apache: set our correct defaults for mod_evasive

[chef.git] / cookbooks / apache / recipes / default.rb

diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index b440dc38886e501552ec29a876761624b9e39f3d..6fdafa02ef2a9a83f8c127d87d61234ba7145ba0 100644 (file)
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -62,13 +62,6 @@ systemd_service "apache2" do
   notifies :restart, "service[apache2]"
 end
 
   notifies :restart, "service[apache2]"
 end
 

-service "apache2" do
-  action [:enable, :start]
-  retries 2
-  retry_delay 10
-  supports :status => true, :restart => true, :reload => true
-end
-

 apache_module "info" do
   conf "info.conf.erb"
   variables :hosts => admins["hosts"]
 apache_module "info" do
   conf "info.conf.erb"
   variables :hosts => admins["hosts"]


@@ -79,7 +72,7 @@ apache_module "status" do
   variables :hosts => admins["hosts"]
 end
 
   variables :hosts => admins["hosts"]
 end
 

-if node[:apache][:evasive]
+if node[:apache][:evasive][:enable]

   apache_module "evasive" do
     conf "evasive.conf.erb"
   end
   apache_module "evasive" do
     conf "evasive.conf.erb"
   end


@@ -104,15 +97,33 @@ apache_conf "ssl" do
   template "ssl.erb"
 end
 
   template "ssl.erb"
 end
 

+# Apache should only be started after modules enabled
+service "apache2" do
+  action [:enable, :start]
+  retries 2
+  retry_delay 10
+  supports :status => true, :restart => true, :reload => true
+end
+

 fail2ban_filter "apache-forbidden" do
 fail2ban_filter "apache-forbidden" do

-  failregex '^<ADDR> .* "[^"]*" 403 .*$'
+  action :delete

 end
 
 fail2ban_jail "apache-forbidden" do
 end
 
 fail2ban_jail "apache-forbidden" do

-  filter "apache-forbidden"
-  logpath "/var/log/apache2/access.log"
+  action :delete
+end
+
+fail2ban_filter "apache-evasive" do
+  failregex "^Blacklisting address <ADDR>: possible DoS attack\.$"
+end
+
+fail2ban_jail "apache-evasive" do
+  filter "apache-evasive"
+  backend "systemd"
+  journalmatch "_SYSTEMD_UNIT=apache2.service SYSLOG_IDENTIFIER=mod_evasive"

   ports [80, 443]
   ports [80, 443]

-  maxretry 50
+  findtime "10m"
+  maxretry 3

 end
 
 munin_plugin "apache_accesses"
 end
 
 munin_plugin "apache_accesses"