From d75846ed28dc1cf226ccebabfa7dd80e9bdbc3c5 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Fri, 30 Aug 2019 10:32:44 -0400 Subject: [PATCH] Make it possible to add an htpasswd file to evoadmin --- CHANGELOG.md | 1 + webapps/evoadmin-web/README.md | 13 ++++++++++++- webapps/evoadmin-web/defaults/main.yml | 2 ++ webapps/evoadmin-web/tasks/web.yml | 16 ++++++++++++++++ webapps/evoadmin-web/templates/evoadmin.conf.j2 | 13 +++++++++++++ 5 files changed, 44 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85161d0d..cae4f135 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release. * php: variable to install the mysqlnd module instead of the default mysql module * packweb-apache: Deploy opcache.php to give some insights on PHP's opcache status * webapps/evoadmin-web Overload templates if needed +* webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist * redis: max clients is configurable ### Changed diff --git a/webapps/evoadmin-web/README.md b/webapps/evoadmin-web/README.md index 096a8378..db0a6441 100644 --- a/webapps/evoadmin-web/README.md +++ b/webapps/evoadmin-web/README.md @@ -32,4 +32,15 @@ And force it to update: - "templates/evoadmin-web/sudoers.j2" - "sudoers.j2" And force it to update: - evoadmin_sudoers_conf_force: True \ No newline at end of file + evoadmin_sudoers_conf_force: True + +# Set evoadmin-web sudoers file +evoadmin_htpasswd: true + +Overwrite its template: +- "templates/evoadmin-web/htpasswd.{{ inventory_hostname }}.j2" +- "templates/evoadmin-web/htpasswd.{{ host_group }}.j2" +- "templates/evoadmin-web/htpasswd.j2" +- "htpasswd.j2" +And force it to update: + evoadmin_htpasswd_force: true diff --git a/webapps/evoadmin-web/defaults/main.yml b/webapps/evoadmin-web/defaults/main.yml index 9e6a6683..906ae0f1 100644 --- a/webapps/evoadmin-web/defaults/main.yml +++ b/webapps/evoadmin-web/defaults/main.yml 
@@ -18,6 +18,8 @@ evoadmin_config_local_php_force: false evoadmin_sudoers_conf_force: false evoadmin_add_conf_force: false evoadmin_mail_tpl_force: false +evoadmin_htpasswd_force: false +evoadmin_htpasswd: false evoadmin_tpl_servername: "{{ ansible_fqdn }}" evoadmin_tpl_address: "{{ ansible_default_ipv4.address }}" diff --git a/webapps/evoadmin-web/tasks/web.yml b/webapps/evoadmin-web/tasks/web.yml index 1009960a..ddbee20b 100644 --- a/webapps/evoadmin-web/tasks/web.yml +++ b/webapps/evoadmin-web/tasks/web.yml @@ -45,6 +45,22 @@ notify: reload apache2 when: not evoadmin_enable_vhost +- name: Copy htpasswd for evoadmin + template: + src: "{{ item }}" + dest: "/var/www/.ansible_evoadmin_htpasswd" + mode: "0644" + owner: root + group: www-data + force: "{{ evoadmin_htpasswd_force }}" + with_first_found: + - "templates/evoadmin-web/htpasswd.{{ inventory_hostname }}.j2" + - "templates/evoadmin-web/htpasswd.{{ host_group }}.j2" + - "templates/evoadmin-web/htpasswd.j2" + - "htpasswd.j2" + when: evoadmin_htpasswd + register: evoadmin_htpasswd_template + - name: Copy config file for evoadmin template: src: "{{ item }}" diff --git a/webapps/evoadmin-web/templates/evoadmin.conf.j2 b/webapps/evoadmin-web/templates/evoadmin.conf.j2 index 182cddd7..cbe08bec 100644 --- a/webapps/evoadmin-web/templates/evoadmin.conf.j2 +++ b/webapps/evoadmin-web/templates/evoadmin.conf.j2 @@ -23,7 +23,20 @@ #Options Indexes SymLinksIfOwnerMatch Options SymLinksIfOwnerMatch AllowOverride AuthConfig Limit FileInfo +{% if evoadmin_htpasswd %} + Require all denied + Include /etc/apache2/ipaddr_whitelist.conf + AuthType Basic + AuthName "Restricted" + AuthUserFile "/var/www/.ansible_evoadmin_htpasswd" + Require valid-user + + SecRuleEngine Off + +{% else %} Require all granted +{% endif %} + # user - group (thanks to sesse@debian.org)
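Review bot: The "Copy htpasswd for evoadmin" task writes the password-hash file to `/var/www/.ansible_evoadmin_htpasswd` with `mode: "0644"`, which makes the hashes readable by every local account, while the `owner: root` / `group: www-data` pair already lets the Apache worker read it; `mode: "0640"` is sufficient for an AuthUserFile. Whether `/var/www` is a served DocumentRoot is not visible in this hunk, but Debian's default `<FilesMatch "^\.ht">` deny rule only covers names starting with `.ht`, so a file named `.ansible_evoadmin_htpasswd` would not be protected if that directory is served — a destination outside any web root avoids the question entirely. The template being copied presumably holds the hashes, so a comment on the task such as `# Holds password hashes: keep the template vaulted, never plaintext passwords` would help the next operator, and a note that `force` defaults to false (so a rotated hash in the template is not applied until `evoadmin_htpasswd_force` is set) belongs next to it.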
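Review bot: Inside the `{% if evoadmin_htpasswd %}` branch, `Require all denied`, whatever `Require` lines `ipaddr_whitelist.conf` contributes, and `Require valid-user` sit at the same level, so Apache 2.4 merges them into an implicit `<RequireAny>`: `Require all denied` is then a no-op (an always-fail member of an OR), not the default-deny it reads as, and access is granted to a whitelisted address or to a valid user. If that OR is the intent, say so explicitly and drop the dead line by wrapping the Include and `Require valid-user` in `<RequireAny>`; if whitelist AND password was meant, `<RequireAll>` is needed instead. `SecRuleEngine Off` is emitted only in this branch with no visible `<IfModule security2_module>` guard, so Apache would refuse to start with the option enabled on a host where mod_security2 is not loaded, and a comment should record why the engine is switched off for authenticated access. Basic authentication sends the password in clear text and nothing in this hunk shows whether the vhost is TLS-only, which is worth confirming. The enclosing `<Directory>` block starts and ends outside the hunk.
```apache
{% if evoadmin_htpasswd %}
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/var/www/.ansible_evoadmin_htpasswd"
    # Either a whitelisted address or a valid htpasswd user is accepted
    <RequireAny>
        Include /etc/apache2/ipaddr_whitelist.conf
        Require valid-user
    </RequireAny>

    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
{% else %}
# … unchanged: Require all granted / endif …
```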