Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons
@@ -1,11 +1,14 @@
|
||||
---
|
||||
- name: Install openresty
|
||||
- name: Install components
|
||||
become: yes
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
loop:
|
||||
- openresty
|
||||
- nginx
|
||||
- libmodsecurity
|
||||
- nginx-mod-modsecurity
|
||||
- php
|
||||
- php-fpm
|
||||
|
||||
- name: Copy PHP config
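Review bot: `state: present` on the new `nginx` entry does not move a host that already has nginx installed onto a patched build, so on such hosts this commit changes which binary gets configured but not whether it carries the HTTP/2 Rapid Reset fix the commit title cites; if the patch level is the point, install `nginx` in its own task with `state: latest` (or a pinned minimum version), and keep in mind that the mitigation is partly a matter of the `http2_max_concurrent_streams` and `keepalive_requests` limits set in `nginx.conf`, which this playbook does not show. Dropping `openresty` from the loop also leaves it installed on existing hosts with its bundled nginx still on disk; a follow-up task with `package: {name: openresty, state: absent}` would remove it. On style, `become: yes` is a YAML 1.1 truthy that ansible-lint flags; prefer `become: true`. The `Copy PHP config` task that starts on the last line continues outside the hunk.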
|
||||
@@ -17,26 +20,11 @@
|
||||
group: root
|
||||
mode: 0755
|
||||
|
||||
- name: Copy Webserver config
|
||||
become: yes
|
||||
copy:
|
||||
src: webserver.service
|
||||
dest: /usr/lib/systemd/system/webserver.service
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0660
|
||||
register: servicefile
|
||||
|
||||
- systemd:
|
||||
daemon_reload: true
|
||||
when: servicefile.changed
|
||||
become: yes
|
||||
|
||||
- name: Copy conf.d
|
||||
become: yes
|
||||
copy:
|
||||
src: "conf.d/{{ inventory_hostname }}/"
|
||||
dest: /opt/openresty/nginx/conf.d/
|
||||
dest: /etc/nginx/conf.d/
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0660
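Review bot: The `conf.d` tree is now written to `/etc/nginx/conf.d/` as `owner: http`, `group: http`, `mode: 0660`, so the account that, judging by the pidfile and log-directory tasks later in the file, runs the nginx workers can rewrite the server configuration, including any ModSecurity directives, and have it take effect on the next reload; configuration should be root-owned and read-only for the worker, i.e. `owner: root`, `group: http`, `mode: "0640"`. Quoting the mode also sidesteps the YAML octal-to-integer conversion of bare `0660` that Ansible's docs warn about. The `Copy conf.d` task continues past the end of the hunk, so any `register` for it is not visible here.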
|
||||
@@ -48,38 +36,108 @@
|
||||
become: yes
|
||||
copy:
|
||||
src: conf/
|
||||
dest: /opt/openresty/nginx/conf/
|
||||
dest: /etc/nginx/conf/
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0660
|
||||
follow: true
|
||||
register: conf
|
||||
|
||||
- name: Nginx pidfile
|
||||
become: yes
|
||||
ignore_errors: true
|
||||
file:
|
||||
path: /run/nginx.pid
|
||||
state: file
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0640
|
||||
|
||||
- name: Nginx log folder
|
||||
become: yes
|
||||
file:
|
||||
path: /var/log/nginx
|
||||
state: directory
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0750
|
||||
|
||||
- name: Populate security config
|
||||
become: yes
|
||||
template:
|
||||
src: conf/sec.conf.j2
|
||||
dest: /opt/openresty/nginx/conf/sec.conf
|
||||
dest: /etc/nginx/conf/sec.conf
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0660
|
||||
register: secconf
|
||||
|
||||
|
||||
- name: Ensure default openresty service file is off.
|
||||
- name: Clone OWASP-CRS
|
||||
ignore_errors: true
|
||||
become: yes
|
||||
service:
|
||||
name: openresty
|
||||
state: stopped
|
||||
enabled: no
|
||||
git:
|
||||
repo: https://github.com/coreruleset/coreruleset.git
|
||||
update: yes
|
||||
force: yes
|
||||
single_branch: yes
|
||||
dest: /usr/share/owasp-modsecurity-crs
|
||||
umask: "0022"
|
||||
|
||||
- name: Modsecurity config dir
|
||||
become: yes
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0750
|
||||
loop:
|
||||
- /etc/modsecurity
|
||||
- /var/log/modsec
|
||||
- /var/log/modsec/tmp
|
||||
- /var/log/modsec/data
|
||||
- /var/log/modsec/audit
|
||||
- /var/log/modsec/uploads
|
||||
|
||||
- name: Modsecurity config
|
||||
become: yes
|
||||
register: modsecconf
|
||||
copy:
|
||||
dest: /etc/modsecurity/main.conf
|
||||
src: modsec.conf
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0750
|
||||
validate: /usr/bin/modsec-rules-check %s
|
||||
|
||||
- name: Modsecurity logrotate
|
||||
become: yes
|
||||
copy:
|
||||
dest: /etc/logrotate.d/modsecurity
|
||||
src: logrotate.modsec.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Copy conf
|
||||
become: yes
|
||||
copy:
|
||||
src: nginx.conf
|
||||
dest: /etc/nginx/nginx.conf
|
||||
owner: http
|
||||
group: http
|
||||
mode: 0660
|
||||
follow: true
|
||||
#validate: nginx -t -p /etc/nginx -c %s # Commented due to base pathing issues
|
||||
register: baseconf
|
||||
|
||||
- name: Ensure service is started
|
||||
become: yes
|
||||
when: conf.changed or confd.changed or secconf.changed
|
||||
when: conf.changed or confd.changed or secconf.changed or baseconf.changed or modsecconf.changed
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
enabled: yes
|
||||
state: restarted
|
||||
loop:
|
||||
- php-fpm
|
||||
- webserver
|
||||
- nginx
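Review bot: The `Clone OWASP-CRS` task pulls rules from the default branch of `https://github.com/coreruleset/coreruleset.git` with no `version:`, while `update: yes` and `force: yes` overwrite whatever was checked out before and the inherited `ignore_errors: true` lets a failed fetch pass silently, so the rule set the WAF enforces is whatever upstream HEAD was at the last successful run and cannot be reproduced from the playbook; pin it with `version: "<release tag>"` under `git:` and drop `ignore_errors` so a failed update is visible. The ModSecurity config is installed as `owner: http`, `group: http`, `mode: 0750` into an `http`-owned `/etc/modsecurity`, which lets the same account the workers presumably run as (it owns the pidfile and log directory) rewrite `main.conf` and switch the engine off before the next reload; `owner: root`, `group: http`, `mode: "0640"` keeps it readable but not writable by the worker, while the `http`-owned `/var/log/modsec` directories look intended since the audit log is written at request time. With the `nginx -t` validate on `nginx.conf` commented out, a broken config is only discovered when `Ensure service is started` does `state: restarted`, which takes the site down instead of failing the play; a `command: nginx -t` task gated on the same `changed` conditions and placed before the restart restores that check. Finally, `webserver` is still restarted in the loop although this commit appears to drop the task that installed `webserver.service`, so on a fresh host this task would fail on an unknown unit unless the unit file comes from elsewhere.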
|
||||
|