X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/9528de07d836fa814fd5b66dbe55aea20c9cff6c..8668f1a536f86f7a586dd343ff06aaf9bc2ec502:/cookbooks/apache/recipes/default.rb?ds=inline
diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index 80e9e473f..d1a0aac1d 100644
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -18,7 +18,6 @@
 #
 include_recipe "fail2ban"
-include_recipe "munin"
 include_recipe "prometheus"
 include_recipe "ssl"
@@ -62,13 +61,6 @@ systemd_service "apache2" do
 notifies :restart, "service[apache2]"
 end
-service "apache2" do
- action [:enable, :start]
- retries 2
- retry_delay 10
- supports :status => true, :restart => true, :reload => true
-end
-
 apache_module "info" do
 conf "info.conf.erb"
 variables :hosts => admins["hosts"]
@@ -79,7 +71,7 @@ apache_module "status" do
 variables :hosts => admins["hosts"]
 end
-if node[:apache][:evasive]
+if node[:apache][:evasive][:enable]
 apache_module "evasive" do
 conf "evasive.conf.erb"
 end
@@ -104,6 +96,14 @@ apache_conf "ssl" do
 template "ssl.erb"
 end
+# Apache should only be started after modules enabled
+service "apache2" do
+ action [:enable, :start]
+ retries 2
+ retry_delay 10
+ supports :status => true, :restart => true, :reload => true
+end
+
 fail2ban_filter "apache-forbidden" do
 action :delete
 end
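Review bot: In the `@@ -79,7 +71,7 @@` hunk, `node[:apache][:evasive][:enable]` assumes `node[:apache][:evasive]` is always a hash, so any role or environment that still sets it to a plain `true`/`false` (the shape the old condition accepted) will raise NoMethodError when the recipe is compiled. The attribute defaults and role overrides are not visible in this diff, so this may already be handled elsewhere in the commit. A short comment above the condition would make the new shape explicit, for example `# node[:apache][:evasive] is a hash; :enable toggles mod_evasive`. The `if` body continues past the end of the hunk.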
@@ -113,22 +113,18 @@ fail2ban_jail "apache-forbidden" do
 end
 fail2ban_filter "apache-evasive" do
- failregex "^Blacklisting address : possible DoS attack\.$"
+ failregex ": Blacklisting address : possible DoS attack\.$"
 end
 fail2ban_jail "apache-evasive" do
 filter "apache-evasive"
 backend "systemd"
- journalmatch "SYSLOG_IDENTIFIER=mod_evasive"
+ journalmatch "_SYSTEMD_UNIT=apache2.service SYSLOG_IDENTIFIER=mod_evasive"
 ports [80, 443]
- findtime "1m"
- maxretry 50
+ findtime "10m"
+ maxretry 3
 end
-munin_plugin "apache_accesses"
-munin_plugin "apache_processes"
-munin_plugin "apache_volume"
-
 template "/var/lib/prometheus/node-exporter/apache.prom" do
 source "apache.prom.erb"
 owner "root"
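Review bot: The new jail thresholds `findtime "10m"` / `maxretry 3` are much stricter than the values they replace, and nothing in the recipe records why or how they relate to the blocking settings in evasive.conf.erb, which this hunk does not show. Three blacklist events in ten minutes can be reached by ordinary users sharing one address (NAT, a proxy in front of Apache), so it is worth confirming that the jail's ban time and ignore list cover such addresses. I would add a comment above `findtime`, for example `# ban after 3 mod_evasive blacklist events in 10 minutes; keep in step with evasive.conf.erb`. As rendered here the `failregex` shows no `<HOST>` group, which looks like a page-extraction artifact, but confirm the file has one since fail2ban needs it to know which address to ban. The trailing `template` resource continues past the end of the hunk.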