# limitations under the License.
#
+include_recipe "fail2ban"
+include_recipe "munin"
+include_recipe "prometheus"
include_recipe "ssl"
package %w[
source "ports.conf.erb"
owner "root"
group "root"
- mode 0o644
+ mode "644"
+end
+
+systemd_service "apache2" do
+ dropin "chef"
+ memory_high "50%"
+ memory_max "75%"
+ notifies :restart, "service[apache2]"
end
service "apache2" do
variables :hosts => admins["hosts"]
end
-apache_module "deflate" do
- conf "deflate.conf.erb"
+apache_module "evasive" do
+ conf "evasive.conf.erb"
+ only_if { node[:apache][:evasive] }
end
-if node[:apache][:reqtimeout]
- apache_module "reqtimeout" do
- action [:enable]
- end
-else
- apache_module "reqtimeout" do
- action [:disable]
- end
+apache_module "brotli" do
+ conf "brotli.conf.erb"
+end
+
+apache_module "deflate" do
+ conf "deflate.conf.erb"
end
apache_module "headers"
template "ssl.erb"
end
+fail2ban_filter "apache-forbidden" do
+ failregex '^<ADDR> .* "[^"]*" 403 .*$'
+end
+
+fail2ban_jail "apache-forbidden" do
+ filter "apache-forbidden"
+ logpath "/var/log/apache2/access.log"
+ ports [80, 443]
+ maxretry 50
+end
+
munin_plugin "apache_accesses"
munin_plugin "apache_processes"
munin_plugin "apache_volume"
+
+template "/var/lib/prometheus/node-exporter/apache.prom" do
+ source "apache.prom.erb"
+ owner "root"
+ group "root"
+ mode "644"
+end
+
+prometheus_exporter "apache" do
+ port 9117
+ options "--scrape_uri=http://localhost/server-status?auto"
+end
projects / chef.git / blobdiff