bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c89079b8105dfa50cb413f7f76d2f87c388d7f72
deploy_home/ansible/roles/http/tasks/modsec.yml
Bastian de Byl c89079b810 ansible_fixes Replaced 'with_items' with 'loop'
2020-10-02 22:31:52 -04:00

89 lines
2.0 KiB
YAML
Raw Blame History

---
- name: create nginx/conf directory
become: true
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0644
loop:
- "{{ nginx_conf_path }}"
- "{{ modsec_rules_path }}"
tags: modsec
- name: create modsec_includes.conf
become: true
copy:
src: files/nginx/modsec_includes.conf
dest: "{{ nginx_path }}/modsec_includes.conf"
mode: 0644
notify: restart_nginx
tags: modsec
- name: clone coreruleset and modsecurity
become: true
git:
repo: "{{ item.src }}"
dest: "{{ item.dest }}"
update: false
version: "{{ item.ver }}"
loop: "{{ modsec_git_urls }}"
notify: restart_nginx
tags: modsec
- name: setup modsec and coreruleset configs
become: true
file:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
state: link
force: true
mode: 0644
loop: "{{ modsec_conf_links }}"
notify: restart_nginx
tags: modsec
- name: setup coreruleset rules
become: true
file:
src: "{{ crs_rules_path }}/{{ item.name }}.conf"
dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
state: "{{ item.enabled | ternary('link', 'absent') }}"
force: true
mode: 0644
loop: "{{ crs_rule_links }}"
notify: restart_nginx
tags: modsec, modsec_rules
- name: setup coreruleset data
become: true
file:
src: "{{ crs_rules_path }}/{{ item }}.data"
dest: "{{ modsec_rules_path }}/{{ item }}.data"
state: link
force: true
mode: 0644
loop: "{{ crs_data_links }}"
notify: restart_nginx
tags: modsec, modsec_rules
- name: whitelist local ip addresses
become: true
lineinfile:
path: "{{ nginx_path }}/modsecurity.conf"
regexp: "{{ modsec_whitelist_local_re }}"
line: "{{ modsec_whitelist_local }}"
mode: 0644
notify: restart_nginx
tags: modsec, modsec_rules, modsec_whitelist
- name: activate mod-security
become: true
lineinfile:
path: /etc/nginx/modsecurity.conf
regexp: '^SecRuleEngine'
line: 'SecRuleEngine On'
notify: restart_nginx
tags: modsec
Reference in New Issue View Git Blame Copy Permalink