[WIP]: First pass for packweb-apache

This commit is contained in:
Benoît S. 2017-03-21 17:35:42 +01:00 committed by Jérémy Lecour
parent 6bada3aa70
commit 6a225e469b
10 changed files with 227 additions and 2 deletions


@ -0,0 +1,11 @@
# Strong security.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)
SSLSessionCacheTimeout 600
# Stapling not activated by default. Need config.
#SSLUseStapling on
#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)
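Review bot: The `SSLSessionCache` line stores the shared session cache under /var/log/apache2, a log directory that logrotate manages and whose permissions are tuned for log readers, rather than a runtime directory; the commented stapling line in the same file already uses `${APACHE_RUN_DIR}`, so the cache would be more consistent as `SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_gcache_data(512000)`. Separately, `SSLProtocol All -SSLv2 -SSLv3` still admits TLS 1.0 and 1.1; if that is deliberate for client compatibility, a comment such as `# TLS 1.0/1.1 kept for legacy clients; revisit` would make the "Strong security" header honest about what is excluded.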


@ -3,9 +3,7 @@
name: '{{ item }}'
state: present
with_items:
- apache2-mpm-itk
- apachetop
- libapache2-mod-evasive
- libwww-perl
tags:
- apache
@ -20,6 +18,7 @@
- headers
- rewrite
- cgi
- ssl
tags:
- apache
@ -45,6 +44,17 @@
tags:
- apache
- name: Copy Apache SSL (strong security) config file
copy:
src: evolinux-ssl.conf
dest: "/etc/apache2/conf-available/evolinux-ssl.conf"
owner: root
group: root
mode: "0644"
force: no
tags:
- apache
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
register: command_result
@ -52,6 +62,7 @@
with_items:
- z-evolinux-defaults.conf
- zzz-evolinux-custom.conf
- evolinux-ssl.conf
tags:
- apache
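Review bot: The new copy task for evolinux-ssl.conf sets `force: no`, so on a host where the file already exists (including one this role deployed earlier) the shipped cipher and protocol settings are never updated and the hardening does not converge. Unless local edits to the SSL policy are expected, drop `force: no`, or keep it and document the opt-out, e.g. `# force: no — an operator-edited SSL policy is left untouched; update it by hand`. The same pattern recurs in the packweb-apache tasks that copy the itk/evasive/modsec configs. Booleans should also be written as `true`/`false` rather than `yes`/`no`, as the file already takes care to quote `mode: "0644"`.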

packweb-apache/README.md Normal file

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@ -0,0 +1,4 @@
---
# defaults file for packweb-apache
general_alert_email: "root@localhost"
log2mail_alert_email: Null
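Review bot: `log2mail_alert_email: Null` relies on YAML's case-insensitive null spelling, which some linters flag and some readers mistake for a string; write `log2mail_alert_email: null` and document the fallback that the log2mail template implements, e.g. `# null: the log2mail template falls back to general_alert_email`. The hunk covers the whole defaults file, so these two variables are the role's entire tunable surface and deserve a one-line comment each.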


@ -0,0 +1,8 @@
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 30
DOSPageInterval 3
DOSSiteInterval 1
DOSBlockingPeriod 60
</IfModule>
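Review bot: No `DOSLogDir` is set, so mod_evasive falls back to its built-in default location for the per-client lock files, which is conventionally /tmp, a world-writable directory shared with every local account; point it at a dedicated directory owned by the Apache user, e.g. `DOSLogDir <DIRECTORY>` with the path chosen by the role and created in the tasks. The thresholds (5 requests per page in 3 s, 30 per site in 1 s, 60 s block) are unexplained; a comment per line stating the intent would help the next maintainer, and `DOSWhitelist` for local monitoring addresses is worth considering so health checks are not blocked. Note that with a prefork/itk MPM the hit table is per child process, so the effective thresholds are looser than the numbers suggest — presumably acceptable, but worth a comment.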


@ -0,0 +1,10 @@
<IfModule mpm_itk_module>
StartServers 50
MinSpareServers 20
MaxSpareServers 30
ServerLimit 250
MaxClients 250
MaxRequestsPerChild 0
LimitUIDRange 0 6000
LimitGIDRange 0 6000
</IfModule>
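Review bot: `LimitUIDRange 0 6000` and `LimitGIDRange 0 6000` start at 0, so a vhost's `AssignUserID` can still switch a worker to root or to any system account; the lower bound should exclude UID/GID 0 and ideally the system range, e.g. `LimitUIDRange 1000 6000` and `LimitGIDRange 1000 6000`, provided the site accounts this role creates fall in that range (TODO confirm the UID/GID allocation used). `MaxClients` is the pre-2.4 name, accepted on Apache 2.4 only as a deprecated alias for `MaxRequestWorkers`; renaming it avoids the startup warning. A short comment on why `MaxRequestsPerChild 0` (never recycle children) is chosen would also help, since with itk each child changes identity per request.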


@ -0,0 +1,48 @@
<IfModule mod_security2.c>
# enable mod_security
SecRuleEngine On
# access to request bodies
SecRequestBodyAccess On
#SecRequestBodyLimit 134217728
#SecRequestBodyInMemoryLimit 131072
# access to response bodies
SecResponseBodyAccess Off
#SecResponseBodyLimit 524288
SecResponseBodyMimeType (null) text/html text/plain text/xml
#SecServerSignature "Apache/2.2.0 (Fedora)"
SecUploadDir /tmp
SecUploadKeepFiles Off
# default action
SecDefaultAction "log,auditlog,deny,status:406,phase:2"
SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^[45]"
# use only one log file
SecAuditLogType Serial
# audit log file
SecAuditLog /var/log/apache2/modsec_audit.log
# what is logged
SecAuditLogParts "ABIFHZ"
#SecArgumentSeparator "&"
SecCookieFormat 0
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0
SecDataDir /tmp
SecTmpDir /tmp
#########
# RULES
#########
# File name
SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
# Complete URI
SecRule REQUEST_URI "modsecuritytest2" "id:2"
SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
</IfModule>
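Review bot: `SecUploadDir`, `SecDataDir` and `SecTmpDir` all point at /tmp, a world-writable directory shared with every local account, even though persistent collections (SecDataDir) and buffered request bodies land there; ModSecurity's documentation recommends a private directory readable and writable only by the Apache user, so these should use a dedicated path (for example `/var/cache/modsecurity`, a constructed sample — pick the project's convention) created by the tasks with a restrictive mode. `SecResponseBodyMimeType (null) text/html text/plain text/xml` carries a literal `(null)` token that looks copied from a generated default; it is harmless but should be dropped unless intentional. The `id:1` and `id:2` rules deny any request whose filename or URI contains "modsecuritytest1"/"modsecuritytest2", which reads like a smoke test; a comment such as `# canary rules: requesting /modsecuritytest1 must return 406 if the engine is active` would document that.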


@ -0,0 +1,4 @@
file = /var/log/apache2/error.log
pattern = "Segmentation fault"
mailto = alert3@evolix.fr
template = /etc/log2mail/mail
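Review bot: This static log2mail config hardcodes `mailto = alert3@evolix.fr`, a vendor address, while the templated variant added at the end of this commit derives the recipient from `log2mail_alert_email`/`general_alert_email` and is the one the tasks actually deploy; the static copy looks like a WIP leftover and should be removed, or its purpose stated in a comment, so that a hardcoded external address does not ship in the role.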


@ -0,0 +1,87 @@
---
# tasks file for packweb-apache
- name: Setting /etc/skel/
file:
path: "/etc/skel/{{ item.path }}"
state: "{{ item.state }}"
mode: "{{ item.mode }}"
with_items:
- {path: log, mode: "0750", state: directory}
- {path: awstats, mode: "0750", state: directory}
- {path: www, mode: "0750", state: directory}
- {path: log/access.log, mode: "0644", state: touch}
- {path: log/error.log, mode: "0644", state: touch}
- name: Setting DIR_MODE in /etc/adduser.conf to 0750
lineinfile:
dest: /etc/adduser.conf
regexp: '^DIR_MODE='
line: 'DIR_MODE=0750'
- name: is PATH already present?
command: "grep -E '^export PATH ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_path
#check_mode: no (for migration to Ansible 2.2)
always_run: yes
- name: Add a mark in envvars for PATH
blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH"
block: |
# Used for Evoadmin-web
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
when: envvar_grep_path.rc != 0
- name: packages are installed
apt:
name: '{{ item }}'
state: present
with_items:
- libapache2-mod-evasive
- apache2-mpm-itk
- libapache2-mod-security2
- name: Copy Apache itk and evasive settings
copy:
src: "{{ item }}"
dest: "/etc/apache2/conf-available/{{ item }}"
owner: root
group: root
mode: "0644"
force: no
with_items:
- evolinux-itk.conf
- evolinux-evasive.conf
- evolinux-modsec.conf
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
with_items:
- evolinux-itk
- evolinux-evasive
- evolinux-modsec
- name: Is log2mail installed?
command: "apt list --installed log2mail"
register: command_result
changed_when: False
- debug:
var: command_result
- name: Add log2mail config for apache segfault
template:
src: log2mail-apache.j2
dest: "/etc/log2mail/config/apache"
owner: root
group: root
mode: "0644"
force: no
when: "'log2mail' in command_result.stdout"
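Review bot: The `Is log2mail installed?` task relies on `apt list --installed log2mail`, whose output always contains a `Listing...` header and whose CLI apt itself declares unstable (it prints a warning on stderr), and the following `debug` task looks like leftover WIP output. A stable probe is `command: "dpkg-query -W -f='${Status}' log2mail"` with `failed_when: False`, then gate the template task on `when: "'install ok installed' in command_result.stdout"`. `register: command_result` is reused by three tasks, so the a2enconf result is overwritten before it can be inspected; harmless today, but a distinct name per task avoids surprises. The `force: no` on the itk/evasive/modsec copy task has the convergence issue raised on the apache role hunk, and `always_run: yes` is acknowledged by the inline comment as pending `check_mode: no`.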


@ -0,0 +1,4 @@
file = /var/log/apache2/error.log
pattern = "Segmentation fault"
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
template = /etc/log2mail/mail
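Review bot: In `{{ log2mail_alert_email or general_alert_email | mandatory }}` the filter binds tighter than `or`, so `mandatory` applies only to `general_alert_email`, which already has a default of "root@localhost" in the role defaults and therefore never triggers; if the intent is to require that at least one address is set, write `{{ (log2mail_alert_email or general_alert_email) | mandatory }}`. A comment above the line stating the fallback order would also help, since the defaults file gives `log2mail_alert_email` a null value by design.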