From: Tom Hughes Date: Mon, 11 Mar 2024 17:15:10 +0000 (+0000) Subject: Enable mod_evasive for all apache instances except render servers X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/2c9527844e884db26c83395ac4068d76507c7999 Enable mod_evasive for all apache instances except render servers --- diff --git a/cookbooks/apache/attributes/default.rb b/cookbooks/apache/attributes/default.rb index 1aefe9270..31003d628 100644 --- a/cookbooks/apache/attributes/default.rb +++ b/cookbooks/apache/attributes/default.rb @@ -29,3 +29,5 @@ default[:apache][:event][:max_connections_per_child] = 0 default[:apache][:listen_address] = "*" default[:apache][:buffered_logs] = true + +default[:apache][:evasive] = true diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb index 4d91da140..aee5dfcc8 100644 --- a/cookbooks/apache/recipes/default.rb +++ b/cookbooks/apache/recipes/default.rb @@ -78,6 +78,11 @@ apache_module "status" do variables :hosts => admins["hosts"] end +apache_module "evasive" do + conf "evasive.conf.erb" + only_if { node[:apache][:evasive] } +end + apache_module "brotli" do conf "brotli.conf.erb" end diff --git a/cookbooks/apache/templates/default/evasive.conf.erb b/cookbooks/apache/templates/default/evasive.conf.erb new file mode 100644 index 000000000..af5266685 --- /dev/null +++ b/cookbooks/apache/templates/default/evasive.conf.erb @@ -0,0 +1,10 @@ +# DO NOT EDIT - This file is being maintained by Chef + + + DOSHashTableSize 65536 + DOSPageCount 2 + DOSSiteCount 50 + DOSPageInterval 1 + DOSSiteInterval 1 + DOSBlockingPeriod 60 + diff --git a/roles/tile.rb b/roles/tile.rb index 2a4af1a95..4c47704dc 100644 --- a/roles/tile.rb +++ b/roles/tile.rb @@ -13,6 +13,7 @@ default_attributes( :apache => { :mpm => "event", :timeout => 60, + :evasive => false, :event => { :threads_per_child => 20, :min_spare_threads => 300,
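Review bot: In cookbooks/apache/recipes/default.rb the `only_if { node[:apache][:evasive] }` guard only skips the resource, so a node whose attribute later changes from true to false keeps mod_evasive loaded and keeps refusing clients until someone disables it by hand. If the `apache_module` resource has a disable action (its definition is outside this diff), choosing the action from the attribute would make the flag work in both directions, along the lines of `action node[:apache][:evasive] ? :enable : :disable` (action names assumed). A one-line comment above the resource noting that roles opt out with `:apache => { :evasive => false }` would also help the next reader.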
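Review bot: The thresholds in evasive.conf.erb are hard-coded and tight, and nothing is whitelisted: with `DOSPageCount 2` and `DOSPageInterval 1`, an address that exceeds two requests for the same URI in one second is refused for `DOSBlockingPeriod 60` seconds, which can catch monitoring probes, internal API callers, clients sharing a NAT address and, depending on how the client address is resolved, a front-end proxy. Consider reading the values from node attributes so a role can tune them rather than only switch the module off, and adding `DOSWhitelist <trusted-address>` lines for internal sources. `DOSLogDir` is also unset, so the module falls back to its default temporary directory for per-address lock files; the mod_evasive documentation advises a dedicated directory on hosts with shell users, e.g. `DOSLogDir "<dedicated-dir>"`. The template as shown on this page appears partly stripped (no enclosing `<IfModule>` lines are visible), so this is based only on the directives that survive.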
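Review bot: The `:evasive => false` override in roles/tile.rb has no explanation next to it; the reason render servers are exempt appears only in the commit subject. A short comment above the line, for example `# mod_evasive off: <reason render servers are exempt>`, would keep a later cleanup from dropping the override and putting tile traffic under the default thresholds. The `default_attributes` block continues past the end of the hunk.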