added ssl/qos suport

Author: abessiari

docker-vars.yaml

@@ -9,4 +9,4 @@ repo_map:
 
 tag: latest 
 docker_hub_user: "{{ lookup('env', 'USER')|lower }}"
-apache_proxy_image: geneontology/apache-proxy:v2
+apache_proxy_image: geneontology/apache-proxy:v3

files/qos-noop.conf

@@ -0,0 +1,13 @@
+<IfModule qos_module>
+  # minimum request rate (bytes/sec at request reading):
+  #QS_SrvRequestRate                                 120
+
+  # limits the connections for this virtual host:
+  #QS_SrvMaxConn                                     100
+
+  # allows keep-alive support till the server reaches 600 connections:
+  #QS_SrvMaxConnClose                                600
+
+  # allows max 50 connections from a single ip address:
+  #QS_SrvMaxConnPerIP                                 50
+</IfModule>

production/README.md

@@ -1,5 +1,6 @@
 # Noctua Production Deployment
 
+
 This repository enables the deployment of the noctua stack to AWS. It includes 
 minerva, barista, and noctua and it points to an external amigo instance.     
 
@@ -8,14 +9,18 @@ minerva, barista, and noctua and it points to an external amigo instance.
     - vars.yaml
     - docker-vars.yaml
     - s3-vars.yaml
+    - ssl-vars.yaml
     - stage.yaml
+    - qos-vars.yaml
     - start_services.yaml
 
 ## Artifacts Deployed To Staging directory On AWS:
   - blazegraph.jnl
   - Cloned repositories:
     - noctua-form, noctua-landing-page, noctua-models, go-site and noctua-visual-pathway-editor.
   - s3 credentials used to push apache logs to s3 buckets
+  - s3 credentials used to download ssl credentials from s3 buckets
+  - qos.conf and robots.txt for apache mitigation
   - github OAUTH client id and secret
   - docker-production-compose and various configuration files from template directory
 
@@ -79,7 +84,9 @@ Check list:
 - [ ] <b>Make DNS names for barista and noctua point to public ip address on AWS Route 53.</b> 
 - [ ] Location of SSH keys need to be replaced after copying config-stack.yaml.sample
 - [ ] Github credentials will need to be replaced in config-stack.yaml.sample
-- [ ] s3 credntials are placed in a file using format described above
+- [ ] s3 credentials are placed in a file using format described above
+- [ ] s3 uri if ssl is enabled. Location of ssl certs/key
+- [ ] qos mitigation if qos is enabled
 - [ ] Location of blazegraph.jnl. This assumes you have generated the journal using steps above
 - [ ] Use same workspace name as in previous step
 - [ ] Remember you can use the -dry-run option

production/config-instance.yaml.sample

@@ -9,4 +9,5 @@ instance:
     open_ports:
        - 80
        - 22
+       - 443
     disk_size: 100 

production/config-stack.yaml.sample

@@ -14,16 +14,11 @@ stack:
      docker_hub_user: geneontology
      tag: v2 
 
-     # For production the proxy will listen on port 80
-     noctua_proxy_port: 80
-
      # DNS hostname for noctua
      noctua_host: aes-test-noctua.geneontology.io
-     noctua_lookup_url: http://aes-test-noctua.geneontology.io
 
      # DNS hostname for barista
      barista_lookup_host: aes-test-barista.geneontology.io
-     barista_lookup_url: http://aes-test-barista.geneontology.io
 
      # url for golr 
      golr_lookup_url: http://noctua-golr.berkeleybop.org 
@@ -32,6 +27,16 @@ stack:
      S3_CRED_FILE: REPLACE_ME
      S3_BUCKET: go-service-logs
 
+     # Used to download ssl credentials from s3 buckets. (full s3 uri .tar.gz)
+     USE_SSL: 1
+     S3_SSL_CRED_FILE: REPLACE_ME
+     S3_SSL_CERTS_LOCATION: REPLACE_ME
+
+     # Enable QOS
+     USE_QOS: 1
+     QS_ClientEventBlockCount: "350 300"
+     QS_ClientEventBlockExcludeIP: "REPLACE_ME_ADDR1 REPLACE_ME_ADDR2"
+
      # OAUTH
      github_client_id: 'REPLACE_ME'
      github_client_secret: 'REPLACE_ME'

qos-vars.yaml

@@ -0,0 +1,11 @@
+---
+###############
+# download ssl certs
+################
+USE_QOS: 1 
+QS_ClientEntries 200000
+QS_SrvMaxConnPerIP: 50
+QS_ClientEventPerSecLimit: 150
+QS_ClientEventRequestLimit: 150
+QS_ClientEventBlockCount: "350 300"
+QS_ClientEventBlockExcludeIP: "9.9.9.9"

ssl-vars.yaml

@@ -0,0 +1,8 @@
+---
+###############
+# download ssl certs
+################
+USE_SSL: 0 
+S3_SSL_CERTS_LOCATION: REPLACE_ME 
+S3_SSL_CRED_FILE: REPLACE_ME
+

stage.yaml

@@ -3,6 +3,8 @@
   - vars.yaml
   - docker-vars.yaml
   - s3-vars.yaml
+  - ssl-vars.yaml
+  - qos-vars.yaml
 
   tasks:
   - name: Create stage directories
@@ -13,13 +15,7 @@
       - conf
       - barista
       - httpd-confs
-
-  - name: install configs from templates directory
-    template:
-      src: '{{ item.file }}'
-      dest: '{{ stage_dir }}/{{ item.dir }}'
-    with_items:
-      - { file: 'httpd.conf', dir: 'httpd-confs' }
+      - credentials
 
   - name: Check if repo is staged
     stat:
@@ -53,14 +49,42 @@
           - { file: 'httpd-vhosts-prod-noctua.conf', dir: 'httpd-confs' }
           - { file: 'github.yaml', dir: 'barista' }
           - { file: 'startup.yaml', dir: 'conf' }
+
+      - name: install ssl configs from templates directory
+        template:
+          src: '{{ item.file }}'
+          dest: '{{ stage_dir }}/{{ item.dir }}'
+        with_items:
+          - { file: 'httpd-vhosts-prod-barista-ssl.conf', dir: 'httpd-confs' }
+          - { file: 'httpd-vhosts-prod-noctua-ssl.conf', dir: 'httpd-confs' }
+        when: USE_SSL | bool
+
+      - name: install qos config from templates directory
+        template:
+          src: qos.conf
+          dest: '{{ stage_dir }}/qos.conf'
+        when: USE_QOS | bool
+
       - name: copy s3cfg
         copy:
           src: "{{ S3_CRED_FILE }}"
-          dest: "{{ stage_dir }}/s3cfg"
+          dest: "{{ stage_dir }}/credentials/s3cfg"
+
+      - name: copy s3cfg
+        copy:
+          src: "{{ S3_SSL_CRED_FILE }}"
+          dest: "{{ stage_dir }}/credentials/ssl-s3cfg"
+
+      - name: copy noop qos.conf 
+        copy:
+          src: "files/qos-noop.conf"
+          dest: '{{ stage_dir }}/qos.conf'
+        when: not USE_QOS | bool
+
       - name: copy robots.txt 
         copy:
           src: "files/robots.txt"
-          dest: "{{ stage_dir }}/httpd-confs/robots.txt"
+          dest: "{{ stage_dir }}/robots.txt"
       - name: copy blazegraph.jnl 
         copy:
           src: "{{ BLAZEGRAPH_JOURNAL }}"

templates/docker-compose-production.yaml

@@ -56,17 +56,19 @@ services:
     container_name: apache_noctua
     image: {{ apache_proxy_image }}
     volumes:
-      - {{ stage_dir }}/httpd-confs/httpd-vhosts-prod-noctua.conf:/etc/apache2/sites-enabled/httpd-vhosts-noctua.conf
-      - {{ stage_dir }}/httpd-confs/httpd-vhosts-prod-barista.conf:/etc/apache2/sites-enabled/httpd-vhosts-barista.conf
-      - {{ stage_dir }}/httpd-confs/robots.txt:/var/www/html/robots.txt
+      - {{ stage_dir }}/httpd-confs:/etc/apache2/sites-enabled
+      - {{ stage_dir }}/qos.conf:/etc/apache2/mods-enabled/qos.conf
+      - {{ stage_dir }}/robots.txt:/var/www/html/robots.txt
       - {{ stage_dir }}/apache_logs:/var/log/apache2
-      - {{ stage_dir }}/s3cfg:/opt/credentials/s3cfg
+      - {{ stage_dir }}/credentials:/opt/credentials
     ports:
-      - "{{ noctua_proxy_port }}:80"
+      - "80:80"
+      - "443:443"
     environment:
-      - USE_S3=1
       - S3_PATH={{ S3_PATH }}/noctua
       - S3_BUCKET={{ S3_BUCKET }}
+      - USE_SSL={{ USE_SSL }}
+      - S3_SSL_CERTS_LOCATION={{ S3_SSL_CERTS_LOCATION }}
     init: true
     restart: unless-stopped
     depends_on:

templates/httpd-vhosts-amigo.conf

@@ -1,6 +1,6 @@
 <VirtualHost *:80>
-    ErrorLog "/var/log/apache2/amigo-error_log"
-    CustomLog "/var/log/apache2/amigo-access_log" common
+    ErrorLog "/var/log/apache2/amigo-error.log"
+    CustomLog "/var/log/apache2/amigo-access.log" common
     ProxyPass / http://amigo:8080/
     ProxyPassReverse / http://amigo:8080/
     RewriteEngine on

templates/httpd-vhosts-barista.conf

@@ -1,6 +1,6 @@
 <VirtualHost *:80>
-    ErrorLog "/var/log/apache2/barista-error_log"
-    CustomLog "/var/log/apache2/barista-access_log" common
+    ErrorLog "/var/log/apache2/barista-error.log"
+    CustomLog "/var/log/apache2/barista-access.log" common
     ProxyPass / http://barista:3400/
     ProxyPassReverse / http://barista:3400/
 </VirtualHost>

templates/httpd-vhosts-golr.conf

@@ -1,6 +1,6 @@
 <VirtualHost *:80>
-    ErrorLog "/var/log/apache2/solr-error_log"
-    CustomLog "/var/log/apache2/solr-access_log" common
+    ErrorLog "/var/log/apache2/solr-error.log"
+    CustomLog "/var/log/apache2/solr-access.log" common
     ProxyPass / http://golr:8080/
     ProxyPassReverse / http://golr:8080/
     RewriteEngine on

templates/httpd-vhosts-noctua.conf

@@ -1,6 +1,6 @@
 <VirtualHost *:80>
-    ErrorLog "/var/log/apache2/noctua-error_log"
-    CustomLog "/var/log/apache2/noctua-access_log" common
+    ErrorLog "/var/log/apache2/noctua-error.log"
+    CustomLog "/var/log/apache2/noctua-access.log" common
     ProxyPass / http://noctua:8910/
     ProxyPassReverse / http://noctua:8910/
 </VirtualHost>

templates/httpd-vhosts-prod-barista-ssl.conf

@@ -0,0 +1,38 @@
+<VirtualHost *:443>
+    ServerAdmin admin@localhost
+    ServerName {{ barista_lookup_host  }}
+    ServerAlias {{ barista_lookup_host_alias }}
+
+    Alias /robots.txt /var/www/html/robots.txt
+    RewriteEngine On
+    RewriteRule ^/robots.txt /robots.txt
+
+    ## Get aggressive with badly behaving bots.
+    RewriteCond %{HTTP_USER_AGENT}  ^.*Adsbot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*AhrefsBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*Amazonbot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*Applebot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*BingBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*DotBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*Googlebot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*infotiger.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*MauiBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*PetalBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*semrush.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*WhatWeb.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*WhatWeb.*$
+    RewriteRule . - [R=403,L]
+
+
+    ErrorLog "/var/log/apache2/barista-error.log"
+    CustomLog "/var/log/apache2/barista-access.log" common
+    ## Proxy.
+    ProxyPreserveHost On
+    ProxyRequests Off
+    ProxyPass / http://barista:3400/
+    ProxyPassReverse / http://barista:3400/
+
+    SSLEngine on
+    SSLCertificateFile /opt/credentials/fullchain.pem
+    SSLCertificateKeyFile /opt/credentials/privkey.pem
+</VirtualHost>

templates/httpd-vhosts-prod-barista.conf

@@ -24,8 +24,8 @@
     RewriteRule . - [R=403,L]
 
 
-    ErrorLog "/var/log/apache2/barista-error_log"
-    CustomLog "/var/log/apache2/barista-access_log" common
+    ErrorLog "/var/log/apache2/barista-error.log"
+    CustomLog "/var/log/apache2/barista-access.log" common
     ## Proxy.
     ProxyPreserveHost On
     ProxyRequests Off

templates/httpd-vhosts-prod-noctua-ssl.conf

@@ -0,0 +1,41 @@
+<VirtualHost *:443>
+    ServerAdmin admin@localhost
+    ServerName {{ noctua_host }}
+    ServerAlias {{ noctua_host_alias }}
+
+    ## Setup robots.txt.
+    DocumentRoot /var/www/html
+    Alias /robots.txt /var/www/html/robots.txt
+    RewriteEngine On
+    RewriteRule ^/robots.txt /robots.txt
+
+    ## Get aggressive with badly behaving bots.
+    RewriteCond %{HTTP_USER_AGENT}  ^.*Adsbot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*AhrefsBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*Amazonbot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*Applebot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*BingBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*DotBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*Googlebot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*infotiger.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*MauiBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*PetalBot.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*semrush.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*WhatWeb.*$ [OR]
+    RewriteCond %{HTTP_USER_AGENT}  ^.*WhatWeb.*$
+    RewriteRule . - [R=403,L]
+
+
+    ErrorLog "/var/log/apache2/noctua-error.log"
+    CustomLog "/var/log/apache2/noctua-access.log" common
+
+    ## Proxy.
+    ProxyPreserveHost On
+    ProxyRequests Off
+    ProxyPass / http://noctua:8910/
+    ProxyPassReverse / http://noctua:8910/
+
+    SSLEngine on
+    SSLCertificateFile /opt/credentials/fullchain.pem
+    SSLCertificateKeyFile /opt/credentials/privkey.pem
+</VirtualHost>

templates/httpd-vhosts-prod-noctua.conf

@@ -26,8 +26,8 @@
     RewriteRule . - [R=403,L]
 
 
-    ErrorLog "/var/log/apache2/noctua-error_log"
-    CustomLog "/var/log/apache2/noctua-access_log" common
+    ErrorLog "/var/log/apache2/noctua-error.log"
+    CustomLog "/var/log/apache2/noctua-access.log" common
 
     ## Proxy.
     ProxyPreserveHost On