
# {{ ansible_managed }}
# Global settings: connection limits, version hiding, response headers and the
# mod_security defaults inherited by every vhost defined further down.
BufferedLogs Off
TraceEnable Off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 512
KeepAliveTimeout 15
# MPM Event configuration
ServerLimit 64
ThreadsPerChild 32
AsyncRequestWorkerFactor 2
MaxRequestWorkers 2048
MaxRequestsPerChild 16384
GracefulShutdownTimeout 2
# Strip version information from responses and generated pages
ServerTokens ProductOnly
ServerSignature Off
SecServerSignature ";-)"
# Response header configuration.
# `Header set` / `Header unset` without `always` only act on successful
# responses, so the error pages served via ErrorDocumentPages go out without
# these headers.
Header unset X-Powered-By
Header unset X-AspNet-Version
# NOTE(review): the Server header is appended by the core after mod_headers has
# run, so this unset is not expected to take effect; ServerTokens above is what
# actually trims it.
Header unset Server
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
# max-age=16070400 is about 186 days; HSTS preload requires one year and
# includeSubDomains.
Header set Strict-Transport-Security "max-age=16070400"
# mod_security configuration
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
# ModSecurity Core Rules Set configuration
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
# Route text/xml bodies through the XML body processor
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# 300 MB
SecRequestBodyLimit 314572800
# 128 KB
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# NOTE(review): status:44 (here and in rule 200003) is not a standard HTTP status
# code — confirm what the server actually sends when these rules deny.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
#SecPcreMatchLimit 50000
#SecPcreMatchLimitRecursion 50000
# Raised far above the commented-out defaults. These limits are the guard against
# catastrophic regex backtracking, so a crafted request can consume much more
# CPU per rule before PCRE gives up (and before rule 200004 below can deny on
# TX:MSC_PCRE_LIMITS_EXCEEDED).
SecPcreMatchLimit 250000000
SecPcreMatchLimitRecursion 250000000
# Deny when any internal TX:MSC_* flag was raised by the engine
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# Response bodies are not inspected: outbound (data-leakage) rules cannot fire
SecResponseBodyAccess Off
SecDebugLog /var/log/apache2/modsec_debug.log
#SecDebugLogLevel 4
SecDebugLogLevel 0
#SecAuditEngine RelevantOnly
# Audit logging is disabled: a blocked request leaves only the error-log line,
# not the full transaction, which limits what can be reconstructed afterwards.
# The remaining SecAudit* settings below only take effect if it is re-enabled.
SecAuditEngine Off
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
# Macros
<Macro ProxyCommon>
# Reverse-proxy only (no forward proxying), no Via header, and the client's
# Host header is passed to the backend unchanged.
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
</Macro>
<Macro OpenAccessPolicy>
# Public: no access restriction.
Require all granted
</Macro>
<Macro InternalAccessPolicy>
# RFC 1918 ranges (any one matches). Evaluated on the TCP peer address: if
# another proxy or load balancer sits in front of this server, that is its
# address unless mod_remoteip is configured.
Require ip 10.0.0.0/8
Require ip 172.16.0.0/12
Require ip 192.168.0.0/16
</Macro>
<Macro InternalAdminAccessPolicy>
# Single administration host; guards /balancer-manager and the status pages.
Require ip 192.168.3.11/32
</Macro>
<Macro LDAPUserAccessPolicy>
# HTTP Basic authentication against LDAP, any valid account. Credentials travel
# in clear on any plain-HTTP vhost that uses this policy, and the LDAP bind goes
# over plain ldap:// unless LDAPTrustedMode TLS (or an ldaps URL) is configured
# elsewhere.
Authname "Acces reserve aux utilisateurs disposant d'un compte valide"
Authtype Basic
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }}
Require valid-user
</Macro>
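<Macro LDAPAdminAccessPolicy>
# HTTP Basic authentication against LDAP, restricted to the admin account list.
# Two Require directives at the same level without a container are combined
# with an implicit <RequireAny>, so the previous form was satisfied by
# `Require valid-user` alone and the admin list was never enforced; the
# <RequireAll> makes both conditions mandatory.
# Same transport caveats as LDAPUserAccessPolicy (clear-text Basic credentials on
# plain-HTTP vhosts, plain ldap:// bind unless TLS is configured elsewhere).
Authname "Acces reserve aux administrateurs"
Authtype Basic
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }}
<RequireAll>
Require valid-user
Require ldap-user {{ reverse_proxy_ldap_admins }}
</RequireAll>
</Macro>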
<Macro BlockCrawlerIndexing>
# Mark every response noindex/nofollow and serve a local robots.txt instead of
# the backend's.
Header set X-Robots-Tag "noindex, nofollow"
ProxyPass /robots.txt !
RewriteEngine On
RewriteRule ^/robots\.txt$ /rp_ressources/robots_disabled.txt [L]
</Macro>
<Macro AllowCrawlerIndexing>
# Allow indexing, but still replace the backend's robots.txt with a local one.
Header set X-Robots-Tag "all"
ProxyPass /robots.txt !
RewriteEngine On
RewriteRule ^/robots\.txt$ /rp_ressources/robots_enabled.txt [L]
</Macro>
<Macro ErrorDocumentPages>
# Replace error responses — the backend's too, because of ProxyErrorOverride —
# with static pages under /rp_ressources. The last entry is presumably the
# status mod_security denies with (set outside this file).
ProxyErrorOverride On
ErrorDocument 400 /rp_ressources/400.html
ErrorDocument 401 /rp_ressources/401.html
ErrorDocument 403 /rp_ressources/403.html
ErrorDocument 404 /rp_ressources/404.html
ErrorDocument 500 /rp_ressources/500.html
ErrorDocument 502 /rp_ressources/502.html
ErrorDocument 503 /rp_ressources/503.html
ErrorDocument 504 /rp_ressources/504.html
ErrorDocument {{ reverse_proxy_http_modsecurity_error_code }} /rp_ressources/{{ reverse_proxy_http_modsecurity_error_code }}.html
</Macro>
<Macro CheckMaintenancePage $vhostFQDN>
# While the file %{DOCUMENT_ROOT}/maintenance/<fqdn> exists, serve it instead of
# proxying, except for localhost, the reverse-proxy resources, and clients
# carrying the bypass cookie.
RewriteEngine On
# Admin-only endpoint (what it serves is defined outside this file).
<Location "/rp_maintenance/auth/">
Use LDAPAdminAccessPolicy
</Location>
# If maintenance mode is active for this vhost
<If "-f %{DOCUMENT_ROOT} . '/maintenance/$vhostFQDN'">
# Unanchored pattern: also matches any address merely containing 127.0.0.1
# (e.g. 127.0.0.10).
RewriteCond %{REMOTE_ADDR} !127.0.0.1
# `/*` is "zero or more slashes", so these are plain prefix matches.
RewriteCond %{REQUEST_URI} !^/rp_ressources/*
RewriteCond %{REQUEST_URI} !^/rp_maintenance/*
# The bypass is granted on the mere presence of the cookie — its value is not
# checked — so any client that sets it skips the maintenance page.
RewriteCond %{HTTP_COOKIE} !rp_acces_maintenance=([^;]+)
RewriteRule ^.*$ %{DOCUMENT_ROOT}/maintenance/$vhostFQDN
Header Set Cache-Control "no-store"
</If>
</Macro>
# Redirect an HTTP domain to HTTPS
<Macro vhost_redirect_http-https $domain>
# Permanent (301) redirect of the whole site to the HTTPS origin of the same name.
<VirtualHost *:80>
ServerName $domain
Redirect permanent / https://$domain/
</VirtualHost>
</Macro>
# Redirect an HTTP domain to any other http or https address
<Macro vhost_redirect_http_generic $domainSource $domainDest $accessPolicy>
# $domainDest is expected to carry its scheme; a trailing slash is appended here.
<VirtualHost *:80>
ServerName $domainSource
Redirect permanent / $domainDest/
# Access restriction. This vhost is plain HTTP, so an LDAP policy here would
# send Basic credentials in clear.
<Location />
Use $accessPolicy
Use ErrorDocumentPages
</Location>
</VirtualHost>
</Macro>
<Macro vhost_HTTPS_Generic $vhostFQDN $cert $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus>
# HTTPS reverse-proxy vhost for $vhostFQDN, forwarding to $protoDest://$urlDest/.
# $cert: "LE" lets mod_md obtain a Let's Encrypt certificate; for any other value
#   nothing here configures the certificate (no SSLCertificateFile), so it is
#   presumably supplied by the per-vhost 1_vhost_additional.conf.
# $logPolicy: LogLevel value. $accessPolicy / $indexingConf: macro names.
# $modsecurityStatus: SecRuleEngine value.
# mod_macro substitutes every parameter textually, including inside <Perl>.
Use vhost_redirect_http-https $vhostFQDN
<Perl>
# After substitution this reads e.g. `if ( LE eq "LE" )`: the argument arrives
# as a bareword, which appears to rely on these sections not running under strict.
if ( $cert eq "LE" )
{
print "------- Utilisation d'un certificat LetsEncrypt pour $vhostFQDN -------\n";
# Equivalent of an `<MDomain fqdn>` block, through the Perl-sections hash interface.
$MDomain{"$vhostFQDN"} = {
MDCertificateAgreement => 'accepted',
MDContactEmail => '{{ reverse_proxy_default_serveradmin_email }}',
MDStapling => 'on',
};
}
</Perl>
<VirtualHost *:443>
<Perl>
$ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n";
</Perl>
# Virtualhost definition
ServerName $vhostFQDN
DocumentRoot "/var/www/html"
# SSL configuration with the right certificate
# Include conf.patterns.d/01_ssl_$cert.conf
SSLEngine on
# Desired log level
LogLevel $logPolicy
ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log
CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined
# Search-engine policy
Use $indexingConf
# Virtualhost reachability (public, internal, restricted)
<Location />
Use $accessPolicy
</Location>
# Additional per-vhost configuration. The vhost's directory is read from the
# environment variable named after the FQDN, exported by the discovery <Perl>
# section at the end of this file; when it is unset the file test fails quietly.
<Perl>
my $dir=$ENV{"$vhostFQDN"};
my $config_file="$dir/1_vhost_additional.conf";
if( -f $config_file)
{
$ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
push @Include, "$config_file";
}
</Perl>
# Load-balancer status page. ModSecurity is bypassed here and the manager allows
# runtime changes to backend workers, so the admin IP policy is the only control.
<Location "/balancer-manager">
SecRuleEngine off
SetHandler balancer-manager
Use InternalAdminAccessPolicy
</Location>
# Reverse-proxy static resources (error/maintenance pages): public and not
# inspected by ModSecurity; this Location overrides the $accessPolicy set on /.
<Location "/rp_ressources">
SecRuleEngine off
Use OpenAccessPolicy
</Location>
# Reverse-proxy configuration
Use ProxyCommon
ProxyPass /rp_ressources !
ProxyPass /rp_maintenance !
ProxyPass /balancer-manager !
ProxyPass / $protoDest://$urlDest/
# Rewrites redirect headers that name the public FQDN (which the backend sees
# because of ProxyPreserveHost); redirects naming $urlDest are not rewritten.
ProxyPassReverse / $protoDest://$vhostFQDN/
# Tell a plain-http backend that the client connection was TLS
<If "'$protoDest' == 'http'">
RequestHeader set X-Forwarded-Proto "https"
</If>
# Error pages
Use ErrorDocumentPages
# Maintenance page handling
Use CheckMaintenancePage $vhostFQDN
# mod_security handling and inclusion of per-vhost rule exclusions
<IfModule mod_security2.c>
SecRuleEngine $modsecurityStatus
<Perl>
my $dir=$ENV{"$vhostFQDN"};
my $config_file="$dir/2_mds_exclusion.conf";
if( -f $config_file)
{
$ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
push @Include, "$config_file";
}
</Perl>
</IfModule>
<Perl>
$ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n";
</Perl>
</VirtualHost>
</Macro>
<Macro vhost_HTTP_Generic $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus>
# Plain-HTTP counterpart of vhost_HTTPS_Generic (no TLS, no redirect to HTTPS).
# Same parameters minus $cert. Because this vhost is served over HTTP, an LDAP
# access policy sends Basic credentials in clear, and the global
# Strict-Transport-Security header is ignored by browsers on these responses.
<VirtualHost *:80>
<Perl>
$ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n";
</Perl>
# Virtualhost definition
ServerName $vhostFQDN
DocumentRoot "/var/www/html"
# Desired log level
LogLevel $logPolicy
ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log
CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined
# Search-engine policy
Use $indexingConf
# Virtualhost reachability (public, internal, restricted)
<Location />
Use $accessPolicy
</Location>
# Additional per-vhost configuration, located through the environment variable
# named after the FQDN (exported by the discovery <Perl> section at the end).
<Perl>
my $dir=$ENV{"$vhostFQDN"};
my $config_file="$dir/1_vhost_additional.conf";
if( -f $config_file)
{
$ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
push @Include, "$config_file";
}
</Perl>
# Load-balancer status page: ModSecurity bypassed, admin IP policy only.
<Location "/balancer-manager">
SecRuleEngine off
SetHandler balancer-manager
Use InternalAdminAccessPolicy
</Location>
# Reverse-proxy static resources: public, not inspected by ModSecurity,
# overriding the $accessPolicy set on /.
<Location "/rp_ressources">
SecRuleEngine off
Use OpenAccessPolicy
</Location>
# Reverse-proxy configuration
Use ProxyCommon
ProxyPass /rp_ressources !
ProxyPass /rp_maintenance !
ProxyPass /balancer-manager !
ProxyPass / $protoDest://$urlDest/
# Rewrites redirect headers naming the public FQDN (seen by the backend through
# ProxyPreserveHost); redirects naming $urlDest are not rewritten.
ProxyPassReverse / $protoDest://$vhostFQDN/
# Tell an https backend that the client connection was plain HTTP
<If "'$protoDest' == 'https'">
RequestHeader set X-Forwarded-Proto "http"
</If>
# Error pages
Use ErrorDocumentPages
# Maintenance page handling
Use CheckMaintenancePage $vhostFQDN
# mod_security handling and inclusion of per-vhost rule exclusions
<IfModule mod_security2.c>
SecRuleEngine $modsecurityStatus
<Perl>
my $dir=$ENV{"$vhostFQDN"};
my $config_file="$dir/2_mds_exclusion.conf";
if( -f $config_file)
{
$ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
push @Include, "$config_file";
}
</Perl>
</IfModule>
<Perl>
$ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n";
</Perl>
</VirtualHost>
</Macro>
# Technical virtualhosts
# Catch-all for *:80: a Host header matching no known vhost is redirected
# instead of being served by whichever vhost happens to be defined first.
# No equivalent catch-all for *:443 is defined in this template, so an unknown
# HTTPS name falls through to the first *:443 vhost that the <Perl> loader
# below includes.
<VirtualHost *:80>
Redirect / http://erreur.libretic.fr/
</VirtualHost>
# Exposes the Apache server-info and server-status pages
ExtendedStatus on
# Listens on every interface; only the Require directives below restrict access.
Listen 9090 http
<VirtualHost *:9090>
ServerName localhost
DocumentRoot /var/www/html/
<Location /server-info>
SetHandler server-info
# Sibling Require lines form an implicit <RequireAny>: admin IP *or* localhost.
# `Require host` relies on a reverse DNS lookup of the client address;
# `Require ip 127.0.0.1 ::1` would express the same intent without DNS.
Use InternalAdminAccessPolicy
Require host localhost
</Location>
<Location /status>
SetHandler server-status
# Same implicit <RequireAny> as above.
Use InternalAdminAccessPolicy
Require host localhost
</Location>
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/monitoring-page-error.log
CustomLog ${APACHE_LOG_DIR}/monitoring-page-access.log combined
</VirtualHost>
# Perl-driven discovery of the vhost directories (see the <Perl> sections below)
PerlSetEnv VHOSTS_DIR /etc/apache2/vhosts.d
PerlSetEnv VHOST_DEFAULT_FILE 0_vhost.conf
# Startup tracing for the <Perl> sections; left enabled in this template.
PerlSetEnv PERL_CONF_DEBUG 1
# Options read by Apache2::Status; only relevant if a perl-status handler is
# mapped somewhere (none is in this file).
PerlSetVar StatusOptionsAll On
PerlSetVar StatusDeparseOptions "-p -sC"
<Perl>
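# Keep the <Perl>-section configuration so Apache2::PerlSections->dump (end of
# file) can print it. $Apache2::Server::SaveConfig, used before, is neither the
# mod_perl 1 name ($Apache::Server::SaveConfig) nor the mod_perl 2 one and set
# nothing.
$Apache2::PerlSections::Save = 1;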
</Perl>
<Perl>
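# Pre-pass over the vhost directory tree. For every immediate sub-directory of
# $ENV{VHOSTS_DIR}, read its $ENV{VHOST_DEFAULT_FILE} and, for each
# `Use vhost_... <fqdn> ...` line, export an environment variable named <fqdn>
# whose value is that sub-directory. The vhost macros above read
# $ENV{"<fqdn>"} to find 1_vhost_additional.conf / 2_mds_exclusion.conf, and
# the next <Perl> section uses the same variables to Include each vhost file.

# Returns the list of [fqdn => subdir] pairs to push onto @PerlSetEnv.
# $root:         directory holding one sub-directory per vhost
# $default_file: file name looked up in each sub-directory
# $debug:        true to trace every vhost found on STDOUT
# Dies (aborting startup) when a sub-directory has no readable $default_file,
# as before, but now the message names the file and the errno.
sub _scan_vhost_dirs {
    my ($root, $default_file, $debug) = @_;
    # Captures the first argument after the macro name; identical to the
    # original pattern.
    my $vhost_re = qr/^\s*Use\s+vhost.+?\s+(.+?)\s+?/;
    return () unless defined $root and -d $root;
    # Same selection as `find $root -mindepth 1 -maxdepth 1 -type d` (plain
    # directories, symlinks excluded) but without a shell, so a path containing
    # spaces or shell metacharacters cannot break or alter the command. Sorted so
    # the result — and every Include order derived from it — is deterministic.
    opendir my $dh, $root or die "opendir $root: $!";
    my @subdirs = grep { -d $_ and not -l $_ }
                  map  { "$root/$_" }
                  grep { $_ ne '.' and $_ ne '..' } readdir $dh;
    closedir $dh;
    @subdirs = sort @subdirs;
    my @found;
    for my $subdir (@subdirs) {
        my $config_file = "$subdir/$default_file";
        open my $vhost_fh, '<', $config_file or die "open $config_file: $!";
        while (my $line = <$vhost_fh>) {
            if (my ($vhost_name) = $line =~ $vhost_re) {
                $debug and print "Identification du vhost: $vhost_name\n";
                push @found, [$vhost_name => $subdir];
            }
        }
        # The original closed "$config_file" — the path string, not the handle.
        close $vhost_fh or die "close $config_file: $!";
    }
    return @found;
}

my $debug = $ENV{'PERL_CONF_DEBUG'};
$debug and print "------ Pre-Traitement ------\n";
# Each pair becomes `PerlSetEnv <fqdn> <subdir>`; an FQDN equal to an existing
# environment variable name would overwrite that variable.
push @PerlSetEnv, _scan_vhost_dirs($ENV{'VHOSTS_DIR'}, $ENV{'VHOST_DEFAULT_FILE'}, $debug);
$debug and print "----------------------------\n";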
</Perl>
<Perl>
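use Apache2::PerlSections ();

# Collects the vhost files to Include. The pre-pass above exported one
# environment variable per vhost (<fqdn> => <subdir>); every entry of %$env is
# examined and accepted when "<value>/$default_file" is a regular file.
# Keys are visited in sorted order so the Include order — which decides which
# <VirtualHost *:443> answers requests for an unknown Host/SNI name, since no
# catch-all *:443 vhost is defined in this template — is stable across restarts
# instead of following Perl's hash order. A file registered under several names
# (one vhost file holding several `Use vhost_...` lines) is included once rather
# than once per name, which previously produced duplicate VirtualHost blocks.
# $env:          hash ref of name => directory (normally \%ENV)
# $default_file: file name looked up in each directory
# $debug:        true to print each accepted vhost name on STDOUT
# Returns the list of file paths.
sub _vhost_config_files {
    my ($env, $default_file, $debug) = @_;
    my @files;
    my %seen;
    for my $key (sort keys %$env) {
        my $subdir = $env->{$key};
        next unless defined $subdir;
        # An undefined $default_file yields "$subdir/", which -f rejects.
        my $config_file = "$subdir/$default_file";
        next unless -f $config_file;
        next if $seen{$config_file}++;
        $debug and print "Ajout du vhost: $key\n";
        push @files, $config_file;
    }
    return @files;
}

my $debug = $ENV{'PERL_CONF_DEBUG'};
$debug and print "------ Chargement des vhosts ------\n";
push @Include, _vhost_config_files(\%ENV, $ENV{'VHOST_DEFAULT_FILE'}, $debug);
$debug and print "-----------------------------------\n";
# The `use` line above loads Apache2::PerlSections; the original called
# Apache::PerlSections (the mod_perl 1 package), which is not loaded here.
print STDERR Apache2::PerlSections->dump();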
</Perl>