SSL computational DoS mitigation (3)

author Silvio Rhatto <rhatto@riseup.net>

Thu, 10 Nov 2011 20:03:10 +0000 (18:03 -0200)

committer Silvio Rhatto <rhatto@riseup.net>

Thu, 10 Nov 2011 20:03:10 +0000 (18:03 -0200)
author Silvio Rhatto <rhatto@riseup.net>
Thu, 10 Nov 2011 20:03:10 +0000 (18:03 -0200)
committer Silvio Rhatto <rhatto@riseup.net>
Thu, 10 Nov 2011 20:03:10 +0000 (18:03 -0200)
diff --git a/manifests/vserver.pp b/manifests/vserver.pp

index 67ece436b7b05f5c271d1fdffcfec20001940977..d59bcd6ac2a1397d79e5dbe18650f1991afe32e7 100644 (file)
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -3,16 +3,6 @@ class nodo::vserver inherits nodo {
    include timezone
    include syslog-ng::vserver
  
-  # SSL computational DoS mitigation
-  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
-  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
-    ''      => $firewall_global_ssl_ratelimit ? {
-      ''      => '-',
-      default => $firewall_global_ssl_ratelimit,
-    },
-    default => $firewall_ssl_ratelimit,
-  }
-
    backupninja::sys { "sys":
      ensure     => present,
      partitions => false,
@@ -130,6 +120,16 @@ class nodo::vserver inherits nodo {
        }
      }
  
+    # SSL computational DoS mitigation
+    # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+    $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+      ''      => $firewall_global_ssl_ratelimit ? {
+        ''      => '-',
+        default => $firewall_global_ssl_ratelimit,
+      },
+      default => $firewall_ssl_ratelimit,
+    }
+
      # Apply firewall rules just for running vservers
      case $ensure {
        'running': {
author	Silvio Rhatto <rhatto@riseup.net>
	Thu, 10 Nov 2011 20:03:10 +0000 (18:03 -0200)
committer	Silvio Rhatto <rhatto@riseup.net>
	Thu, 10 Nov 2011 20:03:10 +0000 (18:03 -0200)