SSL computational DoS mitigation (2)

author Silvio Rhatto <rhatto@riseup.net>

Thu, 10 Nov 2011 19:50:33 +0000 (17:50 -0200)

committer Silvio Rhatto <rhatto@riseup.net>

Thu, 10 Nov 2011 19:50:33 +0000 (17:50 -0200)
author Silvio Rhatto <rhatto@riseup.net>
Thu, 10 Nov 2011 19:50:33 +0000 (17:50 -0200)
committer Silvio Rhatto <rhatto@riseup.net>
Thu, 10 Nov 2011 19:50:33 +0000 (17:50 -0200)
diff --git a/manifests/vserver.pp b/manifests/vserver.pp

index 02448da494d182ecf03ada86652d2e15554c90d3..67ece436b7b05f5c271d1fdffcfec20001940977 100644 (file)
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -3,6 +3,16 @@ class nodo::vserver inherits nodo {
    include timezone
    include syslog-ng::vserver
  
+  # SSL computational DoS mitigation
+  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+    ''      => $firewall_global_ssl_ratelimit ? {
+      ''      => '-',
+      default => $firewall_global_ssl_ratelimit,
+    },
+    default => $firewall_ssl_ratelimit,
+  }
+
    backupninja::sys { "sys":
      ensure     => present,
      partitions => false,
author	Silvio Rhatto <rhatto@riseup.net>
	Thu, 10 Nov 2011 19:50:33 +0000 (17:50 -0200)
committer	Silvio Rhatto <rhatto@riseup.net>
	Thu, 10 Nov 2011 19:50:33 +0000 (17:50 -0200)