Smalyshev has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/365821 )

Change subject: Enable banning clients by IP by setting wdqs::gui::bad_clients
......................................................................

Enable banning clients by IP by setting wdqs::gui::bad_clients

Banned clients will be given a 403 response.

Bug: T170860
Change-Id: I131bebfa198c202aade4e3b68bec24b596672512
---
M hieradata/role/common/wdqs.yaml
M modules/wdqs/manifests/gui.pp
A modules/wdqs/templates/bad_clients.erb
M modules/wdqs/templates/nginx.erb
4 files changed, 13 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/21/365821/1

diff --git a/hieradata/role/common/wdqs.yaml b/hieradata/role/common/wdqs.yaml
index 1dbf8d2..b59e5d4 100644
--- a/hieradata/role/common/wdqs.yaml
+++ b/hieradata/role/common/wdqs.yaml
@@ -9,3 +9,4 @@
 debdeploy::grains:
   debdeploy-wdqs:
     value: standard
+wdqs::gui::bad_clients: []
\ No newline at end of file
diff --git a/modules/wdqs/manifests/gui.pp b/modules/wdqs/manifests/gui.pp
index 66eb659..8c98f1f 100644
--- a/modules/wdqs/manifests/gui.pp
+++ b/modules/wdqs/manifests/gui.pp
@@ -12,9 +12,15 @@
     $package_dir = $::wdqs::package_dir,
     $port = 80,
     $additional_port = 8888,
+    $bad_clients = undef,
 ) {
+    file { '/etc/nginx/bad_clients.conf':
+        content => template('wdqs/bad_clients.erb'),
+    }
+
     ::nginx::site { 'wdqs':
         content => template('wdqs/nginx.erb'),
+        require => File['/etc/nginx/bad_clients.conf']
     }
 
     # The directory for operator-controlled nginx flags
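Review bot: The new parameter defaults to `undef` (`$bad_clients = undef,`), but bad_clients.erb calls `@bad_clients.each`, so a catalog compiled without the hiera key would fail on nil; `$bad_clients = [],` would match the hiera default. The `file` resource is only ordered before the site through `require`, and nothing visible here reloads nginx when the list changes, so a newly added ban may not take effect until the next unrelated reload. A `notify` from the file to the nginx service would close that gap, assuming that service resource is reachable from this class. The file also declares no `owner`, `group` or `mode`. The class body starts and continues outside the hunk.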
diff --git a/modules/wdqs/templates/bad_clients.erb 
b/modules/wdqs/templates/bad_clients.erb
new file mode 100644
index 0000000..e1ab601
--- /dev/null
+++ b/modules/wdqs/templates/bad_clients.erb
@@ -0,0 +1,4 @@
+<% @bad_clients.each -%>
+<% |client| { %> 
+deny <%= client %>;
+<% } -%>
\ No newline at end of file
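Review bot: The loop in this template does not parse as Ruby, because `each` and `|client| {` sit in separate tags and `each |client| {` is not a valid block opener even when joined. The loop should read `<% @bad_clients.each do |client| -%>`, `deny <%= client %>;`, `<% end -%>`. Each entry is written verbatim into the nginx configuration, so a value that is not a plain address or CIDR range (for example one containing `;`) would produce extra or broken directives. Validating the entries in the manifest before rendering keeps a typo in hiera from breaking the nginx reload.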
diff --git a/modules/wdqs/templates/nginx.erb b/modules/wdqs/templates/nginx.erb
index 6e047be..7b91b25 100644
--- a/modules/wdqs/templates/nginx.erb
+++ b/modules/wdqs/templates/nginx.erb
@@ -54,6 +54,8 @@
     rewrite ^/sparql$ /bigdata/namespace/wdq/sparql last;
 
     location ~ ^/bigdata/(namespace/wdq/sparql|ldf|assets) {
+        include /etc/nginx/bad_clients.conf;
+
         if ( $uri ~ ^/bigdata/assets ) {
             add_header Cache-Control "public, max-age=604800, s-maxage=604800";
         }
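Review bot: `deny` matches the address nginx sees for the connection, so if this server sits behind a cache or load balancer the rules in `/etc/nginx/bad_clients.conf` are compared against the proxy address rather than the original client, unless the real-IP module is configured; nothing in this hunk shows which is the case. The include is placed only in the `/bigdata/...` location, so a banned client can still reach the other locations of the site, which is worth recording in a comment such as `# deny rules apply to the query endpoints only`. The location block continues outside the hunk.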

-- 
To view, visit https://gerrit.wikimedia.org/r/365821
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I131bebfa198c202aade4e3b68bec24b596672512
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Smalyshev <[email protected]>
