From 6a225e469bd99b41da319e7df8212c2c7e76396f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?=
Date: Tue, 21 Mar 2017 17:35:42 +0100
Subject: [PATCH] [WIP]: First pass for packweb-apache
---
apache/files/evolinux-ssl.conf | 11 +++
apache/tasks/main.yml | 15 +++-
packweb-apache/README.md | 38 +++++++++
packweb-apache/defaults/main.yml | 4 +
packweb-apache/files/evolinux-evasive.conf | 8 ++
packweb-apache/files/evolinux-itk.conf | 10 +++
packweb-apache/files/evolinux-modsec.conf | 48 ++++++++++++
packweb-apache/files/log2mail-apache.conf | 4 +
packweb-apache/tasks/main.yml | 87 +++++++++++++++++++++
packweb-apache/templates/log2mail-apache.j2 | 4 +
10 files changed, 227 insertions(+), 2 deletions(-)
create mode 100644 apache/files/evolinux-ssl.conf
create mode 100644 packweb-apache/README.md
create mode 100644 packweb-apache/defaults/main.yml
create mode 100644 packweb-apache/files/evolinux-evasive.conf
create mode 100644 packweb-apache/files/evolinux-itk.conf
create mode 100644 packweb-apache/files/evolinux-modsec.conf
create mode 100644 packweb-apache/files/log2mail-apache.conf
create mode 100644 packweb-apache/tasks/main.yml
create mode 100644 packweb-apache/templates/log2mail-apache.j2
diff --git a/apache/files/evolinux-ssl.conf b/apache/files/evolinux-ssl.conf
new file mode 100644
index 00000000..cde0f7ec
--- /dev/null
+++ b/apache/files/evolinux-ssl.conf
@@ -0,0 +1,11 @@
+# Strong security.
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLProtocol All -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)
+SSLSessionCacheTimeout 600
+
+# Stapling not activated by default. Need config.
+#SSLUseStapling on
+#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml
index 4df77dcf..502cb9f2 100644
--- a/apache/tasks/main.yml
+++ b/apache/tasks/main.yml
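Review bot: `SSLProtocol All -SSLv2 -SSLv3` still negotiates TLS 1.0 and 1.1, so a file headed `# Strong security.` ships with its protocol floor at TLS 1.0; if the client population allows it, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` (Apache 2.4 syntax) is the stricter line, and otherwise the header comment should say which older protocols are kept on purpose. The session cache is placed under `/var/log/apache2/` while the commented stapling cache on the last line uses `${APACHE_RUN_DIR}`; keeping both under the run directory avoids logrotate or log shippers touching the cache file and is, as far as I recall, where Debian's packaged ssl.conf keeps it. The cipher list itself contains only forward-secret EECDH/EDH suites and `SSLHonorCipherOrder On` is set, which is fine as written. A one-line comment above `SSLCipherSuite`, such as `# Forward-secret suites only; plain RSA key exchange is excluded on purpose`, would stop the next editor from "fixing" it.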
@@ -3,9 +3,7 @@ name: '{{ item }}' state: present with_items: - - apache2-mpm-itk - apachetop - - libapache2-mod-evasive - libwww-perl tags: - apache @@ -20,6 +18,7 @@ - headers - rewrite - cgi + - ssl tags: - apache @@ -45,6 +44,17 @@ tags: - apache +- name: Copy Apache SSL (strong security) config file + copy: + src: evolinux-ssl.conf + dest: "/etc/apache2/conf-available/evolinux-ssl.conf" + owner: root + group: root + mode: "0644" + force: no + tags: + - apache + - name: Ensure Apache config files are enabled command: "a2enconf {{ item }}" register: command_result @@ -52,6 +62,7 @@ with_items: - z-evolinux-defaults.conf - zzz-evolinux-custom.conf + - evolinux-ssl.conf tags: - apache diff --git a/packweb-apache/README.md b/packweb-apache/README.md new file mode 100644 index 00000000..225dd44b --- /dev/null +++ b/packweb-apache/README.md 
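Review bot: The new copy task for evolinux-ssl.conf uses `force: no`, so the file is written once and never refreshed; any later tightening of the cipher or protocol list in the role will silently not reach hosts that already have the file. If the intent is to let admins edit it locally, say so with a comment such as `# force: no — a locally edited file is preserved; push TLS changes by hand`, otherwise drop `force: no`. Neither the copy nor the `a2enconf` loop in this hunk notifies a handler, so unless a reload happens outside the hunk, the `ssl` module and the conf are enabled on disk but not active until the next restart. The removal of `apache2-mpm-itk` and `libapache2-mod-evasive` from the package list is consistent with them moving to packweb-apache in this same commit.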
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml
new file mode 100644
index 00000000..a9e9416f
--- /dev/null
+++ b/packweb-apache/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for packweb-apache
+general_alert_email: "root@localhost"
+log2mail_alert_email: Null
diff --git a/packweb-apache/files/evolinux-evasive.conf b/packweb-apache/files/evolinux-evasive.conf
new file mode 100644
index 00000000..15be182f
--- /dev/null
+++ b/packweb-apache/files/evolinux-evasive.conf
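Review bot: `log2mail_alert_email: Null` relies on YAML's case-insensitive null spelling and reads like a string at a glance; write `log2mail_alert_email: null`. Nothing documents these two variables yet, since the README hunk is still the untouched Galaxy skeleton, so a comment per key in defaults/main.yml is the minimum: `# Fallback recipient for alerts sent by this role` above `general_alert_email`, and `# Recipient for log2mail segfault alerts; null falls back to general_alert_email` above `log2mail_alert_email` (that fallback is what templates/log2mail-apache.j2 in this commit implements).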
@@ -0,0 +1,8 @@
+
+DOSHashTableSize 3097
+DOSPageCount 5
+DOSSiteCount 30
+DOSPageInterval 3
+DOSSiteInterval 1
+DOSBlockingPeriod 60
+
diff --git a/packweb-apache/files/evolinux-itk.conf b/packweb-apache/files/evolinux-itk.conf
new file mode 100644
index 00000000..4e25d84b
--- /dev/null
+++ b/packweb-apache/files/evolinux-itk.conf
@@ -0,0 +1,10 @@
+
+StartServers 50
+MinSpareServers 20
+MaxSpareServers 30
+ServerLimit 250
+MaxClients 250
+MaxRequestsPerChild 0
+LimitUIDRange 0 6000
+LimitGIDRange 0 6000
+
diff --git a/packweb-apache/files/evolinux-modsec.conf b/packweb-apache/files/evolinux-modsec.conf
new file mode 100644
index 00000000..d78c0d9f
--- /dev/null
+++ b/packweb-apache/files/evolinux-modsec.conf
@@ -0,0 +1,48 @@
+
+
+# enable mod_security
+SecRuleEngine On
+# access to request bodies
+SecRequestBodyAccess On
+#SecRequestBodyLimit 134217728
+#SecRequestBodyInMemoryLimit 131072
+# access to response bodies
+SecResponseBodyAccess Off
+#SecResponseBodyLimit 524288
+SecResponseBodyMimeType (null) text/html text/plain text/xml
+#SecServerSignature "Apache/2.2.0 (Fedora)"
+
+SecUploadDir /tmp
+SecUploadKeepFiles Off
+
+# default action
+SecDefaultAction "log,auditlog,deny,status:406,phase:2"
+
+SecAuditEngine RelevantOnly
+#SecAuditLogRelevantStatus "^[45]"
+# use only one log file
+SecAuditLogType Serial
+# audit log file
+SecAuditLog /var/log/apache2/modsec_audit.log
+# what is logged
+SecAuditLogParts "ABIFHZ"
+
+#SecArgumentSeparator "&"
+SecCookieFormat 0
+SecDebugLog /var/log/apache2/modsec_debug.log
+SecDebugLogLevel 0
+
+SecDataDir /tmp
+SecTmpDir /tmp
+
+#########
+# RULES
+#########
+
+# File name
+SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
+# Complete URI
+SecRule REQUEST_URI "modsecuritytest2" "id:2"
+SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
+
+
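Review bot: The mod_evasive block sets the counters but no `DOSLogDir`, so the module falls back to its documented default of `/tmp`, a world-writable directory shared with every local account; pointing it at a directory owned by the Apache user (for example `DOSLogDir /var/log/apache2/evasive`, created by the role) keeps the per-client lock files out of other users' reach. There is also no `DOSWhitelist`, so monitoring probes and any local reverse proxy are rate-limited like every other client. The directives are not wrapped in `<IfModule mod_evasive20.c>`, so Apache refuses to start if the module is ever disabled while this conf stays enabled. The leading blank line would be better spent on a header comment stating what the thresholds mean, e.g. `# 5 hits on one page within 3s, or 30 hits site-wide within 1s, blocks the client for 60s`.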
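Review bot: `LimitUIDRange 0 6000` and `LimitGIDRange 0 6000` admit uid/gid 0 and the whole Debian system-account range below 1000, so a vhost carrying `AssignUserID root` or a system user passes this limit (unless mpm-itk rejects uid 0 on its own, which I would not rely on); if the hosted accounts are regular users, `LimitUIDRange 1000 6000` and `LimitGIDRange 1000 6000` make such a vhost fail at config load instead. `MaxClients` and `MaxRequestsPerChild` are the pre-2.4 names; Apache 2.4 still accepts them as aliases for `MaxRequestWorkers` and `MaxConnectionsPerChild`, so either switch to the current names or add a comment naming the target Apache version. Wrapping the block in `<IfModule mpm_itk_module>` keeps the file harmless if the MPM is ever switched. The leading and trailing blank lines are only style, but a one-line header such as `# mpm-itk sizing and the uid/gid range allowed for per-vhost users` would be more useful than the first blank.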
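Review bot: `SecUploadDir`, `SecDataDir` and `SecTmpDir` all point at `/tmp`, a directory shared with every local account, so uploaded request bodies and persistent collections are written where other users can see or pre-create files; a directory owned by the Apache user with mode 0750 is the usual choice (the Debian package's recommended config points these at a dedicated cache directory, if I recall correctly). `SecResponseBodyMimeType (null) text/html text/plain text/xml` carries a literal `(null)` token that looks like a copy-paste artefact from an old sample file; confirm it is intended before it ships. With `SecRuleEngine On` and `SecDefaultAction "log,auditlog,deny,status:406,phase:2"`, any `SecRule` added later to this file denies by default, and the three rules present (ids 1–3) are probes, so a header comment saying this conf holds the engine settings and that real rule sets live elsewhere would help the next editor. If the packaged security2.conf still includes `/etc/modsecurity/*.conf`, engine directives duplicated there are resolved by load order, which is worth a comment too.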
diff --git a/packweb-apache/files/log2mail-apache.conf b/packweb-apache/files/log2mail-apache.conf
new file mode 100644
index 00000000..93547a53
--- /dev/null
+++ b/packweb-apache/files/log2mail-apache.conf
@@ -0,0 +1,4 @@
+file = /var/log/apache2/error.log
+pattern = "Segmentation fault"
+mailto = alert3@evolix.fr
+template = /etc/log2mail/mail
diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml
new file mode 100644
index 00000000..feb60529
--- /dev/null
+++ b/packweb-apache/tasks/main.yml
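Review bot: `files/log2mail-apache.conf` hard-codes `mailto = alert3@evolix.fr`, while the tasks in this commit only ever render `templates/log2mail-apache.j2` into `/etc/log2mail/config/apache`, so this static copy appears to be referenced by nothing; dropping it avoids two sources of truth for the same file, one of them carrying a fixed address. If it is kept on purpose as an example, its first line should say so, e.g. `# unused by the role: the deployed file comes from templates/log2mail-apache.j2` (assuming log2mail accepts `#` comments). Also confirm that the log2mail daemon can read `/var/log/apache2/error.log`, which on Debian is typically root:adm 0750; otherwise the `Segmentation fault` pattern never matches.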
@@ -0,0 +1,87 @@
+---
+# tasks file for packweb-apache
+
+
+- name: Setting /etc/skel/
+ file:
+ path: "/etc/skel/{{ item.path }}"
+ state: "{{ item.state }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - {path: log, mode: "0750", state: directory}
+ - {path: awstats, mode: "0750", state: directory}
+ - {path: www, mode: "0750", state: directory}
+ - {path: log/access.log, mode: "0644", state: touch}
+ - {path: log/error.log, mode: "0644", state: touch}
+
+- name: Setting DIR_MODE in /etc/adduser.conf to 0750
+ lineinfile:
+ dest: /etc/adduser.conf
+ regexp: '^DIR_MODE='
+ line: 'DIR_MODE=0750'
+
+- name: is PATH already present?
+ command: "grep -E '^export PATH ' /etc/apache2/envvars"
+ failed_when: False
+ changed_when: False
+ register: envvar_grep_path
+ #check_mode: no (for migration to Ansible 2.2)
+ always_run: yes
+
+- name: Add a mark in envvars for PATH
+ blockinfile:
+ dest: /etc/apache2/envvars
+ marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH"
+ block: |
+ # Used for Evoadmin-web
+ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ when: envvar_grep_path.rc != 0
+
+- name: packages are installed
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - libapache2-mod-evasive
+ - apache2-mpm-itk
+ - libapache2-mod-security2
+
+- name: Copy Apache itk and evasive settings
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/apache2/conf-available/{{ item }}"
+ owner: root
+ group: root
+ mode: "0644"
+ force: no
+ with_items:
+ - evolinux-itk.conf
+ - evolinux-evasive.conf
+ - evolinux-modsec.conf
+
+- name: Ensure Apache config files are enabled
+ command: "a2enconf {{ item }}"
+ register: command_result
+ changed_when: "'Enabling' in command_result.stderr"
+ with_items:
+ - evolinux-itk
+ - evolinux-evasive
+ - evolinux-modsec
+
+- name: Is log2mail installed?
+ command: "apt list --installed log2mail"
+ register: command_result
+ changed_when: False
+
+- debug:
+ var: command_result
+
+- name: Add log2mail config for apache segfault
+ template:
+ src: log2mail-apache.j2
+ dest: "/etc/log2mail/config/apache"
+ owner: root
+ group: root
+ mode: "0644"
+ force: no
+ when: "'log2mail' in command_result.stdout"
diff --git a/packweb-apache/templates/log2mail-apache.j2 b/packweb-apache/templates/log2mail-apache.j2
new file mode 100644
index 00000000..ff08f04f
--- /dev/null
+++ b/packweb-apache/templates/log2mail-apache.j2
@@ -0,0 +1,4 @@
+file = /var/log/apache2/error.log
+pattern = "Segmentation fault"
+mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
+template = /etc/log2mail/mail
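Review bot: The `Is log2mail installed?` task parses `apt list --installed log2mail`, whose output is not a stable interface (apt itself warns about that on stderr), and unlike the `is PATH already present?` task earlier in the hunk it has no `always_run`/`check_mode` handling, so in check mode the command is skipped and `when: "'log2mail' in command_result.stdout"` on the template task fails on the missing attribute. `command: "dpkg-query -W -f='${Status}' log2mail"` with `failed_when: False` and `when: "'install ok installed' in command_result.stdout"` is stable and needs no parsing beyond a substring, plus the same `always_run: yes` the grep task carries. `register: command_result` is also the name the `a2enconf` loop above reuses, and the bare `- debug: var: command_result` between them reads as leftover debugging. The `/etc/skel` loop uses `state: touch` for the two log files, which reports changed on every run; `copy` with `content: ""` and `force: no` creates them once and stays idempotent. The `0750` skel directories and `DIR_MODE=0750` are the useful hardening here and deserve a comment saying they keep one hosted account from reading another's home.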
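Review bot: In `mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}` the filter binds tighter than `or`, so `mandatory` only guards `general_alert_email`, which the defaults file in this commit already sets to `root@localhost`; the guard is therefore a no-op. If the intent is that at least one address must resolve, write `mailto = {{ (log2mail_alert_email or general_alert_email) | mandatory }}`. Since the template task deploys this with `force: no`, a first line such as `# Managed by Ansible (packweb-apache): log2mail_alert_email, else general_alert_email` would tell whoever edits /etc/log2mail/config/apache where the value comes from, provided log2mail accepts `#` comments.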