Andrew Bogott has submitted this change and it was merged.
Change subject: dynamicproxy: make banning users easier
......................................................................
dynamicproxy: make banning users easier
To ban addresses, set dynamicproxy::banned_ips, e.g. ['1.2.3.4'].
This also refactors the 'technical issues' error page, and
makes enabling/disabling it much easier.
Change-Id: If0f92fc9ecdd1a5ed2fe56037b9b9b333c6fcca3
---
M modules/dynamicproxy/manifests/init.pp
A modules/dynamicproxy/templates/banned.erb
M modules/dynamicproxy/templates/urlproxy.conf
M modules/toollabs/manifests/proxy.pp
4 files changed, 79 insertions(+), 11 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/dynamicproxy/manifests/init.pp
b/modules/dynamicproxy/manifests/init.pp
index 990d833..2c7dd3e 100644
--- a/modules/dynamicproxy/manifests/init.pp
+++ b/modules/dynamicproxy/manifests/init.pp
@@ -23,13 +23,15 @@
$error_enabled = false,
$error_config = {
title => 'Wikimedia Labs Error',
- logo => '/labs-logo.png',
- logo_2x => '/labs-logo-2x.png',
+ logo => '/.error/labs-logo.png',
+ logo_2x => '/.error/labs-logo-2x.png',
logo_alt => 'Wikimedia Labs',
favicon => '//wikitech.wikimedia.org/static/favicon/wikitech.ico',
},
$error_description = 'Our servers are currently experiencing a
technical problem. This is probably temporary and should be fixed soon. Please
try again later.',
$error_details = undef,
+ $banned_ips = [],
+ $banned_description = 'You have been banned from accessing this
service.',
$web_domain = undef,
$blocked_user_agent_regex = 'TweetmemeBot', # T73120 - misbehaving crawler
) {
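Review bot: The two new parameters carry no documentation of what they accept, and both have non-obvious contracts: `$banned_ips` entries are copied verbatim into an nginx `geo` block (urlproxy.conf hunk at `geo $bad_user`), so each entry must be a single address or CIDR in the form nginx accepts, and `$banned_description` is emitted unescaped by `<%= @banned_description %>` in banned.erb and is overridden with an `<a href>` in the toollabs/manifests/proxy.pp hunk, so it is raw HTML by design. A comment above the declarations would make that explicit: `# banned_ips: list of IPs or CIDR blocks, inserted as-is into the nginx geo block` and `# banned_description: raw HTML (not escaped) shown on the ban page; only trusted markup belongs here`. Since there is no type or `validate_*` check on `$banned_ips`, a malformed entry is only noticed when nginx refuses the generated config; the same applies to the other hunks that consume these values. The class header continues outside the hunk.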
@@ -111,6 +113,18 @@
],
}
+ file { '/var/www/error/banned.html':
+ ensure => file,
+ content => template('dynamicproxy/banned.erb'),
+ owner => 'www-data',
+ group => 'www-data',
+ mode => '0444',
+ require => [File['/var/www/error'],
+ File['/var/www/error/labs-logo.png'],
+ File['/var/www/error/labs-logo-2x.png']
+ ],
+ }
+
file { '/etc/security/limits.conf':
ensure => file,
source => 'puppet:///modules/dynamicproxy/limits.conf',
diff --git a/modules/dynamicproxy/templates/banned.erb
b/modules/dynamicproxy/templates/banned.erb
new file mode 100644
index 0000000..3bf07f0
--- /dev/null
+++ b/modules/dynamicproxy/templates/banned.erb
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang=en>
+<link rel="shortcut icon" href="<%= @error_config['favicon'] %>" />
+<title><%= @error_config['title'] %></title>
+<style>
+* { margin: 0; padding: 0; }
+body { background: #fff; font: 14px/1.6 sans-serif; color: #333; }
+.content { margin: 7% auto 0; padding: 2em 1em 1em; max-width: 560px; }
+.footer { clear: both; margin-top: 14%; border-top: 1px solid #e5e5e5;
padding: 2em 0; background: #f9f9f9; font-size: 0.8em; text-align: center; }
+img { float: left; margin: 0 2em 2em 0; }
+a img { border: 0; }
+h1 { margin-top: 1em; font-size: 1.2em; }
+p { margin: 0.7em 0 1em 0; }
+a { color: #0645AD; text-decoration: none; }
+a:hover { text-decoration: underline; }
+em { font-style: normal; color: #777; }
+</style>
+<div class="content" role="main">
+ <img src="<%= @error_config['logo'] %>" <% if @error_config['logo_2x']
%>srcset="<%= @error_config['logo_2x'] %> 2x"<% end %> alt="<%
@error_config['logo_alt'] %>" width=135></a>
+ <h1>Error</h1>
+ <p><%= @banned_description %></p>
+</div>
+</html>
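Review bot: The `alt` attribute on the logo `<img>` is written with `<% ... %>` rather than `<%= ... %>` (as the wrapped line reads: `alt="<% @error_config['logo_alt'] %>"`), so ERB evaluates the expression and prints nothing — the rendered page has an empty `alt`, unlike `src`, which correctly uses `<%=`; it should read `alt="<%= @error_config['logo_alt'] %>"`. The same line ends with `</a>` although no `<a>` was opened, a leftover from an anchored-logo version that should be dropped. Worth a template comment above the description line, since the value is intentionally not escaped: `<%# banned_description is trusted HTML from Puppet and is deliberately not escaped %>`.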
diff --git a/modules/dynamicproxy/templates/urlproxy.conf
b/modules/dynamicproxy/templates/urlproxy.conf
index 7bf4c64..a912d48 100644
--- a/modules/dynamicproxy/templates/urlproxy.conf
+++ b/modules/dynamicproxy/templates/urlproxy.conf
@@ -19,6 +19,17 @@
'' close;
}
+geo $bad_user {
+ default 0;
+ # 0: OK, 1: banned
+ # 1.2.3.4 1; # ban single IP
+ # 1.2.3.4/24 1; # ban IP block
+ <% @banned_ips.each do |val| -%>
+ $val 1;
+ <% end -%>
+}
+
+
<%- if @https_only -%>
server {
listen 80;
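Review bot: Inside the `@banned_ips.each` loop the body line is `$val 1;`, which ERB emits literally — only `<%= %>` interpolates — so every configured ban renders as the text `$val 1;` and nginx will most likely reject the geo block as an invalid network, i.e. the proxy config stops loading as soon as `banned_ips` is non-empty; the line should be `<%= val %> 1;`. Because each entry lands in the config verbatim, a typo in Hiera fails the same way at reload time rather than at catalog compile, which argues for validating entries (address or CIDR) in init.pp before they reach this template. Note also that `geo` keys on `$remote_addr` by default; if this proxy sits behind another proxy or load balancer, the ban would match that hop's address instead of the client — worth a comment stating which address is being evaluated. The `server` block that follows continues past the hunk.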
@@ -53,12 +64,6 @@
listen 80;
<%- end -%>
- # To enable the 'This server is experiencing technical difficulties'
message:
- # a) set Hiera "dynamicproxy::error_enabled": true
- # b) or, if puppet doesn't work, remove the # from the next line and
remove all lines after it (!)
- <% if !@error_enabled %>#<% end %>root /var/www/error; default_type
text/html; error_page 503 /errorpage.html; try_files $uri =503;
- <% if !@error_enabled %>
-
# People upload large files, and that is okay.
# We can make this larger if need be.
client_max_body_size 128m;
@@ -78,7 +83,32 @@
# See http://www.gnuterrypratchett.com/
add_header X-Clacks-Overhead "GNU Terry Pratchett";
+ location /.error/ {
+ alias /var/www/error/;
+ default_type text/html;
+ }
+
+ location /.error/banned/ {
+ error_page 403 /.error/banned.html;
+ return 403;
+ }
+
+ location /.error/technicalissues/ {
+ error_page 503 /.error/errorpage.html;
+ return 503;
+ }
+
location / {
+ if ($bad_user) {
+ rewrite ^ /.error/banned/;
+ }
+
+ # To enable the 'This server is experiencing technical difficulties'
message:
+ # a) set Hiera "dynamicproxy::error_enabled": true
+ # b) or, if puppet doesn't work, remove the # from the next line
+
+ <% if !@error_enabled %># <% end %>rewrite ^ /.error/technicalissues/;
+
# Let errors go through to the client if using a special debug header
(same as prod)
# X-Wikimedia-Debug set to 1 to trigger it
# See https://wikitech.wikimedia.org/wiki/Debugging_in_production for
more info
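Review bot: The `if ($bad_user)` rewrite at the top of `location /` is the only place the ban is evaluated, so requests that match a more specific location in this server — `/.error/` is one, and any others outside this hunk — are still served to banned clients; if a server-wide ban is intended, the check belongs at `server` scope or must be repeated in the other locations (I can only see this part of the file). Separately, `location /.error/` now claims that prefix on every proxied hostname, which deserves a comment so tool authors are not surprised: `# Reserved: /.error/ is intercepted by the proxy on every host; tools cannot serve paths under it`. `location /` continues past the end of the hunk.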
diff --git a/modules/toollabs/manifests/proxy.pp
b/modules/toollabs/manifests/proxy.pp
index 966c444..d6da538 100644
--- a/modules/toollabs/manifests/proxy.pp
+++ b/modules/toollabs/manifests/proxy.pp
@@ -34,11 +34,12 @@
redis_replication => $redis_replication,
error_config => {
title => 'Wikimedia Tool Labs Error',
- logo => '/tool-labs-logo.png',
- logo_2x => '/tool-labs-logo-2x.png',
+ logo => '/.error/tool-labs-logo.png',
+ logo_2x => '/.error/tool-labs-logo-2x.png',
logo_alt => 'Wikimedia Tool Labs',
- favicon => '/favicon.ico',
+ favicon => '/.error/favicon.ico',
},
+ banned_description => 'You have been banned from accessing Tool
Labs. Please see <a
href="//wikitech.wikimedia.org/wiki/Help:Tool_Labs/Banned">Help:Tool
Labs/Banned</a> for more information on why and on how to resolve this.',
web_domain => $web_domain,
}
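Review bot: `favicon` now points at `/.error/favicon.ico`, which is served from `/var/www/error/` by the new `location /.error/` alias, but nothing in this change manages `/var/www/error/favicon.ico` (the init.pp hunk only requires the two logo files); unless that file is created elsewhere in the module, the ban and technical-issues pages will 404 on their favicon. A one-line comment naming where the file comes from, or a `file` resource for it, would close the gap. The `class { 'dynamicproxy': ... }` declaration starts before the hunk.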
--
To view, visit https://gerrit.wikimedia.org/r/260768
Gerrit-MessageType: merged
Gerrit-Change-Id: If0f92fc9ecdd1a5ed2fe56037b9b9b333c6fcca3
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Merlijn van Deen <[email protected]>
Gerrit-Reviewer: Andrew Bogott <[email protected]>
Gerrit-Reviewer: jenkins-bot <>