X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/c1e6343a081a3a989311deee09ecc66ba78a78f4..35121a86ed40085562cb3012fa0441549b0689ec:/cookbooks/apache/recipes/default.rb diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb index b440dc388..d1a0aac1d 100644 --- a/cookbooks/apache/recipes/default.rb +++ b/cookbooks/apache/recipes/default.rb @@ -18,7 +18,6 @@ # include_recipe "fail2ban" -include_recipe "munin" include_recipe "prometheus" include_recipe "ssl" @@ -62,13 +61,6 @@ systemd_service "apache2" do notifies :restart, "service[apache2]" end -service "apache2" do - action [:enable, :start] - retries 2 - retry_delay 10 - supports :status => true, :restart => true, :reload => true -end - apache_module "info" do conf "info.conf.erb" variables :hosts => admins["hosts"] @@ -79,7 +71,7 @@ apache_module "status" do variables :hosts => admins["hosts"] end -if node[:apache][:evasive] +if node[:apache][:evasive][:enable] apache_module "evasive" do conf "evasive.conf.erb" end @@ -104,20 +96,34 @@ apache_conf "ssl" do template "ssl.erb" end +# Apache should only be started after modules enabled +service "apache2" do + action [:enable, :start] + retries 2 + retry_delay 10 + supports :status => true, :restart => true, :reload => true +end + fail2ban_filter "apache-forbidden" do - failregex '^ .* "[^"]*" 403 .*$' + action :delete end fail2ban_jail "apache-forbidden" do - filter "apache-forbidden" - logpath "/var/log/apache2/access.log" - ports [80, 443] - maxretry 50 + action :delete end -munin_plugin "apache_accesses" -munin_plugin "apache_processes" -munin_plugin "apache_volume" +fail2ban_filter "apache-evasive" do + failregex ": Blacklisting address : possible DoS attack\.$" +end + +fail2ban_jail "apache-evasive" do + filter "apache-evasive" + backend "systemd" + journalmatch "_SYSTEMD_UNIT=apache2.service SYSLOG_IDENTIFIER=mod_evasive" + ports [80, 443] + findtime "10m" + maxretry 3 +end template "/var/lib/prometheus/node-exporter/apache.prom" do source "apache.prom.erb"