X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/29312d8acdaae23bf07bcb5fc0627ffc2d53e4e6..da3e292dc325b96df2c805d729427c8bf6741b81:/cookbooks/apache/recipes/default.rb diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb index ebf404945..d1a0aac1d 100644 --- a/cookbooks/apache/recipes/default.rb +++ b/cookbooks/apache/recipes/default.rb @@ -1,14 +1,14 @@ # -# Cookbook Name:: apache +# Cookbook:: apache # Recipe:: default # -# Copyright 2011, OpenStreetMap Foundation +# Copyright:: 2011, OpenStreetMap Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -17,41 +17,48 @@ # limitations under the License. # -package "apache2" -package "apache2-mpm-#{node[:apache][:mpm]}" - -#In Apache 2.4 mpm have become runtime loadable modules -#Diable all mpm except the required mpm -if node[:lsb][:release].to_f >= 14.04 - mpms = ['event', 'itk', 'prefork', 'worker'] - mpms.reject{|u| u == node[:apache][:mpm]}.each do |mpm| - apache_module mpm do - action [ :disable ] - end +include_recipe "fail2ban" +include_recipe "prometheus" +include_recipe "ssl" + +package %w[ + apache2 + libwww-perl +] + +%w[event itk prefork worker].each do |mpm| + next if mpm == node[:apache][:mpm] + + apache_module "mpm_#{mpm}" do + action [:disable] end end +apache_module "mpm_#{node[:apache][:mpm]}" do + action [:enable] +end + +apache_module "http2" + admins = data_bag_item("apache", "admins") -template "/etc/apache2/httpd.conf" do - source "httpd.conf.erb" - owner "root" - group "root" - mode 0644 +apache_conf "httpd" do + template "httpd.conf.erb" + notifies :reload, "service[apache2]" end template "/etc/apache2/ports.conf" do source "ports.conf.erb" owner "root" group "root" - mode 0644 + mode "644" end -service "apache2" do - action [ :enable, :start ] - supports :status => true, :restart => true, :reload => true - subscribes :restart, "package[apache2-mpm-#{node[:apache][:mpm]}]" - subscribes :reload, "template[/etc/apache2/httpd.conf]" +systemd_service "apache2" do + dropin "chef" + memory_high "50%" + memory_max "75%" + notifies :restart, "service[apache2]" end apache_module "info" do @@ -64,10 +71,68 @@ apache_module "status" do variables :hosts => admins["hosts"] end -apache_module "reqtimeout" do - action [ :disable ] +if node[:apache][:evasive][:enable] + apache_module "evasive" do + conf "evasive.conf.erb" + end +else + apache_module "evasive" do + action :disable + end +end + +apache_module "brotli" do + conf "brotli.conf.erb" +end + +apache_module "deflate" do + conf "deflate.conf.erb" +end + +apache_module "headers" +apache_module "ssl" + +apache_conf "ssl" do + template "ssl.erb" +end + +# Apache should only be started after modules enabled +service "apache2" do + action [:enable, :start] + retries 2 + retry_delay 10 + supports :status => true, :restart => true, :reload => true +end + +fail2ban_filter "apache-forbidden" do + action :delete +end + +fail2ban_jail "apache-forbidden" do + action :delete end -munin_plugin "apache_accesses" -munin_plugin "apache_processes" -munin_plugin "apache_volume" +fail2ban_filter "apache-evasive" do + failregex ": Blacklisting address : possible DoS attack\.$" +end + +fail2ban_jail "apache-evasive" do + filter "apache-evasive" + backend "systemd" + journalmatch "_SYSTEMD_UNIT=apache2.service SYSLOG_IDENTIFIER=mod_evasive" + ports [80, 443] + findtime "10m" + maxretry 3 +end + +template "/var/lib/prometheus/node-exporter/apache.prom" do + source "apache.prom.erb" + owner "root" + group "root" + mode "644" +end + +prometheus_exporter "apache" do + port 9117 + options "--scrape_uri=http://localhost/server-status?auto" +end