X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/4d0f0d5a2c8841d2e7e4553f359bc3322512e6e8..794cc957324de66edab45373053be3e601090f1f:/cookbooks/web/recipes/frontend.rb?ds=inline diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb index 44aa0cd5b..f9e733c5b 100644 --- a/cookbooks/web/recipes/frontend.rb +++ b/cookbooks/web/recipes/frontend.rb @@ -34,6 +34,7 @@ apache_module "proxy" apache_module "proxy_fcgi" apache_module "lbmethod_byrequests" apache_module "lbmethod_bybusyness" +apache_module "remoteip" apache_module "reqtimeout" apache_module "rewrite" apache_module "unique_id" @@ -52,9 +53,26 @@ remote_directory "#{node[:web][:base_directory]}/static" do files_mode "644" end +remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list" do + source "https://www.cloudflare.com/ips-v4" + compile_time true + ignore_failure true +end + +cloudflare_ipv4 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list").lines.map(&:chomp) + +remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list" do + source "https://www.cloudflare.com/ips-v6" + compile_time true + ignore_failure true +end + +cloudflare_ipv6 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list").lines.map(&:chomp) + apache_site "www.openstreetmap.org" do template "apache.frontend.erb" - variables :status => node[:web][:status], + variables :cloudflare => cloudflare_ipv4 + cloudflare_ipv6, + :status => node[:web][:status], :secret_key_base => web_passwords["secret_key_base"] end @@ -75,6 +93,28 @@ fail2ban_jail "apache-request-timeout" do ports [80, 443] end +fail2ban_filter "apache-trackpoints-timeout" do + failregex '^ .* "GET /api/0\.6/trackpoints\?.*" 408 .*$' +end + +fail2ban_jail "apache-trackpoints-timeout" do + filter "apache-trackpoints-timeout" + logpath "/var/log/apache2/access.log" + ports [80, 443] + bantime "12h" + findtime "30m" +end + +fail2ban_filter "apache-notes-search" do + failregex '^ .* "GET /api/0\.6/notes/search\?q=abcde&.*$' +end + +fail2ban_jail "apache-notes-search" do + filter "apache-notes-search" + logpath "/var/log/apache2/access.log" + ports [80, 443] +end + if %w[database_offline database_readonly].include?(node[:web][:status]) service "rails-jobs@mailers" do action :stop