libretic/ansible-role-reverse_proxy
7
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ansible-role-reverse_proxy/templates/custom_reverse_proxy.conf

393 lines
11 KiB
Text
Raw Blame History

# {{ ansible_managed }}
BufferedLogs Off
TraceEnable Off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 512
KeepAliveTimeout 15
# Configuration MPM Event
ServerLimit 64
ThreadsPerChild 32
AsyncRequestWorkerFactor 2
MaxRequestWorkers 2048
MaxRequestsPerChild 16384
GracefulShutdownTimeout 2
# Supprime les informations version
ServerTokens ProductOnly
ServerSignature Off
SecServerSignature ";-)"
# Configuration headers
Header unset X-Powered-By
Header unset X-AspNet-Version
Header unset Server
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=16070400"
# Configuration Modsecurity par défaut pour l'analyse des requêtes
SecResponseBodyAccess Off
SecRequestBodyLimit 10485760
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction ProcessPartial
# Macros
<Macro Empty>
</Macro>
<Macro OpenAccessPolicy>
Require all granted
</Macro>
<Macro InternalAccessPolicy>
Require ip 10.0.0.0/8
Require ip 172.16.0.0/12
Require ip 192.168.0.0/16
</Macro>
<Macro LDAPUserAccessPolicy>
Authname "Acces reserve aux utilisateurs disposant d'un compte valide (annuaire)"
Authtype Basic
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPBindDN {{ reverse_proxy_ldap_bind_dn }}
AuthLDAPBindPassword {{ reverse_proxy_ldap_bind_password }}
AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }}
Require valid-user
</Macro>
<Macro LDAPAdminAccessPolicy>
Authname "Acces reserve aux administrateurs (annuaire)"
Authtype Basic
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPBindDN {{ reverse_proxy_ldap_bind_dn }}
AuthLDAPBindPassword {{ reverse_proxy_ldap_bind_password }}
AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }}
Require valid-user
Require ldap-user {{ reverse_proxy_ldap_admins }}
</Macro>
<Macro BlockCrawlerIndexing>
Header set X-Robots-Tag "noindex, nofollow"
ProxyPass /robots.txt !
RewriteEngine On
RewriteRule ^/robots\.txt$ /rp_ressources/robots_disabled.txt [L]
</Macro>
<Macro AllowCrawlerIndexing>
Header set X-Robots-Tag "all"
ProxyPass /robots.txt !
RewriteEngine On
RewriteRule ^/robots\.txt$ /rp_ressources/robots_enabled.txt [L]
</Macro>
<Macro ErrorDocumentPages>
ProxyErrorOverride On
ErrorDocument 400 /rp_ressources/400.html
ErrorDocument 401 /rp_ressources/401.html
ErrorDocument 403 /rp_ressources/403.html
ErrorDocument 404 /rp_ressources/404.html
ErrorDocument 500 /rp_ressources/500.html
ErrorDocument 502 /rp_ressources/502.html
ErrorDocument 503 /rp_ressources/503.html
ErrorDocument 504 /rp_ressources/504.html
ErrorDocument {{ reverse_proxy_http_modsecurity_error_code }} /rp_ressources/{{ reverse_proxy_http_modsecurity_error_code }}.html
</Macro>
<Macro CheckMaintenancePage $vhostFQDN>
RewriteEngine On
<Location "/rp_maintenance/auth/">
Use LDAPAdminAccessPolicy
</Location>
# Si on est en maintenance
<If "-f %{DOCUMENT_ROOT} . '/rp_maintenance/$vhostFQDN.html'">
RewriteCond %{REMOTE_ADDR} !127.0.0.1
RewriteCond %{REQUEST_URI} !^/rp_ressources/*
RewriteCond %{REQUEST_URI} !^/rp_maintenance/*
RewriteCond %{HTTP_COOKIE} !rp_acces_maintenance=([^;]+)
RewriteRule ^.*$ %{DOCUMENT_ROOT}/rp_maintenance/$vhostFQDN.html
Header Set Cache-Control "no-store"
</If>
</Macro>
# Configuration de la fonction reverse proxy
<Macro ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf>
# Definition du virtualhost
ServerName $vhostFQDN
DocumentRoot "/var/www/html"
# Niveau de log souhaite
LogLevel $logPolicy
ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log
CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined
# Politique vis a vis des moteurs de recherche
Use $indexingConf
# Configuration de l'accessibilite du virtualhost (public, interne, restreint)
<Location />
Use $accessPolicy
</Location>
# On autorise quand même l'accès a .well-known pour letsencrypt
<Location /.well-known>
Use OpenAccessPolicy
</Location>
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
ProxyPass /rp_ressources !
ProxyPass /rp_maintenance !
ProxyPass /balancer-manager !
ProxyPass / $protoDest://$urlDest/
ProxyPassReverse / $protoDest://$vhostFQDN/
# Configuration du chemin vers la page de status du load balancer
<Location "/balancer-manager">
SecRuleEngine off
SetHandler balancer-manager
Use InternalAccessPolicy
</Location>
# Configuration du chemin vers les ressources reverse proxy
<Location "/rp_ressources">
SecRuleEngine off
Use OpenAccessPolicy
</Location>
# Definition des pages d'erreur
Use ErrorDocumentPages
# Gestion de la page de maintenance
Use CheckMaintenancePage $vhostFQDN
</Macro>
# Redirige un domaine http vers https
<Macro vhost_redirect_http-https $domain>
<VirtualHost *:80>
ServerName $domain
Redirect permanent / https://$domain/
</VirtualHost>
</Macro>
# Redirige un domaine http vers n'importe qu'elle autre adresse http où https
<Macro vhost_redirect_http_generic $domainSource $domainDest $accessPolicy>
<VirtualHost *:80>
ServerName $domainSource
Redirect permanent / $domainDest/
#Restriction configuration
<Location />
Use $accessPolicy
Use ErrorDocumentPages
</Location>
</VirtualHost>
</Macro>
<Macro vhost_HTTPS_Generic $vhostFQDN $cert $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus>
Use vhost_redirect_http-https $vhostFQDN
<Perl>
if ( $cert eq "LE" )
{
print "------- Utilisation d'un certificat LetsEncrypt pour $vhostFQDN -------\n";
$MDomain{"$vhostFQDN"} = {
MDCertificateAgreement => 'accepted',
MDContactEmail => '{{ reverse_proxy_default_serveradmin_email }}',
MDStapling => 'on',
};
}
</Perl>
<VirtualHost *:443>
<Perl>
$ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n";
</Perl>
Use ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf
SSLEngine on
# Inclusion de la configuration additionnelle
<Perl>
my $dir=$ENV{"$vhostFQDN"};
my $config_file="$dir/1_vhost_additional.conf";
if( -f $config_file)
{
$ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
push @Include, "$config_file";
}
</Perl>
<If "'$protoDest' == 'http'">
RequestHeader set X-Forwarded-Proto "https"
</If>
# Gestion mod_security et inclusion des exceptions
<IfModule mod_security2.c>
SecRuleEngine $modsecurityStatus
<Perl>
my $dir=$ENV{"$vhostFQDN"};
my $config_file="$dir/2_mds_exclusion.conf";
if( -f $config_file)
{
$ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
push @Include, "$config_file";
}
</Perl>
</IfModule>
<Perl>
$ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n";
</Perl>
</VirtualHost>
</Macro>
<Macro vhost_HTTP_Generic $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus>
<VirtualHost *:80>
<Perl>
$ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n";
</Perl>
Use ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf
# Inclusion de la configuration additionnelle
<Perl>
my $dir=$ENV{"$vhostFQDN"};
my $config_file="$dir/1_vhost_additional.conf";
if( -f $config_file)
{
$ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
push @Include, "$config_file";
}
</Perl>
<If "'$protoDest' == 'https'">
RequestHeader set X-Forwarded-Proto "http"
</If>
# Gestion mod_security et inclusion des exceptions
<IfModule mod_security2.c>
SecRuleEngine $modsecurityStatus
<Perl>
my $dir=$ENV{"$vhostFQDN"};
my $config_file="$dir/2_mds_exclusion.conf";
if( -f $config_file)
{
$ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
push @Include, "$config_file";
}
</Perl>
</IfModule>
<Perl>
$ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n";
</Perl>
</VirtualHost>
</Macro>
# Virtualhosts techniques
# Fait en sorte que si fqdn demandé ne correspond a aucun connu apache ne serve pas le 1er
<VirtualHost *:80>
Redirect / https://www.libretic.fr/error
</VirtualHost>
# Permet l'acces a des pages d'info apache
ExtendedStatus on
Listen 9090 http
<VirtualHost *:9090>
ServerName localhost
DocumentRoot /var/www/html/
<Location /server-info>
SetHandler server-info
Use InternalAccessPolicy
Require host localhost
</Location>
<Location /status>
SetHandler server-status
Use InternalAccessPolicy
Require host localhost
</Location>
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/monitoring-page-error.log
CustomLog ${APACHE_LOG_DIR}/monitoring-page-access.log combined
</VirtualHost>
# Perl scan vhosts.d
PerlSetEnv VHOSTS_DIR /etc/apache2/vhosts.d
PerlSetEnv VHOST_DEFAULT_FILE 0_vhost.conf
PerlSetEnv PERL_CONF_DEBUG 1
PerlSetVar StatusOptionsAll On
PerlSetVar StatusDeparseOptions "-p -sC"
<Perl>
$Apache2::Server::SaveConfig = 1
</Perl>
<Perl>
my $VHOSTS_REGEX='^\s*Use\s+vhost.+?\s+(.+?)\s+?';
my @vhosts_sub_dirs=`find $ENV{'VHOSTS_DIR'} -mindepth 1 -maxdepth 1 -type d`;
$ENV{'PERL_CONF_DEBUG'} and print "------ Pre-Traitement ------\n";
for my $subdir (@vhosts_sub_dirs)
{
chomp $subdir;
my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}";
open my $vhost_file, "<", $config_file or die;
while(my $line = <$vhost_file>)
{
if(my @matches = $line =~ /$VHOSTS_REGEX/)
{
my $vhost_name=${matches[0]};
$ENV{'PERL_CONF_DEBUG'} and print "Identification du vhost: $vhost_name\n";
push @PerlSetEnv, ["$vhost_name" => "$subdir"];
}
}
close $config_file;
}
$ENV{'PERL_CONF_DEBUG'} and print "----------------------------\n";
</Perl>
<Perl>
use Apache2::PerlSections ( );
$ENV{'PERL_CONF_DEBUG'} and print "------ Chargement des vhosts ------\n";
foreach my $key (keys %ENV) {
my $subdir=$ENV{$key};
my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}";
if( -f $config_file )
{
$ENV{'PERL_CONF_DEBUG'} and print "Ajout du vhost: $key\n";
push @Include, "$config_file";
}
}
$ENV{'PERL_CONF_DEBUG'} and print "-----------------------------------\n";
print STDERR Apache::PerlSections->dump( );
</Perl>
Reference in a new issue View git blame Copy permalink