X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/2f921f3394c98b5168666d68449d67e337c90993..c1e6343a081a3a989311deee09ecc66ba78a78f4:/cookbooks/apache/recipes/default.rb
diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index f25806fcf..b440dc388 100644
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -17,6 +17,7 @@
 # limitations under the License.
 #
+include_recipe "fail2ban"
 include_recipe "munin"
 include_recipe "prometheus"
 include_recipe "ssl"
@@ -54,6 +55,13 @@ template "/etc/apache2/ports.conf" do
 mode "644"
 end
+systemd_service "apache2" do
+ dropin "chef"
+ memory_high "50%"
+ memory_max "75%"
+ notifies :restart, "service[apache2]"
+end
+
 service "apache2" do
 action [:enable, :start]
 retries 2
@@ -71,20 +79,24 @@ apache_module "status" do
 variables :hosts => admins["hosts"]
 end
-apache_module "deflate" do
- conf "deflate.conf.erb"
-end
-
-if node[:apache][:reqtimeout]
- apache_module "reqtimeout" do
- action [:enable]
+if node[:apache][:evasive]
+ apache_module "evasive" do
+ conf "evasive.conf.erb"
 end
 else
- apache_module "reqtimeout" do
- action [:disable]
+ apache_module "evasive" do
+ action :disable
 end
 end
+apache_module "brotli" do
+ conf "brotli.conf.erb"
+end
+
+apache_module "deflate" do
+ conf "deflate.conf.erb"
+end
+
 apache_module "headers"
 apache_module "ssl"
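Review bot: In the new `systemd_service "apache2"` drop-in, `memory_max "75%"` presumably maps to systemd's MemoryMax, which is a hard limit: once the unit exceeds it the kernel OOM-kills processes inside the unit instead of throttling them as MemoryHigh does. Both percentages are literals, whereas the module toggles elsewhere in this recipe read `node[:apache][...]`, so hosts that share memory with a local database or application cannot tune the split from a role. Consider reading them from new attributes that default to these values, and add a comment such as `# cap Apache so a runaway worker pool cannot starve the rest of the host`. The `service "apache2"` block that receives the restart notification continues outside the hunk.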
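Review bot: Removing both `apache_module "reqtimeout"` branches leaves that module's state unmanaged. Nodes where the old recipe disabled it will stay disabled and the rest keep the package default, so slow-request timeouts can differ across the fleet. If the module is meant to be on everywhere, an unconditional `apache_module "reqtimeout"` next to `apache_module "headers"` would state that. If it is meant to be left alone, the now-unused `node[:apache][:reqtimeout]` attribute should be removed wherever it is defined. For the new `evasive` toggle, the thresholds live in `evasive.conf.erb`, which is not visible here, so confirm they allow for clients that share one address.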
@@ -92,11 +104,29 @@ apache_conf "ssl" do
 template "ssl.erb"
 end
+fail2ban_filter "apache-forbidden" do
+ failregex '^ .* "[^"]*" 403 .*$'
+end
+
+fail2ban_jail "apache-forbidden" do
+ filter "apache-forbidden"
+ logpath "/var/log/apache2/access.log"
+ ports [80, 443]
+ maxretry 50
+end
+
 munin_plugin "apache_accesses"
 munin_plugin "apache_processes"
 munin_plugin "apache_volume"
+template "/var/lib/prometheus/node-exporter/apache.prom" do
+ source "apache.prom.erb"
+ owner "root"
+ group "root"
+ mode "644"
+end
+
 prometheus_exporter "apache" do
 port 9117
- listen_switch "telemetry.address"
+ options "--scrape_uri=http://localhost/server-status?auto"
 end
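Review bot: The `apache-forbidden` jail bans on a bare count of 403 lines (`maxretry 50`) with no window or ban length stated, so both come from the fail2ban defaults. An address shared by many users, or a proxy in front of Apache whose address is what gets logged, could reach the threshold and be blocked on ports 80 and 443 as a whole. If the `fail2ban_jail` resource exposes the find-time and ban-time settings, set them next to `maxretry`; otherwise add a comment such as `# 50 x 403 within the default findtime; proxies must be in ignoreip`. The `logpath` covers only `/var/log/apache2/access.log`, so virtual hosts that write their own access logs would presumably not be watched. As rendered on this page the `failregex` begins with `^ ` and shows no `<HOST>`/`<ADDR>` tag, which fail2ban needs to know which address to ban; this may be an artefact of the page rendering, so check the file itself.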