opendev/puppet-zuul
Code Issues Proposed changes

Allow for ability to block status.json referers

Browse Source 
This adds a parameter that takes a list of HTTP referers to status.json
to block. Useful for blocking hosts that are DOSing zuul.

Change-Id: I410e919ee7e2e4491d1cea40d9f3c0af4c6c86cb
This commit is contained in:
Clark Boylan 2015-04-07 15:34:25 -07:00
parent 7dc84053fe
commit e158c98edd
2 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
manifests/init.pp
View File

@ -51,6 +51,7 @@ class zuul (
$proxy_ssl_cert_file_contents = '', $proxy_ssl_cert_file_contents = '',
$proxy_ssl_key_file_contents = '', $proxy_ssl_key_file_contents = '',
$proxy_ssl_chain_file_contents = '', $proxy_ssl_chain_file_contents = '',
$block_referers = [],
) { ) {
include apache include apache
include pip include pip

8
templates/zuul.vhost.erb
View File

@ -19,6 +19,10 @@
CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
RewriteEngine on RewriteEngine on
<% @block_referers.each do |referer| -%>
RewriteCond %{HTTP_REFERER} =<%= referer %>
RewriteRule ^/status.json - [F]
<% end -%>
RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P] RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P]
AddOutputFilterByType DEFLATE application/json AddOutputFilterByType DEFLATE application/json
@ -79,6 +83,10 @@
CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
RewriteEngine on RewriteEngine on
<% @block_referers.each do |referer| -%>
RewriteCond %{HTTP_REFERER} =<%= referer %>
RewriteRule ^/status.json - [F]
<% end -%>
RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P] RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P]
AddOutputFilterByType DEFLATE application/json AddOutputFilterByType DEFLATE application/json