add option to disable apache ddos prevention

2420561d · Sven enniK · df549146 · 2420561d · 2420561d
Commit 2420561d authored Jun 09, 2020 by Sven enniK
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

salt/freifunk/base/apache2/init.sls salt/freifunk/base/apache2/init.sls +13 -1

salt/freifunk/base/uci/etc/config/ffdd salt/freifunk/base/uci/etc/config/ffdd +2 -0

No files found.
--- a/salt/freifunk/base/apache2/init.sls
+++ b/salt/freifunk/base/apache2/init.sls
+{%- set apache_ddos_prevent = salt['cmd.shell']('/usr/local/sbin/uci -qX get ffdd.sys.apache_ddos_prevent') %}
+
 {# Apache2 Webserver #}
 apache2:
  pkg.installed:
@@ -5,7 +7,6 @@ apache2:
    - names:
      - apache2
      - apache2-utils
-      - libapache2-mod-evasive
      - libapache2-mod-fcgid
      - libapache2-mod-auth-plain
      - libapache2-mod-authnz-pam
@@ -33,6 +34,7 @@ apache2:
      - apache2_mod_disable
      - apache2_mod_enable
      - apache2_mod_php
+      - libapache2-mod-evasive
    - require:
      - pkg: apache2
      - service: S40network
@@ -43,6 +45,16 @@ apache2:
      - apache2_site_enable_freifunk


+{% if apache_ddos_prevent == '1' %}
+libapache2-mod-evasive:
+  pkg.installed:
+    - refresh: True
+{% else %}
+libapache2-mod-evasive:
+  pkg.removed
+{% endif %}
+
+
 {# disable default page #}
 apache2_site_disable_default:
  apache_site.disabled:

--- a/salt/freifunk/base/uci/etc/config/ffdd
+++ b/salt/freifunk/base/uci/etc/config/ffdd
@@ -40,6 +40,8 @@ config 'ffdd' 'sys'
 	# To disable tunneled clear text passwords and allow only pub-key auth.
 	option 'ssh_pwauth' '1'

+	option 'apache_ddos_prevent' '1'
+
 	# DNS-Server
 	list 'default_dns' '194.150.168.168'
 	list 'default_dns' '46.182.19.48'