From: Silvio Rhatto <rhatto@riseup.net>
Date: Thu, 10 Nov 2011 19:50:33 +0000 (-0200)
Subject: SSL computational DoS mitigation (2)
X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=d548cdb7acb8d8ffaf7bdfae14dc9cf3f16fcdbc;p=puppet-nodo.git

SSL computational DoS mitigation (2)
---

diff --git a/manifests/vserver.pp b/manifests/vserver.pp
index 02448da..67ece43 100644
--- a/manifests/vserver.pp
+++ b/manifests/vserver.pp
@@ -3,6 +3,16 @@ class nodo::vserver inherits nodo {
   include timezone
   include syslog-ng::vserver
 
+  # SSL computational DoS mitigation
+  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+    ''      => $firewall_global_ssl_ratelimit ? {
+      ''      => '-',
+      default => $firewall_global_ssl_ratelimit,
+    },
+    default => $firewall_ssl_ratelimit,
+  }
+
   backupninja::sys { "sys":
     ensure     => present,
     partitions => false,