8f1550d7ff
This includes some clouds that are just completely hammering us. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
122 lines
6.8 KiB
Text
122 lines
6.8 KiB
Text
---
|
|
# Define resources for this group of hosts here.
|
|
blocked_ip_v6: []
|
|
blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56']
|
|
collectd_apache: true
|
|
# For the MOTD
|
|
custom_rules: [
|
|
# Need for rsync from log01 for logs.
|
|
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
|
|
# allow varnish from localhost
|
|
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
|
|
# also allow varnish from internal for purge requests
|
|
'-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.0/24 --dport 6081 -j ACCEPT',
|
|
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
|
|
nft_block_rules:
|
|
- 'add rule ip filter INPUT ip saddr 81.69.171.38 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 47.76.0.0/14 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 47.80.0.0/13 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 47.74.0.0/15 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 66.249.64.0/24 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.134.64.0/18 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.134.0.0/18 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.134.224.0/19 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.159.41.0/24 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.163.8.0/24 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.128.64.0/18 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.156.0.0/18 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.128.64.0/18 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.133.32.0/19 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.134.128.0/18 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.159.37.0/24 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.153.192.0/18 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.159.32.0/24 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.156.64.0/18 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 43.163.0.0/24 counter reject'
|
|
- 'add rule ip filter INPUT ip saddr 14.153.15.174 counter reject'
|
|
nft_custom_rules:
|
|
# Need for rsync from log01 for logs.
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 209.132.181.102 tcp dport 873 counter accept'
|
|
# allow varnish from localhost
|
|
- 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept'
|
|
# also allow varnish from internal for purge requests
|
|
- 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.0/24 tcp dport 6081 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.120 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.121 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.122 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.123 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.124 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.125 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.126 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.65 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.127 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.128 tcp dport 22623 counter accept'
|
|
- 'add rule ip filter INPUT ip saddr 10.3.163.129 tcp dport 22623 counter accept'
|
|
external: true
|
|
ipa_client_shell_groups:
|
|
- fi-apprentice
|
|
- sysadmin-noc
|
|
- sysadmin-veteran
|
|
- sysadmin-web
|
|
ipa_client_sudo_groups:
|
|
- sysadmin-web
|
|
ipa_host_group: proxies
|
|
ipa_host_group_desc: Proxies between internal hosts and the Internet
|
|
lvm_size: 100000
|
|
# This is used in the httpd.conf to determine the value for serverlimit and
|
|
# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this
|
|
# should be lowered in the host vars for that proxy.
|
|
maxrequestworkers: 2500
|
|
mem_size: 8192
|
|
nagios_Check_Services:
|
|
swap: false
|
|
num_cpus: 6
|
|
ocp_masters:
|
|
#- bootstrap.ocp.iad2.fedoraproject.org
|
|
- ocp01.ocp.iad2.fedoraproject.org
|
|
- ocp02.ocp.iad2.fedoraproject.org
|
|
- ocp03.ocp.iad2.fedoraproject.org
|
|
# we override this here to point to the vpn endpoints of the ocp_nodes instead of
|
|
# The real internal hostnames. This is because proxies access them via vpn.
|
|
ocp_nodes:
|
|
- worker01.vpn.fedoraproject.org
|
|
- worker02.vpn.fedoraproject.org
|
|
- worker03.vpn.fedoraproject.org
|
|
- worker04.vpn.fedoraproject.org
|
|
- worker05.vpn.fedoraproject.org
|
|
- worker06.vpn.fedoraproject.org
|
|
postvpnservices:
|
|
- haproxy
|
|
- varnish
|
|
primary_auth_source: ipa
|
|
tcp_ports: [
|
|
# For apache, generally.
|
|
80, 443,
|
|
# This is for TCP krb5
|
|
1088,
|
|
# This is for RabbitMQ public access
|
|
5671,
|
|
# openshift 4 api
|
|
6443,
|
|
# This is for RabbitMQ internal-public access
|
|
15671,
|
|
# This is for TOTP
|
|
8443,
|
|
]
|
|
varnish_group: proxies
|
|
zabbix_templates:
|
|
- group: "proxies" # Ansible group
|
|
template: "external_hosts_http.json" # Template name in roles/zabbix/zabbix_templates/files/templatename.json
|
|
custom_template: true # Is the template official template bundled with Zabbix or one of our custom templates
|
|
hostgroup: "fedora external hosts" # Zabbix hostgroup
|
|
|
|
notes: |
|
|
* Provides frontend (reverse) proxy for most web applications
|
|
* Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications at sites like
|
|
fedoraproject.org and admin.fedoraproject.org.
|
|
* The proxy servers are balanced via dns and geoIP and are spread all over the place.
|