Merlijn van Deen has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/260768

Change subject: dynamicproxy: make banning users easier
......................................................................

dynamicproxy: make banning users easier

Simply set `dynamicproxy::banned_ips: ['1.2.3.4']` in Hiera.

This also refactors the 'technical issues' error page, and
makes enabling/disabling it much easier.

Change-Id: If0f92fc9ecdd1a5ed2fe56037b9b9b333c6fcca3
---
M modules/dynamicproxy/manifests/init.pp
A modules/dynamicproxy/templates/banned.erb
M modules/dynamicproxy/templates/urlproxy.conf
3 files changed, 75 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/68/260768/1

diff --git a/modules/dynamicproxy/manifests/init.pp 
b/modules/dynamicproxy/manifests/init.pp
index 990d833..2c7dd3e 100644
--- a/modules/dynamicproxy/manifests/init.pp
+++ b/modules/dynamicproxy/manifests/init.pp
@@ -23,13 +23,15 @@
     $error_enabled        = false,
     $error_config         = {
         title    => 'Wikimedia Labs Error',
-        logo     => '/labs-logo.png',
-        logo_2x  => '/labs-logo-2x.png',
+        logo     => '/.error/labs-logo.png',
+        logo_2x  => '/.error/labs-logo-2x.png',
         logo_alt => 'Wikimedia Labs',
         favicon  => '//wikitech.wikimedia.org/static/favicon/wikitech.ico',
     },
     $error_description    = 'Our servers are currently experiencing a 
technical problem. This is probably temporary and should be fixed soon. Please 
try again later.',
     $error_details        = undef,
+    $banned_ips           = [],
+    $banned_description   = 'You have been banned from accessing this 
service.',
     $web_domain           = undef,
     $blocked_user_agent_regex = 'TweetmemeBot', # T73120 - misbehaving crawler
 ) {
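Review bot: The new `$banned_ips` parameter is passed straight into the nginx `geo` block by the template, but nothing in the class checks that each entry is an IPv4/IPv6 address or CIDR, so a typo in Hiera would break the proxy's nginx config for every user rather than just failing the one ban. If puppetlabs-stdlib is available in this repository, `validate_array($banned_ips)` at the top of the class body, plus a `validate_re` per entry (via a small define on this Puppet version), would fail the catalog instead of the running service. The class body continues outside this hunk.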
@@ -111,6 +113,18 @@
         ],
     }
 
+    file { '/var/www/error/banned.html':
+        ensure  => file,
+        content => template('dynamicproxy/banned.erb'),
+        owner   => 'www-data',
+        group   => 'www-data',
+        mode    => '0444',
+        require => [File['/var/www/error'],
+                    File['/var/www/error/labs-logo.png'],
+                    File['/var/www/error/labs-logo-2x.png']
+        ],
+    }
+
     file { '/etc/security/limits.conf':
         ensure  => file,
         source  => 'puppet:///modules/dynamicproxy/limits.conf',
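Review bot: The new `/var/www/error/banned.html` resource is owned by `www-data`, the same account nginx serves it as, so a compromise of the web server process could rewrite the page despite mode `0444` (a file's owner can always chmod it back). nginx only needs read access, so `owner => 'root', group => 'root', mode => '0444'` is the least-privilege choice. If the neighbouring error-page resources (outside this hunk) deliberately use `www-data`, it is worth changing them together for consistency rather than leaving only this one different.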
diff --git a/modules/dynamicproxy/templates/banned.erb 
b/modules/dynamicproxy/templates/banned.erb
new file mode 100644
index 0000000..3bf07f0
--- /dev/null
+++ b/modules/dynamicproxy/templates/banned.erb
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang=en>
+<link rel="shortcut icon" href="<%= @error_config['favicon'] %>" />
+<title><%= @error_config['title'] %></title>
+<style>
+* { margin: 0; padding: 0; }
+body { background: #fff; font: 14px/1.6 sans-serif; color: #333; }
+.content { margin: 7% auto 0; padding: 2em 1em 1em; max-width: 560px; }
+.footer { clear: both; margin-top: 14%; border-top: 1px solid #e5e5e5; 
padding: 2em 0; background: #f9f9f9; font-size: 0.8em; text-align: center; }
+img { float: left; margin: 0 2em 2em 0; }
+a img { border: 0; }
+h1 { margin-top: 1em; font-size: 1.2em; }
+p { margin: 0.7em 0 1em 0; }
+a { color: #0645AD; text-decoration: none; }
+a:hover { text-decoration: underline; }
+em { font-style: normal; color: #777; }
+</style>
+<div class="content" role="main">
+    <img src="<%= @error_config['logo'] %>" <% if @error_config['logo_2x'] 
%>srcset="<%= @error_config['logo_2x'] %> 2x"<% end %> alt="<% 
@error_config['logo_alt'] %>" width=135></a>
+    <h1>Error</h1>
+    <p><%= @banned_description %></p>
+</div>
+</html>
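Review bot: The `<img>` tag's `alt` attribute uses `<% @error_config['logo_alt'] %>` without the `=`, so the expression is evaluated and nothing is emitted, and the tag is followed by a stray `</a>` with no opening anchor; change it to `alt="<%= @error_config['logo_alt'] %>" width=135>` and drop the `</a>`. Separately, `@banned_description`, the title and the favicon URL are inserted unescaped; since they come from Puppet parameters rather than request data that is acceptable, provided these values are never sourced from anything user-controlled, but wrapping them in `CGI.escapeHTML(...)` (Ruby stdlib, available in Puppet templates) would cost nothing and close the question.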
diff --git a/modules/dynamicproxy/templates/urlproxy.conf 
b/modules/dynamicproxy/templates/urlproxy.conf
index 7bf4c64..a912d48 100644
--- a/modules/dynamicproxy/templates/urlproxy.conf
+++ b/modules/dynamicproxy/templates/urlproxy.conf
@@ -19,6 +19,17 @@
         ''      close;
 }
 
+geo $bad_user {
+  default 0;
+  # 0: OK, 1: banned
+  # 1.2.3.4 1;     # ban single IP
+  # 1.2.3.4/24 1;  # ban IP block
+  <% @banned_ips.each do |val| -%>
+  $val 1;
+  <% end -%>
+}
+
+
 <%- if @https_only -%>
 server {
     listen 80;
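Review bot: The line `$val 1;` inside the `@banned_ips.each` loop is not inside an ERB tag, so the rendered config contains the literal text `$val 1;` once per banned address; nginx's `geo` block does not accept `$val` as a network, so the first non-empty `banned_ips` value breaks the config and with it the whole proxy. It should read `<%= val %> 1;`. The example comment `1.2.3.4/24` has host bits set; nginx accepts it but warns that the low address bits are meaningless, so `1.2.3.0/24` is the better example to copy. Note also that `geo` keys off `$remote_addr` by default, so if this proxy is ever placed behind another proxy or load balancer the bans would apply to that device's address rather than the client's.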
@@ -53,12 +64,6 @@
     listen 80;
     <%- end -%>
 
-    # To enable the 'This server is experiencing technical difficulties' 
message:
-    #  a) set Hiera "dynamicproxy::error_enabled": true
-    #  b) or, if puppet doesn't work, remove the # from the next line and 
remove all lines after it (!)
-    <% if !@error_enabled %>#<% end %>root /var/www/error; default_type 
text/html; error_page 503 /errorpage.html; try_files $uri =503;
-    <% if !@error_enabled %>
-
     # People upload large files, and that is okay.
     # We can make this larger if need be.
     client_max_body_size 128m;
@@ -78,7 +83,32 @@
     # See http://www.gnuterrypratchett.com/
     add_header X-Clacks-Overhead "GNU Terry Pratchett";
 
+    location /.error/ {
+        alias /var/www/error/;
+        default_type text/html;
+    }
+
+    location /.error/banned/ {
+        error_page 403 /.error/banned.html;
+        return 403;
+    }
+
+    location /.error/technicalissues/ {
+        error_page 503 /.error/errorpage.html;
+        return 503;
+    }
+
     location / {
+        if ($bad_user) {
+            rewrite ^ /.error/banned/;
+        }
+
+        # To enable the 'This server is experiencing technical difficulties' 
message:
+        #  a) set Hiera "dynamicproxy::error_enabled": true
+        #  b) or, if puppet doesn't work, remove the # from the next line
+
+        <% if !@error_enabled %># <% end %>rewrite ^ /.error/technicalissues/;
+
         # Let errors go through to the client if using a special debug header 
(same as prod)
         # X-Wikimedia-Debug set to 1 to trigger it
         # See https://wikitech.wikimedia.org/wiki/Debugging_in_production for 
more info
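Review bot: The `if ($bad_user)` check sits inside `location /`, so it runs only for requests that fall through to that location; the new `location /.error/` alias and any other `location` in this server (the server block starts outside this hunk) are still served to banned addresses. Moving the three lines to server scope, e.g. directly after the `add_header X-Clacks-Overhead` line and before the first `location`, applies `if ($bad_user) { rewrite ^ /.error/banned/; }` to every request and lets the `/.error/banned/` location handle it. As written both rewrites also share the same location, so with the technical-issues rewrite uncommented a banned address would most likely be rewritten a second time and see the 503 page instead of the ban page; server-scope placement avoids that as well.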


Gerrit-MessageType: newchange
Gerrit-Change-Id: If0f92fc9ecdd1a5ed2fe56037b9b9b333c6fcca3
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Merlijn van Deen <[email protected]>
