bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
798c3bbb8055dbe4a071732170f5f48ea57dc12c
deploy_home/ansible/roles/http/tasks/modsec.yml
Bastian de Byl 798c3bbb80 CU-cyk0dp Added more rules to modsecurity
2020-09-30 22:58:33 -04:00

99 lines
2.4 KiB
YAML
Raw Blame History

---
- name: create nginx/conf directory
become: true
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0644
with_items:
- "{{ nginx_conf_path }}"
- "{{ modsec_rules_path }}"
tags: modsec
- name: create modsec_includes.conf
become: true
copy:
src: files/nginx/modsec_includes.conf
dest: "{{ nginx_path }}/modsec_includes.conf"
mode: 0644
notify: restart_nginx
tags: modsec
- name: clone coreruleset and modsecurity
become: true
git:
repo: "{{ item.src }}"
dest: "{{ item.dest }}"
update: false
version: "{{ item.ver }}"
with_items: "{{ modsec_git_urls }}"
notify: restart_nginx
tags: modsec
- name: setup modsec and coreruleset configs
become: true
file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
state: link
force: true
mode: 0644
with_items: "{{ modsec_conf_links }}"
notify: restart_nginx
tags: modsec
- name: setup coreruleset rules
become: true
file:
src: "{{ crs_rules_path }}/{{ item.name }}.conf"
dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
state: "{{ item.enabled | ternary('link', 'absent') }}"
force: true
mode: 0644
with_items: "{{ crs_rule_links }}"
notify: restart_nginx
tags: modsec, modsec_rules
- name: setup coreruleset data
become: true
file:
src: "{{ crs_rules_path }}/{{ item }}.data"
dest: "{{ modsec_rules_path }}/{{ item }}.data"
state: link
force: true
mode: 0644
with_items: "{{ crs_data_links }}"
notify: restart_nginx
tags: modsec, modsec_rules
# name: fetch core rule set files for mod-security
# become: true
# get_url:
# url: "{{ item.url }}"
# dest: "{{ item.dest }}"
# mode: 0644
# with_items:
# - {"url": "{{ modsec_conf_url }}",
# "dest": "{{ nginx_path }}/modsecurity.conf"}
# - {"url": "{{ modsec_unicode_url }}",
# "dest": "{{ nginx_path }}/unicode.mapping"}
# - {"url": "{{ crs_setup_url }}",
# "dest": "{{ nginx_conf_path }}/crs-setup.conf"}
# - {"url": "{{ crs_before_url }}",
# "dest": "{{ modsec_crs_before_rule_conf }}"}
# - {"url": "{{ crs_after_url }}",
# "dest": "{{ modsec_crs_after_rule_conf }}"}
# notify: restart_nginx
# tags: modsec
- name: activate mod-security
become: true
lineinfile:
path: /etc/nginx/modsecurity.conf
regexp: '^SecRuleEngine'
line: 'SecRuleEngine On'
notify: restart_nginx
tags: modsec
Reference in New Issue View Git Blame Copy Permalink