diff --git a/app/scripts/ansible/roles/nginx_common/templates/nginx.conf.j2 b/app/scripts/ansible/roles/nginx_common/templates/nginx.conf.j2 index 2c7f6f09..935ba0e4 100644 --- a/app/scripts/ansible/roles/nginx_common/templates/nginx.conf.j2 +++ b/app/scripts/ansible/roles/nginx_common/templates/nginx.conf.j2 @@ -4,7 +4,10 @@ worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; - +{% if ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS' %} +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; +{% endif %} events { worker_connections 1021; } diff --git a/app/scripts/ansible/roles/waf/tasks/main.yml b/app/scripts/ansible/roles/waf/tasks/main.yml index a62e0bbe..de985e25 100644 --- a/app/scripts/ansible/roles/waf/tasks/main.yml +++ b/app/scripts/ansible/roles/waf/tasks/main.yml @@ -78,6 +78,7 @@ - libtool - make - gcc-c++ + - git state: latest when: - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS' @@ -101,6 +102,7 @@ - automake - g++ - make + - git state: present when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'Ubuntu' environment: @@ -129,7 +131,7 @@ - name: Set ModSec src foleder set_fact: - mod_sec_src: /tmp/modsecurity-{{ modsec_ver }} + mod_sec_src: /tmp/modsecurity/modsecurity-{{ modsec_ver }} - name: Re configure Modsecurity become: true @@ -160,11 +162,6 @@ - standalone/ - apache2/ - - name: Install git - package: - name: git - state: present - - name: Git clone spoa-modsecurity command: chdir=/tmp/ git clone https://github.com/haproxy/spoa-modsecurity.git 
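Review bot: In the `nginx.conf.j2` hunk, `include /usr/share/nginx/modules/*.conf;` makes the templated config load every dynamic module whose stub file is present in that directory, so the code running inside nginx is decided by whichever packages are installed on the host rather than by this role. If the role only needs specific modules, including just those stubs keeps the loaded surface reviewable; otherwise the comment should say which module requires the include. Separately, the `== 'CentOS'` half of the condition never matches, because Ansible reports `os_family` as `RedHat` on CentOS, so `{% if ansible_facts['os_family'] == "RedHat" %}` is enough.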
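Review bot: In the `@@ -129,7 +131,7 @@` hunk of `roles/waf/tasks/main.yml`, `mod_sec_src` now points at `/tmp/modsecurity/modsecurity-{{ modsec_ver }}`, a fixed name under the world-writable `/tmp`, and the next task (`Re configure Modsecurity`) runs with `become: true`. On a multi-user host another local account can create that path before the play runs, so the privileged build would work on files the role does not control. A directory created with `ansible.builtin.tempfile` and `state: directory`, or a root-owned location such as `/usr/local/src`, avoids this. The same applies to the `/tmp/owasp-modsecurity-crs-2.2.9/...` sources in the `@@ -265,12 +262,10 @@` and `@@ -278,7 +273,7 @@` hunks. The tasks that download and unpack the archive are outside this hunk.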
@@ -265,12 +262,10 @@ - name: Copy owasp files copy: - src: "/tmp/owasp-modsecurity-crs-2.2.9/{{ item }}" - dest: /tmp/owasp-modsecurity-crs-2.2.9 + src: "/tmp/owasp-modsecurity-crs-2.2.9/owasp-modsecurity-crs-2.2.9/{{ item }}" + dest: "{{ HAPROXY_PATH }}/waf/rules" remote_src: yes with_items: - - owasp-modsecurity-crs-2.2.9/ - - activated_rules/ - base_rules/ - experimental_rules/ - optional_rules/ @@ -278,7 +273,7 @@ - name: Copy Modsec crs conf file copy: - src: /tmp/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example + src: /tmp/owasp-modsecurity-crs-2.2.9/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example dest: "{{ HAPROXY_PATH }}/waf/rules/modsecurity_crs_10_setup.conf" remote_src: true @@ -346,7 +341,7 @@ state: absent with_items: - /tmp/modsecurity.tar.gz - - "/tmp/modsecurity-{{ modsec_ver }}" + - "{{ mod_sec_dir }}" - "/tmp/haproxy-{{ VERSION }}" - /tmp/owasp.tar.gz - /tmp/owasp-modsecurity-crs-2.2.9 diff --git a/app/scripts/ansible/roles/waf_nginx/tasks/main.yml b/app/scripts/ansible/roles/waf_nginx/tasks/main.yml index 53afd46c..9a18160e 100644 --- a/app/scripts/ansible/roles/waf_nginx/tasks/main.yml +++ b/app/scripts/ansible/roles/waf_nginx/tasks/main.yml @@ -5,8 +5,6 @@ set_fact: ansible_port: "{{SSH_PORT}}" -# - debug: msg="{{ ansible_facts }}" - - name: Check that WAF has been installed stat: path: "{{ NGINX_PATH }}/waf/modsecurity.conf" @@ -53,6 +51,7 @@ - libevent-dev - libpcre3-dev - libxml2-dev + - libssl-dev - gcc - libpcre3-dev - libcurl4-nss-dev @@ -62,11 +61,8 @@ - autoconf - g++ - make - - openssl-dev - libxslt-dev - - gd-dev - perl-modules - - libmodsecurity3 - libgeoip-dev - libfuzzy2 state: present 
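Review bot: The `Copy owasp files` task in the `@@ -265,12 +262,10 @@` hunk now writes into `{{ HAPROXY_PATH }}/waf/rules`, which appears to be the rule directory the WAF reads, but sets no `owner`, `group` or `mode`, so permissions are left to the unpacked archive and the remote umask. For files that decide what the WAF blocks it is worth pinning them, for example `owner: root`, `group: root`, `mode: "0644"`. Copying `experimental_rules/` and `optional_rules/` into the same directory as `base_rules/` may also activate all of them, depending on how `modsecurity.conf` includes that directory, which is not visible here. As a style point, `remote_src: yes` should be `remote_src: true` to match the next task. The `with_items` list continues past the end of the hunk.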
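Review bot: In the `@@ -346,7 +341,7 @@` hunk the cleanup list now removes `{{ mod_sec_dir }}`, but the fact set earlier in this diff is named `mod_sec_src`, and no definition of `mod_sec_dir` is visible. If it is undefined the task fails on templating; if it is defined elsewhere, confirm that it resolves under the new `/tmp/modsecurity` staging directory, since this is a `state: absent` removal on a variable path. Listing the parent explicitly, `- /tmp/modsecurity`, would also clear the extra directory level this commit introduces. The task header is outside the hunk.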
@@ -79,8 +75,6 @@ ansible.builtin.get_url: url: "http://repo.roxy-wi.org/modsec/modsecv3.0.7-{{ ansible_facts.distribution | lower }}{{ ansible_facts.distribution_major_version }}.tar.gz" dest: /usr/local/modsecv3.tar.gz - when: - - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS' - name: Untar ModSec unarchive: @@ -221,4 +215,4 @@ - /tmp/nginx-connector - /tmp/OWASP.tar.gz - /usr/local/modsecv3.tar.gz -# - "/tmp/coreruleset-{{ coreruleset_ver }}" + - "/tmp/coreruleset-{{ coreruleset_ver }}"
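Review bot: Dropping the `when:` from the `get_url` task in the `@@ -79,8 +75,6 @@` hunk means every OS family now fetches the prebuilt ModSecurity tarball over plain `http://` with no `checksum:`, and the following `Untar ModSec` task presumably unpacks it from `/usr/local/modsecv3.tar.gz`. Nothing ties the downloaded file to a known build, so a modified archive on the network path or on the mirror would be installed as-is. Adding `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder; one value per distribution archive) and switching to an `https://` URL if the repository serves one would address this. It is also worth confirming that the repository publishes an archive for each Debian/Ubuntu name the URL template now produces.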