--- # Define resources for this group of hosts here. blocked_ip_v6: [] blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56'] collectd_apache: true # For the MOTD custom_rules: [ # Need for rsync from log01 for logs. '-A INPUT -p tcp -m tcp -s 10.16.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT', # allow varnish from localhost '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT', # also allow varnish from internal for purge requests '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.16.163.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.129 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.129 -j ACCEPT'] nft_block_rules: - 'add rule ip filter INPUT ip saddr 81.69.171.38 counter reject' - 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject' - 'add rule ip filter INPUT ip saddr 47.76.0.0/14 counter reject' - 'add rule ip filter INPUT ip saddr 47.80.0.0/13 counter reject' - 'add rule ip filter INPUT ip saddr 47.74.0.0/15 counter reject' - 'add rule ip filter INPUT ip saddr 66.249.64.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 43.134.64.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 43.134.0.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 43.134.224.0/19 counter reject' - 'add rule ip filter INPUT ip saddr 43.159.41.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 43.163.8.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 43.128.64.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 43.156.0.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 43.128.64.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 43.133.32.0/19 counter reject' - 'add rule ip filter INPUT ip saddr 43.134.128.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 43.159.37.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 43.153.192.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 43.159.32.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 43.156.64.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 43.163.0.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 14.153.15.174 counter reject' - 'add rule ip filter INPUT ip saddr 47.246.0.0/16 counter reject' - 'add rule ip filter INPUT ip saddr 47.236.0.0/14 counter reject' - 'add rule ip filter INPUT ip saddr 47.235.0.0/16 counter reject' - 'add rule ip filter INPUT ip saddr 47.240.0.0/14 counter reject' - 'add rule ip filter INPUT ip saddr 47.244.0.0/15 counter reject' - 'add rule ip filter INPUT ip saddr 152.53.36.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 66.249.69.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 159.138.218.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 188.75.180.46/32 counter reject' - 'add rule ip filter INPUT ip saddr 2.57.121.144/32 counter reject' - 'add rule ip filter INPUT ip saddr 45.78.192.0/18 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.0.0/19 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.32.0/21 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.40.0/21 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.48.0/20 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.64.0/20 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.80.0/21 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.88.0/22 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.92.0/23 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.95.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.96.0/23 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.98.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.128.0/19 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.160.0/20 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.176.0/21 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.184.0/21 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.185.0/24 counter reject' - 'add rule ip filter INPUT ip saddr 101.47.186.0/23 counter reject' - 'add rule ip filter INPUT ip saddr 34.159.191.146/32 counter reject' nft_custom_rules: # Need for rsync from log01 for logs. - 'add rule ip filter INPUT ip saddr 10.16.163.39 tcp dport 873 counter accept' - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept' - 'add rule ip filter INPUT ip saddr 209.132.181.102 tcp dport 873 counter accept' # allow varnish from localhost - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept' - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept' # also allow varnish from internal for purge requests - 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.0/24 tcp dport 6081 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.120 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.121 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.122 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.123 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.124 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.125 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.126 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.65 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.127 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.128 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.129 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.120 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.121 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.122 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.123 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.124 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.125 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.126 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.65 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.127 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.128 tcp dport 22623 counter accept' - 'add rule ip filter INPUT ip saddr 10.16.163.129 tcp dport 22623 counter accept' external: true ipa_client_shell_groups: - fi-apprentice - sysadmin-noc - sysadmin-veteran - sysadmin-web ipa_client_sudo_groups: - sysadmin-web ipa_host_group: proxies ipa_host_group_desc: Proxies between internal hosts and the Internet lvm_size: 100000 # This is used in the httpd.conf to determine the value for serverlimit and # maxrequestworkers. On proxies with 8 cpus it should be 300 * 8 = 3200 maxrequestworkers: 3200 mem_size: 8192 nagios_Check_Services: swap: false num_cpus: 6 ocp_masters: #- bootstrap.ocp.rdu3.fedoraproject.org - ocp01.ocp.rdu3.fedoraproject.org - ocp02.ocp.rdu3.fedoraproject.org - ocp03.ocp.rdu3.fedoraproject.org # we override this here to point to the vpn endpoints of the ocp_nodes instead of # The real internal hostnames. This is because proxies access them via vpn. ocp_nodes: - worker01.vpn.fedoraproject.org - worker02.vpn.fedoraproject.org - worker03.vpn.fedoraproject.org - worker04.vpn.fedoraproject.org - worker05.vpn.fedoraproject.org # On most proxies we want to use the vpn to access the rdu3 compute nodes. # We override this for the rdu3 proxies themseleves, they go direct. ocp_nodes_rdu3: - worker01-rdu3.vpn.fedoraproject.org - worker02-rdu3.vpn.fedoraproject.org - worker03-rdu3.vpn.fedoraproject.org - worker04-rdu3.vpn.fedoraproject.org - worker05-rdu3.vpn.fedoraproject.org postvpnservices: - haproxy - varnish primary_auth_source: ipa tcp_ports: [ # For apache, generally. 80, 443, # This is for TCP krb5 1088, # This is for RabbitMQ public access 5671, # openshift 4 api 6443, # This is for RabbitMQ internal-public access 15671, # This is for TOTP 8443, ] varnish_group: proxies # Proxies are (mostly) external, use vpn for monitoring zabbix_host: zabbix01.vpn.fedoraproject.org zabbix_macros: 'APACHE.STATUS.PORT': 443 # Proxies appear to ignore port 80 for apache-status 'APACHE.STATUS.SCHEME': https # but https://localhost seems to work instead notes: | * Provides frontend (reverse) proxy for most web applications * Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications at sites like fedoraproject.org and admin.fedoraproject.org. * The proxy servers are balanced via dns and geoIP and are spread all over the place.