minute jump ACCEPT;
- mod recent name HTTPDOS update seconds 900 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 200 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- } else {
- ferm::rule { 'dsa-http-rules':
- prio => '22',
- description => 'http subchain',
- chain => 'http',
- domain => '(ip ip6)',
- rule => '
- saddr (74.6.22.182 74.6.18.240 67.195.0.0/16) jump limit_yahoo;
- saddr (124.115.0.0/21 119.63.192.0/21) jump limit_sosospider;
- saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
- saddr (66.249.64.0/19) jump limit_google;
- saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16 220.181.0.0/16) jump limit_baidu;
- saddr (119.235.237.024) jump limit_nhn;
-
- mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- }
-
- ferm::rule { 'dsa-http':
- prio => '23',
- description => 'Allow web access',
+ ferm::rule { 'dsa-http-rules':
+ prio => '22',
+ description => 'http subchain',
+ chain => 'http',
domain => '(ip ip6)',
- rule => 'proto tcp dport (http https 6081) jump http'
+ rule => '
+ saddr (74.6.22.182 74.6.18.240 67.195.0.0/16) jump limit_yahoo;
+ saddr (124.115.0.0/21 119.63.192.0/21) jump limit_sosospider;
+ saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+ saddr (66.249.64.0/19) jump limit_google;
+ saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16 220.181.0.0/16) jump limit_baidu;
+ saddr (119.235.237.024) jump limit_nhn;
+
+ mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
}
}
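Review bot: The entry `saddr (119.235.237.024) jump limit_nhn;` carried into the new rule body is not a valid CIDR: every other line in this list uses `a.b.c.d/len`, so `119.235.237.0/24` looks like what was meant, and how ferm and iptables treat a dotted quad with a leading-zero octet is not something I would rely on for a rate-limit selector. The same typo is on the removed side, so the commit only moves it, but this is the place to fix it since the rule is now unconditional. Separately, `119.63.192.0/21` appears both in the limit_sosospider line and in the limit_baidu line; the first match wins, so the baidu entry for that range never fires — drop it or note that it is intentional. The enclosing class begins before this hunk.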
# Sets appropriate firewall rules and optionally rate limits.
# @param mpm Which Multi-Processing Modules to use. Defaults to worker;
# the alternative is prefork.
+# @param rate_limit Rate limit incoming connections at the netfilter level. If false,
+# (and public is true), all incoming connections to the http
+# and https ports get sent to the http chain, and accepted at
+# ferm prio 90, so other things can be done to web traffic
+# before that.
class apache2(
Boolean $smaller_number_of_threads = false,
Integer $rlimitnproc = 256,
Integer $rlimitmem = 192 * 1024 * 1024,
Boolean $public = true,
Enum['prefork','worker'] $mpm = 'worker',
+ Boolean $rate_limit = false,
) {
include webserver
}
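Review bot: The new `@param rate_limit` documentation only describes the false case and leaves the true case to the reader; since the parameter's whole purpose is the true branch, I would add a line such as `#   If true, apache2::dynamic is included instead, which installs per-source hashlimit rules in the http chain at prio 22.` The parenthetical `If false, (and public is true)` also reads awkwardly — `If false (and public is true),` keeps the meaning. The parameter's default of false matches the old behaviour for hosts that were not in apache_ratelimited, which is worth stating explicitly so role authors know the include is backward compatible.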
if $public {
- if has_role('apache_ratelimited') {
+ ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'A web subchain',
+ domain => '(ip ip6)',
+ rule => 'proto tcp dport (http https 6081) jump http'
+ }
+
+ if $rate_limit {
include apache2::dynamic
} else {
ferm::rule { 'dsa-http':
+ description => 'http subchain, allow everything',
+ prio => '90',
+ chain => 'http',
domain => '(ip ip6)',
- prio => '23',
- description => 'Allow web access',
- rule => '&SERVICE(tcp, (http https))'
+ rule => 'jump ACCEPT',
}
}
}
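Review bot: The `else` branch still declares `ferm::rule { 'dsa-http':` (the unchanged title line above `description => 'http subchain, allow everything'`), and the hunk now also declares `ferm::rule { 'dsa-http':` unconditionally a few lines earlier; with `$rate_limit` defaulting to false, every public apache2 host will hit a duplicate resource declaration on `Ferm::Rule[dsa-http]`. Give the accept rule its own title, e.g. `ferm::rule { 'dsa-http-allow':`, matching the `dsa-http-rules` naming used by the rate-limited variant. Also note that the old accept rule was `&SERVICE(tcp, (http https))` while the new `dsa-http` rule opens `dport (http https 6081)` for every public host, not just the rate-limited ones; if 6081 (previously only on the dynamic path) is not wanted on plain apache2 hosts, it should be gated or moved back into apache2::dynamic. The description `'A web subchain'` on the jump rule is also misleading, since that rule is the entry into the chain rather than the subchain itself.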
class roles::bugs_web {
- include apache2
+ class { 'apache2':
+ rate_limit => true,
+ }
ssl::service { 'bugs.debian.org':
notify => Exec['service apache2 reload'],
class roles::packages {
- include apache2
+ class { 'apache2':
+ rate_limit => true,
+ }
+
ssl::service { 'packages.debian.org': notify => Exec['service apache2 reload'], key => true, }
}
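Review bot: Replacing `include apache2` with a resource-like `class { 'apache2': rate_limit => true }` here and in roles::bugs_web means these roles will fail to compile if any other role, profile or the node itself also includes apache2 first (Puppet rejects a resource-like declaration of an already-declared class). If these hosts can carry more than one web role, the safer pattern is to set `apache2::rate_limit: true` in hiera for the role and keep `include apache2`; if they are single-purpose, a comment such as `# resource-like declaration: apache2 must not be included elsewhere on this host` would document the constraint.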
rule => 'saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 54.72.0.0/15 95.115.66.23 52.192.0.0/11 54.72.0.0/15 34.192.0.0/10 34.240.0.0/13 52.192.0.0/11 90.44.107.223 195.154.173.12 74.121.137.108) DROP',
}
+ # rate limit accesses. The chain is set up by the apache module and allow happens at prio 90.
+ ferm::rule { 'dsa-http-snapshot-limit':
+ prio => '22',
+ description => 'rate limit for snapshot',
+ chain => 'http',
+ domain => '(ip ip6)',
+ rule => '
+ mod hashlimit hashlimit-name HTTPDOSPRE hashlimit-mode srcip hashlimit-burst 10 hashlimit 6/minute jump ACCEPT;
+ mod recent name HTTPDOS update seconds 900 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 200 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
+ }
+
ensure_packages ( [
'libapache2-mod-wsgi',
], {