From 2f173e2335ecbbca19d34b6ddb1036a190cd7805 Mon Sep 17 00:00:00 2001 
From: Olivier Navas Date: Wed, 2 Mar 2022 00:41:53 +0100 Subject: [PATCH] commit initial --- README.md | 25 +- defaults/main.yml | 5 + files/maintenance.sh | 39 ++ files/modsechelper.sh | 98 +++ files/purge-apache2-tmp | 4 + files/purge-apache2-tmp.sh | 14 + files/rp_ressources_images/400.svg | 1 + files/rp_ressources_images/401.svg | 1 + files/rp_ressources_images/403.svg | 1 + files/rp_ressources_images/404.svg | 623 ++++++++++++++++++ files/rp_ressources_images/410.svg | 2 + files/rp_ressources_images/500.svg | 1 + files/rp_ressources_images/502.svg | 1 + files/rp_ressources_images/503.svg | 1 + files/rp_ressources_images/504.svg | 1 + files/rp_ressources_images/maintenance.svg | 1 + files/vhosts.d.template/0_vhost.conf | 38 ++ .../1_vhost_additional.conf.exemple | 112 ++++ .../2_mds_exclusion.conf.exemple | 10 + handlers/main.yml | 5 + meta/main.yml | 7 + tasks/main.yml | 170 +++++ templates/custom_reverse_proxy.conf | 497 ++++++++++++++ templates/custom_ssl.conf | 43 ++ templates/httpd.conf | 366 ++++++++++ templates/jail.local | 49 ++ templates/rp_maintenance/auth/index.html | 47 ++ .../rp_maintenance/maintenance-generique.html | 42 ++ templates/rp_ressources/400.html | 41 ++ templates/rp_ressources/401.html | 40 ++ templates/rp_ressources/403.html | 40 ++ templates/rp_ressources/404.html | 40 ++ templates/rp_ressources/410.html | 42 ++ templates/rp_ressources/500.html | 41 ++ templates/rp_ressources/502.html | 39 ++ templates/rp_ressources/503.html | 41 ++ templates/rp_ressources/504.html | 41 ++ templates/rp_ressources/customization.css | 43 ++ templates/rp_ressources/header.html | 21 + templates/rp_ressources/robots_disabled.txt | 3 + templates/rp_ressources/robots_enabled.txt | 3 + tests/inventory | 2 + tests/test.yml | 5 + vars/main.yml | 1 + 44 files changed, 2646 insertions(+), 1 deletion(-) create mode 100644 defaults/main.yml create mode 100755 files/maintenance.sh create mode 100755 files/modsechelper.sh create mode 100644 files/purge-apache2-tmp 
create mode 100755 files/purge-apache2-tmp.sh create mode 100644 files/rp_ressources_images/400.svg create mode 100644 files/rp_ressources_images/401.svg create mode 100644 files/rp_ressources_images/403.svg create mode 100644 files/rp_ressources_images/404.svg create mode 100644 files/rp_ressources_images/410.svg create mode 100644 files/rp_ressources_images/500.svg create mode 100644 files/rp_ressources_images/502.svg create mode 100644 files/rp_ressources_images/503.svg create mode 100644 files/rp_ressources_images/504.svg create mode 100644 files/rp_ressources_images/maintenance.svg create mode 100644 files/vhosts.d.template/0_vhost.conf create mode 100644 files/vhosts.d.template/1_vhost_additional.conf.exemple create mode 100644 files/vhosts.d.template/2_mds_exclusion.conf.exemple create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100644 templates/custom_reverse_proxy.conf create mode 100644 templates/custom_ssl.conf create mode 100644 templates/httpd.conf create mode 100644 templates/jail.local create mode 100644 templates/rp_maintenance/auth/index.html create mode 100644 templates/rp_maintenance/maintenance-generique.html create mode 100644 templates/rp_ressources/400.html create mode 100644 templates/rp_ressources/401.html create mode 100644 templates/rp_ressources/403.html create mode 100644 templates/rp_ressources/404.html create mode 100644 templates/rp_ressources/410.html create mode 100644 templates/rp_ressources/500.html create mode 100644 templates/rp_ressources/502.html create mode 100644 templates/rp_ressources/503.html create mode 100644 templates/rp_ressources/504.html create mode 100644 templates/rp_ressources/customization.css create mode 100644 templates/rp_ressources/header.html create mode 100644 templates/rp_ressources/robots_disabled.txt create mode 100644 templates/rp_ressources/robots_enabled.txt create mode 100644 tests/inventory create mode 100644 tests/test.yml create 
mode 100644 vars/main.yml diff --git a/README.md b/README.md index c3130cc..2b18d58 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,25 @@ -# ansible-role-reverse_proxy +Role : reverse_proxy +==================== +Services fournis +---------------- + +Configure un reverse proxy public pour rediriger les flux vers les applications internes. +Prend en charge la gestion des certificats letsencrypt, des stratégies d'accès, les pages de maintenance, la sécurité via modsecurity. + + +Variables +--------- + +Le rôle peut s'utiliser sans paramètre. Il est néanmoins possible d'utiliser les paramètres optionnels suivants : + +| Option | Valeur par défaut | Description | +|-------------------------------------------------|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------| +| reverse_proxy_SSLProtocol_ | all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | Surcharge la valeur de SSLProtocol pour ajuster au niveau de sécurité souhaité | +| reverse_proxy_SSLCipherSuite_ | cf. defaults/main.yml | Surcharge la valeur de SSLCipherSuite pour ajuster au niveau de sécurité souhaité | + + +```yaml +reverse_proxy_enable_port_1443: true +reverse_proxy_SSLProtocol: all -SSLv2 -SSLv3 +``` diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..50e77e9 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,5 @@ +reverse_proxy_SSLProtocol: "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" +reverse_proxy_SSLCipherSuite: "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" +reverse_proxy_default_serveradmin_email: olivier+admin@navas.rocks +reverse_proxy_default_website: https://libretic.fr +reverse_proxy_default_issue_url: https://libretic.fr/contact 
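Review bot: The `reverse_proxy_SSLCipherSuite` default lists `EECDH+aRSA+RC4` and `RC4` and then ends with `!RC4`; in OpenSSL cipher strings `!` removes a cipher permanently, so the two RC4 entries are dead and only suggest to a reader that RC4 is offered. Drop them and keep the exclusion: `reverse_proxy_SSLCipherSuite: "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"`. The same hunk ships a personal mailbox as `reverse_proxy_default_serveradmin_email`, which is rendered into the public error pages by the templates; a neutral placeholder such as `admin@example.org` would avoid publishing that address from every deployment that forgets to override it.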
diff --git a/files/maintenance.sh b/files/maintenance.sh new file mode 100755 index 0000000..7c85db4 --- /dev/null +++ b/files/maintenance.sh @@ -0,0 +1,39 @@ +#!/bin/bash + +# FICHIER SOUS CONTROLE D'ANSIBLE, NE PAS MODIFIER DIRECTEMENT + +VHOSTS_DIR=/etc/apache2/vhosts.d/ +MAINTENANCE_DIR=/var/www/html/rp_maintenance/ + +TMP=$(mktemp) + + +while true; do + LISTE_VHOSTS="" + + for i in $(ls $VHOSTS_DIR); do + LISTE_VHOSTS="$LISTE_VHOSTS $i" + if [ -f "$MAINTENANCE_DIR/$i" ]; then + LISTE_VHOSTS="$LISTE_VHOSTS (maintenance)" + else + LISTE_VHOSTS="$LISTE_VHOSTS (normal)" + fi + done + + echo $LISTE_VHOSTS | xargs dialog --title "Gestion page de maintenance" --menu "Modifier le statut de maintenance du virtualhost :" 0 0 0 2> $TMP + ERR=$? + VHOST=$(cat $TMP) + rm $TMP + + if [ "$ERR" == "0" ]; then + if [ -f "$MAINTENANCE_DIR/$VHOST" ]; then + rm $MAINTENANCE_DIR/$VHOST +# dialog --title "Gestion page de maintenance" --msgbox "$VHOST n'est plus en maintenance" 0 0 + else + ln -s $MAINTENANCE_DIR/maintenance-generique.html $MAINTENANCE_DIR/$VHOST +# dialog --title "Gestion page de maintenance" --msgbox "$VHOST est mis en maintenance" 0 0 + fi + else + exit + fi +done diff --git a/files/modsechelper.sh b/files/modsechelper.sh new file mode 100755 index 0000000..d1d9b60 --- /dev/null +++ b/files/modsechelper.sh 
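Review bot: `rm $TMP` inside the `while true` loop deletes the mktemp file and the next iteration recreates the same, now predictable, path with `2> $TMP`; between the two the path under /tmp is free, and since the script runs as root a symlink planted there would be followed by the redirection. Create the file once and remove it only on exit: add `trap 'rm -f "$TMP"' EXIT` after `TMP=$(mktemp)`, delete the in-loop `rm $TMP`, and read it with `VHOST=$(cat "$TMP")`. The vhost list is also built from `$(ls $VHOSTS_DIR)` and then re-split by `echo | xargs`, so any directory name containing whitespace breaks the menu; `for i in "$VHOSTS_DIR"/*; do i=${i##*/}` avoids parsing ls output, and the later `rm` / `ln -s` arguments should be quoted for the same reason.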
@@ -0,0 +1,98 @@ +#!/bin/bash + +PROGRAM=$(basename $0) + +usage() { + echo "Usage: $PROGRAM [-n fichier ] [ -c ] [ -u ] [ file(s) ]" + echo "Liste les erreurs modsecurity rencontrées depuis un fichier d'erreurs apache. Si aucun fichier n'est précisé, utilise l'entrée standard." + echo " -n : uniquement les erreurs plus récentes que la date du fichier indiqué" + echo " -c : a la place la liste, génère la configuration des exceptions pour le reverse proxy pour éviter les erreurs modsecurity detectées" + echo " -u : si combiné avec -c, génère la configuration des exceptions par url plutôt que globalement" + exit 1 +} + + +while getopts "cum:" o; do + case "${o}" in + n) + file=${OPTARG} + echo "option -n non implemente" + exit + ;; + c) + conf="true" + ;; + u) + byurl="true" + ;; + *) + usage + ;; + esac +done + +shift $((OPTIND-1)) + + +TMP=$(mktemp /tmp/$PROGRAM.XXXXXXX) +TMP_NOPHASE=$(mktemp /tmp/$PROGRAM.XXXXXXX) + +if [ "$*" == "" ]; then + FILES="-" +else + FILES="$*" +fi + +# retient les lignes modsecurity avec id et uri et conserve les colonnes timestamp, fichier de règle, id, et uri +cat $FILES | grep ModSecurity | grep "\[id" | grep "\[uri" | egrep -o '^\[[A-Za-z0-9:\. ]*\]|\[id "[0-9]*"\]|\[file "[^"]*"\]|\[uri\ "[^"]*"\]' | paste -d "|" - - - - > $TMP_NOPHASE + +# formate et ajoute la phase de la regle +while read line +do + TIMESTAMP=$(echo $line | cut -d '|' -f 1 | cut -c 2- | head -c -2) + RULEFILE=$(echo $line | cut -d '|' -f 2 | cut -d '"' -f 2) + ID=$(echo $line | cut -d '|' -f 3 | cut -d '"' -f 2) + URI=$(echo $line | cut -d '|' -f 4 | cut -d '"' -f 2) + PHASE=$(cat "$RULEFILE" | grep -E 'SecRule|id:|phase:' | sed ':a;N;$!ba;s/\n//g' | sed 's/SecRule/\nSecRule/g' | grep $ID | egrep -o 'phase:[^,^"]*?' 
| paste -) + echo "$TIMESTAMP|$RULEFILE|$ID|$URI|$PHASE" >> $TMP +done < $TMP_NOPHASE +rm $TMP_NOPHASE + + +if [ "$conf" == "true" ]; then + echo + echo "### Configuration des exclusions mod_security pour le reverse proxy" + + + if [ "$byurl" == "true" ]; then + echo "# Regles phase 1" + for id in $(cat $TMP | grep "phase:1" | cut -d '|' -f 3 | sort | uniq) + do + echo SecRuleRemoveById $id + done + echo "# Fin regles phase 1" + + for url in $(cat $TMP | grep -v "phase:1" | cut -d '|' -f 4 | sort | uniq) + do + echo "" + + for id in $(cat $TMP | grep -v "phase:1" | grep $url | cut -d '|' -f 3 | sort | uniq) + do + echo " SecRuleRemoveById $id" + done + + echo "" + echo + done + else + for id in $(cat $TMP | cut -d '|' -f 3 | sort | uniq) + do + echo SecRuleRemoveById $id + done + fi +else + cat $TMP +fi + + +rm $TMP diff --git a/files/purge-apache2-tmp b/files/purge-apache2-tmp new file mode 100644 index 0000000..6ce3a72 --- /dev/null +++ b/files/purge-apache2-tmp @@ -0,0 +1,4 @@ +SHELL=/bin/bash +PATH=/sbin:/bin:/usr/sbin:/usr/bin +MAILTO= +*/30 * * * * root /usr/local/bin/purge-apache2-tmp.sh diff --git a/files/purge-apache2-tmp.sh b/files/purge-apache2-tmp.sh new file mode 100755 index 0000000..6751e9e --- /dev/null +++ b/files/purge-apache2-tmp.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +MMIN=15 + +# Il arrive (bug) qu'httpd créée un fichier temporaire qu'il ne supprime pas ensuite +# Ce script supprime ceux plus anciens que MMIN minutes + +for dir in $(ls /tmp/*httpd.service* -d) +do + COUNT_ALL=$(find $dir -name 'modproxy.tmp.*' | wc -l) + COUNT_RM=$(find $dir -name 'modproxy.tmp.*' -mmin +$MMIN | wc -l) + logger -t purge-apache2-tmp.sh "Nb total fichiers temporaires : $COUNT_ALL, suppression de $COUNT_RM fichiers de plus de $MMIN minutes" + find $dir -name 'modproxy.tmp.*' -mmin +$MMIN -exec rm -f {} \; +done diff --git a/files/rp_ressources_images/400.svg b/files/rp_ressources_images/400.svg new file mode 100644 index 0000000..1fed2ff --- /dev/null 
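Review bot: `while getopts "cum:" o` declares an `-m` option with an argument but the case statement handles `n)` and `usage` advertises `-n fichier`, so `-n` is rejected as unknown and `-m file` is consumed only to land in `*)`; the option string should read `while getopts "cun:" o; do`. The phase lookup `grep $ID` and the per-URL grouping `grep $url` both treat their operand as an unanchored regex, so a rule id that is a substring of another id, or a URI that is a prefix of another (`/api` vs `/api2`), collects exclusions for rules that were never triggered on that path; `grep -F "|$url|"` on the pipe-delimited lines and `grep "id:$ID\b"` on the flattened rule text keep the match exact. Since the generated `SecRuleRemoveById` lines are meant to be pasted into the vhost configuration, an over-broad match silently widens the WAF bypass, so this is worth fixing before the helper is used in production.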
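Review bot: `for dir in $(ls /tmp/*httpd.service* -d)` parses ls output where the shell glob already gives the list; as this runs as root from cron every 30 minutes over a world-writable /tmp, the `find` should also be restricted to regular files so that only the leaked `modproxy.tmp.*` files are counted and removed. Change the loop header to `for dir in /tmp/*httpd.service*/; do` and add `-type f` to the three `find` invocations, e.g. `find "$dir" -type f -name 'modproxy.tmp.*' -mmin +$MMIN -exec rm -f {} \;`. Quoting `"$dir"` is needed in any case if the private-tmp directory name ever contains a space.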
+++ b/files/rp_ressources_images/400.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/files/rp_ressources_images/401.svg b/files/rp_ressources_images/401.svg new file mode 100644 index 0000000..9e0340b --- /dev/null +++ b/files/rp_ressources_images/401.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/files/rp_ressources_images/403.svg b/files/rp_ressources_images/403.svg new file mode 100644 index 0000000..e605f91 --- /dev/null +++ b/files/rp_ressources_images/403.svg @@ -0,0 +1 @@ + diff --git a/files/rp_ressources_images/404.svg b/files/rp_ressources_images/404.svg new file mode 100644 index 0000000..1f1911e --- /dev/null +++ b/files/rp_ressources_images/404.svg @@ -0,0 +1,623 @@ + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/files/rp_ressources_images/410.svg b/files/rp_ressources_images/410.svg new file mode 100644 index 0000000..a5683a1 --- /dev/null +++ b/files/rp_ressources_images/410.svg @@ -0,0 +1,2 @@ + + diff --git a/files/rp_ressources_images/500.svg b/files/rp_ressources_images/500.svg new file mode 100644 index 0000000..1a78737 --- /dev/null +++ b/files/rp_ressources_images/500.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/files/rp_ressources_images/502.svg b/files/rp_ressources_images/502.svg new file mode 100644 index 0000000..7b1b551 --- /dev/null +++ b/files/rp_ressources_images/502.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/files/rp_ressources_images/503.svg b/files/rp_ressources_images/503.svg new file mode 100644 index 0000000..9bf6b88 --- /dev/null +++ b/files/rp_ressources_images/503.svg @@ -0,0 +1 @@ + \ No newline at end of file 
diff --git a/files/rp_ressources_images/504.svg b/files/rp_ressources_images/504.svg new file mode 100644 index 0000000..40be28b --- /dev/null +++ b/files/rp_ressources_images/504.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/files/rp_ressources_images/maintenance.svg b/files/rp_ressources_images/maintenance.svg new file mode 100644 index 0000000..0a4930d --- /dev/null +++ b/files/rp_ressources_images/maintenance.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/files/vhosts.d.template/0_vhost.conf b/files/vhosts.d.template/0_vhost.conf new file mode 100644 index 0000000..7796eb2 --- /dev/null +++ b/files/vhosts.d.template/0_vhost.conf 
@@ -0,0 +1,38 @@ +# RETIRER TOUS LES COMMENTAIRES, CONSERVER LA LIGNE UTILE PARMI CELLES CI-DESSOUS ET REMPLACER LES CHAMPS EN S'AIDANT DE LA DOCUMENTATION CI-DESSOUS +# +# Use vhost_HTTP_Generic $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus +# Use vhost_HTTPS_Generic $vhostFQDN $cert $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus +# + + +## DOCUMENTAION D'UTILISATION +# +# L'activation de le fonction reverse proxy pour un virtualhost se fait par l'utilisation d'une des macros disponibles +# +# vhost_HTTP_Generic : mandataire HTTP vers un serveur mandate interne +# vhost_HTTPS_Generic : mandataire HTTPS avec support des certificats région et redirection automatique HTTP -> HTTPS +# +# +## PARAMETRES +# +# Chaque macro nécessite plusieurs paramètres qui signifient +# +# $vhostFQDN : FQDN du virtualhost ; il est impératif qu'il corresponde au nom du répertoire dans lequel se trouve la configuration +# $cert : Si HTTPS, le certificat à presenter au navigateur : LE = letsencrypt +# $protoDest : Mode d'acces au mandaté : http | https | balancer +# $urlDest : En mode http et https, indiquer l'url du serveur mandaté, sans le protocole +# En mode balancer, répéter le FQDN pour utiliser comme nom de balancer. 
Il doit aussi figurer dans la configuration supplémentaire +# $logPolicy : Niveau de log souhaité : debug | info | notice | warn | error | crit | alert | emerg ou combinaison, avec guillemets "debug ssl:warn authz_core:crit dumpio:trace7 rewrite:trace6" +# $accessPolicy : Accessibilite du virtualhost : OpenAccessPolicy | InternalAccessPolicy | ManagementAccessPolicy | LDAPAccessPolicy +# $indexingConf : Stratégie vis a vis des moteurs de recherche : AllowCrawlerIndexing | BlockCrawlerIndexing +# $modsecurityStatus : Activation ou pas du module mod_security pour le virtualhost : On | Off | DetectionOnly +# La valeur "On" est preferable en production mais peut amener à gerer une liste d'exclusions +# La valeur "DetectionOnly" est a utiliser pendant la phase d'apprentissage + +## CONFIGURATION FACULTATIVE +# si nécessaire, créer un de ces fichiers de configuration facultatifs, au même niveau que le fichier 00_vhost.conf parmi les choix suivants : +# 01_vhost_additional.conf : permet de préciser des directives de configuration supplémentaires pour le virtualhost +# 02_mds_exclusion.conf : permet de définir les exclusions modsecurity ; le programme modsechelper.sh peut aider à les déterminer + + + diff --git a/files/vhosts.d.template/1_vhost_additional.conf.exemple b/files/vhosts.d.template/1_vhost_additional.conf.exemple new file mode 100644 index 0000000..0139e53 --- /dev/null +++ b/files/vhosts.d.template/1_vhost_additional.conf.exemple 
@@ -0,0 +1,112 @@ +# RETIRER TOUS LES COMMENTAIRES, ET NE LAISSER QUE CE QUI EST UTILE + +### Pour désactiver la réutilisation des connections http avec le navigateur +#KeepAlive Off + +### Pour désactiver la réutilisation des connections http avec le serveur mandaté +#SetEnv proxy-nokeepalive 1 + +### Réécriture des URLS +#RewriteEngine On +#RewriteRule ^/$ /moncontexte/index.php [L,R] + +### Si l'application utilise des frames, autorise l'ouverture des frames de l'application par elle même +#Header set X-Frame-Options SAMEORIGIN + +### pour autoriser que les pages du site soient imbriquées dans un frame d'un autre site +# pour les navigateurs qui ne supportent pas CSP +#Header append X-Frame-Options "ALLOW-FROM https://url-du-site-parent" +# pour les navigateurs qui supportent CSP +#Header set Content-Security-Policy "frame-ancestors 'self' https://url-du-site-parent;" + + +### Utile si l'application est mal foutue et ne positionne pas correctement ses types MIME +#Header unset X-Content-Type-Options + + +# Si l'application fournit des urls référencées dans des pages d'une autre application, +# et a besoin de ses propres cookies, force attribut SameSite=None pour tous ses cookies +# Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure + + +### exemple pour fichier de log spécifique pour certains motifs d'url +#SetEnvIf Request_URI ^/motifatrouver(/|$) monenv +#ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-monenv-error.log env=monenv +#CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-monenv-access.log combined env=monenv + + +### Debug des flux +# En cas de besoin de debug des flux chiffres, permet d'enregistrer les IO dans le error.log +# à combiner avec dumpio:trace7 dans loglevel ; attention à la quantité de logs, ne pas laisser actif au dela du debug +#DumpIOInput On +#DumpIOOutput On + + +### En cas de serveur mandaté en https, désactive les contrôles SSL du serveur mandaté si ce dernier utilise un certificat autosigné +#SSLProxyVerify none +#SSLProxyCheckPeerCN off 
+#SSLProxyCheckPeerName off +#SSLProxyCheckPeerExpire off + + +### Augmente les timeouts si le serveur mandaté a besoin de beaucoup de temps pour répondre +#Timeout 600 + + +### Exemple de configuration de load balancer ; remplacer FQDN par le FQDN du virtualhost, et utiliser ça comme nom de balancer dans la macro de configuration +## stickysession: le nom du cookie utilisé pour stocker la route vers le backend +## retry : délai pendant lequel un serveur backend ne sera pas retenté s'il est considéré en défaut +## connectiontimeout : délai accordé pour créer la connexion vers le serveur backend avant de le considérer en défaut +## lbmethod : méthode d'équilibrage entre les balancermembers +## failonstatus : les codes d'erreur http qui peuvent être retournés par le backend et qu'on va considérer comme un défaut du backend +#Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED +# +# BalancerMember "http://fqdn1" route=1 retry=10 connectiontimeout=5 +# BalancerMember "http://fqdn2" route=2 retry=10 connectiontimeout=5 +# ProxySet lbmethod=byrequests failonstatus=500,503 stickysession=ROUTEID +# + + +### Pour utiliser des accesspolicy différentes par portion d'URL +# +# Use InternalAccessPolicy +# + +### Pour donner accès à des utilisateurs en plus de ceux acceptés par la policy +# +# Use InternalAccessPolicy +# +# Authname "Acces restreint" +# Authtype Basic +# AuthBasicProvider ldap-interne +# Use ConnexionLdapInterne +# Require ldap-user login1 +# Require ldap-user login2 +# Require ldap-attribute "memberof=cn=xxxxx" +# + + +### Si une API du site mandaté utilise des codes d'erreur HTTP pour communiquer une information fonctionnelle à son client (beurk) +# +# ProxyErrorOverride off +# + + +### Si l'application utilise des URLs avec des slashes encodés +#AllowEncodedSlashes On + + +### Pour utiliser les websockets. Principe général : il faut détecter la nécessité d'activer les websockets. 
+## Soit parce que le client a déjà inséré dans ses entêtes des attributs en rapport : +#RewriteEngine On +#RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR] +#RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC] +#RewriteRule .* ws://%{SERVER_NAME}%{REQUEST_URI} [P,QSA,L] +## Soit parce que l'url demandée est d'une forme qui permet de détecter que le client s'adresse à une partie serveur développée avec des websockets +# +# ProxyPass ws://$urlDest/websockify +# ProxyPassReverse ws://$vhostFQDN/websockify +# + diff --git a/files/vhosts.d.template/2_mds_exclusion.conf.exemple b/files/vhosts.d.template/2_mds_exclusion.conf.exemple new file mode 100644 index 0000000..f99c11e --- /dev/null +++ b/files/vhosts.d.template/2_mds_exclusion.conf.exemple @@ -0,0 +1,10 @@ +# RETIRER TOUS LES COMMENTAIRES, GENERER LA CONFIGURATION AVEC modsechelper.sh + +## Exceptions applicables a tout le virtualhost +#SecRuleRemoveById id + +# Exceptions applicables par chemin de l'url +# +# SecRuleRemoveById id +# + diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..4c3a8b0 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart fail2ban + service: name=fail2ban state=restarted + +- name: restart apache2 + service: name=apache2 state=restarted diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..c1ea999 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,7 @@ +galaxy_info: + author: Olivier Navas + description: installe et configure un reverse proxy + license: GPL-3.0-or-later + min_ansible_version: 2.9 + galaxy_tags: [] + diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..b00eb35 --- /dev/null +++ b/tasks/main.yml 
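Review bot: The example `Header append X-Frame-Options "ALLOW-FROM https://url-du-site-parent"` documents a directive value that current browsers no longer honor, and with `append` it would be merged with the `X-Frame-Options SAMEORIGIN` that custom_reverse_proxy.conf sets globally, producing a combined value browsers treat as invalid and ignore. Mark the line as obsolete in the comment, or replace the example with `#Header unset X-Frame-Options` followed by the CSP `frame-ancestors` line that is already shown, which is the supported mechanism. The `SSLProxyVerify none` / `SSLProxyCheckPeer*` block would also benefit from a one-line comment stating that it disables backend certificate validation entirely and should be limited to the self-signed case it describes; the cookie rewrite example `Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure` is fine but worth noting that it appends the attributes even when the backend already set them.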
@@ -0,0 +1,170 @@ +#- name: install - Allow Apache to listen on tcp port 9090 +# tags: install +# seport: +# ports: 9090 +# proto: tcp +# setype: http_port_t +# state: present + +#- name: install - enable module openid +# tags: install +# shell: dnf module enable -y mod_auth_openidc +# changed_when: false + +- name: install - packages + tags: install + package: + state: present + name: + - apache2 + - apache2-utils + - modsecurity-crs + - libapache2-mod-security2 + - libapache2-mod-auth-openid + - libapache2-mod-perl2 + - fail2ban + - whois + - dialog + +- name: install - enable fail2ban + tags: install + service: name=fail2ban state=started enabled=yes + +- name: install - dossier vhosts.d + tags: install + file: + path: /etc/apache2/vhosts.d + state: directory + mode: 0660 + +- name: install - supprime vhost par défaut + tags: install + file: + path: "{{ item }}" + state: absent + with_items: + - /etc/apache2/sites-enabled/000-default.conf + - /etc/apache2/sites-enabled/default-ssl.conf + +- name: configure - fail2ban + tags: configure + template: + src: jail.local + dest: /etc/fail2ban/jail.d/ + notify: + - restart fail2ban + +- name: configure - apache modules + community.general.apache2_module: + state: present + ignore_configcheck: yes + force: yes + name: "{{ item }}" + failed_when: false + with_items: + - access_compat + - alias + - auth_basic +# - auth_openid + - authn_core + - authn_file + - authnz_ldap + - authz_core + - authz_host + - authz_user + - autoindex + - deflate + - dir +# - dump_io + - env + - filter + - headers + - include + - macro + - md + - mime + - mpm_event + - negotiation + - proxy + - proxy_ajp + - proxy_balancer + - proxy_connect + - proxy_http + - proxy_wstunnel + - remoteip + - reqtimeout + - rewrite + - security2 + - setenvif + - ssl + - status + - unique_id + +- name: configure - apache2 templates + tags: configure + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - { src: custom_reverse_proxy.conf, 
dest: /etc/apache2/conf-enabled/ } + - { src: custom_ssl.conf, dest: /etc/apache2/conf-enabled/ } + notify: + - restart apache2 + +- name: configure - apache2 fichiers + tags: configure + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - { src: vhosts.d.template, dest: /etc/apache2/ } + - { src: purge-apache2-tmp, dest: /etc/cron.d/ } + notify: + - restart apache2 + +- name: configure - httpd pages statiques + tags: configure + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - { src: rp_ressources_images, dest: /var/www/html/rp_ressources/images } + +- name: configure - httpd pages statiques templates + tags: configure + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - { src: rp_ressources/400.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/401.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/403.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/404.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/410.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/500.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/502.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/503.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/504.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/customization.css, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/header.html, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/robots_disabled.txt, dest: /var/www/html/rp_ressources/ } + - { src: rp_ressources/robots_enabled.txt, dest: /var/www/html/rp_ressources/ } + - { src: rp_maintenance/maintenance-generique.html, dest: /var/www/html/rp_maintenance/ } + - { src: rp_maintenance/auth/index.html, dest: /var/www/html/rp_maintenance/auth } + + +- name: configure - scripts et pages statiques + tags: configure + copy: + src: "{{ item.src }}" 
+ dest: "{{ item.dest }}" + mode: 0775 + with_items: + - { src: modsechelper.sh, dest: /usr/local/bin/ } + - { src: maintenance.sh, dest: /usr/local/bin/ } + - { src: purge-apache2-tmp.sh, dest: /usr/local/bin/ } + +- name: install - active apache2 + tags: install + service: name=apache2 state=started enabled=yes + diff --git a/templates/custom_reverse_proxy.conf b/templates/custom_reverse_proxy.conf new file mode 100644 index 0000000..1882d1f --- /dev/null +++ b/templates/custom_reverse_proxy.conf 
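Review bot: `mode: 0660` on the `/etc/apache2/vhosts.d` directory omits the execute bit, so no process other than root can traverse it; a directory needs `0750` or `0755`. In the "scripts et pages statiques" task `mode: 0775` makes the three root-executed helpers in /usr/local/bin group-writable, and `purge-apache2-tmp.sh` is invoked as root from the cron.d entry installed two tasks earlier, so `mode: 0755` is the safer value. The `apache2 modules` task sets `failed_when: false` together with `ignore_configcheck: yes`, which means a module that cannot be enabled (including `security2` and `ssl`) is reported as success and the role finishes with the WAF or TLS silently absent; dropping `failed_when: false`, or at least registering the result and failing when `security2`/`ssl` are not present, would surface that.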
@@ -0,0 +1,497 @@ +# {{ ansible_managed }} + + +BufferedLogs Off +TraceEnable Off +Timeout 300 +KeepAlive On +MaxKeepAliveRequests 512 +KeepAliveTimeout 15 + +# Configuration MPM Event +ServerLimit 64 +ThreadsPerChild 32 +AsyncRequestWorkerFactor 2 +MaxRequestWorkers 2048 +MaxRequestsPerChild 16384 +GracefulShutdownTimeout 2 + + +# Supprime les informations version +ServerTokens ProductOnly +ServerSignature Off +SecServerSignature ";-)" + + +# Configuration headers +Header unset X-Powered-By +Header unset X-AspNet-Version +Header unset Server +Header set X-Frame-Options SAMEORIGIN +Header set X-XSS-Protection 1;mode=block +Header set X-Content-Type-Options nosniff +Header set Strict-Transport-Security "max-age=16070400" + + + +# Configuration modsecurity +SecTmpDir /var/lib/mod_security +SecDataDir /var/lib/mod_security +# ModSecurity Core Rules Set configuration +IncludeOptional modsecurity.d/*.conf +IncludeOptional modsecurity.d/activated_rules/*.conf + +# Default recommended configuration +SecRuleEngine On +SecRequestBodyAccess On +SecRule REQUEST_HEADERS:Content-Type "text/xml" \ +"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + +# 300 Mo +SecRequestBodyLimit 314572800 + +# 128 Ko +SecRequestBodyNoFilesLimit 131072 +SecRequestBodyInMemoryLimit 131072 + +SecRequestBodyLimitAction Reject +SecRule REQBODY_ERROR "!@eq 0" \ +"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" +SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ +"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \ +failed strict validation: \ +PE %{REQBODY_PROCESSOR_ERROR}, \ +BQ %{MULTIPART_BOUNDARY_QUOTED}, \ +BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ +DB %{MULTIPART_DATA_BEFORE}, \ +DA %{MULTIPART_DATA_AFTER}, \ +HF %{MULTIPART_HEADER_FOLDING}, \ +LF %{MULTIPART_LF_LINE}, \ +SM %{MULTIPART_MISSING_SEMICOLON}, \ +IQ %{MULTIPART_INVALID_QUOTING}, \ +IP %{MULTIPART_INVALID_PART}, 
\ +IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ +FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + +SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ +"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" + +#SecPcreMatchLimit 50000 +#SecPcreMatchLimitRecursion 50000 +SecPcreMatchLimit 250000000 +SecPcreMatchLimitRecursion 250000000 + +SecRule TX:/^MSC_/ "!@streq 0" \ +"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + +SecResponseBodyAccess Off +SecDebugLog /var/log/apache2/modsec_debug.log +#SecDebugLogLevel 4 +SecDebugLogLevel 0 +#SecAuditEngine RelevantOnly +SecAuditEngine Off +SecAuditLogRelevantStatus "^(?:5|4(?!04))" +SecAuditLogParts ABIJDEFHZ +SecAuditLogType Serial +SecAuditLog /var/log/apache2/modsec_audit.log +SecArgumentSeparator & +SecCookieFormat 0 + + + + +# Macros + + ProxyRequests Off + ProxyVia Off + ProxyPreserveHost On + + + + Require all granted + + + + Require ip 10.0.0.0/8 + Require ip 172.16.0.0/12 + Require ip 192.168.0.0/16 + + + + Require ip 192.168.3.11/32 + + + + Authname "Acces reserve aux utilisateurs disposant d'un compte valide" + Authtype Basic + AuthBasicProvider ldap + AuthLDAPBindAuthoritative on + AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }} + Require valid-user + + + + Authname "Acces reserve aux administrateurs" + Authtype Basic + AuthBasicProvider ldap + AuthLDAPBindAuthoritative on + AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }} + Require valid-user + Require ldap-user {{ reverse_proxy_ldap_admins }} + + + + + Header set X-Robots-Tag "noindex, nofollow" + ProxyPass /robots.txt ! + RewriteEngine On + RewriteRule ^/robots\.txt$ /rp_ressources/robots_disabled.txt [L] + + + + Header set X-Robots-Tag "all" + ProxyPass /robots.txt ! 
+ RewriteEngine On + RewriteRule ^/robots\.txt$ /rp_ressources/robots_enabled.txt [L] + + + + + ProxyErrorOverride On + ErrorDocument 400 /rp_ressources/400.html + ErrorDocument 401 /rp_ressources/401.html + ErrorDocument 403 /rp_ressources/403.html + ErrorDocument 404 /rp_ressources/404.html + ErrorDocument 500 /rp_ressources/500.html + ErrorDocument 502 /rp_ressources/502.html + ErrorDocument 503 /rp_ressources/503.html + ErrorDocument 504 /rp_ressources/504.html + ErrorDocument {{ reverse_proxy_http_modsecurity_error_code }} /rp_ressources/{{ reverse_proxy_http_modsecurity_error_code }}.html + + + + + RewriteEngine On + + + Use LDAPAdminAccessPolicy + + + # Si on est en maintenance + + RewriteCond %{REMOTE_ADDR} !127.0.0.1 + RewriteCond %{REQUEST_URI} !^/rp_ressources/* + RewriteCond %{REQUEST_URI} !^/rp_maintenance/* + RewriteCond %{HTTP_COOKIE} !rp_acces_maintenance=([^;]+) + RewriteRule ^.*$ %{DOCUMENT_ROOT}/maintenance/${VHOST_FQDN} + Header Set Cache-Control "no-store" + + + + + +# Redirige un domaine http vers https + + + ServerName $domain + Redirect permanent / https://$domain/ + + + + +# Redirige un domaine http vers n'importe qu'elle autre adresse http où https + + + ServerName $domainSource + Redirect permanent / $domainDest/ + + #Restriction configuration + + Use $accessPolicy + Use ErrorDocumentPages + + + + + + + + +Use vhost_redirect_http-https $vhostFQDN + +Define VHOST_FQDN $vhostFQDN + + + if ( $cert eq "LE" ) + { + print "------- Utilisation d'un certificat LetsEncrypt pour $vhostFQDN -------\n"; + $MDomain{"$vhostFQDN"} = { + MDCertificateAgreement => 'accepted', + MDContactEmail => '{{ reverse_proxy_default_serveradmin_email }}', + MDStapling => 'on', + }; + } + + + + + $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n"; + + + # Definition du virtualhost + ServerName $vhostFQDN + DocumentRoot "/var/www/html" + + # Configuration SSL avec le bon certificat +# Include conf.patterns.d/01_ssl_$cert.conf + 
SSLEngine on + + # Niveau de log souhaite + LogLevel $logPolicy + ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log + CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined + + # Politique vis a vis des moteurs de recherche + Use $indexingConf + + # Configuration de l'accessibilite du virtualhost (public, interne, restreint) + + Use $accessPolicy + + + # Inclusion de la configuration additionnelle + + my $dir=$ENV{"$vhostFQDN"}; + my $config_file="$dir/1_vhost_additional.conf"; + if( -f $config_file) + { + $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; + push @Include, "$config_file"; + } + + + # Configuration du chemin vers la page de status du load balancer + + SecRuleEngine off + SetHandler balancer-manager + Use InternalAdminAccessPolicy + + # Configuration du chemin vers les ressources reverse proxy + + SecRuleEngine off + Use OpenAccessPolicy + + # Configuration de la fonction reverse proxy + Use ProxyCommon + ProxyPass /rp_ressources ! + ProxyPass /rp_maintenance ! + ProxyPass /balancer-manager ! 
+ ProxyPass / $protoDest://$urlDest/ + ProxyPassReverse / $protoDest://$vhostFQDN/ + + + RequestHeader set X-Forwarded-Proto "https" + + + # Definition des pages d'erreur + Use ErrorDocumentPages + + # Gestion de la page de maintenance + Use CheckMaintenancePage + + # Gestion mod_security et inclusion des exceptions + + SecRuleEngine $modsecurityStatus + + my $dir=$ENV{"$vhostFQDN"}; + my $config_file="$dir/2_mds_exclusion.conf"; + if( -f $config_file) + { + $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; + push @Include, "$config_file"; + } + + + + + $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n"; + + + +Undefine VHOST_FQDN + + + + + + + +Define VHOST_FQDN $vhostFQDN + + + $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n"; + + + # Definition du virtualhost + ServerName $vhostFQDN + DocumentRoot "/var/www/html" + + # Niveau de log souhaite + LogLevel $logPolicy + ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log + CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined + + # Politique vis a vis des moteurs de recherche + Use $indexingConf + + # Configuration de l'accessibilite du virtualhost (public, interne, restreint) + + Use $accessPolicy + + + # Inclusion de la configuration additionnelle + + my $dir=$ENV{"$vhostFQDN"}; + my $config_file="$dir/1_vhost_additional.conf"; + if( -f $config_file) + { + $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; + push @Include, "$config_file"; + } + + + # Configuration du chemin vers la page de status du load balancer + + SecRuleEngine off + SetHandler balancer-manager + Use InternalAdminAccessPolicy + + # Configuration du chemin vers les ressources reverse proxy + + SecRuleEngine off + Use OpenAccessPolicy + + # Configuration de la fonction reverse proxy + Use ProxyCommon + ProxyPass /rp_ressources ! + ProxyPass /rp_maintenance ! + ProxyPass /balancer-manager ! 
+ ProxyPass / $protoDest://$urlDest/ + ProxyPassReverse / $protoDest://$vhostFQDN/ + + + RequestHeader set X-Forwarded-Proto "http" + + + # Definition des pages d'erreur + Use ErrorDocumentPages + + # Gestion de la page de maintenance + Use CheckMaintenancePage + + # Gestion mod_security et inclusion des exceptions + + SecRuleEngine $modsecurityStatus + + my $dir=$ENV{"$vhostFQDN"}; + my $config_file="$dir/2_mds_exclusion.conf"; + if( -f $config_file) + { + $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; + push @Include, "$config_file"; + } + + + + + $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n"; + + + +Undefine VHOST_FQDN + + + + + +# Virtualhosts techniques + +# Fait en sorte que si fqdn demandé ne correspond a aucun connu apache ne serve pas le 1er + + Redirect / http://erreur.libretic.fr/ + + + +# Permet l'acces a des pages d'info apache +ExtendedStatus on +Listen 9090 http + + ServerName localhost + DocumentRoot /var/www/html/ + + SetHandler server-info + Use InternalAdminAccessPolicy + Require host localhost + + + SetHandler server-status + Use InternalAdminAccessPolicy + Require host localhost + + LogLevel info + ErrorLog ${APACHE_LOG_DIR}/monitoring-page-error.log + CustomLog ${APACHE_LOG_DIR}/monitoring-page-access.log combined + + + + +# Perl scan vhosts.d +PerlSetEnv VHOSTS_DIR /etc/apache2/vhosts.d +PerlSetEnv VHOST_DEFAULT_FILE 0_vhost.conf +PerlSetEnv PERL_CONF_DEBUG 1 + +PerlSetVar StatusOptionsAll On +PerlSetVar StatusDeparseOptions "-p -sC" + + + $Apache2::Server::SaveConfig = 1 + + + + my $VHOSTS_REGEX='^\s*Use\s+vhost.+?\s+(.+?)\s+?'; + my @vhosts_sub_dirs=`find $ENV{'VHOSTS_DIR'} -mindepth 1 -maxdepth 1 -type d`; + $ENV{'PERL_CONF_DEBUG'} and print "------ Pre-Traitement ------\n"; + for my $subdir (@vhosts_sub_dirs) + { + chomp $subdir; + my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}"; + open my $vhost_file, "<", $config_file or die; + while(my $line = <$vhost_file>) + { 
+ if(my @matches = $line =~ /$VHOSTS_REGEX/) + { + my $vhost_name=${matches[0]}; + $ENV{'PERL_CONF_DEBUG'} and print "Identification du vhost: $vhost_name\n"; + push @PerlSetEnv, ["$vhost_name" => "$subdir"]; + } + } + close $config_file; + } + $ENV{'PERL_CONF_DEBUG'} and print "----------------------------\n"; + + + + use Apache2::PerlSections ( ); + $ENV{'PERL_CONF_DEBUG'} and print "------ Chargement des vhosts ------\n"; + foreach my $key (keys %ENV) { + my $subdir=$ENV{$key}; + my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}"; + if( -f $config_file ) + { + $ENV{'PERL_CONF_DEBUG'} and print "Ajout du vhost: $key\n"; + push @Include, "$config_file"; + } + } + $ENV{'PERL_CONF_DEBUG'} and print "-----------------------------------\n"; + print STDERR Apache::PerlSections->dump( ); + diff --git a/templates/custom_ssl.conf b/templates/custom_ssl.conf new file mode 100644 index 0000000..b5fbcf8 --- /dev/null +++ b/templates/custom_ssl.conf 
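Review bot: The hardening headers in the "Configuration headers" block (`Header set X-Frame-Options SAMEORIGIN`, `Header set X-Content-Type-Options nosniff`, `Header set Strict-Transport-Security ...` and the three `Header unset` lines) go into Apache's default `onsuccess` table, which is discarded on every non-2xx response — so they are missing on the ErrorDocument pages, on the WAF denies mapped to `{{ reverse_proxy_http_modsecurity_error_code }}`, and on the `Redirect permanent` answers of the `vhost_redirect_*` macros; write them as `Header always set ...` / `Header always unset ...`. The two Basic-auth macros relay the user's password to the directory over a plain `ldap://` URL (`AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/...`), so unless the proxy-to-LDAP leg is on an isolated segment the bind should use `ldaps://` or carry a trailing ` STARTTLS` in the URL. `SecAuditEngine Off` (the `RelevantOnly` line above it is commented out) leaves only the one-line error_log entry for a block, which is what the `apache-modsecurity` jail in jail.local reads but is not enough to reconstruct a blocked request afterwards. In the mod_perl pre-processing block, `close $config_file;` closes the filename string rather than the `$vhost_file` handle opened a few lines earlier, so one descriptor per vhosts.d subdirectory stays open after startup.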
@@ -0,0 +1,43 @@ +# {{ ansible_managed }} + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +SSLProtocol {{ reverse_proxy_SSLProtocol }} +SSLHonorCipherOrder on +SSLCompression Off +SSLCipherSuite "{{ reverse_proxy_SSLCipherSuite }}" + diff --git a/templates/httpd.conf b/templates/httpd.conf new file mode 100644 index 0000000..c175a69 --- /dev/null +++ b/templates/httpd.conf 
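Review bot: `SSLSessionCache shmcb:/run/httpd/sslcache(512000)` points at the RHEL httpd run directory, while the rest of this patch targets Debian's apache2 layout (`/etc/apache2/conf-enabled/`, `/var/log/apache2`, `service: name=apache2`); if `/run/httpd` is absent mod_ssl will most likely fail at startup creating the cache, so `SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)` is the consistent form. TLS session tickets are left at their default (on), and Apache's ticket key is static for the lifetime of the process, which weakens forward secrecy for that whole period even with `SSLHonorCipherOrder on`; add `SSLSessionTickets off` unless the key is rotated. The actual `SSLProtocol` and `SSLCipherSuite` values come from role variables that are not in this patch, so their strength cannot be judged here.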
@@ -0,0 +1,366 @@ +# {{ ansible_managed }} + +# +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so 'log/access_log' +# with ServerRoot set to '/www' will be interpreted by the +# server as '/www/log/access_log', where as '/log/access_log' will be +# interpreted as '/log/access_log'. + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to specify a local disk on the +# Mutex directive, if file-based mutexes are used. If you wish to share the +# same ServerRoot for multiple httpd daemons, you will need to change at +# least PidFile. +# +ServerRoot "/etc/httpd" +ServerName {{ ansible_fqdn }} +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. 
+# +#Listen 12.34.56.78:80 +Listen 80 + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +Include conf.modules.d/*.conf + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User apache +Group apache + +ServerTokens Prod +ServerSignature Off +FileETag None +TraceEnable off +HostnameLookups Off + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin {{ reverse_proxy_serveradmin_email }} + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. 
+# +#ServerName www.example.com:80 + +# +# Deny access to the entirety of your server's filesystem. You must +# explicitly permit access to web content directories in other +# blocks below. +# + + AllowOverride none + Require all denied + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +#DocumentRoot "/var/www/html" + +# +# Relax access to content within /var/www. +# +# +# AllowOverride None + # Allow open access: +# Require all granted +# + +# Further relax access to the default document root: +# + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # +# Options Indexes FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # Options FileInfo AuthConfig Limit + # +# AllowOverride None + + # + # Controls who can get stuff from this server. + # +# Require all granted +# + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# + + DirectoryIndex index.html + + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + +# +# ErrorLog: The location of the error log file. 
+# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog "logs/error_log" + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn +SetEnvIf Remote_Addr "127\.0\.0\.1" loopback + +# BufferedLogs On + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "logs/access_log" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + CustomLog "logs/access_log" combined env=!loopback + + +# + # + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. 
+ # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + # +# ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" + +# + +# +# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# +# +# AllowOverride None +# Options None +# Require all granted +# + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig /etc/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) 
+ # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + AddType text/html .shtml + AddOutputFilter INCLUDES .shtml + + +# +# Specify a default charset for all content served; this enables +# interpretation of all content as UTF-8 by default. To use the +# default browser choice (ISO-8859-1), or to allow the META tags +# in HTML content to override this choice, comment out this +# directive: +# +#AddDefaultCharset UTF-8 + + + # + # The mod_mime_magic module allows the server to use various hints from the + # contents of the file itself to determine its type. The MIMEMagicFile + # directive tells the module where the hint definitions are located. + # + MIMEMagicFile conf/magic + + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults if commented: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +EnableSendfile on + +# Supplemental configuration +# +# Load config files in the "/etc/httpd/conf.d" directory, if any. 
+IncludeOptional conf.d/*.conf +IncludeOptional macro.d/*.conf +#IncludeOptional vhosts.d/*.conf +IncludeOptional technical_vhosts.d/*.conf +IncludeOptional perl.d/*.conf diff --git a/templates/jail.local b/templates/jail.local new file mode 100644 index 0000000..e71b3b9 --- /dev/null +++ b/templates/jail.local @@ -0,0 +1,49 @@ +# {{ ansible_managed }} + +[DEFAULT] +ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 + +destemail = olivier+fail2ban@navas.rocks +banaction = nftables-multiport +banaction_allports = nftables-allports +action = %(action_mwl)s + + +apache_error_log = /var/log/apache2/*error.log +apache_access_log = /var/log/apache2/*access.log + +[sshd] +enabled = true + +[apache-auth] +enabled = true +logpath = %(apache_error_log)s + +[apache-badbots] +enabled = true + +[apache-noscript] +enabled = true + +[apache-overflows] +enabled = true + +[apache-nohome] +enabled = true + +[apache-botsearch] +enabled = true + +[apache-fakegooglebot] +enabled = true + +[apache-modsecurity] +enabled = true + +[apache-shellshock] +enabled = true + + + +[recidive] +enabled = true diff --git a/templates/rp_maintenance/auth/index.html b/templates/rp_maintenance/auth/index.html new file mode 100644 index 0000000..b6bfe75 --- /dev/null +++ b/templates/rp_maintenance/auth/index.html @@ -0,0 +1,47 @@ + + + + Maintenance en cours :-[ + + + + + + + + + + + + + + +
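Review bot: This template is a RHEL-style `httpd.conf` (`ServerRoot "/etc/httpd"`, `User apache` / `Group apache`, `Include conf.modules.d/*.conf`, relative `ErrorLog "logs/error_log"`, and includes of `macro.d`, `technical_vhosts.d` and `perl.d`), while the tasks and the other templates in this patch use Debian's apache2 layout (`/etc/apache2/conf-enabled/`, `/var/log/apache2`, `service: name=apache2`); the task that would install it is not in this hunk, so either the file is unused or it will not find the directories it includes — worth settling before the role is relied on. Two hardening settings are also duplicated with different spellings across files, `ServerTokens Prod` / `TraceEnable off` here versus `ServerTokens ProductOnly` / `TraceEnable Off` in custom_reverse_proxy.conf; keep each in one place. The `CustomLog "logs/access_log" combined env=!loopback` exclusion keyed on `SetEnvIf Remote_Addr "127\.0\.0\.1"` silently discards all IPv4 loopback traffic from the access log and does not match `::1`; if the intent is to drop local probes, match both (`"^(127\.0\.0\.1|::1)$"`) and consider logging them to a separate file rather than nowhere.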
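Review bot: `destemail = olivier+fail2ban@navas.rocks` hard-codes a personal mailbox into a role template, and because `action = %(action_mwl)s` mails the matched log lines (which carry request URIs and user agents) along with whois output, every deployment of this role will send its ban evidence to that one individual; the file is already a Jinja template, so make it `destemail = {{ reverse_proxy_fail2ban_destemail }}` with a default alongside the other `reverse_proxy_*` variables the templates reference. `ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16` whitelists all of RFC 1918, so `apache-auth` and `apache-modsecurity` will never ban an internal source even though the LDAP-protected locations in custom_reverse_proxy.conf are reachable from exactly those ranges. `banaction = nftables-multiport` presumes nftables is present; nothing in the visible tasks installs or checks it.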
+ +
+
+
+
+ +
+

Avertissement

+ +

+ +

L'application demandée est en maintenance. En tant que personnel de la DSI vous allez pouvoir y accéder. Cependant, merci de vous assurer + auprès de l'équipe en charge de la maintenance que vos actions dans l'application ne risquent pas de perturber l'opération en cours.

+ Accéder à l'application +
+ +
+
+
+ + + diff --git a/templates/rp_maintenance/maintenance-generique.html b/templates/rp_maintenance/maintenance-generique.html new file mode 100644 index 0000000..22f7ff0 --- /dev/null +++ b/templates/rp_maintenance/maintenance-generique.html @@ -0,0 +1,42 @@ + + + + Maintenance en cours :-[ + + + + + + + + + + + + + + +
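Review bot: This page is the staff-only entry into a site in maintenance, but the gate it opens is the cookie test in custom_reverse_proxy.conf, `RewriteCond %{HTTP_COOKIE} !rp_acces_maintenance=([^;]+)`, which accepts any non-empty value; once the cookie name is known, anyone can set `rp_acces_maintenance=1` by hand and skip the maintenance page without ever passing the LDAP challenge that appears to protect this location (`Use LDAPAdminAccessPolicy` in the maintenance macro). The markup of this page was lost in extraction, so where and with what value the cookie is set cannot be checked here; if the bypass is meant for authenticated staff only, the value needs to be unguessable and verified by the proxy (for example minted after the LDAP prompt and compared server-side), and the cookie should carry `Secure; HttpOnly; SameSite=Lax`. Note also that `Require ldap-user {{ reverse_proxy_ldap_admins }}` in that policy admits only the listed admins, while the text here addresses all DSI staff — align the wording with the actual policy.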
+ +
+
+
+
+ +
+

Une maintenance est en cours

+ +

Nous vous remercions pour votre compréhension et vous prions de nous excuser pour la gêne occasionnée

+ +

Vous pouvez rester sur cette page et le service demandé apparaîtra sitôt qu'il sera de nouveau disponible. + En attendant vous pouvez également aller visiter {{ reverse_proxy_default_website }}

+ Retourner à la page d'accueil + S'identifier pour accéder à l'application +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/400.html b/templates/rp_ressources/400.html new file mode 100644 index 0000000..32d71d4 --- /dev/null +++ b/templates/rp_ressources/400.html @@ -0,0 +1,41 @@ + + + + Erreur 400 :-[ + + + + + + + + + + + + + +
+ +
+
+
+
+ +
+

Requête mal formulée

+ +

Le service demandé n'a pas pu vous répondre.

+ +

Le serveur ne peut pas traiter votre demande car mal formulée (par exemple, problème de syntaxe, de taille...) + Si vous pensez que ce comportement est anormal, vous pouvez signaler une anomalie.

+ + Retourner à la page d'accueil +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/401.html b/templates/rp_ressources/401.html new file mode 100644 index 0000000..e830d73 --- /dev/null +++ b/templates/rp_ressources/401.html @@ -0,0 +1,40 @@ + + + + Erreur 401 :-[ + + + + + + + + + + + + + +
+ +
+
+
+
+ +
+

Accès non autorisé

+ +

+ +

L'accès à la page demandée nécessite une autorisation.

+ + Retourner à la page d'accueil +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/403.html b/templates/rp_ressources/403.html new file mode 100644 index 0000000..098eed6 --- /dev/null +++ b/templates/rp_ressources/403.html @@ -0,0 +1,40 @@ + + + + Erreur 403 :-[ + + + + + + + + + + + + + +
+ +
+
+
+
+ +
+

Accès refusé

+ +

L'accès à la page demandée vous a été refusé

+ +

Votre identifiant ou mot de passe est peut-être incorrect, ou bien l'application ne vous y autorise pas l'accès.

+ + Retourner à la page d'accueil +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/404.html b/templates/rp_ressources/404.html new file mode 100644 index 0000000..10ad851 --- /dev/null +++ b/templates/rp_ressources/404.html @@ -0,0 +1,40 @@ + + + + Erreur 404 :-[ + + + + + + + + + + + + + +
+ +
+
+
+
+ +
+

Oups...

+ +

Il semble que vous vous soyez égaré...

+ +

La page que vous avez demandée n'a pas été trouvée, mais pas d'inquiétude, vous pouvez revenir sur {{ reverse_proxy_default_website }} ou bien...

+ + Retourner à la page d'accueil +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/410.html b/templates/rp_ressources/410.html new file mode 100644 index 0000000..7332fdb --- /dev/null +++ b/templates/rp_ressources/410.html @@ -0,0 +1,42 @@ + + + + Erreur 410 :-[ + + + + + + + + + + + + + +
+ +
+
+
+
+ +
+

Requête bloquée par WAF

+ +

L'accès à la page demandée a été refusée par le WAF

+ +

Une anomalie de sécurité a été détectée. Si vous pensez que ce comportement est anormal, + vous pouvez signaler une anomalie.

+ + + Retourner à la page d'accueil +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/500.html b/templates/rp_ressources/500.html new file mode 100644 index 0000000..5b5a961 --- /dev/null +++ b/templates/rp_ressources/500.html @@ -0,0 +1,41 @@ + + + + Erreur 500 :-[ + + + + + + + + + + + + + +
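Review bot: The page announces "Requête bloquée par WAF" on a dedicated status code (`reverse_proxy_http_modsecurity_error_code: 410` in vars/main.yml), which gives an attacker a precise oracle for which payloads trip a rule — and with `SecAuditEngine Off` in custom_reverse_proxy.conf the defender keeps less of that exchange than the attacker learns from it. Consider the same neutral "Accès refusé" wording as the 403 page, and if mod_unique_id is loaded, surface the request's unique id on the page so the support contact can find the corresponding log line without the page revealing the mechanism; the markup of this page was lost in extraction, so the "signaler une anomalie" link target cannot be checked here.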
+ +
+
+
+
+ +
+

Erreur interne

+ +

Une erreur s'est produite pendant l'exécution de votre demande

+ +

Vous pouvez tenter de recommencer. Si malgré tout l'erreur se reproduit et que vous pensez que ce comportement n'est pas normal, + vous pouvez signaler une anomalie.

+ + Retourner à la page d'accueil +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/502.html b/templates/rp_ressources/502.html new file mode 100644 index 0000000..2a65113 --- /dev/null +++ b/templates/rp_ressources/502.html @@ -0,0 +1,39 @@ + + + + Erreur 502 :-[ + + + + + + + + + + + + +
+ +
+
+
+
+ +
+

Erreur de passerelle

+ +

Le service demandé n'a pas pu vous répondre.

+ +

Le service demandé n'a pas pu être atteint par la passerelle, probablement en raison d'un dysfonctionnement de ce dernier.

+ + Retourner à la page d'accueil +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/503.html b/templates/rp_ressources/503.html new file mode 100644 index 0000000..c974a26 --- /dev/null +++ b/templates/rp_ressources/503.html @@ -0,0 +1,41 @@ + + + + Erreur 503 :-[ + + + + + + + + + + + + + +
+ +
+
+
+
+ +
+

Service indisponible

+ +

Le service demandé n'a pas pu vous répondre.

+ +

L'application est soit indisponible ou soit protégée par un dispositif de sécurité. Si vous pensez que ce comportement est anormal, + vous pouvez signaler une anomalie.

+ + Retourner à la page d'accueil +
+ +
+
+
+ + + diff --git a/templates/rp_ressources/504.html b/templates/rp_ressources/504.html new file mode 100644 index 0000000..853be34 --- /dev/null +++ b/templates/rp_ressources/504.html @@ -0,0 +1,41 @@ + + + + Erreur 504 :-[ + + + + + + + + + + + + + +
+ +
+
+
+
+ +
+

Délai d'attente dépassé

+ +

Le délai accordé à l'application pour répondre à votre demande est dépassé.

+ +

L'application est peut-être momentanément surchargée ou défaillante. Si le problême persiste, ou si vous pensez que ce comportement est anormal, + vous pouvez signaler une anomalie.

+ + Retourner à la page d'accueil +
+ +
+
+
+ + +
diff --git a/templates/rp_ressources/customization.css b/templates/rp_ressources/customization.css
new file mode 100644
index 0000000..01371a6
--- /dev/null
+++ b/templates/rp_ressources/customization.css
@@ -0,0 +1,43 @@
+
+body {
+ padding-bottom: 100px;
+}
+
+.navbar {
+ margin-bottom: 0px;
+}
+
+.logo_rp_header {
+ height: 60px;
+}
+
+.logo_rp_footer {
+ height: 50px;
+}
+
+
+html {
+ position: relative;
+ min-height: 100%;
+}
+
+.footer {
+ position: absolute;
+ bottom: 0;
+ width: 100%;
+ height: 70px;
+}
+
+.illustration {
+ padding-top: 20px;
+ padding-bottom: 20px;
+ width: 80%;
+ max-width: 500px;
+}
+
+.illustration404 {
+ padding-top: 40px;
+ padding-bottom: 40px;
+ width: 100%;
+ max-width: 700px;
+}
diff --git a/templates/rp_ressources/header.html b/templates/rp_ressources/header.html
new file mode 100644
index 0000000..4950584
--- /dev/null
+++ b/templates/rp_ressources/header.html
@@ -0,0 +1,21 @@
+
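Review bot: The user-facing text in the third paragraph of 504.html misspells "problème" as "problême" (circumflex instead of grave accent); the line should read `L'application est peut-être momentanément surchargée ou défaillante. Si le problème persiste, ou si vous pensez que ce comportement est anormal,`. The markup around that paragraph is not visible in this extract, so I could not check the enclosing element, but the string itself is what visitors will see on every gateway timeout.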
+ +
diff --git a/templates/rp_ressources/robots_disabled.txt b/templates/rp_ressources/robots_disabled.txt
new file mode 100644
index 0000000..6ffbc30
--- /dev/null
+++ b/templates/rp_ressources/robots_disabled.txt
@@ -0,0 +1,3 @@
+User-agent: *
+Disallow: /
+
diff --git a/templates/rp_ressources/robots_enabled.txt b/templates/rp_ressources/robots_enabled.txt
new file mode 100644
index 0000000..c277ffd
--- /dev/null
+++ b/templates/rp_ressources/robots_enabled.txt
@@ -0,0 +1,3 @@
+User-agent: *
+Crawl-delay: 10
+
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..5334824
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - reverse-proxy
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..266e360
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1 @@
+reverse_proxy_http_modsecurity_error_code: 410
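Review bot: `Disallow: /` in robots_disabled.txt is only a hint honoured by well-behaved crawlers, and the file name reads as if it "disables" robots on a vhost, so a maintainer may take it for an access restriction. A leading comment in the file would keep that straight, e.g. `# Advisory for cooperating crawlers only; this does not restrict access. Use authentication for private vhosts.`. robots.txt accepts `#` comment lines, so this changes nothing for crawlers, and the same note applies to robots_enabled.txt if its `Crawl-delay: 10` is relied on for load protection.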
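Review bot: `reverse_proxy_http_modsecurity_error_code: 410` is placed in vars/main.yml, which in Ansible takes precedence over inventory and group_vars, so a consumer of the role cannot change the ModSecurity denial status per host without role parameters or extra-vars; if it is meant to be tunable it belongs in defaults/main.yml. If the non-standard 410 (rather than the conventional 403) is deliberate, a comment should say so, e.g. `# Status returned on ModSecurity denials; 410 is chosen on purpose instead of the usual 403 so blocked requests are not distinguishable from removed resources`. The configuration that consumes this variable is outside this extract, so I am inferring its use from the name.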
