Atlas: ban 47.128.0.0/14

Unusually large amounts of connections from this source network.
Amazon EC2 according to whois, so probably mostly temporary cloud
VMs used for no legitimate purposes.
If more addresses should be banned, this should be refactored to use
a shared file containing them instead of listing them for each
frontend individually.
We might want to implement rate limiting instead of blanket banning
in the future.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

pillar/cluster/atlas/init.sls

@@ -60,6 +60,7 @@ haproxy:
           - X-Forwarded-Proto http unless is_ssl
           - X-Forwarded-Protocol http unless is_ssl
         - deny:
+          - deny_status 429 if annoying_clients
           - if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }
         - set-var(txn.host): hdr(Host)
       httpresponses:
@@ -85,6 +86,8 @@ haproxy:
       options:
         - http-server-close
       httprequests:
+        - deny:
+          - deny_status 429 if annoying_clients
         - set-var(txn.host): hdr(Host)
 
   listens:

pillar/cluster/atlas/services.sls

@@ -2,6 +2,7 @@ haproxy:
   frontends:
     http:
       acls:
+        - annoying_clients src 47.128.0.0/14  # Amazon EC2
         - no_x-frame-option var(txn.host) -m str chat.opensuse.org
         - no_x-frame-option var(txn.host) -m str dimension.opensuse.org
         - no_x-frame-option var(txn.host) -m str etherpad.opensuse.org
@@ -219,6 +220,7 @@ haproxy:
 
     http-misc:
       acls:
+        - annoying_clients src 47.128.0.0/14  # Amazon EC2
         - is_ssl          dst_port    443
 
         {%- for host_pagure in ['code', 'pages', 'ev', 'releases'] %}