bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1 from bdebyl/CU-cunmby

Browse Source 
CU-cunmby Added nginx mod_security to http role
This commit is contained in:
bdebyl
2020-09-25 23:48:20 -04:00
committed by GitHub
parent 304902fafe a22cbd440c
commit 05c5cf39bb
8 changed files with 108 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.drone.yml
View File

@@ -11,3 +11,8 @@ steps:
image: bdebyl/yamllint image: bdebyl/yamllint
command: command:
- make lint-ci - make lint-ci
trigger:
event:
- pull_request
- push

31
ansible/roles/http/defaults/main.yml
View File

@@ -1,8 +1,31 @@
--- ---
ci_server_email: bastian@bdebyl.net
ci_server_name: ci.bdebyl.net
deps: [ deps: [
certbot, certbot,
nginx nginx,
nginx-mod-modsecurity
] ]
nginx_dir: /etc/nginx
nginx_conf_dir: "{{ nginx_dir }}/conf"
modsec_rules_dir: "{{ nginx_conf_dir }}/rules"
modsec_crs_before_rule_conf:
"{{ modsec_rules_dir }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
modsec_crs_after_rule_conf:
"{{ modsec_rules_dir }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
ci_server_name: ci.bdebyl.net
modsec_conf_url:
https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
modsec_unicode_url:
https://github.com/SpiderLabs/ModSecurity/raw/v3/master/unicode.mapping
crs_setup_url:
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/crs-setup.conf.example
crs_before_url:
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
crs_after_url:
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example

3
ansible/roles/http/files/nginx/modsec_includes.conf Normal file
View File

@@ -0,0 +1,3 @@
include modsecurity.conf
include conf/crs-setup.conf
include conf/rules/*.conf

11
ansible/roles/http/files/nginx/nginx.conf
View File

@@ -1,7 +1,9 @@
user http; user http;
worker_processes 1; worker_processes 1;
error_log /var/log/nginx/error.log; load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
error_log /var/log/nginx/error.log info;
events { events {
worker_connections 1024; worker_connections 1024;
@@ -9,6 +11,7 @@ events {
http { http {
include mime.types; include mime.types;
default_type application/octet-stream; default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' log_format main '$remote_addr - $remote_user [$time_local] "$request" '
@@ -18,6 +21,7 @@ http {
access_log /var/log/nginx/access.log main; access_log /var/log/nginx/access.log main;
sendfile on; sendfile on;
server_tokens off;
#tcp_nopush on; #tcp_nopush on;
keepalive_timeout 65; keepalive_timeout 65;
@@ -25,6 +29,11 @@ http {
gzip on; gzip on;
gzip_disable "mise6"; gzip_disable "mise6";
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 2k;
large_client_header_buffers 2 1k;
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";

1
ansible/roles/http/tasks/main.yml
View File

@@ -1,5 +1,6 @@
--- ---
- import_tasks: deps.yml - import_tasks: deps.yml
- import_tasks: modsec.yml
- import_tasks: http.yml - import_tasks: http.yml
- import_tasks: ssl.yml - import_tasks: ssl.yml
- import_tasks: cron.yml - import_tasks: cron.yml

51
ansible/roles/http/tasks/modsec.yml Normal file
View File

@@ -0,0 +1,51 @@
---
- name: create nginx/conf directory
become: true
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0644
with_items:
- "{{ nginx_conf_dir }}"
- "{{ modsec_rules_dir }}"
tags: modsec
- name: create modsec_includes.conf
become: true
copy:
src: files/nginx/modsec_includes.conf
dest: "{{ nginx_dir }}/modsec_includes.conf"
mode: 0644
notify: restart_nginx
tags: modsec
- name: fetch core rule set files for mod-security
become: true
get_url:
url: "{{ item.url }}"
dest: "{{ item.dest }}"
mode: 0644
with_items:
- {"url": "{{ modsec_conf_url }}",
"dest": "{{ nginx_dir }}/modsecurity.conf"}
- {"url": "{{ modsec_unicode_url }}",
"dest": "{{ nginx_dir }}/unicode.mapping"}
- {"url": "{{ crs_setup_url }}",
"dest": "{{ nginx_conf_dir }}/crs-setup.conf"}
- {"url": "{{ crs_before_url }}",
"dest": "{{ modsec_crs_before_rule_conf }}"}
- {"url": "{{ crs_after_url }}",
"dest": "{{ modsec_crs_after_rule_conf }}"}
notify: restart_nginx
tags: modsec
- name: activate mod-security
become: true
lineinfile:
path: /etc/nginx/modsecurity.conf
regexp: '^SecRuleEngine'
line: 'SecRuleEngine On'
notify: restart_nginx
tags: modsec

5
ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
View File

@@ -10,7 +10,7 @@ server {
add_header Strict-Transport-Security max-age=6307200; add_header Strict-Transport-Security max-age=6307200;
add_header Allow "GET, POST, HEAD" always; add_header Allow "GET, POST, HEAD" always;
limit_except GET POST { deny all; } #limit_except GET POST { deny all; }
ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
@@ -28,6 +28,9 @@ server {
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;
location / { location / {
modsecurity on;
modsecurity_rules_file {{ nginx_dir }}/modsec_includes.conf;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;

BIN
ansible/vars/vault.yml
View File

Binary file not shown.