From 3a3994db4860c32e0efd0d8167b84fc155bf3d4a Mon Sep 17 00:00:00 2001
From: Pavel Loginov
Date: Tue, 2 Aug 2022 16:38:37 +0300
Subject: [PATCH] v6.1.3.0 Change log: https://roxy-wi.org/changelog.py#6_1_3
---
.../nginx_common/templates/nginx.conf.j2 | 5 ++++-
app/scripts/ansible/roles/waf/tasks/main.yml | 19 +++++++------------
.../ansible/roles/waf_nginx/tasks/main.yml | 10 ++--------
3 files changed, 13 insertions(+), 21 deletions(-)
diff --git a/app/scripts/ansible/roles/nginx_common/templates/nginx.conf.j2 b/app/scripts/ansible/roles/nginx_common/templates/nginx.conf.j2
index 2c7f6f0..935ba0e 100644
--- a/app/scripts/ansible/roles/nginx_common/templates/nginx.conf.j2
+++ b/app/scripts/ansible/roles/nginx_common/templates/nginx.conf.j2
@@ -4,7 +4,10 @@ worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; - +{% if ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS' %} +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; +{% endif %} events { worker_connections 1021; }
diff --git a/app/scripts/ansible/roles/waf/tasks/main.yml b/app/scripts/ansible/roles/waf/tasks/main.yml
index a62e0bb..de985e2 100644
--- a/app/scripts/ansible/roles/waf/tasks/main.yml
+++ b/app/scripts/ansible/roles/waf/tasks/main.yml
@@ -78,6 +78,7 @@ - libtool - make - gcc-c++ + - git state: latest when: - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS'
@@ -101,6 +102,7 @@ - automake - g++ - make + - git state: present when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'Ubuntu' environment:
@@ -129,7 +131,7 @@ - name: Set ModSec src foleder set_fact: - mod_sec_src: /tmp/modsecurity-{{ modsec_ver }} + mod_sec_src: /tmp/modsecurity/modsecurity-{{ modsec_ver }} - name: Re configure Modsecurity become: true
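Review bot: In `nginx.conf.j2`, the second half of the new condition, `ansible_facts['os_family'] == 'CentOS'`, looks like a dead branch, because Ansible reports CentOS hosts with `os_family` set to `RedHat`; `{% if ansible_facts['os_family'] == "RedHat" %}` should be enough. The added `include /usr/share/nginx/modules/*.conf;` loads every module configuration present in that directory, not only the one the WAF role needs, so anything another package drops there becomes part of the running server. A comment above the include naming the module this role depends on, for example `# Needed for the ModSecurity dynamic module installed by the waf_nginx role` (wording to be confirmed against the role), would make that scope visible to the next reader.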
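Review bot: In `roles/waf/tasks/main.yml`, the new `mod_sec_src: /tmp/modsecurity/modsecurity-{{ modsec_ver }}` still stages the ModSecurity source under a fixed, predictable path in world-writable `/tmp`, and the next task, `Re configure Modsecurity`, runs with `become: true`. On a host with other local accounts, whoever can pre-create `/tmp/modsecurity` can influence what is configured and built as root. I would create a private staging directory with `ansible.builtin.tempfile` and derive `mod_sec_src` from its registered path, as sketched below; the task that unpacks the archive is outside this hunk and would need the same path. The same staging pattern applies to the `/tmp/owasp-modsecurity-crs-2.2.9/...` sources in the `Copy owasp files` and `Copy Modsec crs conf file` hunks. The task name also carries a typo (`foleder`).

```yaml
- name: Create private ModSec staging directory
  ansible.builtin.tempfile:
    state: directory
    prefix: modsecurity.
  register: mod_sec_stage

- name: Set ModSec src foleder
  set_fact:
    mod_sec_src: "{{ mod_sec_stage.path }}/modsecurity-{{ modsec_ver }}"
# … unchanged: Re configure Modsecurity …
```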
@@ -160,11 +162,6 @@ - standalone/ - apache2/ - - name: Install git - package: - name: git - state: present - - name: Git clone spoa-modsecurity command: chdir=/tmp/ git clone https://github.com/haproxy/spoa-modsecurity.git
@@ -265,12 +262,10 @@ - name: Copy owasp files copy: - src: "/tmp/owasp-modsecurity-crs-2.2.9/{{ item }}" - dest: /tmp/owasp-modsecurity-crs-2.2.9 + src: "/tmp/owasp-modsecurity-crs-2.2.9/owasp-modsecurity-crs-2.2.9/{{ item }}" + dest: "{{ HAPROXY_PATH }}/waf/rules" remote_src: yes with_items: - - owasp-modsecurity-crs-2.2.9/ - - activated_rules/ - base_rules/ - experimental_rules/ - optional_rules/
@@ -278,7 +273,7 @@ - name: Copy Modsec crs conf file copy: - src: /tmp/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example + src: /tmp/owasp-modsecurity-crs-2.2.9/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example dest: "{{ HAPROXY_PATH }}/waf/rules/modsecurity_crs_10_setup.conf" remote_src: true
@@ -346,7 +341,7 @@ state: absent with_items: - /tmp/modsecurity.tar.gz - "/tmp/modsecurity-{{ modsec_ver }}" + - "{{ mod_sec_dir }}" - "/tmp/haproxy-{{ VERSION }}" - /tmp/owasp.tar.gz - /tmp/owasp-modsecurity-crs-2.2.9
diff --git a/app/scripts/ansible/roles/waf_nginx/tasks/main.yml b/app/scripts/ansible/roles/waf_nginx/tasks/main.yml
index 53afd46..9a18160 100644
--- a/app/scripts/ansible/roles/waf_nginx/tasks/main.yml
+++ b/app/scripts/ansible/roles/waf_nginx/tasks/main.yml
@@ -5,8 +5,6 @@ set_fact: ansible_port: "{{SSH_PORT}}" -# - debug: msg="{{ ansible_facts }}" - - name: Check that WAF has been installed stat: path: "{{ NGINX_PATH }}/waf/modsecurity.conf"
@@ -53,6 +51,7 @@ - libevent-dev - libpcre3-dev - libxml2-dev + - libssl-dev - gcc - libpcre3-dev - libcurl4-nss-dev
@@ -62,11 +61,8 @@ - autoconf - g++ - make - openssl-dev - libxslt-dev - gd-dev - perl-modules - libmodsecurity3 - libgeoip-dev - libfuzzy2 state: present
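Review bot: In the `Copy owasp files` task, the new `dest: "{{ HAPROXY_PATH }}/waf/rules"` writes the rule set into the live WAF directory without `owner`, `group` or `mode`, so the files inherit whatever the `/tmp` source tree and the remote umask produce. Since these files decide what the WAF blocks, I would pin them, for example `owner: root`, `group: root`, `mode: "0644"` (adjusted to the account the WAF process runs as). Because every `with_items` entry ends in `/`, `copy` places the contents of each rule directory directly into `waf/rules`, which merges `base_rules/`, `experimental_rules/` and `optional_rules/` into one directory. If that is intended, a short comment on the task should say so, and it is worth confirming that nothing still expects the removed `activated_rules/` entry. `remote_src: yes` could become `remote_src: true` to match the following task; the `with_items` list continues past the end of the hunk.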
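Review bot: The cleanup list in `roles/waf/tasks/main.yml` now removes `"{{ mod_sec_dir }}"`, but the fact set earlier in this diff is `mod_sec_src`, and no definition of `mod_sec_dir` is visible in any hunk. If it comes from role defaults or vars this is fine; if not, the task fails on an undefined variable and the new `/tmp/modsecurity` tree is left behind. Because this task deletes paths with `state: absent`, I would either list the directory literally, `- /tmp/modsecurity`, or add a comment beside the entry naming where `mod_sec_dir` is defined. The task header is outside the hunk.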
@@ -79,8 +75,6 @@ ansible.builtin.get_url: url: "http://repo.roxy-wi.org/modsec/modsecv3.0.7-{{ ansible_facts.distribution | lower }}{{ ansible_facts.distribution_major_version }}.tar.gz" dest: /usr/local/modsecv3.tar.gz - when: - - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS' - name: Untar ModSec unarchive:
@@ -221,4 +215,4 @@ - /tmp/nginx-connector - /tmp/OWASP.tar.gz - /usr/local/modsecv3.tar.gz -# - "/tmp/coreruleset-{{ coreruleset_ver }}" + - "/tmp/coreruleset-{{ coreruleset_ver }}"
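Review bot: With the `when:` guard removed, the `get_url` task in `roles/waf_nginx/tasks/main.yml` now fetches the `modsecv3.0.7-…` tarball on every OS family, still over plain `http://` and without a `checksum`, and the following `Untar ModSec` task unpacks it. Nothing in the task verifies that the archive written to `/usr/local/modsecv3.tar.gz` is the one the project published, so integrity rests entirely on the network path. Switch the URL to `https://` if the repository serves it, add `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"` per distribution, and set an explicit `mode: "0644"` on the download. It is also worth confirming that a tarball exists for each `distribution`/`distribution_major_version` pair now that Debian-family hosts reach this task. The task's `name:` line and the body of `Untar ModSec` lie outside the hunk.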