Merge pull request #1 from bdebyl/CU-cunmby
CU-cunmby Added nginx mod_security to http role
@@ -11,3 +11,8 @@ steps:
|
||||
image: bdebyl/yamllint
|
||||
command:
|
||||
- make lint-ci
|
||||
|
||||
trigger:
|
||||
event:
|
||||
- pull_request
|
||||
- push
|
||||
|
||||
@@ -1,8 +1,31 @@
|
||||
---
|
||||
ci_server_email: bastian@bdebyl.net
|
||||
ci_server_name: ci.bdebyl.net
|
||||
|
||||
deps: [
|
||||
certbot,
|
||||
nginx
|
||||
nginx,
|
||||
nginx-mod-modsecurity
|
||||
]
|
||||
|
||||
nginx_dir: /etc/nginx
|
||||
nginx_conf_dir: "{{ nginx_dir }}/conf"
|
||||
modsec_rules_dir: "{{ nginx_conf_dir }}/rules"
|
||||
modsec_crs_before_rule_conf:
|
||||
"{{ modsec_rules_dir }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
|
||||
modsec_crs_after_rule_conf:
|
||||
"{{ modsec_rules_dir }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
|
||||
|
||||
ci_server_name: ci.bdebyl.net
|
||||
|
||||
modsec_conf_url:
|
||||
https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
|
||||
|
||||
modsec_unicode_url:
|
||||
https://github.com/SpiderLabs/ModSecurity/raw/v3/master/unicode.mapping
|
||||
|
||||
crs_setup_url:
|
||||
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/crs-setup.conf.example
|
||||
|
||||
crs_before_url:
|
||||
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
|
||||
|
||||
crs_after_url:
|
||||
https://github.com/coreruleset/coreruleset/raw/v3.4/dev/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
|
||||
|
||||
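Review bot: Every URL defined in this hunk points at a moving branch (`v3/master` for ModSecurity, `v3.4/dev` for the CRS) and the `get_url` tasks that consume them carry no `checksum:`, so the WAF configuration that the nginx master process loads as root is whatever GitHub serves on the day the play runs. Pin each URL to a release tag or commit SHA and add the matching `checksum: "sha256:..."` on the fetch task; for the CRS the usual unit is a pinned release tarball rather than individual raw files. `crs_after_url` fetches `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example` but `modsec_crs_after_rule_conf` saves it as `REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf`; keep the upstream name (`RESPONSE-999-...`) so it is not mistaken for a sibling of the REQUEST-900 file. Stylistically, the multi-line flow list under `deps:` and the values placed on the line after their key (`modsec_conf_url:` and the others) would be more robust as a block sequence and as single-line quoted strings. `ci_server_name` appears twice in the rendered hunk; if that is a move rather than a duplicate it is fine, but a duplicated key in the new file would silently take the last value.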
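--- /dev/null
+++ b/ansible/roles/http/files/nginx/modsec_includes.conf
@@ -0,0 +1,3 @@
+include modsecurity.conf
+include conf/crs-setup.conf
+include conf/rules/*.conf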
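Review bot: The `include conf/rules/*.conf` glob on the last line will only ever match the two exclusion templates that modsec.yml downloads (REQUEST-900 and the file saved as REQUEST-999); none of the CRS detection rule files (REQUEST-901 through RESPONSE-980) are fetched anywhere in this change, so once `SecRuleEngine On` is set the engine runs with nothing beyond the base rules shipped in modsecurity.conf-recommended. Either populate `conf/rules/` from a pinned CRS release (the whole `rules/` directory, including the `.data` files the rules reference) or state in the role that this is scaffolding only. A header comment such as `# Order matters: modsecurity.conf (engine), then crs-setup.conf (CRS config), then rules/; the 900/999 exclusion files must sort before and after the CRS rules` would make the fixed include order explicit. The relative paths are presumably resolved by libmodsecurity against this file's directory; confirm with `nginx -t` rather than assuming.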
@@ -1,7 +1,9 @@
|
||||
user http;
|
||||
worker_processes 1;
|
||||
|
||||
error_log /var/log/nginx/error.log;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
|
||||
error_log /var/log/nginx/error.log info;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
@@ -9,6 +11,7 @@ events {
|
||||
|
||||
http {
|
||||
include mime.types;
|
||||
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
@@ -18,6 +21,7 @@ http {
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
server_tokens off;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
@@ -25,6 +29,11 @@ http {
|
||||
gzip on;
|
||||
gzip_disable "mise6";
|
||||
|
||||
client_body_buffer_size 1k;
|
||||
client_header_buffer_size 1k;
|
||||
client_max_body_size 2k;
|
||||
large_client_header_buffers 2 1k;
|
||||
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
|
||||
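Review bot: The three `add_header` lines added at `http` level (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) will not reach the CI server block, because nginx inherits `add_header` from the enclosing level only when the current level defines none, and that `server` block already sets `Strict-Transport-Security` and `Allow` itself. Move the three headers into the server block next to those two, or put all of them in one snippet that each server block `include`s, and mark it with `# add_header is not inherited once a lower level sets any add_header` so the gap is not reintroduced. `client_max_body_size 2k` presumably has to admit whatever POSTs the proxied CI server receives (webhook payloads are commonly larger than that); confirm against real traffic before relying on it as a hardening control. `X-XSS-Protection "1; mode=block"` is a legacy header that current browser guidance recommends setting to `0` or omitting, and the pre-existing `gzip_disable "mise6"` on the context line looks like a typo for `"msie6"`.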
@@ -1,5 +1,6 @@
|
||||
---
|
||||
- import_tasks: deps.yml
|
||||
- import_tasks: modsec.yml
|
||||
- import_tasks: http.yml
|
||||
- import_tasks: ssl.yml
|
||||
- import_tasks: cron.yml
|
||||
|
||||
51
ansible/roles/http/tasks/modsec.yml
Normal file
51
ansible/roles/http/tasks/modsec.yml
Normal file
@@ -0,0 +1,51 @@
|
||||
---
|
||||
- name: create nginx/conf directory
|
||||
become: true
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
with_items:
|
||||
- "{{ nginx_conf_dir }}"
|
||||
- "{{ modsec_rules_dir }}"
|
||||
tags: modsec
|
||||
|
||||
- name: create modsec_includes.conf
|
||||
become: true
|
||||
copy:
|
||||
src: files/nginx/modsec_includes.conf
|
||||
dest: "{{ nginx_dir }}/modsec_includes.conf"
|
||||
mode: 0644
|
||||
notify: restart_nginx
|
||||
tags: modsec
|
||||
|
||||
- name: fetch core rule set files for mod-security
|
||||
become: true
|
||||
get_url:
|
||||
url: "{{ item.url }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
- {"url": "{{ modsec_conf_url }}",
|
||||
"dest": "{{ nginx_dir }}/modsecurity.conf"}
|
||||
- {"url": "{{ modsec_unicode_url }}",
|
||||
"dest": "{{ nginx_dir }}/unicode.mapping"}
|
||||
- {"url": "{{ crs_setup_url }}",
|
||||
"dest": "{{ nginx_conf_dir }}/crs-setup.conf"}
|
||||
- {"url": "{{ crs_before_url }}",
|
||||
"dest": "{{ modsec_crs_before_rule_conf }}"}
|
||||
- {"url": "{{ crs_after_url }}",
|
||||
"dest": "{{ modsec_crs_after_rule_conf }}"}
|
||||
notify: restart_nginx
|
||||
tags: modsec
|
||||
|
||||
- name: activate mod-security
|
||||
become: true
|
||||
lineinfile:
|
||||
path: /etc/nginx/modsecurity.conf
|
||||
regexp: '^SecRuleEngine'
|
||||
line: 'SecRuleEngine On'
|
||||
notify: restart_nginx
|
||||
tags: modsec
|
||||
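Review bot: `mode: 0644` on the two directories created by the first task leaves off the execute bit, so non-root processes cannot traverse `/etc/nginx/conf` or `conf/rules`; directories want `mode: "0755"`, and quoting the octal modes (`"0644"`) here and on the copy/get_url tasks keeps them unambiguous to the YAML parser. The `activate mod-security` task hard-codes `/etc/nginx/modsecurity.conf` where every other task uses `{{ nginx_dir }}`; use `path: "{{ nginx_dir }}/modsecurity.conf"`. The `get_url` items carry no `checksum:` and keep the default `force: no`, so each file is downloaded unverified once and never refreshed afterwards; a pinned `checksum: "sha256:..."` per item would make both properties explicit. Flipping straight to `SecRuleEngine On` skips the `DetectionOnly` bake-in that the recommended config starts from; a variable such as `modsec_rule_engine: DetectionOnly` would make the switch to blocking a deliberate change. `with_items` is the legacy spelling; `loop:` is the current form.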
@@ -10,7 +10,7 @@ server {
|
||||
add_header Strict-Transport-Security max-age=6307200;
|
||||
add_header Allow "GET, POST, HEAD" always;
|
||||
|
||||
limit_except GET POST { deny all; }
|
||||
#limit_except GET POST { deny all; }
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
|
||||
@@ -28,6 +28,9 @@ server {
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
location / {
|
||||
modsecurity on;
|
||||
modsecurity_rules_file {{ nginx_dir }}/modsec_includes.conf;
|
||||
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
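Review bot: Commenting out `limit_except GET POST { deny all; }` removes the only request-method allow-list on this server block while the `Allow` header two lines above still advertises `GET, POST, HEAD`, so the advertised policy and the enforced one now disagree and any method reaches the proxied CI server. If it was disabled to permit HEAD, that is unnecessary: nginx treats allowing GET in `limit_except` as also allowing HEAD, so the original line already passed HEAD requests. Either restore `limit_except GET POST { deny all; }` with a comment `# GET implies HEAD in limit_except` or drop the stale `Allow` header rather than leaving the two in conflict. `modsecurity on` is enabled only inside `location /`; any other location in this server block, which starts and ends outside the hunk, stays uninspected unless it is enabled at `server` level instead. Nothing else in this change enforces a method policy, since the CRS rule files that would do so are not among the fetched files.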
Binary file not shown.