# limitations under the License.
#
-include_recipe "munin"
+include_recipe "fail2ban"
include_recipe "prometheus"
include_recipe "ssl"
notifies :restart, "service[apache2]"
end
-service "apache2" do
- action [:enable, :start]
- retries 2
- retry_delay 10
- supports :status => true, :restart => true, :reload => true
-end
-
apache_module "info" do
conf "info.conf.erb"
variables :hosts => admins["hosts"]
variables :hosts => admins["hosts"]
end
-apache_module "evasive" do
- conf "evasive.conf.erb"
- only_if { node[:apache][:evasive] }
+if node[:apache][:evasive][:enable]
+ apache_module "evasive" do
+ conf "evasive.conf.erb"
+ end
+else
+ apache_module "evasive" do
+ action :disable
+ end
end
apache_module "brotli" do
template "ssl.erb"
end
-munin_plugin "apache_accesses"
-munin_plugin "apache_processes"
-munin_plugin "apache_volume"
+# Apache should only be started after modules enabled
+service "apache2" do
+ action [:enable, :start]
+ retries 2
+ retry_delay 10
+ supports :status => true, :restart => true, :reload => true
+end
+
+fail2ban_filter "apache-forbidden" do
+ action :delete
+end
+
+fail2ban_jail "apache-forbidden" do
+ action :delete
+end
+
+fail2ban_filter "apache-evasive" do
+ failregex ": Blacklisting address <ADDR>: possible DoS attack\.$"
+end
+
+fail2ban_jail "apache-evasive" do
+ filter "apache-evasive"
+ backend "systemd"
+ journalmatch "_SYSTEMD_UNIT=apache2.service SYSLOG_IDENTIFIER=mod_evasive"
+ ports [80, 443]
+ findtime "10m"
+ maxretry 3
+end
template "/var/lib/prometheus/node-exporter/apache.prom" do
source "apache.prom.erb"
projects / chef.git / blobdiff