# Sets appropriate firewall rules and optionally rate limits.
# @param mpm Which Multi-Processing Modules to use. Defaults to worker;
# the alternative is prefork.
+# @param rate_limit Rate limit incoming connections at the netfilter level. If false,
+# (and public is true), all incoming connections to the http
+# and https ports get sent to the http chain, and accepted at
+# ferm prio 90, so other things can be done to web traffic
+# before that.
class apache2(
Boolean $smaller_number_of_threads = false,
Integer $rlimitnproc = 256,
Integer $rlimitmem = 192 * 1024 * 1024,
Boolean $public = true,
Enum['prefork','worker'] $mpm = 'worker',
+ Boolean $rate_limit = false,
) {
include webserver
ensure => absent,
}
- if has_role('udd') {
- $memlimit = 512 * 1024 * 1024
- } elsif has_role('popcon') {
- $memlimit = 512 * 1024 * 1024
- } else {
- $memlimit = $rlimitmem
- }
-
apache2::config { 'resource-limits':
content => template('apache2/resource-limits.erb'),
}
}
if $public {
- if has_role('apache_ratelimited') {
+ ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'A web subchain',
+ domain => '(ip ip6)',
+ rule => 'proto tcp dport (http https 6081) jump http'
+ }
+
+ if $rate_limit {
include apache2::dynamic
} else {
- ferm::rule { 'dsa-http':
+ ferm::rule { 'dsa-http-allow':
+ description => 'http subchain, allow everything',
+ prio => '90',
+ chain => 'http',
domain => '(ip ip6)',
- prio => '23',
- description => 'Allow web access',
- rule => '&SERVICE(tcp, (http https))'
+ rule => 'jump ACCEPT',
}
}
}
}
apache2::config { 'local-scheduled-shutdown':
- source => 'puppet:///modules/apache2/local-scheduled-shutdown',
+ ensure => 'absent',
}
}
projects / mirror / dsa-puppet.git / blobdiff