Commit initial

2022-06-27 13:14:39 +02:00 · 2022-06-27 13:14:39 +02:00 · ae79718b5d
commit ae79718b5d
7 changed files with 69 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,38 @@
+# Role : rp_vhost
+
+## Services fournis
+
+Configuration d'un virtualhost sur un reverse proxy
+
+
+## Variables
+
+```yaml
+rp_vhost_fqdn: mastodon.example.com
+rp_vhost_cert: LE
+rp_vhost_backend_proto: http
+rp_vhost_backend_host: machine.domaine.local
+rp_vhost_loglevel: info
+rp_vhost_access_policy: OpenAccessPolicy
+rp_vhost_indexing: Empty
+rp_vhost_waf: "On"
+rp_vhost_additional_conf: |
+  # Règles apache spécifiques ici
+rp_vhost_mds_exclusion: |
+  # Règles modsecurity spécifiques ici
+  SecRuleRemoveById 911100
+  SecRuleRemoveById 949110
+```
+
+| Option                   | Valeur par défaut    | Description                                                                             |
+|--------------------------|----------------------|-----------------------------------------------------------------------------------------|
+| rp_vhost_fqdn            |                      | Nom de domaine pour lequel le service mastodon répond                                   |
+| rp_vhost_backend_host    |                      | Le serveur de backend hébergeant le service                                             |
+| rp_vhost_cert            | LE                   | Type de certificat (parmi ceux supportés par le reverse proxy)                          |
+| rp_vhost_backend_proto   | http                 | Le protocole entre le reverse proxy et le backend (typiquement http ou https)           |
+| rp_vhost_loglevel        | info                 | Le niveau de log souhaitéserveur de backend hébergeant le service                       |
+| rp_vhost_access_policy   | InternalAccessPolicy | Modèle d'autorisation d'accès du reverse proxy                                          |
+| rp_vhost_indexing        | BlockCrawlerIndexing | Stratégie du reverse proxy vis à vis des robots                                         |
+| rp_vhost_waf             | "Off"                | Activation websecurity du reverse proxy                                                 |
+| rp_vhost_additional_conf | ""                   | La configuration apache supplémentaire à placer dans le fichier 1_vhost_additional.conf |
+| rp_vhost_mds_exclusion   | ""                   | La configuration modsecurity spécifique à placer dans le fichier 2_mds_exclusion.conf   |
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,8 @@
+rp_vhost_cert: LE
+rp_vhost_backend_proto: http
+rp_vhost_loglevel: info
+rp_vhost_access_policy: InternalAccessPolicy
+rp_vhost_indexing: BlockCrawlerIndexing
+rp_vhost_waf: "Off"
+rp_vhost_additional_conf: ""
+rp_vhost_mds_exclusion: ""
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,4 @@
+- name: reverse-proxy-reload
+  service:
+    name: apache2
+    state: reloaded
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,11 @@
+- name: prepare reverse_proxy
+  template:
+    src: "{{ item }}"
+    dest: /etc/apache2/vhosts.d/{{ rp_vhost_fqdn }}/
+  with_items:
+    - 0_vhost.conf
+    - 1_vhost_additional.conf
+    - 2_mds_exclusion.conf
+  notify: reverse-proxy-reload
+  
+
--- a/templates/0_vhost.conf
+++ b/templates/0_vhost.conf
@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+Use vhost_HTTPS_Generic {{ rp_vhost_fqdn }} {{ rp_vhost_cert }} {{ rp_vhost_backend_proto }} {{ rp_vhost_backend_host }} {{ rp_vhost_loglevel }} {{ rp_vhost_access_policy }} {{ rp_vhost_indexing }} {{ rp_vhost_waf }}
--- a/templates/1_vhost_additional.conf
+++ b/templates/1_vhost_additional.conf
@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ rp_vhost_additional_conf }}
--- a/templates/2_mds_exclusion.conf
+++ b/templates/2_mds_exclusion.conf
@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ rp_vhost_mds_exclusion }}