improved core rule set for modsec adjustment, wiki page fixes

2022-07-19 18:42:03 -04:00
parent a916194a9d
commit 7727897835
5 changed files with 28 additions and 6 deletions
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -112,7 +112,7 @@ crs_rule_links:
  - name: REQUEST-944-APPLICATION-ATTACK-JAVA
    enabled: true
  - name: REQUEST-949-BLOCKING-EVALUATION
-    enabled: true
+    enabled: false
  - name: RESPONSE-950-DATA-LEAKAGES
    enabled: true
  - name: RESPONSE-951-DATA-LEAKAGES-SQL
--- a/ansible/roles/podman/tasks/configuration-nginx-modsec.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-modsec.yml
@@ -48,7 +48,9 @@
    mode: 0644
    remote_src: true
  loop: "{{ modsec_conf_links }}"
-  notify: restorecon podman
+  notify:
+    - restorecon podman
+    - restart nginx
  tags: modsec

 - name: setup coreruleset rules
@@ -63,7 +65,23 @@
    remote_src: true
  when: item.enabled
  loop: "{{ crs_rule_links }}"
-  notify: restorecon podman
+  notify:
+    - restorecon podman
+    - restart nginx
+  tags:
+    - modsec
+    - modsec_rules
+
+- name: removed disabled coreruleset rules
+  become: true
+  ansible.builtin.file:
+    path: "{{ modsec_rules_path }}/{{ item.name }}.conf"
+    state: absent
+  when: not item.enabled
+  loop: "{{ crs_rule_links }}"
+  notify:
+    - restorecon podman
+    - restart nginx
  tags:
    - modsec
    - modsec_rules
@@ -79,7 +97,9 @@
    mode: 0644
    remote_src: true
  loop: "{{ crs_data_links }}"
-  notify: restorecon podman
+  notify:
+    - restorecon podman
+    - restart nginx
  tags:
    - modsec
    - modsec_rules
--- a/ansible/roles/podman/tasks/container-bookstack.yml
+++ b/ansible/roles/podman/tasks/container-bookstack.yml
@@ -60,7 +60,7 @@
  containers.podman.podman_container:
    name: bookstack
    image: docker.io/solidnerd/bookstack:22.04
-    recreate: false
+    recreate: true
    restart: false
    restart_policy: on-failure
    log_driver: journald
--- a/ansible/roles/podman/tasks/podman.yml
+++ b/ansible/roles/podman/tasks/podman.yml
@@ -85,6 +85,8 @@
  become_user: "{{ podman_user }}"
  containers.podman.podman_network:
    name: shared
+    internal: false
+    disable_dns: false
  tags: podman

 - name: allow unprivileged ports to lower number
--- a/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2
@@ -6,7 +6,7 @@ server {
  modsecurity on;
  modsecurity_rules_file /etc/nginx/modsec_includes.conf;

-  resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+  resolver 9.9.9.9 valid=60s;

  listen 443 ssl http2;
  server_name {{ bookstack_server_name }};