]> git.openstreetmap.org Git - chef.git/commitdiff
projects / chef.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3f4b1ed)
Use fail2ban to block hosts with repeated request timeouts
authorTom Hughes <tom@compton.nu>
Sun, 3 Dec 2023 20:20:21 +0000 (20:20 +0000)
committerTom Hughes <tom@compton.nu>
Sun, 3 Dec 2023 20:20:21 +0000 (20:20 +0000)
cookbooks/web/metadata.rb patch | blob | history
cookbooks/web/recipes/frontend.rb patch | blob | history

diff --git a/cookbooks/web/metadata.rb b/cookbooks/web/metadata.rb
index fc262fd5ea16333ca93f9dcb12b4347b65638f3e..a0e3e87791a3f314a5d58aa16951e6193f689cf1 100644 (file)
--- a/cookbooks/web/metadata.rb
+++ b/cookbooks/web/metadata.rb
@@ -10,6 +10,7 @@ depends           "accounts"
 depends           "apache"
 depends           "apt"
 depends           "chef"
+depends           "fail2ban"
 depends           "geoipupdate"
 depends           "git"
 depends           "memcached"
diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index f27b029c93fa8df76ec5278656ca899c982a5073..44aa0cd5b22cfdc02ce686c97a147b212e2da363 100644 (file)
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -21,6 +21,7 @@ node.default[:memcached][:ip_address] = node.internal_ipaddress || "127.0.0.1"
 
 include_recipe "memcached"
 include_recipe "apache"
+include_recipe "fail2ban"
 include_recipe "web::rails"
 include_recipe "web::cgimap"
 
@@ -64,6 +65,16 @@ template "/etc/logrotate.d/apache2" do
   mode "644"
 end
 
+fail2ban_filter "apache-request-timeout" do
+  failregex '^<ADDR> .* "-" 408 .*$'
+end
+
+fail2ban_jail "apache-request-timeout" do
+  filter "apache-request-timeout"
+  logpath "/var/log/apache2/access.log"
+  ports [80, 443]
+end
+
 if %w[database_offline database_readonly].include?(node[:web][:status])
   service "rails-jobs@mailers" do
     action :stop
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.