From 6cd11592f10a9294b671b06b8641df66354dae52 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 15 Sep 2019 19:59:31 +0200
Subject: [PATCH] Retire the apache_ratelimited role
And introduce a rate_limit param to the apache2 class. The bugs_web role sets that option to true on inclusion, as does the packages role. The snapshot role had slightly different rate limiting in the apache class. This has now been removed in favor of rate limiting in the snapshot_web class. To enable this, all web traffic (even on not-ratelimited systems) is sent to the http chain. At the end, all traffic gets accepted and services that want to interfere can do things before prio 90.
---
hieradata/common.yaml | 7 ----
modules/apache2/manifests/dynamic.pp | 51 ++++++++-----------------
modules/apache2/manifests/init.pp | 22 +++++++++--
modules/roles/manifests/bugs_web.pp | 4 +-
modules/roles/manifests/packages.pp | 5 ++-
modules/roles/manifests/snapshot_web.pp | 13 +++++++
6 files changed, 53 insertions(+), 49 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index dde9b7634..f54f24cea 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -181,13 +181,6 @@ roles:
- seger.debian.org
- snapshotdb-manda-01.debian.org
- vittoria.debian.org
- apache_ratelimited:
- - beach.debian.org
- - buxtehude.debian.org
- - lw07.debian.org
- - picconi.debian.org
- - pkgmirror-csail.debian.org
- - sallinen.debian.org
snapshot_web:
- lw07.debian.org
- sallinen.debian.org
diff --git a/modules/apache2/manifests/dynamic.pp b/modules/apache2/manifests/dynamic.pp
index 4d181d6aa..35a936076 100644
--- a/modules/apache2/manifests/dynamic.pp
+++ b/modules/apache2/manifests/dynamic.pp
@@ -61,42 +61,21 @@ class apache2::dynamic {
jump http_limit'
}
- if has_role('snapshot_web') {
- ferm::rule { 'dsa-http-rules':
- prio => '22',
- description => 'http subchain',
- chain => 'http',
- domain => '(ip ip6)',
- rule => '
- mod hashlimit hashlimit-name HTTPDOSPRE hashlimit-mode srcip hashlimit-burst 10 hashlimit 6/minute jump ACCEPT;
- mod recent name HTTPDOS update seconds 900 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 200 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- } else {
- ferm::rule { 'dsa-http-rules':
- prio => '22',
- description => 'http subchain',
- chain => 'http',
- domain => '(ip ip6)',
- rule => '
- saddr (74.6.22.182 74.6.18.240 67.195.0.0/16) jump limit_yahoo;
- saddr (124.115.0.0/21 119.63.192.0/21) jump limit_sosospider;
- saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
- saddr (66.249.64.0/19) jump limit_google;
- saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16 220.181.0.0/16) jump limit_baidu;
- saddr (119.235.237.024) jump limit_nhn;
-
- mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- }
-
- ferm::rule { 'dsa-http':
- prio => '23',
- description => 'Allow web access',
+ ferm::rule { 'dsa-http-rules':
+ prio => '22',
+ description => 'http subchain',
+ chain => 'http',
domain => '(ip ip6)',
- rule => 'proto tcp dport (http https 6081) jump http'
+ rule => '
+ saddr (74.6.22.182 74.6.18.240 67.195.0.0/16) jump limit_yahoo;
+ saddr (124.115.0.0/21 119.63.192.0/21) jump limit_sosospider;
+ saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+ saddr (66.249.64.0/19) jump limit_google;
+ saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16 220.181.0.0/16) jump limit_baidu;
+ saddr (119.235.237.024) jump limit_nhn;
+
+ mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
}
}
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 77f4c03c6..9cd01c49d 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -16,12 +16,18 @@
# Sets appropriate firewall rules and optionally rate limits.
# @param mpm Which Multi-Processing Modules to use. Defaults to worker;
# the alternative is prefork.
+# @param rate_limit Rate limit incoming connections at the netfilter level. If false,
+# (and public is true), all incoming connections to the http
+# and https ports get sent to the http chain, and accepted at
+# ferm prio 90, so other things can be done to web traffic
+# before that.
class apache2(
Boolean $smaller_number_of_threads = false,
Integer $rlimitnproc = 256,
Integer $rlimitmem = 192 * 1024 * 1024,
Boolean $public = true,
Enum['prefork','worker'] $mpm = 'worker',
+ Boolean $rate_limit = false,
) {
include webserver
@@ -139,14 +145,22 @@ class apache2(
}
if $public {
- if has_role('apache_ratelimited') {
+ ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'A web subchain',
+ domain => '(ip ip6)',
+ rule => 'proto tcp dport (http https 6081) jump http'
+ }
+
+ if $rate_limit {
include apache2::dynamic
} else {
ferm::rule { 'dsa-http':
+ description => 'http subchain, allow everything',
+ prio => '90',
+ chain => 'http',
domain => '(ip ip6)',
- prio => '23',
- description => 'Allow web access',
- rule => '&SERVICE(tcp, (http https))'
+ rule => 'jump ACCEPT',
}
}
}
diff --git a/modules/roles/manifests/bugs_web.pp b/modules/roles/manifests/bugs_web.pp
index b62fc40b5..2a5bfda2e 100644
--- a/modules/roles/manifests/bugs_web.pp
+++ b/modules/roles/manifests/bugs_web.pp
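Review bot: `saddr (119.235.237.024) jump limit_nhn;` in the rewritten `dsa-http-rules` rule is neither a plain address nor a CIDR prefix — it reads like a typo for `119.235.237.0/24`. How iptables parses that literal cannot be determined from here; it may match a single unintended host or make the whole chain fail to load, and either way the limit_nhn chain would not see the intended range. The line is carried over from the removed branch, but since the rule is being rewritten in this hunk it is the place to confirm the intended prefix and fix it. The enclosing `class apache2::dynamic` starts before the hunk.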
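Review bot: The new `@param rate_limit` text documents only the false case and its parenthetical sits in the wrong clause (`If false, (and public is true), ...`). Suggest: `@param rate_limit Rate limit incoming web connections at the netfilter level. When public is true, tcp http/https/6081 is always jumped to the http chain; if true, apache2::dynamic adds per-source hashlimit rules to that chain, if false the chain ends in an unconditional ACCEPT at ferm prio 90 so other classes can insert rules before it.` The 6081 and hashlimit details are taken from the second init.pp hunk and the dynamic.pp hunk in this patch.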
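Review bot: Both `ferm::rule` resources inside `if $public {` are titled `'dsa-http'` — the new unconditional prio-23 rule and the one in the `else` branch — so with the default `rate_limit => false` every public apache2 host now declares the same resource twice and catalog compilation fails with a duplicate declaration; the `else` rule needs its own title, e.g. `ferm::rule { 'dsa-http-accept':` (name constructed here). A second effect worth confirming: the old `else` path opened only `&SERVICE(tcp, (http https))`, whereas the new unconditional rule also sends tcp/6081 to the http chain on every public host rather than only the formerly rate-limited ones, so the firewall scope widens for hosts that never had the apache_ratelimited role. If that is intended, a one-line comment above the prio-23 rule saying so would stop the next reader from reverting it.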
@@ -1,5 +1,7 @@
class roles::bugs_web {
- include apache2
+ class { 'apache2':
+ rate_limit => true,
+ }
ssl::service { 'bugs.debian.org':
notify => Exec['service apache2 reload'],
diff --git a/modules/roles/manifests/packages.pp b/modules/roles/manifests/packages.pp
index 26022c37d..a4f14a617 100644
--- a/modules/roles/manifests/packages.pp
+++ b/modules/roles/manifests/packages.pp
@@ -1,4 +1,7 @@
class roles::packages {
- include apache2
+ class { 'apache2':
+ rate_limit => true,
+ }
+
ssl::service { 'packages.debian.org': notify => Exec['service apache2 reload'], key => true, }
}
diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp
index e9fd9e3d4..9e71efd1e 100644
--- a/modules/roles/manifests/snapshot_web.pp
+++ b/modules/roles/manifests/snapshot_web.pp
@@ -47,6 +47,19 @@ class roles::snapshot_web {
rule => 'saddr (61.69.254.110 18.128.0.0/9 3.120.0.0/14 35.156.0.0/14 52.58.0.0/15 99.137.191.34 51.15.215.91 208.91.68.213 198.11.128.0/18 159.226.95.0/24 84.204.194.0/24 211.13.205.0/24 63.32.0.0/14 54.72.0.0/15 95.115.66.23 52.192.0.0/11 54.72.0.0/15 34.192.0.0/10 34.240.0.0/13 52.192.0.0/11 90.44.107.223 195.154.173.12 74.121.137.108) DROP',
}
+ # rate limit accesses. The chain is set up by the apache module and allow happens at prio 90.
+ ferm::rule { 'dsa-http-snapshot-limit':
+ prio => '22',
+ description => 'rate limit for snapshot',
+ chain => 'http',
+ domain => '(ip ip6)',
+ rule => '
+ mod hashlimit hashlimit-name HTTPDOSPRE hashlimit-mode srcip hashlimit-burst 10 hashlimit 6/minute jump ACCEPT;
+ mod recent name HTTPDOS update seconds 900 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 200 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
+ }
+
ensure_packages ( [
'libapache2-mod-wsgi',
], {
--
2.20.1
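Review bot: `class { 'apache2': rate_limit => true, }` is a resource-like declaration, which Puppet rejects if `apache2` has already been declared (for example via `include apache2` in another role or profile applied to the same host); the packages.pp hunk uses the same pattern. Whether any host carries bugs_web or packages together with another apache2-including role is not visible here, but if one does, the catalog fails at compile time. Setting `apache2::rate_limit: true` in the role's hiera data and keeping `include apache2` avoids the ordering constraint entirely.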
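Review bot: The new `dsa-http-snapshot-limit` rule only has the intended effect when this host's `apache2` class is declared with `rate_limit` left at its default, because with `rate_limit => true` `apache2::dynamic` installs its own prio-22 `dsa-http-rules` in the same `http` chain and the relative order of two equal-priority rules is not determinable from what is shown here. The comment above the rule should state that dependency, e.g. `# Requires apache2 with rate_limit => false: the http chain is created by the apache2 module and its final ACCEPT sits at prio 90, so everything here runs before it.` The enclosing `class roles::snapshot_web` starts outside the hunk, and the role's `apache2` declaration is not visible here.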