From: Tom Hughes Date: Sun, 25 Sep 2016 14:18:26 +0000 (+0100) Subject: Add a per-IP connection limit on planet.osm.org X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/eae9091a7de8aa4ebd28957f9b3837ee2b7496ad Add a per-IP connection limit on planet.osm.org --- diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb index a672bee7e..88a4091f5 100644 --- a/cookbooks/networking/attributes/default.rb +++ b/cookbooks/networking/attributes/default.rb @@ -1,5 +1,6 @@ default[:networking][:firewall][:inet] = [] default[:networking][:firewall][:inet6] = [] +default[:networking][:firewall][:http_connection_limit] = "-" default[:networking][:interfaces] = {} default[:networking][:nameservers] = [] default[:networking][:search] = [] diff --git a/cookbooks/networking/definitions/firewall_rule.rb b/cookbooks/networking/definitions/firewall_rule.rb index 388470b9c..eb60a684c 100644 --- a/cookbooks/networking/definitions/firewall_rule.rb +++ b/cookbooks/networking/definitions/firewall_rule.rb @@ -25,7 +25,8 @@ define :firewall_rule, :action => :accept do :proto => params[:proto], :dest_ports => params[:dest_ports] || "-", :source_ports => params[:source_ports] || "-", - :rate_limit => params[:rate_limit] || "-" + :rate_limit => params[:rate_limit] || "-", + :connection_limit => params[:connection_limit] || "-" ] if params[:family].nil? diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb index 0ed0841bf..16dd48269 100644 --- a/cookbooks/networking/recipes/default.rb +++ b/cookbooks/networking/recipes/default.rb @@ -336,6 +336,7 @@ firewall_rule "accept-http" do dest "fw" proto "tcp:syn" dest_ports "http" + connection_limit node[:networking][:firewall][:http_connection_limit] end firewall_rule "accept-https" do @@ -344,4 +345,5 @@ firewall_rule "accept-https" do dest "fw" proto "tcp:syn" dest_ports "https" + connection_limit node[:networking][:firewall][:http_connection_limit] end diff --git a/cookbooks/networking/templates/default/shorewall-rules.erb b/cookbooks/networking/templates/default/shorewall-rules.erb index 7cda2fbf1..0b13f7ba0 100644 --- a/cookbooks/networking/templates/default/shorewall-rules.erb +++ b/cookbooks/networking/templates/default/shorewall-rules.erb @@ -6,8 +6,8 @@ SECTION NEW <% end -%> -# ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER MARK CONNLIMIT # PORTS PORTS DEST LIMIT <% node[:networking][:firewall][@family].each do |r| # ~FC034 -%> -<%= r[:action] %> <%= r[:source] %> <%= r[:dest] %> <%= r[:proto] %> <%= r[:dest_ports] %> <%= r[:source_ports] %> - <%= r[:rate_limit] %> +<%= r[:action] %> <%= r[:source] %> <%= r[:dest] %> <%= r[:proto] %> <%= r[:dest_ports] %> <%= r[:source_ports] %> - <%= r[:rate_limit] %> - - <%= r[:connection_limit] %> <% end -%> diff --git a/roles/planet.rb b/roles/planet.rb index 8ee1ce9e9..8c2870767 100644 --- a/roles/planet.rb +++ b/roles/planet.rb @@ -31,6 +31,11 @@ default_attributes( } } }, + :networking => { + :firewall => { + :http_connection_limit => 10 + } + }, :apache => { :mpm => "event", :keepalive => true,