X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ee603acb6bce130b494f41fd79da3a36f79de017..794cc957324de66edab45373053be3e601090f1f:/cookbooks/web/recipes/frontend.rb
diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index 4c50df668..f9e733c5b 100644
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -1,14 +1,14 @@
 #
-# Cookbook Name:: web
+# Cookbook:: web
 # Recipe:: frontend
 #
-# Copyright 2011, OpenStreetMap Foundation
+# Copyright:: 2011, OpenStreetMap Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,74 +17,143 @@
 # limitations under the License.
 #
 
+node.default[:memcached][:ip_address] = node.internal_ipaddress || "127.0.0.1"
+
 include_recipe "memcached"
-include_recipe "apache::ssl"
+include_recipe "apache"
+include_recipe "fail2ban"
 include_recipe "web::rails"
 include_recipe "web::cgimap"
 
 web_passwords = data_bag_item("web", "passwords")
 
 apache_module "alias"
-apache_module "deflate"
 apache_module "expires"
 apache_module "headers"
+apache_module "proxy"
 apache_module "proxy_fcgi"
-apache_module "proxy_http"
-apache_module "proxy_balancer"
 apache_module "lbmethod_byrequests"
 apache_module "lbmethod_bybusyness"
+apache_module "remoteip"
+apache_module "reqtimeout"
 apache_module "rewrite"
+apache_module "unique_id"
 
 apache_site "default" do
 action [:disable]
 end
 
+remote_directory "#{node[:web][:base_directory]}/static" do
+source "static"
+owner "root"
+group "root"
+mode "755"
+files_owner "root"
+files_group "root"
+files_mode "644"
+end
+
+remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list" do
+source "https://www.cloudflare.com/ips-v4"
+compile_time true
+ignore_failure true
+end
+
+cloudflare_ipv4 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv4-list").lines.map(&:chomp)
+
+remote_file "#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list" do
+source "https://www.cloudflare.com/ips-v6"
+compile_time true
+ignore_failure true
+end
+
+cloudflare_ipv6 = IO.read("#{Chef::Config[:file_cache_path]}/cloudflare-ipv6-list").lines.map(&:chomp)
+
 apache_site "www.openstreetmap.org" do
 template "apache.frontend.erb"
-variables :secret_key_base => web_passwords["secret_key_base"]
+variables :cloudflare => cloudflare_ipv4 + cloudflare_ipv6,
+:status => node[:web][:status],
+:secret_key_base => web_passwords["secret_key_base"]
 end
 
-gem_package "hpricot"
-gem_package "home_run"
-gem_package "apachelogregex"
-
 template "/etc/logrotate.d/apache2" do
 source "logrotate.apache.erb"
 owner "root"
 group "root"
-mode 0644
+mode "644"
+end
+
+fail2ban_filter "apache-request-timeout" do
+failregex '^ .* "-" 408 .*$'
 end
 
-munin_plugin "api_calls_num" do
-action :delete
+fail2ban_jail "apache-request-timeout" do
+filter "apache-request-timeout"
+logpath "/var/log/apache2/access.log"
+ports [80, 443]
 end
 
-munin_plugin "api_calls_#{node[:hostname]}" do
-target "api_calls_"
+fail2ban_filter "apache-trackpoints-timeout" do
+failregex '^ .* "GET /api/0\.6/trackpoints\?.*" 408 .*$'
 end
 
-munin_plugin "api_waits_#{node[:hostname]}" do
-target "api_waits_"
+fail2ban_jail "apache-trackpoints-timeout" do
+filter "apache-trackpoints-timeout"
+logpath "/var/log/apache2/access.log"
+ports [80, 443]
+bantime "12h"
+findtime "30m"
 end
 
-node.set[:memcached][:ip_address] = node.external_ipaddress
+fail2ban_filter "apache-notes-search" do
+failregex '^ .* "GET /api/0\.6/notes/search\?q=abcde&.*$'
+end
 
-firewall_rule "accept-memcache-tcp" do
-action :accept
-family "inet"
-source "ic"
-dest "fw"
-proto "tcp"
-dest_ports "11211"
-source_ports "1024:"
+fail2ban_jail "apache-notes-search" do
+filter "apache-notes-search"
+logpath "/var/log/apache2/access.log"
+ports [80, 443]
 end
 
-firewall_rule "accept-memcache-udp" do
-action :accept
-family "inet"
-source "ic"
-dest "fw"
-proto "udp"
-dest_ports "11211"
-source_ports "1024:"
+if %w[database_offline database_readonly].include?(node[:web][:status])
+service "rails-jobs@mailers" do
+action :stop
+end
+
+service "rails-jobs@storage" do
+action :stop
+end
+
+service "rails-jobs@traces" do
+action :stop
+end
+else
+service "rails-jobs@mailers" do
+action [:enable, :start]
+supports :restart => true
+subscribes :restart, "rails_port[www.openstreetmap.org]"
+subscribes :restart, "systemd_service[rails-jobs@]"
+end
+
+service "rails-jobs@storage" do
+action [:enable, :start]
+supports :restart => true
+subscribes :restart, "rails_port[www.openstreetmap.org]"
+subscribes :restart, "systemd_service[rails-jobs@]"
+end
+
+service "rails-jobs@traces" do
+action [:enable, :start]
+supports :restart => true
+subscribes :restart, "rails_port[www.openstreetmap.org]"
+subscribes :restart, "systemd_service[rails-jobs@]"
+end
+end
+
+template "/usr/local/bin/deliver-message" do
+source "deliver-message.erb"
+owner "rails"
+group "rails"
+mode "0700"
+variables :secret_key_base => web_passwords["secret_key_base"]
 end
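Review bot: The two `cloudflare_ipv4 = IO.read(...)` / `cloudflare_ipv6 = IO.read(...)` lines hand whatever the download returned straight into the `:cloudflare` template variable of the `www.openstreetmap.org` site without checking that each line is an address range, and since the two `remote_file` resources run with `ignore_failure true` a stale cached file is used silently on later runs while a missing file on a fresh node makes `IO.read` raise `Errno::ENOENT` with no hint that the download is the cause. Given the new `apache_module "remoteip"` and the fail2ban jails that key on the logged client address, this list presumably decides which proxies are trusted for the real client IP, so a non-address body (an error page returned with a 200, for example) should not be able to reach the Apache configuration. A one-line guard per list, `.lines.map(&:chomp).grep(%r{\A[0-9a-f.:]+/\d+\z}i)`, keeps only CIDR-shaped entries, and a comment such as `# trusted-proxy list for mod_remoteip; a missing or stale file here is a security-relevant condition, not a cosmetic one` would make the dependency explicit. The `mode "0700"` on the `deliver-message` template is also the only mode in the file written with a leading zero; `mode "700"` would match the `"755"`/`"644"` style used above it.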