]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/web/recipes/frontend.rb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Look through cloudflare to get real client IPs
[chef.git] / cookbooks / web / recipes / frontend.rb
diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index 6c1f0f761f321a2df84a4b071790bd8d59a9af6c..f9e733c5b97f7eb8e1e0f01f7159d7a6e4e1cd21 100644 (file)
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -34,6 +34,7 @@ apache_module "proxy"
 apache_module "proxy_fcgi"
 apache_module "lbmethod_byrequests"
 apache_module "lbmethod_bybusyness"
 apache_module "proxy_fcgi"
 apache_module "lbmethod_byrequests"
 apache_module "lbmethod_bybusyness"
+apache_module "remoteip"
 apache_module "reqtimeout"
 apache_module "rewrite"
 apache_module "unique_id"
 apache_module "reqtimeout"
 apache_module "rewrite"
 apache_module "unique_id"
@@ -52,9 +53,26 @@ remote_directory "#{node[:web][:base_directory]}/static" do
   files_mode "644"
 end
 
   files_mode "644"
 end
 
+remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list" do
+  source "https://www.cloudflare.com/ips-v4"
+  compile_time true
+  ignore_failure true
+end
+
+cloudflare_ipv4 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list").lines.map(&:chomp)
+
+remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list" do
+  source "https://www.cloudflare.com/ips-v6"
+  compile_time true
+  ignore_failure true
+end
+
+cloudflare_ipv6 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list").lines.map(&:chomp)
+
 apache_site "www.openstreetmap.org" do
   template "apache.frontend.erb"
 apache_site "www.openstreetmap.org" do
   template "apache.frontend.erb"
-  variables :status => node[:web][:status],
+  variables :cloudflare => cloudflare_ipv4 + cloudflare_ipv6,
+            :status => node[:web][:status],
             :secret_key_base => web_passwords["secret_key_base"]
 end
 
             :secret_key_base => web_passwords["secret_key_base"]
 end
 
@@ -75,6 +93,18 @@ fail2ban_jail "apache-request-timeout" do
   ports [80, 443]
 end
 
   ports [80, 443]
 end
 
+fail2ban_filter "apache-trackpoints-timeout" do
+  failregex '^<ADDR> .* "GET /api/0\.6/trackpoints\?.*" 408 .*$'
+end
+
+fail2ban_jail "apache-trackpoints-timeout" do
+  filter "apache-trackpoints-timeout"
+  logpath "/var/log/apache2/access.log"
+  ports [80, 443]
+  bantime "12h"
+  findtime "30m"
+end
+
 fail2ban_filter "apache-notes-search" do
   failregex '^<ADDR> .* "GET /api/0\.6/notes/search\?q=abcde&.*$'
 end
 fail2ban_filter "apache-notes-search" do
   failregex '^<ADDR> .* "GET /api/0\.6/notes/search\?q=abcde&.*$'
 end
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.