From: Tom Hughes
Date: Fri, 27 Nov 2020 10:45:31 +0000 (+0000)
Subject: Whitelist web frontends in nominatim fail2ban jail
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/1ece13ea17003cdc2679d8511b258c4b64197d13
Whitelist web frontends in nominatim fail2ban jail
---
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index 75c357902..fc6d2e9e3 100644
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -412,11 +412,13 @@ nginx_site "default" do
 action [:delete]
 end

+frontends = search(:node, "recipes:web\\:\\:frontend")
+
 nginx_site "nominatim" do
 template "nginx.erb"
 directory build_directory
 variables :pools => node[:nominatim][:fpm_pools],
- :frontends => search(:node, "recipes:web\\:\\:frontend"),
+ :frontends => frontends,
 :confdir => "#{basedir}/etc",
 :ui_directory => ui_directory
 end
@@ -454,9 +456,12 @@ end

 include_recipe "fail2ban"

+frontend_addresses = frontends.collect { |f| f.ipaddresses(:role => :external) }
+
 fail2ban_jail "nominatim_limit_req" do
 filter "nginx-limit-req"
 logpath "#{node[:nominatim][:logdir]}/nominatim.openstreetmap.org-error.log"
 ports [80, 443]
 maxretry 5
+ ignoreips frontend_addresses.flatten
 end
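Review bot: The `ignoreips` list in the `nominatim_limit_req` jail is filled from the Chef search `recipes:web\\:\\:frontend` (assigned to `frontends` in the first hunk), so which hosts escape banning depends on node data held by the Chef server rather than on a fixed list. If node objects can be saved by the nodes' own clients, as is the usual Chef default, any host that reports that recipe would be exempted here and also handed to the nginx template as a frontend; that is worth confirming against the server's ACLs, or the addresses could come from data only administrators can edit. An empty search result leaves `ignoreips` empty, which fails safe, but the jail has no comment saying why the frontends are exempt; a line such as `# Frontends' external addresses are exempt from limit_req bans` above `ignoreips` would record the intent. The collect-then-flatten pair could also be written in one step as `frontends.flat_map { |f| f.ipaddresses(:role => :external) }`.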