humph
index 9c5481cc4f071f48137f648415078a629928453f..519fa208e91e18566e2e2c36246fc576d682cffb 100644 (file)
@@ -6,6 +6,20 @@ class apache2 {
                "logrotate": ensure => installed;
        }
 
+        case $php5 {
+                "true": { package {
+                               "php5-suhosin": ensure => installed;
+                       }
+                          file { "/etc/php5/conf.d/suhosin.ini":
+                                       source  => [ "puppet:///apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
+                                                    "puppet:///apache2/common/etc/php5/conf.d/suhosin.ini" ],
+                                       require => Package["apache2", "php5-suhosin"],
+                                        notify  => Exec["force-reload-apache2"];
+                       }
+               }
+       }
+
+
         define activate_apache_site($ensure=present, $site=$name) {
                 case $site {
                         "": { $base = $name }
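Review bot: The `case $php5` block that moves here has no `default` arm and matches only the literal string "true", so for any other value (including an unset variable) neither the php5-suhosin package nor /etc/php5/conf.d/suhosin.ini is managed, and a host whose $php5 flag is later switched off keeps the old package and file with nothing reporting it. If that is intended, make it explicit with `default: { } # non-php5 hosts: suhosin deliberately left unmanaged`; otherwise derive the state from the flag, e.g. `$suhosin_ensure = $php5 ? { "true" => present, default => absent }` and use it in both resources. The file resource also sets no owner/group/mode, so a freshly created suhosin.ini takes the agent's umask-derived permissions and an existing file keeps whatever mode it had; a hardening config read by Apache should pin `owner => root, group => root, mode => 644`. `Package["apache2"]` in the require list is presumably declared in the package block that starts before this hunk, and the enclosing class apache2 continues outside it.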
@@ -58,16 +72,6 @@ class apache2 {
                 "000-default": ensure => absent;
         }
 
-        case $php5suhosin {
-                "true": { file { "/etc/php5/conf.d/suhosin.ini":
-                                       source  => [ "puppet:///apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
-                                                    "puppet:///apache2/common/etc/php5/conf.d/suhosin.ini" ],
-                                       require => Package["apache2", "php5-suhosin"],
-                                        notify  => Exec["force-reload-apache2"];
-                               }
-                 }
-        }
-
        file {
                "/etc/apache2/conf.d/ressource-limits":
                        content => template("apache2/ressource-limits.erb"),
@@ -125,4 +129,35 @@ class apache2 {
                command => "/etc/init.d/apache2 force-reload",
                refreshonly => true,
        }
+        @ferm::rule { "dsa-http-limit":
+                prio            => "20",
+                description     => "limit HTTP DOS",
+                rule            => "chain 'http_limit' { mod limit limit-burst 60 limit 15/minute jump ACCEPT; jump DROP; }"
+        }
+        @ferm::rule { "dsa-http-soso":
+                prio            => "21",
+                description     => "slow yahoo spider",
+                rule            => "chain 'limit_sosospider' { mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP; jump http_limit; }"
+        }
+        @ferm::rule { "dsa-http-yahoo":
+                prio            => "21",
+                description     => "slow yahoo spider",
+                rule            => "chain 'limit_yahoo' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
+        }
+        @ferm::rule { "dsa-http-rules":
+                prio            => "22",
+                description     => "http subchain",
+                rule            => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
+        }
+        @ferm::rule { "dsa-http":
+                prio            => "23",
+                description     => "Allow web access",
+                rule            => "proto tcp dport http jump http;"
+        }
+        @ferm::rule { "dsa-http-v6":
+                domain          => "(ip6)",
+                prio            => "23",
+                description     => "Allow web access",
+                rule            => "&SERVICE(tcp, 80)"
+        }
 }
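Review bot: The IPv6 rule `dsa-http-v6` accepts port 80 unconditionally via `&SERVICE(tcp, 80)`, while the IPv4 path goes through the `http` chain with its connlimit, hashlimit and `recent` controls, so the DoS limiting this hunk introduces applies to IPv4 clients only; if that asymmetry is deliberate it deserves a comment on the v6 resource such as `# no rate limiting on v6 yet; limits in chain 'http' are v4-only`, otherwise the v6 rule should jump to an equivalent chain. `dsa-http-soso` carries a copy-pasted description, `description => "slow yahoo spider",`, although its rule builds `limit_sosospider` for the 124.115.0.0/21 range; it should read `description => "slow soso spider",`. The `http` chain jumps to `log_or_drop`, which is not defined in this hunk and is presumably provided elsewhere in the ferm module, and since all six resources are virtual (`@ferm::rule`) they take effect only where something realizes them, which is not visible here.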