diff --git a/roles/GeoIP/README.md b/roles/GeoIP/README.md
new file mode 100644
index 0000000..b888620
--- /dev/null
+++ b/roles/GeoIP/README.md
@@ -0,0 +1,30 @@
+Geolocation by IP is a methodology
+
+# Etymology
+
+GeoIP is a shortening of geolocation by IP.
+
+# Relevant Files and Software
+
+This content is derived & packed by Arch, pulling regularly from [MaxMind](https://maxmind.com).
+
+# Available Clients
+
+The Python `geoip2` library can be used with snippets like below:
+
+```
+#!/usr/bin/env python3
+
+import geoip2.database
+import sys
+
+with geoip2.database.Reader('/etc/nginx/conf/maxmind-geoip2.mmdb') as reader:
+ response = reader.country(sys.argv[1])
+ print(response.country.iso_code)
+```
+
+We also install the `geoiplookup` client from the GeoIP client.
+
+# Equivalents or Competition
+
+Whois and other tools can also provide corroboration or alternate responses for these queries.
diff --git a/roles/GeoIP/tasks/main.yml b/roles/GeoIP/tasks/main.yml
new file mode 100644
index 0000000..05d6296
--- /dev/null
+++ b/roles/GeoIP/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+
+ - name: Install components
+ become: yes
+ package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - geoip
+ - geoip-database
+ - geoip-database-extra
+ - libmaxminddb
+
+ # This is a hack while geoip-database only provides the legacy version.
+ - name: Ensure GeoIP2 database is present
+ become: yes
+ file:
+ path: /usr/share/GeoIP/GeoIP2.mmdb
+ owner: root
+ group: root
+ mode: 0755
+ state: file
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/aaa_default.conf b/roles/WebServer/files/conf.d/Yggdrasil/aaa_default.conf
index 1dd1267..8c69993 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/aaa_default.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/aaa_default.conf
@@ -1,5 +1,6 @@
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name default_server;
 include conf/sec.conf;
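Review bot: `mode: 0755` on `/usr/share/GeoIP/GeoIP2.mmdb` sets the execute bit on a data file; `mode: 0644` gives nginx the read access it needs without marking the database executable, and is the natural replacement for the `0440` the old WebServer task enforced on the previous path. `state: file` only asserts that the file exists and fixes its ownership, so the play aborts if nothing has placed the database there, and with the MaxMind-account comment dropped from roles/WebServer/tasks/main.yml in this same commit the role no longer says where the file comes from; I would extend the hack comment with `# Sourced out-of-band from a MaxMind account; state: file aborts the play if it is missing.` The README added alongside still points its `geoip2.database.Reader` example at `/etc/nginx/conf/maxmind-geoip2.mmdb`, the path this commit retires.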
@@ -7,6 +8,9 @@ server {
 include conf/letsencrypt.conf;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 location /
 {
 rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
@@ -65,7 +69,8 @@ server {
 }
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name foundation.aninix.net;
 include conf/sec.conf;
 include conf/letsencrypt.conf;
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/adhan.conf b/roles/WebServer/files/conf.d/Yggdrasil/adhan.conf
deleted file mode 100644
index f084942..0000000
--- a/roles/WebServer/files/conf.d/Yggdrasil/adhan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-server {
- listen 443 ssl http2;
- server_name adhan.aninix.net;
-
- include conf/sec.conf;
- include conf/default.csp.conf;
-
- location /
- {
- root /srv/adhan/;
- }
-}
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf b/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
index 3ba5855..ccfcbd8 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
@@ -2,6 +2,9 @@ server {
 listen 443 ssl;
 server_name cyberbrain.aninix.net;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 location ^~ /admin {
 deny all;
 }
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/graylog.conf b/roles/WebServer/files/conf.d/Yggdrasil/graylog.conf
deleted file mode 100644
index cb7e12d..0000000
--- a/roles/WebServer/files/conf.d/Yggdrasil/graylog.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-server {
- #listen 443 ssl http2;
- listen 444 ssl http2;
- server_name sharingan.aninix.net;
-
- include conf/sec.conf;
- # include conf/default.csp.conf;
-
- location /
- {
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Graylog-Server-URL https://$server_name/;
- proxy_pass http://10.0.1.5:9000;
- }
-}
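Review bot: `if ($deny) { return 503; }` is pasted by hand into each server block (here and in cyberbrain.conf, irc.conf, lykos-wiki.conf, maat.conf, password.conf, sharingan.conf, singularity.conf, travelpawscvt.com.conf and yggdrasil.conf), and sharingan.conf receives the three-line variant that superintendent.conf collapses in this same commit, so the policy is already drifting and will drift further with the next vhost. Most of these blocks already do `include conf/sec.conf;`; placing the block in one included snippet would keep the GeoIP policy uniform and give a single place to audit, leaving only deliberate exemptions in the per-vhost files. `$deny` can only be referenced here if the map defining it is loaded for every server context; an undefined variable is rejected by `nginx -t`, which the new safety task would now catch. Returning 503 rather than 403 for a policy block is also worth recording, since monitors and clients read 503 as a transient outage and retry; a one-line comment such as `# 503 (not 403) so blocked regions see a generic outage response` would capture the intent.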
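Review bot: The second server block in this hunk (`server_name foundation.aninix.net;`) gets the `listen`/`http2 on;` split but no `if ($deny) { return 503; }` within the visible lines, while the default_server block above it does; if the block really lacks one, a request that sets `$deny` is blocked on the default vhost but served on foundation. Either the GeoIP block or a comment recording that this vhost is intentionally exempt belongs after `include conf/letsencrypt.conf;`. The server block continues past the end of the hunk, so this is inferred from what is shown.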
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/irc.conf b/roles/WebServer/files/conf.d/Yggdrasil/irc.conf
index ef7a955..e23159f 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/irc.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/irc.conf
@@ -1,11 +1,15 @@
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name irc.aninix.net;
 include conf/sec.conf;
 include conf/default.csp.conf;
 include conf/letsencrypt.conf;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 location /
 {
 root /usr/share/kiwiirc;
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/lykos-wiki.conf b/roles/WebServer/files/conf.d/Yggdrasil/lykos-wiki.conf
index 4231a9d..76d4225 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/lykos-wiki.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/lykos-wiki.conf
@@ -4,6 +4,9 @@ server {
 # include conf/local.conf;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 root /usr/share/webapps/;
 client_max_body_size 5m;
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/maat.conf b/roles/WebServer/files/conf.d/Yggdrasil/maat.conf
index 65a7f7c..f70be16 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/maat.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/maat.conf
@@ -1,11 +1,15 @@
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name maat.aninix.net;
 include conf/sec.conf;
 include conf/default.csp.conf;
 include conf/letsencrypt.conf;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 location /
 {
 proxy_set_header Host $http_host;
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/password.conf b/roles/WebServer/files/conf.d/Yggdrasil/password.conf
index b216f3b..36eef77 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/password.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/password.conf
@@ -1,11 +1,15 @@
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name password.aninix.net;
 include conf/sec.conf;
 include conf/default.csp.conf;
 include conf/letsencrypt.conf;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 location /
 {
 root /usr/share/webapps/self-service-password/htdocs/;
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/sharingan.conf b/roles/WebServer/files/conf.d/Yggdrasil/sharingan.conf
index 581d8f0..b60a7a2 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/sharingan.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/sharingan.conf
@@ -1,6 +1,7 @@
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name sharingan.aninix.net;
 include conf/sec.conf;
@@ -8,6 +9,10 @@ server {
 include conf/local.conf;
 include conf/letsencrypt.conf;
+ # GeoIP block
+ if ($deny) {
+ return 503;
+ }
 location /
 {
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/singularity.conf b/roles/WebServer/files/conf.d/Yggdrasil/singularity.conf
index f62f191..55a11f9 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/singularity.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/singularity.conf
@@ -8,6 +8,9 @@ server {
 include conf.d/fastcgi.config;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 root /usr/share/webapps/tt-rss/;
 index index.php;
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/superintendent.conf b/roles/WebServer/files/conf.d/Yggdrasil/superintendent.conf
index 8995c77..36539b7 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/superintendent.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/superintendent.conf
@@ -4,7 +4,7 @@ map $http_upgrade $connection_upgrade {
 }
 server {
- #listen 443 ssl http2;
+ listen 443 ssl;
 server_name superintendent.aninix.net;
@@ -14,9 +14,7 @@ server {
 include conf/letsencrypt.conf;
 # GeoIP block
- if ($deny) {
- return 503;
- }
+ if ($deny) { return 503; }
 # Handle the location
 location /
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/travelpawscvt.com.conf b/roles/WebServer/files/conf.d/Yggdrasil/travelpawscvt.com.conf
index 4fb694f..11cf750 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/travelpawscvt.com.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/travelpawscvt.com.conf
@@ -6,6 +6,9 @@ server {
 include conf/letsencrypt.conf;
 include conf.d/fastcgi.config;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 root /opt/travelpawscvt;
 client_max_body_size 5m;
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/yggdrasil.conf b/roles/WebServer/files/conf.d/Yggdrasil/yggdrasil.conf
index 166fd36..2798b42 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/yggdrasil.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/yggdrasil.conf
@@ -1,12 +1,15 @@
 server {
- #listen 443 ssl http2;
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on;
 server_name yggdrasil.aninix.net;
 include conf/sec.conf;
 include conf/letsencrypt.conf;
 # include conf/default.csp.conf;
+ # GeoIP block
+ if ($deny) { return 503; }
+
 location /
 {
 proxy_set_header Host $http_host;
diff --git a/roles/WebServer/tasks/main.yml b/roles/WebServer/tasks/main.yml
index 6cc61b4..1c3efe2 100644
--- a/roles/WebServer/tasks/main.yml
+++ b/roles/WebServer/tasks/main.yml
@@ -44,14 +44,11 @@
 - name: Copy conf.d
 become: yes
- copy:
+ become_user: http
+ ansible.posix.synchronize:
 src: "conf.d/{{ inventory_hostname }}/"
 dest: /etc/nginx/conf.d/
- owner: http
- group: http
- mode: 0660
- directory_mode: 0770
- follow: true
+ delete: true
 register: confd
 - name: Copy conf
@@ -114,17 +111,6 @@
 mode: 0660
 register: geoipconf
- - name: Ensure MaxMindDB is present
- become: yes
- file:
- path: /etc/nginx/conf/maxmind-geoip2.mmdb
- state: file
- owner: http
- group: http
- mode: 0440
- # This requires a https://maxmind.com/ account, so the source will have to come from that site.
- # This file should be the current country database.
-
 - name: Clone OWASP-CRS
 ignore_errors: true
 become: yes
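Review bot: Replacing `copy` with `ansible.posix.synchronize` drops the explicit `owner`/`group`/`mode: 0660`/`directory_mode: 0770`, so the modes under /etc/nginx/conf.d/ are now whatever the controller checkout carries (rsync's archive mode preserves source permissions) rather than being pinned by the role; if the tighter modes were deliberate, pass the chmod through `rsync_opts` or add a follow-up `file` task that re-asserts them. `delete: true` also prunes anything in /etc/nginx/conf.d/ that is absent from `conf.d/{{ inventory_hostname }}/`, and singularity.conf and travelpawscvt.com.conf do `include conf.d/fastcgi.config;` — if that file is placed by another task instead of shipped in the per-host directory, the sync removes it and the new `nginx -t` task fails the run. The task deserves a comment such as `# delete: true prunes stale vhosts; everything nginx includes from conf.d/ must live in the per-host source dir.` With `become_user: http` the sync also relies on the http user owning the destination tree, which the removed copy task used to establish and nothing here asserts.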
@@ -168,6 +154,11 @@
 #validate: nginx -t -p /etc/nginx -c %s # Commented due to base pathing issues
 register: baseconf
+ - name: Safety test on nginx
+ become: yes
+ command: 'nginx -t'
+ ignore_errors: false
+
 - name: Ensure service is started
 become: yes
 when: conf.changed or confd.changed or geoipconf.changed or secconf.changed or baseconf.changed or modsecconf.changed
diff --git a/roles/WebServer/templates/conf/geoip.conf.j2 b/roles/WebServer/templates/conf/geoip.conf.j2
index 04ddff5..fe7eb53 100644
--- a/roles/WebServer/templates/conf/geoip.conf.j2
+++ b/roles/WebServer/templates/conf/geoip.conf.j2
@@ -1,5 +1,5 @@
 # Load database and set variables from the database.
-geoip2 /etc/nginx/conf/maxmind-geoip2.mmdb {
+geoip2 /usr/share/GeoIP/GeoIP2.mmdb {
 auto_reload 60m;
 $geoip2_metadata_country_build metadata build_epoch;
 $geoip2_data_country_code country iso_code;
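Review bot: `command: 'nginx -t'` reports `changed` on every run because Ansible cannot tell a validation from a mutation; add `changed_when: false` so the task neither pollutes play output nor trips anything keyed on change. `ignore_errors: false` is already the default and only documents intent, which a comment does better: `# Validate the assembled config before (re)starting; a failure here aborts the play so the service task below is never reached.` The task needs no `register` and the service task's `when:` needs no new term, because a failed validation stops the play before it. The `validate:` line above was commented out for path reasons; this `nginx -t` presumably validates the compiled-in default config path, so it only covers the deployed tree if that path is /etc/nginx — worth confirming on the target.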
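Review bot: The database path moves to `/usr/share/GeoIP/GeoIP2.mmdb`, which the new roles/GeoIP role asserts exists but does not fetch, and the comment recording the MaxMind-account provenance was removed with the old task in roles/WebServer/tasks/main.yml, so nothing in the tree now states where this file comes from or that it must be the country database the variables below expect; I would extend the header comment to `# Country database, placed at this path out-of-band (MaxMind account); auto_reload picks up refreshes.` The README added in this commit still opens `/etc/nginx/conf/maxmind-geoip2.mmdb`, the path this hunk retires. Since a stale or missing file is used or rejected silently between reloads, the `$geoip2_metadata_country_build` already captured here is the natural value to surface (log or status endpoint) so database age can be monitored.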