haproxy-wi/app/scripts/ansible/roles/waf_nginx/tasks/main.yml


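---
# Builds the ModSecurity v3 NGINX connector against the installed NGINX
# binary, installs the OWASP Core Rule Set and wires both into nginx.conf.
# Every install step runs inside one `block:` so the temporary build
# artefacts are removed in `always:` even when a step fails.
#
# Variables expected from the caller (not defined in this file):
#   SSH_PORT, PROXY, NGINX_PATH, coreruleset_ver.
- name: Installing WAF
  block:
    - name: Set SSH port
      ansible.builtin.set_fact:
        ansible_port: "{{ SSH_PORT }}"

    # modsecurity.conf is the "already installed" marker; the role refuses
    # to run twice rather than re-building on top of an existing install.
    - name: Check that WAF has been installed
      ansible.builtin.stat:
        path: "{{ NGINX_PATH }}/waf/modsecurity.conf"
      register: stat_result

    - name: Fail if has been installed
      ansible.builtin.fail:
        # Message kept verbatim; the leading "info " looks like a prefix the
        # caller keys on -- confirm before rewording.
        msg: "info NGINX WAF has already installed"
      when: stat_result.stat.exists

    # Build dependencies for the connector (RHEL family).  CentOS reports
    # os_family "RedHat", so the second value is redundant but harmless.
    - name: install the common RPMS for NGINX
      ansible.builtin.yum:
        name:
          - libtool
          - libxml2-devel
          - gcc
          - curl-devel
          - pcre-devel
          - automake
          - autoconf
          - libevent-devel
          - make
          - gcc-c++
          - git
          - redhat-rpm-config
          - openssl-devel
          - libxslt-devel
          - gd-devel
          - perl-ExtUtils-Embed
          - GeoIP-devel
          - ssdeep-devel
        state: latest
      when: ansible_facts['os_family'] in ['RedHat', 'CentOS']
      environment:
        http_proxy: "{{ PROXY }}"
        https_proxy: "{{ PROXY }}"

    # Build dependencies for the connector (Debian family).
    - name: Install needed packages
      ansible.builtin.apt:
        name:
          - libtool
          - libevent-dev
          - libxml2-dev
          - libssl-dev
          - gcc
          - libpcre3
          - libpcre3-dev
          - libcurl4-nss-dev
          - libyajl-dev
          - libxml2
          - automake
          - autoconf
          - g++
          - make
          - libxslt-dev
          - perl-modules
          - libgeoip-dev
          - libfuzzy2
          - git
          - zlib1g
          - zlib1g-dev
        state: present
      when: ansible_facts['os_family'] in ['Debian', 'Ubuntu']
      environment:
        http_proxy: "{{ PROXY }}"
        https_proxy: "{{ PROXY }}"

    # NOTE(security): this archive is fetched over plain HTTP with no
    # integrity check and is then extracted into /usr/local.  Once the
    # publisher provides digests add
    #   checksum: "sha256:<PUBLISHED_SHA256_PLACEHOLDER>"
    # and switch to https if the repository serves it.
    - name: Download ModSec
      ansible.builtin.get_url:
        url: "http://repo.roxy-wi.org/modsec/modsecv3.0.7-{{ ansible_facts.distribution | lower }}{{ ansible_facts.distribution_major_version }}.tar.gz"
        dest: /usr/local/modsecv3.tar.gz

    - name: Untar ModSec
      ansible.builtin.unarchive:
        src: /usr/local/modsecv3.tar.gz
        dest: /usr/local/
        remote_src: true

    # `nginx -v` writes "nginx version: nginx/X.Y.Z" to stderr.
    - name: Get NGINX version
      ansible.builtin.command: /usr/sbin/nginx -v
      register: nginx_version
      changed_when: false

    # Computed once so the version string is not re-derived in every
    # chdir/url below.
    - name: Set NGINX version fact
      ansible.builtin.set_fact:
        nginx_ver: "{{ nginx_version.stderr.split('/')[1] }}"

    # Everything after "configure arguments:" is reused verbatim so the
    # dynamic module is built with the same flags as the installed binary.
    # sed keeps the whole remainder even if a flag itself contains a colon,
    # which `awk -F:` would have truncated.
    - name: Get NGINX parameters
      ansible.builtin.shell: /usr/sbin/nginx -V 2>&1 | sed -n 's/^configure arguments://p'
      register: nginx_params
      changed_when: false

    # NOTE(security): this tracks the branch head; pin `version:` to a
    # release tag for a reproducible build.
    - name: Clone NGINX connector
      ansible.builtin.git:
        repo: https://github.com/SpiderLabs/ModSecurity-nginx.git
        dest: /tmp/nginx-connector
        depth: 1

    # Source of the exact installed version; the module must be built
    # against matching headers.  nginx.org publishes .asc signatures for
    # these tarballs if signature verification is wanted.
    - name: Download NGINX
      ansible.builtin.get_url:
        url: "https://nginx.org/download/nginx-{{ nginx_ver }}.tar.gz"
        dest: /tmp/nginx_src.tar.gz

    # NOTE(review): `become: false` is kept from the original for the next
    # two tasks; confirm the connecting user may write to /tmp/nginx_src/.
    - name: Create nginx_src directory
      become: false
      ansible.builtin.file:
        path: /tmp/nginx_src/
        state: directory

    - name: Untar NGINX
      become: false
      ansible.builtin.unarchive:
        src: /tmp/nginx_src.tar.gz
        dest: /tmp/nginx_src/
        remote_src: true

    # ../../nginx-connector resolves to /tmp/nginx-connector from the chdir.
    - name: Configure NGINX
      become: true
      ansible.builtin.command: "./configure {{ nginx_params.stdout }} --add-dynamic-module=../../nginx-connector"
      args:
        chdir: "/tmp/nginx_src/nginx-{{ nginx_ver }}"
      environment:
        CFLAGS: -Wno-error

    - name: Make NGINX modules
      become: true
      ansible.builtin.command: make modules
      args:
        chdir: "/tmp/nginx_src/nginx-{{ nginx_ver }}"

    - name: Copy module for CentOS
      become: true
      ansible.builtin.copy:
        src: "/tmp/nginx_src/nginx-{{ nginx_ver }}/objs/ngx_http_modsecurity_module.so"
        dest: /usr/lib64/nginx/modules/
        remote_src: true
        mode: "0644"
      when: ansible_facts['os_family'] in ['RedHat', 'CentOS']

    - name: Copy module for Ubuntu
      become: true
      ansible.builtin.copy:
        src: "/tmp/nginx_src/nginx-{{ nginx_ver }}/objs/ngx_http_modsecurity_module.so"
        dest: /usr/lib/nginx/modules/
        remote_src: true
        mode: "0644"
      when: ansible_facts['os_family'] in ['Debian', 'Ubuntu']

    - name: Create modules directory
      become: true
      ansible.builtin.file:
        path: /usr/share/nginx/modules/
        state: directory

    # Block scalar keeps the trailing newline the original `echo` produced.
    - name: Enable module for Centos
      become: true
      ansible.builtin.copy:
        dest: /usr/share/nginx/modules/mod-waf-connector.conf
        content: |
          load_module "modules/ngx_http_modsecurity_module.so";
      when: ansible_facts['os_family'] in ['RedHat', 'CentOS']

    - name: Enable module for Ubuntu
      ansible.builtin.lineinfile:
        path: "{{ NGINX_PATH }}/nginx.conf"
        line: load_module modules/ngx_http_modsecurity_module.so;
        insertbefore: BOF
      when: ansible_facts['os_family'] in ['Debian', 'Ubuntu']

    # NOTE(review): `become: false` kept from the original for the two WAF
    # directories; confirm the connecting user may write under NGINX_PATH.
    - name: Create WAF directory
      become: false
      ansible.builtin.file:
        path: "{{ NGINX_PATH }}/waf/"
        state: directory

    - name: Create WAF rules directory
      become: false
      ansible.builtin.file:
        path: "{{ NGINX_PATH }}/waf/rules"
        state: directory

    # NOTE(security): pulled from the moving v3/master branch; pin to a
    # release tag for reproducible configuration.
    - name: Download modsecurity.conf
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
        dest: "{{ NGINX_PATH }}/waf/modsecurity.conf"

    # Raw file host, not the github.com/.../blob/ HTML page: the previous
    # URL saved a web page into unicode.mapping.
    - name: Download unicode.mapping
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping
        dest: "{{ NGINX_PATH }}/waf/unicode.mapping"

    - name: Create WAF config
      ansible.builtin.template:
        src: waf.conf.j2
        dest: "{{ NGINX_PATH }}/waf/waf.conf"

    - name: Download OWASP rules
      ansible.builtin.get_url:
        url: "https://github.com/coreruleset/coreruleset/archive/v{{ coreruleset_ver }}.tar.gz"
        dest: /tmp/OWASP.tar.gz

    - name: Untar OWASP rules
      become: false
      ansible.builtin.unarchive:
        src: /tmp/OWASP.tar.gz
        dest: /tmp/
        remote_src: true

    - name: Copy Modsec crs activated_rules files
      ansible.builtin.copy:
        src: "/tmp/coreruleset-{{ coreruleset_ver }}/rules/"
        dest: "{{ NGINX_PATH }}/waf/rules/"
        remote_src: true

    # NOTE(review): dest "waf/rulescrs-setup.conf" looks like a typo for
    # "waf/rules/crs-setup.conf", but waf.conf.j2 (not visible here) may
    # reference this exact path -- confirm before changing it.
    - name: Copy module
      become: true
      ansible.builtin.copy:
        src: "/tmp/coreruleset-{{ coreruleset_ver }}/crs-setup.conf.example"
        dest: "{{ NGINX_PATH }}/waf/rulescrs-setup.conf"
        remote_src: true

    # Engine is added switched off; the path now follows NGINX_PATH like
    # every other task instead of a hard-coded /etc/nginx.
    - name: Add waf Mod on
      ansible.builtin.blockinfile:
        path: "{{ NGINX_PATH }}/nginx.conf"
        marker: "#-- {mark} WAF BLOCK --#"
        insertafter: "http {"
        block: |
          modsecurity off;
          modsecurity_rules_file {{ NGINX_PATH }}/waf/waf.conf;
      notify: reload NGINX

  always:
    # Remove sources, archives and the connector checkout whether or not
    # the build succeeded.
    - name: Clean up
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /tmp/nginx_src/
        - /tmp/nginx_src.tar.gz
        - /tmp/nginx-connector
        - /tmp/OWASP.tar.gz
        - /usr/local/modsecv3.tar.gz
        - "/tmp/coreruleset-{{ coreruleset_ver }}"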