apache: parameterise mod_evasive

Firefishy · Firefishy · commit b4c704180591 · 2024-03-12T12:08:59.000Z
diff --git a/cookbooks/apache/attributes/default.rb b/cookbooks/apache/attributes/default.rb
@@ -30,4 +30,10 @@
 
 default[:apache][:buffered_logs] = true
 
-default[:apache][:evasive] = true
+default[:apache][:evasive][:enable] = true
+default[:apache][:evasive][:dos_hash_table_size] =  65536
+default[:apache][:evasive][:dos_page_count]      =  50
+default[:apache][:evasive][:dos_site_count]      =  250
+default[:apache][:evasive][:dos_page_interval]   =  1
+default[:apache][:evasive][:dos_site_interval]   =  1
+default[:apache][:evasive][:dos_blocking_period] =  60
diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
@@ -62,13 +62,6 @@
   notifies :restart, "service[apache2]"
 end
 
-service "apache2" do
-  action [:enable, :start]
-  retries 2
-  retry_delay 10
-  supports :status => true, :restart => true, :reload => true
-end
-
 apache_module "info" do
   conf "info.conf.erb"
   variables :hosts => admins["hosts"]
@@ -79,7 +72,7 @@
   variables :hosts => admins["hosts"]
 end
 
-if node[:apache][:evasive]
+if node[:apache][:evasive][:enable]
   apache_module "evasive" do
     conf "evasive.conf.erb"
   end
@@ -104,6 +97,14 @@
   template "ssl.erb"
 end
 
+# Apache should only be started after modules enabled
+service "apache2" do
+  action [:enable, :start]
+  retries 2
+  retry_delay 10
+  supports :status => true, :restart => true, :reload => true
+end
+
 fail2ban_filter "apache-forbidden" do
   action :delete
 end
diff --git a/cookbooks/apache/templates/default/evasive.conf.erb b/cookbooks/apache/templates/default/evasive.conf.erb
@@ -1,10 +1,10 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
 <IfModule mod_evasive20.c>
-    DOSHashTableSize    65536
-    DOSPageCount        50
-    DOSSiteCount        250
-    DOSPageInterval     1
-    DOSSiteInterval     1
-    DOSBlockingPeriod   60
+    DOSHashTableSize <%= node[:apache][:evasive][:dos_hash_table_size] %>
+    DOSPageCount <%= node[:apache][:evasive][:dos_page_count] %>
+    DOSSiteCount <%= node[:apache][:evasive][:dos_site_count] %>
+    DOSPageInterval <%= node[:apache][:evasive][:dos_page_interval] %>
+    DOSSiteInterval <%= node[:apache][:evasive][:dos_site_interval] %>
+    DOSBlockingPeriod <%= node[:apache][:evasive][:dos_blocking_period] %>
 </IfModule>
diff --git a/roles/prometheus.rb b/roles/prometheus.rb
@@ -3,7 +3,9 @@
 
 default_attributes(
   :apache => {
-    :evasive => false
+    :evasive => {
+      :enable => false
+    }
   }
 )
 
diff --git a/roles/tile.rb b/roles/tile.rb
@@ -13,7 +13,9 @@
   :apache => {
     :mpm => "event",
     :timeout => 60,
-    :evasive => false,
+    :evasive => {
+      :enable => false
+    },
     :event => {
       :threads_per_child => 20,
       :min_spare_threads => 300,

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,9 @@`
`3`	`3`
`4`	`4`	`default_attributes(`
`5`	`5`	`:apache => {`
`6`		`- :evasive => false`
	`6`	`+ :evasive => {`
	`7`	`+ :enable => false`
	`8`	`+ }`
`7`	`9`	`}`
`8`	`10`	`)`
`9`	`11`