CU-251akbj added graylog and additional fixes from discovered logs

2022-04-18 03:15:52 -04:00
parent f6af7e0bb1
commit 2360c82f98
27 changed files with 324 additions and 119 deletions
--- a/ansible/roles/http/templates/nginx/nginx.conf.j2
+++ b/ansible/roles/http/templates/nginx/nginx.conf.j2
@@ -0,0 +1,71 @@
+user http;
+worker_processes 1;
+
+load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
+
+error_log /var/log/nginx/error.log notice;
+error_log syslog:server=localhost:{{ syslog_udp_error }},tag=nginx,severity=info notice;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+  }
+
+  include mime.types;
+
+  default_type application/octet-stream;
+
+  log_format main '$remote_addr - $connection : $connection_requests [$time_iso8601] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+  log_format graylog_json escape=json '{ "nginx_timestamp": "[$time_iso8601]", '
+    '"remote_addr": "$remote_addr", '
+      '"connection": "$connection", '
+      '"connection_requests": $connection_requests, '
+      '"body_bytes_sent": $body_bytes_sent, '
+      '"request_length": $request_length, '
+      '"request_time": $request_time, '
+      '"response_status": $status, '
+      '"request": "$request", '
+      '"request_method": "$request_method", '
+      '"host": "$host", '
+      '"upstream_cache_status": "$upstream_cache_status", '
+      '"upstream_addr": "$upstream_addr", '
+      '"http_x_forwarded_for": "$http_x_forwarded_for", '
+      '"http_referrer": "$http_referer", '
+      '"http_user_agent": "$http_user_agent", '
+      '"http_version": "$server_protocol", '
+      '"remote_user": "$remote_user", '
+      '"http_x_forwarded_proto": "$http_x_forwarded_proto", '
+      '"upstream_response_time": "$upstream_response_time", '
+      '"nginx_access": true }';
+
+  access_log /var/log/nginx/access.log main;
+  access_log syslog:server=localhost:{{ syslog_udp_default }},tag=nginx,severity=info graylog_json;
+
+  sendfile        on;
+  server_tokens   off;
+  #tcp_nopush     on;
+
+  keepalive_timeout 65;
+
+  gzip on;
+  gzip_disable "mise6";
+  gzip_min_length 1000;
+  gzip_proxied    expired no-cache no-store private auth;
+  gzip_types      text/plain application/xml application/json application/javascript application/octet-stream text/css;
+
+  # client_body_buffer_size     1k;
+  # client_header_buffer_size   1k;
+  # client_max_body_size        2k;
+  # large_client_header_buffers 2 1k;
+
+  limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
+
+  include /etc/nginx/sites-enabled/*.conf;
+}
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -2,6 +2,11 @@ upstream drone {
  server 127.0.0.1:8080;
 }

+geo $local_access {
+  default 0;
+  192.168.1.1 1;
+}
+
 server {
  modsecurity on;
  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
@@ -24,7 +29,12 @@ server {
  ssl_stapling              on;
  ssl_stapling_verify       on;

+  resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
  location / {
+    if ($local_access = 1) {
+      access_log off;
+    }
    add_header Allow                     "GET, POST, HEAD"                                                                                                                                                                        always;
    add_header Content-Security-Policy   "default-src 'self'; img-src 'self' https://*.githubusercontent.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
    add_header Referrer-Policy           "same-origin"                                                                                                                                                                            always;
--- a/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
@@ -0,0 +1,32 @@
+upstream graylog {
+  server localhost:{{ graylog_port }};
+}
+
+geo $local_access {
+  default 0;
+  192.168.1.0/24 1;
+}
+
+server {
+  modsecurity on;
+  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
+  listen 80;
+  server_name {{ logs_server_name }};
+
+  location / {
+    if ($local_access = 1) {
+      access_log off;
+    }
+    allow 192.168.1.0/24;
+    allow 127.0.0.1;
+    deny all;
+
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Upgrade         $http_upgrade;
+    proxy_set_header Connection      $connection_upgrade;
+
+    proxy_buffering off;
+    proxy_pass http://graylog;
+  }
+}
--- a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
@@ -11,6 +11,8 @@ server {
  modsecurity on;
  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;

+  resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name {{ parts_server_name }};
--- a/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -12,7 +12,7 @@ server {
 	listen [::]:80;

 	root /srv/http/pihole;
-	server_name pi.bdebyl.net;
+	server_name {{ pi_server_name }};
 	autoindex off;

 	proxy_intercept_errors on;
@@ -21,6 +21,7 @@ server {
 	index pihole/index.php index.php index.html index.htm;

 	allow 192.168.1.0/24;
+	allow 127.0.0.1;
 	deny all;

 	location / {