moved nginx, graylog to podman

2022-05-01 03:31:16 -04:00
parent 8e373896a6
commit c5bc5a91ac
49 changed files with 2556 additions and 580 deletions
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -1,7 +1,148 @@
 ---
 drone_path: "{{ podman_volumes }}/drone"
+graylog_path: "{{ podman_volumes }}/graylog"
 hass_path: "{{ podman_volumes }}/hass"
+nginx_path: "{{ podman_volumes }}/nginx"
 partkeepr_path: "{{ podman_volumes }}/partkeepr"

 drone_server_proto: "https"
 drone_runner_capacity: "4"
+
+# nginx and modsec configuration
+ci_server_name: ci.bdebyl.net
+pi_server_name: pi.bdebyl.net
+assistant_server_name: assistant.bdebyl.net
+home_server_name: home.bdebyl.net
+parts_server_name: parts.bdebyl.net
+video_server_name: video.bdebyl.net
+logs_server_name: logs.bdebyl.net
+
+nginx_conf_path: "{{ nginx_path }}/etc/conf"
+modsec_log_path: /var/log/nginx/modsec_audit.log
+modsec_rules_path: "{{ nginx_conf_path }}/rules"
+modsec_crs_before_rule_conf: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
+
+install_path: /usr/share
+modsec_path: "{{ install_path }}/modsecurity"
+crs_path: "{{ install_path }}/coreruleset"
+crs_rules_path: "{{ crs_path }}/rules"
+
+modsec_whitelist_local_re: >-
+  ^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$
+
+modsec_whitelist_local: >-
+  SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24"
+  "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"
+
+modsec_git_urls:
+  - src: "https://github.com/coreruleset/coreruleset.git"
+    dest: "{{ crs_path }}"
+    ver: "v3.3.2"
+  - src: "https://github.com/SpiderLabs/ModSecurity.git"
+    dest: "{{ modsec_path }}"
+    ver: "v3.0.6"
+
+modsec_conf_replaces:
+  - regex: "^SecRuleEngine"
+    line: "SecRuleEngine On"
+  - regex: "^SecAuditLog"
+    line: "SecAuditLog {{ modsec_log_path }}"
+
+modsec_conf_links:
+  - src: "{{ modsec_path }}/modsecurity.conf-recommended"
+    dest: "{{ nginx_path }}/etc/modsecurity.conf"
+  - src: "{{ modsec_path }}/unicode.mapping"
+    dest: "{{ nginx_path }}/etc/unicode.mapping"
+  - src: "{{ crs_path }}/crs-setup.conf.example"
+    dest: "{{ nginx_conf_path }}/crs-setup.conf"
+  - src: "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"
+    dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+  - src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example"
+    dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
+
+crs_rule_links:
+  - name: REQUEST-901-INITIALIZATION
+    enabled: true
+  - name: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9005-CPANEL-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9006-XENFORO-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-905-COMMON-EXCEPTIONS
+    enabled: true
+  - name: REQUEST-910-IP-REPUTATION
+    enabled: true
+  - name: REQUEST-911-METHOD-ENFORCEMENT
+    enabled: true
+  - name: REQUEST-912-DOS-PROTECTION
+    enabled: true
+  - name: REQUEST-913-SCANNER-DETECTION
+    enabled: true
+  - name: REQUEST-920-PROTOCOL-ENFORCEMENT
+    enabled: true
+  - name: REQUEST-921-PROTOCOL-ATTACK
+    enabled: true
+  - name: REQUEST-930-APPLICATION-ATTACK-LFI
+    enabled: true
+  - name: REQUEST-931-APPLICATION-ATTACK-RFI
+    enabled: true
+  - name: REQUEST-932-APPLICATION-ATTACK-RCE
+    enabled: true
+  - name: REQUEST-933-APPLICATION-ATTACK-PHP
+    enabled: true
+  - name: REQUEST-934-APPLICATION-ATTACK-NODEJS
+    enabled: true
+  - name: REQUEST-941-APPLICATION-ATTACK-XSS
+    enabled: true
+  - name: REQUEST-942-APPLICATION-ATTACK-SQLI
+    enabled: true
+  - name: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
+    enabled: true
+  - name: REQUEST-944-APPLICATION-ATTACK-JAVA
+    enabled: true
+  - name: REQUEST-949-BLOCKING-EVALUATION
+    enabled: true
+  - name: RESPONSE-950-DATA-LEAKAGES
+    enabled: true
+  - name: RESPONSE-951-DATA-LEAKAGES-SQL
+    enabled: true
+  - name: RESPONSE-952-DATA-LEAKAGES-JAVA
+    enabled: true
+  - name: RESPONSE-953-DATA-LEAKAGES-PHP
+    enabled: true
+  - name: RESPONSE-954-DATA-LEAKAGES-IIS
+    enabled: true
+  - name: RESPONSE-959-BLOCKING-EVALUATION
+    enabled: true
+  - name: RESPONSE-980-CORRELATION
+    enabled: true
+
+crs_data_links:
+  - crawlers-user-agents
+  - iis-errors
+  - java-classes
+  - java-code-leakages
+  - java-errors
+  - lfi-os-files
+  - php-config-directives
+  - php-errors
+  - php-function-names-933150
+  - php-function-names-933151
+  - php-variables
+  - restricted-files
+  - restricted-upload
+  - scanners-headers
+  - scanners-urls
+  - scanners-user-agents
+  - scripting-user-agents
+  - sql-errors
+  - unix-shell
+  - windows-powershell-commands