[WIP]: First pass for packweb-apache
This commit is contained in:
parent
6bada3aa70
commit
6a225e469b
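--- a/apache/files/evolinux-ssl.conf
+++ b/apache/files/evolinux-ssl.conf
@@ -0,0 +1,11 @@
+# Strong security.
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLProtocol All -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)
+SSLSessionCacheTimeout 600
+
+# Stapling not activated by default. Need config.
+#SSLUseStapling on
+#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)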
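Review bot: `SSLProtocol All -SSLv2 -SSLv3` still admits TLSv1.0 and TLSv1.1 and, being a deny-list, will also admit whatever protocol a future mod_ssl build adds, so the "Strong security." header promises more than the line enforces; the allow-list form `SSLProtocol -all +TLSv1.2` (adding `+TLSv1.1` only while legacy clients require it) states the policy positively. The session cache is placed under /var/log/apache2, a log directory rather than runtime state, while the commented stapling line a few lines below already uses `${APACHE_RUN_DIR}`; `SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_gcache_data(512000)` keeps the two consistent. The "Need config." remark would be more useful if it named what is missing, e.g. `# Stapling needs SSLStaplingCache plus a reachable OCSP responder; enable per host once verified`.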
|
@ -3,9 +3,7 @@
|
|||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- apache2-mpm-itk
|
||||
- apachetop
|
||||
- libapache2-mod-evasive
|
||||
- libwww-perl
|
||||
tags:
|
||||
- apache
|
||||
|
@ -20,6 +18,7 @@
|
|||
- headers
|
||||
- rewrite
|
||||
- cgi
|
||||
- ssl
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
@ -45,6 +44,17 @@
|
|||
tags:
|
||||
- apache
|
||||
|
||||
- name: Copy Apache SSL (strong security) config file
|
||||
copy:
|
||||
src: evolinux-ssl.conf
|
||||
dest: "/etc/apache2/conf-available/evolinux-ssl.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: no
|
||||
tags:
|
||||
- apache
|
||||
|
||||
- name: Ensure Apache config files are enabled
|
||||
command: "a2enconf {{ item }}"
|
||||
register: command_result
|
||||
|
@ -52,6 +62,7 @@
|
|||
with_items:
|
||||
- z-evolinux-defaults.conf
|
||||
- zzz-evolinux-custom.conf
|
||||
- evolinux-ssl.conf
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
|
38
packweb-apache/README.md
Normal file
38
packweb-apache/README.md
Normal file
|
@ -0,0 +1,38 @@
|
|||
Role Name
|
||||
=========
|
||||
|
||||
A brief description of the role goes here.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
||||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
||||
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
||||
|
||||
- hosts: servers
|
||||
roles:
|
||||
- { role: username.rolename, x: 42 }
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
BSD
|
||||
|
||||
Author Information
|
||||
------------------
|
||||
|
||||
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
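--- a/packweb-apache/defaults/main.yml
+++ b/packweb-apache/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for packweb-apache
+general_alert_email: "root@localhost"
+log2mail_alert_email: Null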
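Review bot: `log2mail_alert_email: Null` relies on the capitalised YAML 1.1 null spelling; the canonical `log2mail_alert_email: null` is read identically by every loader and is what yamllint expects. The value itself is fine, since the template added in this commit treats it as falsy and falls back to general_alert_email, but a comment such as `# null = fall back to general_alert_email` would make that contract visible to whoever overrides it.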
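--- a/packweb-apache/files/evolinux-evasive.conf
+++ b/packweb-apache/files/evolinux-evasive.conf
@@ -0,0 +1,8 @@
+<IfModule mod_evasive20.c>
+DOSHashTableSize 3097
+DOSPageCount 5
+DOSSiteCount 30
+DOSPageInterval 3
+DOSSiteInterval 1
+DOSBlockingPeriod 60
+</IfModule>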
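Review bot: The mod_evasive thresholds carry no comment on their units, so a reader cannot tell that the two Interval directives are seconds and that DOSBlockingPeriod is the block duration in seconds; a header such as `# Block a client for DOSBlockingPeriod seconds after more than DOSPageCount requests for one URI within DOSPageInterval seconds, or more than DOSSiteCount requests site-wide within DOSSiteInterval seconds` would make later tuning safer. Five requests to the same URI in three seconds is tight for sites that poll or load many resources from one path, so the chosen values also deserve a sentence on why they were picked.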
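--- a/packweb-apache/files/evolinux-itk.conf
+++ b/packweb-apache/files/evolinux-itk.conf
@@ -0,0 +1,10 @@
+<IfModule mpm_itk_module>
+StartServers 50
+MinSpareServers 20
+MaxSpareServers 30
+ServerLimit 250
+MaxClients 250
+MaxRequestsPerChild 0
+LimitUIDRange 0 6000
+LimitGIDRange 0 6000
+</IfModule>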
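Review bot: `LimitUIDRange 0 6000` and `LimitGIDRange 0 6000` include uid/gid 0, so a vhost configured with `AssignUserID root root` would still be allowed to switch to root; these directives exist precisely to bound what mpm-itk may setuid to, so the lower bound should exclude system accounts, e.g. `LimitUIDRange 1000 6000` and `LimitGIDRange 1000 6000` if web accounts follow the Debian default of starting at 1000 (adjust if the role's adduser setup differs). `MaxClients` and `MaxRequestsPerChild` are the Apache 2.2 spellings; 2.4 still accepts them, but `MaxRequestWorkers` and `MaxConnectionsPerChild` are the current names and a comment noting which Apache version this file targets would avoid confusion.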
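--- a/packweb-apache/files/evolinux-modsec.conf
+++ b/packweb-apache/files/evolinux-modsec.conf
@@ -0,0 +1,48 @@
+<IfModule mod_security2.c>
+
+# enable mod_security
+SecRuleEngine On
+# access to request bodies
+SecRequestBodyAccess On
+#SecRequestBodyLimit 134217728
+#SecRequestBodyInMemoryLimit 131072
+# access to response bodies
+SecResponseBodyAccess Off
+#SecResponseBodyLimit 524288
+SecResponseBodyMimeType (null) text/html text/plain text/xml
+#SecServerSignature "Apache/2.2.0 (Fedora)"
+
+SecUploadDir /tmp
+SecUploadKeepFiles Off
+
+# default action
+SecDefaultAction "log,auditlog,deny,status:406,phase:2"
+
+SecAuditEngine RelevantOnly
+#SecAuditLogRelevantStatus "^[45]"
+# use only one log file
+SecAuditLogType Serial
+# audit log file
+SecAuditLog /var/log/apache2/modsec_audit.log
+# what is logged
+SecAuditLogParts "ABIFHZ"
+
+#SecArgumentSeparator "&"
+SecCookieFormat 0
+SecDebugLog /var/log/apache2/modsec_debug.log
+SecDebugLogLevel 0
+
+SecDataDir /tmp
+SecTmpDir /tmp
+
+#########
+# RULES
+#########
+
+# File name
+SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
+# Complete URI
+SecRule REQUEST_URI "modsecuritytest2" "id:2"
+SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
+
+</IfModule>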
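Review bot: `SecUploadDir /tmp`, `SecDataDir /tmp` and `SecTmpDir /tmp` place intercepted uploads, the persistent SDBM collections and scratch files in a world-writable shared directory, where any local account can pre-create or replace the files the engine opens; the ModSecurity reference recommends a directory private to the web-server user for all three, e.g. `SecDataDir /var/cache/modsecurity` (example path — use the role's own), created by the tasks file with owner www-data and mode 0750. The three rules under RULES match the literal strings `modsecuritytest1`/`modsecuritytest2` and a legacy `.exe` list, and because they set no action they inherit `deny,status:406` from SecDefaultAction; they read like smoke tests left in, so either a comment marking them as intentional canaries or moving them out of the shipped file would help the next maintainer. `SecAuditEngine RelevantOnly` with `SecAuditLogRelevantStatus` commented out means only rule-triggered transactions are audited, which is fine but worth one line of comment since the commented directive suggests otherwise.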
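--- a/packweb-apache/files/log2mail-apache.conf
+++ b/packweb-apache/files/log2mail-apache.conf
@@ -0,0 +1,4 @@
+file = /var/log/apache2/error.log
+pattern = "Segmentation fault"
+mailto = alert3@evolix.fr
+template = /etc/log2mail/mail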
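Review bot: This static file hard-codes `mailto = alert3@evolix.fr`, while the same commit adds templates/log2mail-apache.j2 with the address parameterised and tasks/main.yml references only the template, so nothing visible in this commit deploys this copy; keeping both invites them to drift, and the fixed address would silently route segfault alerts to a single mailbox if someone later wires the static file in. Dropping files/log2mail-apache.conf, or adding a first-line comment that it is a reference rendering of the template and not deployed, would settle which one is authoritative.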
87
packweb-apache/tasks/main.yml
Normal file
87
packweb-apache/tasks/main.yml
Normal file
|
@ -0,0 +1,87 @@
|
|||
---
|
||||
# tasks file for packweb-apache
|
||||
|
||||
|
||||
- name: Setting /etc/skel/
|
||||
file:
|
||||
path: "/etc/skel/{{ item.path }}"
|
||||
state: "{{ item.state }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- {path: log, mode: "0750", state: directory}
|
||||
- {path: awstats, mode: "0750", state: directory}
|
||||
- {path: www, mode: "0750", state: directory}
|
||||
- {path: log/access.log, mode: "0644", state: touch}
|
||||
- {path: log/error.log, mode: "0644", state: touch}
|
||||
|
||||
- name: Setting DIR_MODE in /etc/adduser.conf to 0750
|
||||
lineinfile:
|
||||
dest: /etc/adduser.conf
|
||||
regexp: '^DIR_MODE='
|
||||
line: 'DIR_MODE=0750'
|
||||
|
||||
- name: is PATH already present?
|
||||
command: "grep -E '^export PATH ' /etc/apache2/envvars"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: envvar_grep_path
|
||||
#check_mode: no (for migration to Ansible 2.2)
|
||||
always_run: yes
|
||||
|
||||
- name: Add a mark in envvars for PATH
|
||||
blockinfile:
|
||||
dest: /etc/apache2/envvars
|
||||
marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH"
|
||||
block: |
|
||||
# Used for Evoadmin-web
|
||||
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
when: envvar_grep_path.rc != 0
|
||||
|
||||
- name: packages are installed
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- libapache2-mod-evasive
|
||||
- apache2-mpm-itk
|
||||
- libapache2-mod-security2
|
||||
|
||||
- name: Copy Apache itk and evasive settings
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/apache2/conf-available/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: no
|
||||
with_items:
|
||||
- evolinux-itk.conf
|
||||
- evolinux-evasive.conf
|
||||
- evolinux-modsec.conf
|
||||
|
||||
- name: Ensure Apache config files are enabled
|
||||
command: "a2enconf {{ item }}"
|
||||
register: command_result
|
||||
changed_when: "'Enabling' in command_result.stderr"
|
||||
with_items:
|
||||
- evolinux-itk
|
||||
- evolinux-evasive
|
||||
- evolinux-modsec
|
||||
|
||||
- name: Is log2mail installed?
|
||||
command: "apt list --installed log2mail"
|
||||
register: command_result
|
||||
changed_when: False
|
||||
|
||||
- debug:
|
||||
var: command_result
|
||||
|
||||
- name: Add log2mail config for apache segfault
|
||||
template:
|
||||
src: log2mail-apache.j2
|
||||
dest: "/etc/log2mail/config/apache"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: no
|
||||
when: "'log2mail' in command_result.stdout"
|
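Review bot: The `debug: var: command_result` task after the log2mail check looks like a development leftover that prints raw command output on every run, and the same `command_result` name is registered by both the a2enconf loop and the apt check, so the final task's `when:` depends on which registration ran last; dropping the debug task and registering the check as something specific, e.g. `register: log2mail_installed` with `when: "'log2mail' in log2mail_installed.stdout"`, removes both problems. The `copy:` task with `force: no` never overwrites an existing conf-available file, so later hardening changes to evolinux-modsec.conf, evolinux-itk.conf or evolinux-evasive.conf in the role will not reach hosts that already received a copy; if that is deliberate, a comment on the task saying so would save the next reader from treating it as a bug. `file: state: touch` on the two skel log files reports changed on every run, so the first task is not idempotent as written, and `apt list --installed` warns that its CLI is not stable, so `dpkg-query -W log2mail` may be the more durable check.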
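--- a/packweb-apache/templates/log2mail-apache.j2
+++ b/packweb-apache/templates/log2mail-apache.j2
@@ -0,0 +1,4 @@
+file = /var/log/apache2/error.log
+pattern = "Segmentation fault"
+mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
+template = /etc/log2mail/mail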
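Review bot: In `mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}` the filter binds only to `general_alert_email`, and defaults/main.yml in this commit always defines that variable as "root@localhost", so `mandatory` can never fire; if the intent is to fail when no address is configured at all, `(log2mail_alert_email or general_alert_email) | mandatory` is the form, and if the default is meant to make it unnecessary the filter can simply be dropped. A one-line comment at the top stating that log2mail_alert_email overrides general_alert_email would also document the fallback where operators will actually look for it.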