Enable mod_evasive for all apache instances except render servers

diff --git a/cookbooks/apache/attributes/default.rb b/cookbooks/apache/attributes/default.rb
index 1aefe9270900a3e5eb167374fc5826c13775073b..31003d6288e060cd4648faf8ba2fdc07f1ebea4f 100644 (file)
--- a/cookbooks/apache/attributes/default.rb
+++ b/cookbooks/apache/attributes/default.rb
@@ -29,3 +29,5 @@ default[:apache][:event][:max_connections_per_child] = 0
 default[:apache][:listen_address] = "*"
 
 default[:apache][:buffered_logs] = true
+
+default[:apache][:evasive] = true

diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index 4d91da140e061d30389de52992b3edcc801bcf48..aee5dfcc87564b74dfdb9bbc624a04e1a10c583b 100644 (file)
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -78,6 +78,11 @@ apache_module "status" do
   variables :hosts => admins["hosts"]
 end
 
+apache_module "evasive" do
+  conf "evasive.conf.erb"
+  only_if { node[:apache][:evasive] }
+end
+
 apache_module "brotli" do
   conf "brotli.conf.erb"
 end

diff --git a/cookbooks/apache/templates/default/evasive.conf.erb b/cookbooks/apache/templates/default/evasive.conf.erb
new file mode 100644 (file)
index 0000000..af52666
--- /dev/null
+++ b/cookbooks/apache/templates/default/evasive.conf.erb
@@ -0,0 +1,10 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+<IfModule mod_evasive.c>
+    DOSHashTableSize    65536
+    DOSPageCount        2
+    DOSSiteCount        50
+    DOSPageInterval     1
+    DOSSiteInterval     1
+    DOSBlockingPeriod   60
+</IfModule>

diff --git a/roles/tile.rb b/roles/tile.rb
index 2a4af1a95595aa2ce42d776493cfdaebf557dd06..4c47704dcc378bbeae2361878565d2ba218ba160 100644 (file)
--- a/roles/tile.rb
+++ b/roles/tile.rb
@@ -13,6 +13,7 @@ default_attributes(
   :apache => {
     :mpm => "event",
     :timeout => 60,
+    :evasive => false,
     :event => {
       :threads_per_child => 20,
       :min_spare_threads => 300,