From d89fe1b590ccfbc6d88b7d304c2fb84889004e54 Mon Sep 17 00:00:00 2001
From: Chris Croome <chris@webarchitects.co.uk>
Date: Mon, 13 May 2019 15:49:12 +0100
Subject: [PATCH] support for ratelimit added

---
 .gitignore                    |  2 +
 README.md                     |  5 ++-
 tasks/main.yml                | 70 ++++++++++++++++++++++-------------
 templates/envvars.j2          |  3 +-
 templates/mpm_prefork.conf.j2 |  1 +
 templates/ratelimit.conf.j2   | 15 ++++++++
 templates/webarch.conf.j2     |  2 +
 7 files changed, 70 insertions(+), 28 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 templates/ratelimit.conf.j2

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0f05cf3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+*.retry
+*.swp
diff --git a/README.md b/README.md
index 965473f..a35566c 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ To use this role you need to use Ansible Galaxy to install it into another repos
 To pull this repo in run:
 
 ```bash
-ansible-galaxy install -r requirements.yml --force -p roles 
+ansible-galaxy install -r requirements.yml --force -p galaxy/roles 
 ```
 
 The other repo should also contain a `.yml` file that contains something like this:
@@ -37,6 +37,7 @@ The other repo should also contain a `.yml` file that contains something like th
       - mime
       - rewrite
       - ssl
+      - mpm_event
     apache_mods_disabled:
       - suexec
       - mpm-itk
@@ -49,6 +50,8 @@ The other repo should also contain a `.yml` file that contains something like th
     apache_ulimit: 65536
     apache_mpm_max_request_workers: 128
     apache_mpm_max_connections_per_child: 10000
+    apache_apache_rate_limit: 64
+    apache_rate_initial_burst: 256
 
   roles:
     - apache
diff --git a/tasks/main.yml b/tasks/main.yml
index ecc23a7..b23e2a5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -17,24 +17,47 @@
     mode: 0755
     owner: root
     group: root
+  tags:
+    - apache
 
-- name: Apache ITK MPM package present
+- name: Apache ITK MPM package absent
   apt:
     pkg:
       - libapache2-mpm-itk
-    state: present
+    state: absent
     update_cache: false
-  when: apache_mods_enabled is defined and "mpm-itk" in apache_mods_enabled
+  when: ( apache_mods_enabled is defined ) and ( "mpm-itk" in apache_mods_disabled )
   tags:
     - apache
 
-- name: Apache ITK MPM package absent
+- name: Apache ITK MPM configuration
+  block:
+
+    - name: Apache ITK MPM package present
+      apt:
+        pkg:
+          - libapache2-mpm-itk
+        state: present
+        update_cache: false
+      tags:
+        - apache
+
+    - name: Apache mpm_prefork.conf in place
+      template:
+        src: templates/mpm_prefork.conf.j2
+        dest: /etc/apache2/mods-available/mpm_prefork.conf
+      tags:
+        - apache
+
+  when: ( apache_mods_enabled is defined ) and ( "mpm-itk" in apache_mods_enabled )
+
+- name: Apache suEXEC package absent
   apt:
     pkg:
-      - libapache2-mpm-itk
+      - apache2-suexec-pristine
     state: absent
     update_cache: false
-  when: apache_mods_enabled is defined and "mpm-itk" in apache_mods_disabled
+  when: ( apache_mods_enabled is defined ) and ( "suexec" in apache_mods_disabled )
   tags:
     - apache
 
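Review bot: The `when` on "Apache ITK MPM package absent" and on "Apache suEXEC package absent" guards with `apache_mods_enabled is defined` but then reads `apache_mods_disabled`. An inventory that sets only the enabled list would likely fail the conditional on an undefined variable rather than skip the task. The guard should test the variable it uses, e.g. `when: ( apache_mods_disabled is defined ) and ( "mpm-itk" in apache_mods_disabled )`, and likewise for `"suexec"`. The "Apache FastCGI absent" task in the next hunk has the same mismatched guard. These packages control per-site privilege separation, so it is worth making their install and removal conditions unambiguous.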
@@ -44,17 +67,17 @@
       - apache2-suexec-pristine
     state: present
     update_cache: false
-  when: apache_mods_enabled is defined and "suexec" in apache_mods_enabled
+  when: ( apache_mods_enabled is defined ) and ( "suexec" in apache_mods_enabled )
   tags:
     - apache
 
-- name: Apache suEXEC package absent
+- name: Apache FastCGI absent
   apt:
     pkg:
-      - apache2-suexec-pristine
+      - libapache2-mod-fcgid
     state: absent
     update_cache: false
-  when: apache_mods_enabled is defined and "suexec" in apache_mods_disabled
+  when: ( apache_mods_enabled is defined ) and ( "fcgid" not in apache_mods_disabled )
   tags:
     - apache
 
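Review bot: The condition on "Apache FastCGI absent" is inverted. `"fcgid" not in apache_mods_disabled` removes `libapache2-mod-fcgid` whenever fcgid is not listed as disabled. With fcgid in `apache_mods_enabled`, this task removes the package and the "present" task that follows reinstalls it on every run. The test should match the other "absent" tasks: `when: ( apache_mods_disabled is defined ) and ( "fcgid" in apache_mods_disabled )`. The "present" counterpart starts before this hunk, so only its tail is visible here.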
@@ -64,22 +87,24 @@
       - libapache2-mod-fcgid
     state: present
     update_cache: false
-  when: apache_mods_enabled is defined and "fcgid" in apache_mods_enabled
+  when: ( apache_mods_enabled is defined ) and ( "fcgid" in apache_mods_enabled )
   tags:
     - apache
 
-- name: Apache FastCGI absent
-  apt:
-    pkg:
-      - libapache2-mod-fcgid
-    state: absent
-    update_cache: false
-  when: apache_mods_enabled is defined and "fcgid" not in apache_mods_disabled
+- name: Apache ratelimit conf present
+  template:
+    src: templates/ratelimit.conf.j2
+    dest: /etc/apache2/mods-available/ratelimit.conf
+  when: ( apache_mods_enabled is defined ) and ( "ratelimit" in apache_mods_enabled )
+  tags:
+    - apache
 
 - name: Check we we have a HTTPS cert
   stat:
     path: "/etc/ssl/le/{{ inventory_hostname }}.cert.pem"
   register: apache_cert
+  tags:
+    - apache
 
 - name: Conditionally include Webarchitects config
   include_tasks: webarch.yml
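Review bot: The new "Apache ratelimit conf present" template task sets no `owner`, `group` or `mode`, so the permissions of a newly created `/etc/apache2/mods-available/ratelimit.conf` depend on the umask of the connecting user. The directory task at the top of this file sets all three, and this task should follow it with `owner: root`, `group: root`, `mode: "0644"` (quoted so the octal is not reinterpreted). The `mpm_prefork.conf` template task inside the new ITK block in the first hunk has the same gap. No `notify:` is visible on either task, so unless a reload happens elsewhere in the role, a changed rate-limit value may not take effect until Apache is next restarted.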
@@ -87,13 +112,6 @@
   tags:
     - apache
 
-- name: Apache mpm_prefork.conf in place
-  template:
-    src: templates/mpm_prefork.conf.j2
-    dest: /etc/apache2/mods-enabled/mpm_prefork.conf
-  tags:
-    - apache
-
 - name: Custom Apache ssl.conf in place
   copy:
     src: files/ssl.conf
@@ -116,7 +134,7 @@
     - apache
 
 - name: Apache conf disabled
-  include_tasks: a2disconf.yml
+a include_tasks: a2disconf.yml
   with_items: "{{ apache_conf_disabled }}"
   when: apache_conf_disabled is defined
   tags:
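Review bot: The changed line `a include_tasks: a2disconf.yml` has a stray `a` at column 0, which looks like an editor slip. The line is then no longer a key of the "Apache conf disabled" task mapping, so `tasks/main.yml` will most likely fail to parse and the role will not run at all. It should go back to `  include_tasks: a2disconf.yml` with the two-space indent. Running `ansible-playbook --syntax-check` or yamllint in CI would catch this before merge.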
diff --git a/templates/envvars.j2 b/templates/envvars.j2
index b6552d3..d2fc8e9 100644
--- a/templates/envvars.j2
+++ b/templates/envvars.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # envvars - default environment variables for apache2ctl
   
 # this won't be correct after changing uid
@@ -45,4 +46,4 @@ APACHE_ULIMIT_MAX_FILES='ulimit -n {{ apache_ulimit | default('8192') }}'
 ## This will produce a verbose output on package installations of web server modules and web application
 ## installations which interact with Apache
 #export APACHE2_MAINTSCRIPT_DEBUG=1
-
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/templates/mpm_prefork.conf.j2 b/templates/mpm_prefork.conf.j2
index 7731a87..f3697ae 100644
--- a/templates/mpm_prefork.conf.j2
+++ b/templates/mpm_prefork.conf.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # prefork MPM
 # StartServers: number of server processes to start
 # MinSpareServers: minimum number of server processes which are kept spare
diff --git a/templates/ratelimit.conf.j2 b/templates/ratelimit.conf.j2
new file mode 100644
index 0000000..183c8b6
--- /dev/null
+++ b/templates/ratelimit.conf.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+# https://httpd.apache.org/docs/trunk/mod/mod_ratelimit.html
+{% if apache_rate_limit is defined %}
+SetOutputFilter RATE_LIMIT
+SetEnv rate-limit {{ apache_rate_limit }}
+{% else %}
+# rate-limit not set as apache_rate_limit was not defined
+{% endif %}
+{% if apache_rate_initial_burst is defined %}
+SetEnv rate-initial-burst {{ apache_rate_initial_burst }}
+{% else %}
+# rate-initial-burst not set as apache_rate_initial_burst was not defined
+{% endif %}
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+
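Review bot: This template keys on `apache_rate_limit`, but the README example added in this same patch sets `apache_apache_rate_limit: 64`. Anyone copying the example gets a `ratelimit.conf` with no `SetOutputFilter RATE_LIMIT`, only the comment and a `rate-initial-burst` value, so throttling is silently off. The README key should read `apache_rate_limit: 64`. The burst block should also be nested inside the `{% if apache_rate_limit is defined %}` branch so it is never emitted without the filter. Rendering the values as `{{ apache_rate_limit | int }}` and `{{ apache_rate_initial_burst | int }}` would keep a malformed inventory value from being written into the Apache config verbatim.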
diff --git a/templates/webarch.conf.j2 b/templates/webarch.conf.j2
index e55b4bb..10263ef 100644
--- a/templates/webarch.conf.j2
+++ b/templates/webarch.conf.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # WSH Settings for all sites
 # Ansible Generated
 
@@ -272,3 +273,4 @@ ErrorDocument 403 /wsh/403.shtml
     </IfModule>
   </Directory>
 </VirtualHost>
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
-- 
GitLab