X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/db9651c7d0eceda2f608ca82571c6cdc4cf17ebe..55d3ae09e912b8627faa004e8f7fb7dab5d1c7f2:/cookbooks/web/recipes/frontend.rb?ds=inline
diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index 1c71a2fd0..ec7ce92f5 100644
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -17,18 +17,24 @@
 # limitations under the License.
 #
 
+node.default[:memcached][:ip_address] = node.internal_ipaddress || "127.0.0.1"
+
+include_recipe "memcached"
 include_recipe "apache"
+include_recipe "fail2ban"
 include_recipe "web::rails"
+include_recipe "web::cgimap"
 
 web_passwords = data_bag_item("web", "passwords")
 
 apache_module "alias"
 apache_module "expires"
 apache_module "headers"
-apache_module "proxy_http"
-apache_module "proxy_balancer"
+apache_module "proxy"
+apache_module "proxy_fcgi"
 apache_module "lbmethod_byrequests"
 apache_module "lbmethod_bybusyness"
+apache_module "reqtimeout"
 apache_module "rewrite"
 apache_module "unique_id"
 
@@ -36,8 +42,6 @@ apache_site "default" do
 action [:disable]
 end
 
-# Static legacy files used by external websites
-# eg: OpenLayers
 remote_directory "#{node[:web][:base_directory]}/static" do
 source "static"
 owner "root"
@@ -45,7 +49,7 @@ remote_directory "#{node[:web][:base_directory]}/static" do
 mode "755"
 files_owner "root"
 files_group "root"
- files_mode 0o644
+ files_mode "644"
 end
 
 apache_site "www.openstreetmap.org" do
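Review bot: The added `node.default[:memcached][:ip_address] = node.internal_ipaddress || "127.0.0.1"` in the first hunk makes memcached listen on the internal interface whenever the node has one, and memcached does not authenticate clients by default, so any host that can reach that address can read or overwrite cached data. Nothing visible in this hunk limits who may connect; unless the memcached cookbook already restricts the memcached port to the hosts that need it, a firewall rule should accompany this line. A comment above the assignment would record the assumption, for example `# memcached is unauthenticated; access to this address must be limited by firewall rules`. Whether other hosts actually need to reach this cache is not shown here, so if they do not, keeping the loopback default would be the smaller exposure.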
@@ -61,9 +65,77 @@ template "/etc/logrotate.d/apache2" do
 mode "644"
 end
 
-service "rails-jobs@mailers" do
- action [:enable, :start]
- supports :restart => true
- subscribes :restart, "rails_port[www.openstreetmap.org]"
- subscribes :restart, "systemd_service[rails-jobs]"
+fail2ban_filter "apache-request-timeout" do
+ failregex '^ .* "-" 408 .*$'
+end
+
+fail2ban_jail "apache-request-timeout" do
+ filter "apache-request-timeout"
+ logpath "/var/log/apache2/access.log"
+ ports [80, 443]
+end
+
+fail2ban_filter "apache-trackpoints-timeout" do
+ failregex '^ .* "GET /api/0\.6/trackpoints\?.*" 408 .*$'
+end
+
+fail2ban_jail "apache-trackpoints-timeout" do
+ filter "apache-trackpoints-timeout"
+ logpath "/var/log/apache2/access.log"
+ ports [80, 443]
+ bantime "12h"
+ findtime "30m"
+end
+
+fail2ban_filter "apache-notes-search" do
+ failregex '^ .* "GET /api/0\.6/notes/search\?q=abcde&.*$'
+end
+
+fail2ban_jail "apache-notes-search" do
+ filter "apache-notes-search"
+ logpath "/var/log/apache2/access.log"
+ ports [80, 443]
+end
+
+if %w[database_offline database_readonly].include?(node[:web][:status])
+ service "rails-jobs@mailers" do
+ action :stop
+ end
+
+ service "rails-jobs@storage" do
+ action :stop
+ end
+
+ service "rails-jobs@traces" do
+ action :stop
+ end
+else
+ service "rails-jobs@mailers" do
+ action [:enable, :start]
+ supports :restart => true
+ subscribes :restart, "rails_port[www.openstreetmap.org]"
+ subscribes :restart, "systemd_service[rails-jobs@]"
+ end
+
+ service "rails-jobs@storage" do
+ action [:enable, :start]
+ supports :restart => true
+ subscribes :restart, "rails_port[www.openstreetmap.org]"
+ subscribes :restart, "systemd_service[rails-jobs@]"
+ end
+
+ service "rails-jobs@traces" do
+ action [:enable, :start]
+ supports :restart => true
+ subscribes :restart, "rails_port[www.openstreetmap.org]"
+ subscribes :restart, "systemd_service[rails-jobs@]"
+ end
+end
+
+template "/usr/local/bin/deliver-message" do
+ source "deliver-message.erb"
+ owner "rails"
+ group "rails"
+ mode "0700"
+ variables :secret_key_base => web_passwords["secret_key_base"]
 end
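Review bot: The `template "/usr/local/bin/deliver-message"` resource at the end of this hunk renders `web_passwords["secret_key_base"]` into the script but is not marked sensitive, so Chef may print the rendered content or its diff in run output and reporting whenever the file changes. Adding `sensitive true` inside the block keeps the secret out of those logs; `mode "0700"` with owner `rails` already restricts reads on disk. Separately, the three `failregex` patterns as shown here start with `^ .*` and contain no `<HOST>` token, which fail2ban needs in order to know which address to ban; this was probably lost when the page was rendered, but it should be confirmed against the file. The `apache-notes-search` filter would also benefit from a one-line comment saying what traffic the literal `q=abcde` query identifies.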