commit ae79718b5d2ac44214f69e478c1245f3b6abd419 Author: Olivier Navas Date: Mon Jun 27 13:14:39 2022 +0200 Commit initial
diff --git a/README.md b/README.md new file mode 100644
index 0000000..3084573
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+# Role : rp_vhost
+
+## Services fournis
+
+Configuration d'un virtualhost sur un reverse proxy
+
+
+## Variables
+
+```yaml
+rp_vhost_fqdn: mastodon.example.com
+rp_vhost_cert: LE
+rp_vhost_backend_proto: http
+rp_vhost_backend_host: machine.domaine.local
+rp_vhost_loglevel: info
+rp_vhost_access_policy: OpenAccessPolicy
+rp_vhost_indexing: Empty
+rp_vhost_waf: "On"
+rp_vhost_additional_conf: |
+ # Règles apache spécifiques ici
+rp_vhost_mds_exclusion: |
+ # Règles modsecurity spécifiques ici
+ SecRuleRemoveById 911100
+ SecRuleRemoveById 949110
+```
+
+| Option | Valeur par défaut | Description |
+|--------------------------|----------------------|-----------------------------------------------------------------------------------------|
+| rp_vhost_fqdn | | Nom de domaine pour lequel le service mastodon répond |
+| rp_vhost_backend_host | | Le serveur de backend hébergeant le service |
+| rp_vhost_cert | LE | Type de certificat (parmi ceux supportés par le reverse proxy) |
+| rp_vhost_backend_proto | http | Le protocole entre le reverse proxy et le backend (typiquement http ou https) |
+| rp_vhost_loglevel | info | Le niveau de log souhaitéserveur de backend hébergeant le service |
+| rp_vhost_access_policy | InternalAccessPolicy | Modèle d'autorisation d'accès du reverse proxy |
+| rp_vhost_indexing | BlockCrawlerIndexing | Stratégie du reverse proxy vis à vis des robots |
+| rp_vhost_waf | "Off" | Activation websecurity du reverse proxy |
+| rp_vhost_additional_conf | "" | La configuration apache supplémentaire à placer dans le fichier 1_vhost_additional.conf |
+| rp_vhost_mds_exclusion | "" | La configuration modsecurity spécifique à placer dans le fichier 2_mds_exclusion.conf |
diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644
index 0000000..659ec0e
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,8 @@
+rp_vhost_cert: LE
+rp_vhost_backend_proto: http
+rp_vhost_loglevel: info
+rp_vhost_access_policy: InternalAccessPolicy
+rp_vhost_indexing: BlockCrawlerIndexing
+rp_vhost_waf: "Off"
+rp_vhost_additional_conf: ""
+rp_vhost_mds_exclusion: ""
diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644
index 0000000..41751b7
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reverse-proxy-reload
+ service:
+ name: apache2
+ state: reloaded
diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644
index 0000000..45735cc
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: prepare reverse_proxy
+ template:
+ src: "{{ item }}"
+ dest: /etc/apache2/vhosts.d/{{ rp_vhost_fqdn }}/
+ with_items:
+ - 0_vhost.conf
+ - 1_vhost_additional.conf
+ - 2_mds_exclusion.conf
+ notify: reverse-proxy-reload
+
+
diff --git a/templates/0_vhost.conf b/templates/0_vhost.conf new file mode 100644
index 0000000..543d7a7
--- /dev/null
+++ b/templates/0_vhost.conf
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+Use vhost_HTTPS_Generic {{ rp_vhost_fqdn }} {{ rp_vhost_cert }} {{ rp_vhost_backend_proto }} {{ rp_vhost_backend_host }} {{ rp_vhost_loglevel }} {{ rp_vhost_access_policy }} {{ rp_vhost_indexing }} {{ rp_vhost_waf }}
diff --git a/templates/1_vhost_additional.conf b/templates/1_vhost_additional.conf new file mode 100644
index 0000000..aad9b30
--- /dev/null
+++ b/templates/1_vhost_additional.conf
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ rp_vhost_additional_conf }}
diff --git a/templates/2_mds_exclusion.conf b/templates/2_mds_exclusion.conf new file mode 100644
index 0000000..80a2bce
--- /dev/null
+++ b/templates/2_mds_exclusion.conf
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ rp_vhost_mds_exclusion }}
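Review bot: The template task in tasks/main.yml renders into `dest: /etc/apache2/vhosts.d/{{ rp_vhost_fqdn }}/` but nothing in the role creates that per-vhost directory, and the template module does not create missing parent directories, so the first run on a host that lacks it fails. The same variable is used unchecked as a path component here and as a positional macro argument in templates/0_vhost.conf, so a value containing `/`, `..` or whitespace would place the rendered files outside vhosts.d or shift the macro arguments; an `assert` restricting it to a plain hostname before the template task closes both gaps. A `file` task with `state: directory` for the vhost directory should precede the template task. Replacing `with_items` with `loop` would also match current Ansible style.
```yaml
- name: validate rp_vhost_fqdn
  assert:
    that:
      - "rp_vhost_fqdn is match('^[A-Za-z0-9-]+([.][A-Za-z0-9-]+)*$')"
    fail_msg: "rp_vhost_fqdn must be a plain hostname (no path separators or whitespace)"

- name: create vhost directory
  file:
    path: /etc/apache2/vhosts.d/{{ rp_vhost_fqdn }}
    state: directory

# … unchanged: prepare reverse_proxy template task …
```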
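Review bot: The `Use vhost_HTTPS_Generic …` line in templates/0_vhost.conf hands eight role variables to what is presumably a mod_macro definition, as unquoted positional arguments, and nothing in the role states that this macro must exist on the proxy with exactly this signature; a host without it gets a configuration that fails to load. A header comment in the template would make the contract visible, e.g. `# Requires the vhost_HTTPS_Generic macro with 8 positional args: fqdn cert proto backend_host loglevel access_policy indexing waf`, with a matching sentence under "Services fournis" in README.md. Since the arguments are unquoted, an empty variable (rp_vhost_fqdn and rp_vhost_backend_host have no default) or one containing a space silently shifts every following argument, so the role should fail early on those values rather than render them.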