Changing ssl_ratelimit variable

diff --git a/manifests/subsystems/firewall.pp b/manifests/subsystems/firewall.pp
index 6d31461f475242bf52267ad51d8ed44034564177..293b827f24e397fa9100806e9fe2e0ae122f126a 100644 (file)
--- a/manifests/subsystems/firewall.pp
+++ b/manifests/subsystems/firewall.pp
@@ -118,7 +118,7 @@ class firewall {
     destination     => '$FW',
     proto           => '-',
     destinationport => '-',
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 103,
   }
 

diff --git a/manifests/subsystems/firewall/vserver.pp b/manifests/subsystems/firewall/vserver.pp
index a51324e65aebaa08e58c42158d82a4ef19b5d842..97571a93234e71606b857171187c4d7059935ba4 100644 (file)
--- a/manifests/subsystems/firewall/vserver.pp
+++ b/manifests/subsystems/firewall/vserver.pp
@@ -28,7 +28,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
     destination     => "$zone:$destination:443",
     proto           => 'tcp',
     destinationport => '443',
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 602,
   }
 
@@ -39,7 +39,7 @@ class firewall::vserver::https($destination, $zone = 'vm') {
     proto           => 'tcp',
     destinationport => '443',
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 602,
   }
 }
@@ -51,7 +51,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     destination     => "$zone:$destination:$puppetmaster_port",
     proto           => 'tcp',
     destinationport => "$puppetmaster_port",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 700,
   }
 
@@ -61,7 +61,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     destination     => "$zone:$destination:$puppetmaster_port",
     proto           => 'udp',
     destinationport => "$puppetmaster_port",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 701,
   }
 
@@ -72,7 +72,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     proto           => 'tcp',
     destinationport => "$puppetmaster_port",
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 702,
   }
 
@@ -83,7 +83,7 @@ class firewall::vserver::puppetmaster($destination, $puppetmaster_port = '8140',
     proto           => 'udp',
     destinationport => "$puppetmaster_port",
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 703,
   }
 
@@ -204,7 +204,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     destination     => "$zone:$destination:993",
     proto           => 'tcp',
     destinationport => '993',
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 1002,
   }
 
@@ -215,7 +215,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     proto           => 'tcp',
     destinationport => '993',
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 1003,
   }
 
@@ -225,7 +225,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     destination     => "$zone:$destination:587",
     proto           => 'tcp',
     destinationport => '587',
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 1004,
   }
 
@@ -236,7 +236,7 @@ class firewall::vserver::mail($destination, $zone = 'fw') {
     proto           => 'tcp',
     destinationport => '587',
     originaldest    => "$ipaddress",
-    ratelimit       => hiera("firewall_ssl_ratelimit", '-'),
+    ratelimit       => hiera("nodo::firewall::ssl_ratelimit", '-'),
     order           => 1005,
   }
 }

diff --git a/manifests/vserver/instance.pp b/manifests/vserver/instance.pp
index 7593c3f782553e7e50b855d0ee6232cf3ab5a05b..90b0b0ad9ca5086be046b45e7ccf1d4a8318bcbb 100644 (file)
--- a/manifests/vserver/instance.pp
+++ b/manifests/vserver/instance.pp
@@ -85,16 +85,6 @@ define nodo::vserver::instance($context, $ensure = 'running', $proxy = false,
     }
   }
 
-  # SSL computational DoS mitigation
-  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
-  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
-    ''      => $firewall_global_ssl_ratelimit ? {
-      ''      => '-',
-      default => $firewall_global_ssl_ratelimit,
-    },
-    default => $firewall_ssl_ratelimit,
-  }
-
   # Apply firewall rules just for running vservers
   case $ensure {
     'running': {