default[:apache][:buffered_logs] = true
-default[:apache][:evasive] = true
+default[:apache][:evasive][:enable] = true
+default[:apache][:evasive][:dos_hash_table_size] = 65536
+default[:apache][:evasive][:dos_page_count] = 50
+default[:apache][:evasive][:dos_site_count] = 250
+default[:apache][:evasive][:dos_page_interval] = 1
+default[:apache][:evasive][:dos_site_interval] = 1
+default[:apache][:evasive][:dos_blocking_period] = 60
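Review bot: The six new `default[:apache][:evasive][:dos_*]` attributes have no comment saying what each one bounds, yet these are the values a role will change to tighten or relax the DoS limits. I would add a short comment block above them, for example `# dos_page_count / dos_site_count: requests per client IP (same URI / whole site) allowed within dos_page_interval / dos_site_interval seconds` and `# dos_blocking_period: seconds a client keeps receiving 403 after tripping a limit`. It is also worth stating that `dos_hash_table_size` only sizes the per-child tracking table and is not itself a limit, so it is not mistaken for a threshold when tuning.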
notifies :restart, "service[apache2]"
end
-service "apache2" do
- action [:enable, :start]
- retries 2
- retry_delay 10
- supports :status => true, :restart => true, :reload => true
-end
-
apache_module "info" do
conf "info.conf.erb"
variables :hosts => admins["hosts"]
variables :hosts => admins["hosts"]
end
-if node[:apache][:evasive]
+if node[:apache][:evasive][:enable]
apache_module "evasive" do
conf "evasive.conf.erb"
end
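Review bot: `if node[:apache][:evasive][:enable]` assumes every attribute source now supplies a hash. A role, environment or node override still written in the old form (`:evasive => true` or `:evasive => false`) would, under Chef's attribute merge, replace the cookbook's default hash, and indexing the boolean then raises NoMethodError in the middle of the run. This commit converts two roles, but other overrides are not visible from here, so remaining boolean settings should be searched for before rollout. A guard placed ahead of the condition, such as `raise "apache.evasive must be a hash with :enable" unless node[:apache][:evasive].respond_to?(:key?)`, would name the problem instead of failing on `[]`. The `if` block closes outside this hunk.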
template "ssl.erb"
end
+# Apache should only be started after modules enabled
+service "apache2" do
+ action [:enable, :start]
+ retries 2
+ retry_delay 10
+ supports :status => true, :restart => true, :reload => true
+end
+
fail2ban_filter "apache-forbidden" do
action :delete
end
# DO NOT EDIT - This file is being maintained by Chef
<IfModule mod_evasive20.c>
- DOSHashTableSize 65536
- DOSPageCount 50
- DOSSiteCount 250
- DOSPageInterval 1
- DOSSiteInterval 1
- DOSBlockingPeriod 60
+ DOSHashTableSize <%= node[:apache][:evasive][:dos_hash_table_size] %>
+ DOSPageCount <%= node[:apache][:evasive][:dos_page_count] %>
+ DOSSiteCount <%= node[:apache][:evasive][:dos_site_count] %>
+ DOSPageInterval <%= node[:apache][:evasive][:dos_page_interval] %>
+ DOSSiteInterval <%= node[:apache][:evasive][:dos_site_interval] %>
+ DOSBlockingPeriod <%= node[:apache][:evasive][:dos_blocking_period] %>
</IfModule>
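Review bot: The six `<%= node[:apache][:evasive][...] %>` expressions write whatever the attribute holds straight into the directive, so a nil or non-numeric override is only noticed when Apache rejects the configuration on restart. Coercing at render time, e.g. `DOSPageCount <%= Integer(node[:apache][:evasive][:dos_page_count]) %>` and likewise on the other five lines, makes the Chef run fail while rendering, before the existing file is replaced. `Integer()` does not catch a zero or very large value, which would quietly weaken the limit; if that matters, a range check belongs in the recipe rather than the template.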
default_attributes(
:apache => {
- :evasive => false
+ :evasive => {
+ :enable => false
+ }
}
)
:apache => {
:mpm => "event",
:timeout => 60,
- :evasive => false,
+ :evasive => {
+ :enable => false
+ },
:event => {
:threads_per_child => 20,
:min_spare_threads => 300,