From b4c704180591e1acb8de6b1a2c96d91c1665783d Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Tue, 12 Mar 2024 12:08:59 +0000
Subject: [PATCH] apache: parameterise mod_evasive
---
cookbooks/apache/attributes/default.rb | 8 +++++++-
cookbooks/apache/recipes/default.rb | 17 +++++++++--------
.../apache/templates/default/evasive.conf.erb | 12 ++++++------
roles/prometheus.rb | 4 +++-
roles/tile.rb | 4 +++-
5 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/cookbooks/apache/attributes/default.rb b/cookbooks/apache/attributes/default.rb
index 31003d628..557085b56 100644
--- a/cookbooks/apache/attributes/default.rb
+++ b/cookbooks/apache/attributes/default.rb
@@ -30,4 +30,10 @@ default[:apache][:listen_address] = "*"
default[:apache][:buffered_logs] = true
-default[:apache][:evasive] = true
+default[:apache][:evasive][:enable] = true
+default[:apache][:evasive][:dos_hash_table_size] = 65536
+default[:apache][:evasive][:dos_page_count] = 50
+default[:apache][:evasive][:dos_site_count] = 250
+default[:apache][:evasive][:dos_page_interval] = 1
+default[:apache][:evasive][:dos_site_interval] = 1
+default[:apache][:evasive][:dos_blocking_period] = 60
diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index 0a8962b53..6fdafa02e 100644
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -62,13 +62,6 @@ systemd_service "apache2" do
notifies :restart, "service[apache2]"
end
-service "apache2" do
- action [:enable, :start]
- retries 2
- retry_delay 10
- supports :status => true, :restart => true, :reload => true
-end
-
apache_module "info" do
conf "info.conf.erb"
variables :hosts => admins["hosts"]
@@ -79,7 +72,7 @@ apache_module "status" do
variables :hosts => admins["hosts"]
end
-if node[:apache][:evasive]
+if node[:apache][:evasive][:enable]
apache_module "evasive" do
conf "evasive.conf.erb"
end
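Review bot: Replacing the boolean `default[:apache][:evasive]` with a hash changes the failure mode for any attribute source still setting the old scalar: a role, environment or node-level `:evasive => false` not updated alongside roles/prometheus.rb and roles/tile.rb would, under Chef's attribute merge, replace the whole hash, and the recipe's `node[:apache][:evasive][:enable]` would then raise NoMethodError on `false` instead of simply disabling the module. It is worth grepping the other attribute sources for the scalar form before merging. The new tunables would also benefit from a units comment, since mis-reading an interval as milliseconds silently weakens the DoS protection: `# mod_evasive thresholds: *_count are requests per interval, *_interval and dos_blocking_period are seconds`.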
@@ -104,6 +97,14 @@ apache_conf "ssl" do
template "ssl.erb"
end
+# Apache should only be started after modules enabled
+service "apache2" do
+ action [:enable, :start]
+ retries 2
+ retry_delay 10
+ supports :status => true, :restart => true, :reload => true
+end
+
fail2ban_filter "apache-forbidden" do
action :delete
end
diff --git a/cookbooks/apache/templates/default/evasive.conf.erb b/cookbooks/apache/templates/default/evasive.conf.erb
index ef5607679..2670f3e15 100644
--- a/cookbooks/apache/templates/default/evasive.conf.erb
+++ b/cookbooks/apache/templates/default/evasive.conf.erb
@@ -1,10 +1,10 @@
# DO NOT EDIT - This file is being maintained by Chef
- DOSHashTableSize 65536
- DOSPageCount 50
- DOSSiteCount 250
- DOSPageInterval 1
- DOSSiteInterval 1
- DOSBlockingPeriod 60
+ DOSHashTableSize <%= node[:apache][:evasive][:dos_hash_table_size] %>
+ DOSPageCount <%= node[:apache][:evasive][:dos_page_count] %>
+ DOSSiteCount <%= node[:apache][:evasive][:dos_site_count] %>
+ DOSPageInterval <%= node[:apache][:evasive][:dos_page_interval] %>
+ DOSSiteInterval <%= node[:apache][:evasive][:dos_site_interval] %>
+ DOSBlockingPeriod <%= node[:apache][:evasive][:dos_blocking_period] %>
diff --git a/roles/prometheus.rb b/roles/prometheus.rb
index 8828a40e5..0f83e8201 100644
--- a/roles/prometheus.rb
+++ b/roles/prometheus.rb
@@ -3,7 +3,9 @@ description "Role applied to all prometheus servers"
default_attributes(
:apache => {
- :evasive => false
+ :evasive => {
+ :enable => false
+ }
}
)
diff --git a/roles/tile.rb b/roles/tile.rb
index 4c47704dc..b5ab16932 100644
--- a/roles/tile.rb
+++ b/roles/tile.rb
@@ -13,7 +13,9 @@ default_attributes(
:apache => {
:mpm => "event",
:timeout => 60,
- :evasive => false,
+ :evasive => {
+ :enable => false
+ },
:event => {
:threads_per_child => 20,
:min_spare_threads => 300,
--
2.45.1
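Review bot: The attribute values are interpolated verbatim into the Apache configuration on each of the six new directive lines, so a nil or non-numeric value (a typo or a "60s"-style unit slip in a role) renders an invalid directive and Apache refuses to start or reload, turning a configuration mistake into an outage of the very service mod_evasive is meant to protect. Coercing at render time, e.g. `DOSPageCount <%= Integer(node[:apache][:evasive][:dos_page_count]) %>` on each directive, makes the template resource fail before the file is written and leaves the running configuration untouched. The directives are indented, so they presumably sit inside a wrapper block whose lines are not visible in this view.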