--- - name: Installing WAF block: - name: Set SSH port set_fact: ansible_port: "{{SSH_PORT}}" - name: Check that WAF has been installed stat: path: "{{ NGINX_PATH }}/waf/modsecurity.conf" register: stat_result - name: Fail if has been installed fail: msg="info NGINX WAF has already installed" when: stat_result.stat.exists - name: install the common RPMS for NGINX yum: name: - libtool - libxml2-devel - gcc - curl-devel - pcre-devel - automake - autoconf - libevent-devel - libtool - make - gcc-c++ - git - redhat-rpm-config - openssl-devel - libxslt-devel - gd-devel - perl-ExtUtils-Embed - GeoIP-devel - ssdeep-devel state: latest when: - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS' environment: http_proxy: "{{PROXY}}" https_proxy: "{{PROXY}}" - name: Install needed packages apt: name: - libtool - libevent-dev - libxml2-dev - libssl-dev - gcc - libpcre3 - libpcre3-dev - libcurl4-nss-dev - libyajl-dev - libxml2 - automake - autoconf - g++ - make - libxslt-dev - perl-modules - libgeoip-dev - libfuzzy2 - git - zlib1g - zlib1g-dev state: present when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'Ubuntu' environment: http_proxy: "{{PROXY}}" https_proxy: "{{PROXY}}" - name: Download ModSec ansible.builtin.get_url: url: "http://repo.roxy-wi.org/modsec/modsecv3.0.7-{{ ansible_facts.distribution | lower }}{{ ansible_facts.distribution_major_version }}.tar.gz" dest: /usr/local/modsecv3.tar.gz - name: Untar ModSec unarchive: src: /usr/local/modsecv3.tar.gz dest: /usr/local/ remote_src: true - name: Get NGINX version shell: /usr/sbin/nginx -v register: nginx_version - name: Get NGINX parameters shell: /usr/sbin/nginx -V 2>&1 |grep configu |awk -F":" '{print $2}' register: nginx_params - name: Clone NGINX connector shell: git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /tmp/nginx-connector - name: Download NGINX ansible.builtin.get_url: url: "http://nginx.org/download/nginx-{{ nginx_version.stderr.split('/')[1] }}.tar.gz" dest: /tmp/nginx_src.tar.gz - name: Create nginx_src directory become: false file: path: /tmp/nginx_src/ state: directory - name: Untar NGINX become: false unarchive: src: /tmp/nginx_src.tar.gz dest: /tmp/nginx_src/ remote_src: true - name: Configure NGINX become: true command: "chdir=/tmp/nginx_src/nginx-{{ nginx_version.stderr.split('/')[1] }} ./configure {{ nginx_params.stdout }} --add-dynamic-module=../../nginx-connector" environment: CFLAGS: -Wno-error - name: Make NGINX modules become: true command: "chdir=/tmp/nginx_src/nginx-{{ nginx_version.stderr.split('/')[1] }} make modules" - name: Copy module for CentOS become: true command: "chdir=/tmp/nginx_src/nginx-{{ nginx_version.stderr.split('/')[1] }} cp objs/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/" when: - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS' - name: Copy module for Ubuntu become: true command: "chdir=/tmp/nginx_src/nginx-{{ nginx_version.stderr.split('/')[1] }} cp objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules/" when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'Ubuntu' - name: Create modules directory become: true file: path: /usr/share/nginx/modules/ state: directory - name: Enable module for Centos become: true shell: echo 'load_module "modules/ngx_http_modsecurity_module.so";' > /usr/share/nginx/modules/mod-waf-connector.conf when: - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == 'CentOS' - name: Enable module for Ubuntu lineinfile: path: "{{ NGINX_PATH }}/nginx.conf" line: load_module modules/ngx_http_modsecurity_module.so; insertbefore: BOF when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'Ubuntu' - name: Create WAF directory become: false file: path: "{{ NGINX_PATH }}/waf/" state: directory - name: Create WAF rules directory become: false file: path: "{{ NGINX_PATH }}/waf/rules" state: directory - name: Download modsecurity.conf ansible.builtin.get_url: url: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended dest: "{{ NGINX_PATH }}/waf/modsecurity.conf" - name: Download unicode.mapping ansible.builtin.get_url: url: https://github.com/SpiderLabs/ModSecurity/blob/v3/master/unicode.mapping dest: "{{ NGINX_PATH }}/waf/unicode.mapping" - name: Create WAF config template: src: waf.conf.j2 dest: "{{ NGINX_PATH }}/waf/waf.conf" - name: Download OWASP rules ansible.builtin.get_url: url: "https://github.com/coreruleset/coreruleset/archive/v{{ coreruleset_ver }}.tar.gz" dest: /tmp/OWASP.tar.gz - name: Untar NGINX become: false unarchive: src: /tmp/OWASP.tar.gz dest: /tmp/ remote_src: true - name: Copy Modsec crs activated_rules files copy: src: "/tmp/coreruleset-{{ coreruleset_ver }}/rules/" dest: "{{ NGINX_PATH }}/waf/rules/" remote_src: yes - name: Copy module become: true command: "chdir=/tmp/coreruleset-{{ coreruleset_ver }} cp crs-setup.conf.example {{ NGINX_PATH }}/waf/rulescrs-setup.conf" - name: Add waf Mod on ansible.builtin.blockinfile: path: "{{ NGINX_PATH }}/nginx.conf" marker: "#-- {mark} WAF BLOCK --#" insertafter: "http {" block: | modsecurity off; modsecurity_rules_file /etc/nginx/waf/waf.conf; notify: reload NGINX always: - name: Clean up ansible.builtin.file: path: "{{ item }}" state: absent with_items: - /tmp/nginx_src/ - /tmp/nginx_src.tar.gz - /tmp/nginx-connector - /tmp/OWASP.tar.gz - /usr/local/modsecv3.tar.gz - "/tmp/coreruleset-{{ coreruleset_ver }}"