From e7e9f9e125e20cc8e728b49fe27aabbf80d0e550 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Sat, 7 Oct 2017 13:48:04 +0200
Subject: [PATCH] Apache/Nginx: use ipaddr_whitelist

---
 apache/README.md | 4 ++--
 apache/defaults/main.yml | 4 ++--
 ...r_whitelist.conf => ipaddr_whitelist.conf} | 0
 apache/tasks/auth.yml | 12 +++++++---
 kibana/templates/nginx_proxy_kibana_nossl.j2 | 2 +-
 kibana/templates/nginx_proxy_kibana_ssl.j2 | 2 +-
 nginx/README.md | 4 ++--
 nginx/defaults/main.yml | 4 ++--
 nginx/tasks/main_regular.yml | 23 ++++++++++++-------
 nginx/templates/evolinux-default.conf.j2 | 2 +-
 10 files changed, 35 insertions(+), 22 deletions(-)
 rename apache/files/{private_ipaddr_whitelist.conf => ipaddr_whitelist.conf} (100%)

diff --git a/apache/README.md b/apache/README.md
index 66804981..40e17499 100644
--- a/apache/README.md
+++ b/apache/README.md
@@ -10,8 +10,8 @@ Everything is in the `tasks/main.yml` file for now.
 Main variables are :
-* `apache_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
-* `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
+* `apache_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
+* `apache_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
 * `apache_private_htpasswd_present` : list of users to have in the private htpasswd ;
 * `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
 * `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml
index 276f5a38..390adb43 100644
--- a/apache/defaults/main.yml
+++ b/apache/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
-apache_private_ipaddr_whitelist_present: []
-apache_private_ipaddr_whitelist_absent: []
+apache_ipaddr_whitelist_present: []
+apache_ipaddr_whitelist_absent: []
 apache_private_htpasswd_present: []
 apache_private_htpasswd_absent: []
diff --git a/apache/files/private_ipaddr_whitelist.conf b/apache/files/ipaddr_whitelist.conf
similarity index 100%
rename from apache/files/private_ipaddr_whitelist.conf
rename to apache/files/ipaddr_whitelist.conf
diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml
index 0f550a3c..4be44bea 100644
--- a/apache/tasks/auth.yml
+++ b/apache/tasks/auth.yml
@@ -1,8 +1,14 @@
 ---
+- name: "Rename private_ipaddr_whitelist if present"
+  command: "mv /etc/apache2/private_ipaddr_whitelist.conf /etc/apache2/ipaddr_whitelist.conf"
+  args:
+    removes: /etc/apache2/private_ipaddr_whitelist.conf
+    creates: /etc/apache2/ipaddr_whitelist.conf
+
 - name: Init ipaddr_whitelist.conf file
   copy:
-    src: private_ipaddr_whitelist.conf
+    src: ipaddr_whitelist.conf
     dest: /etc/apache2/ipaddr_whitelist.conf
     owner: root
     group: root
@@ -16,7 +22,7 @@
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: present
-  with_items: "{{ apache_private_ipaddr_whitelist_present }}"
+  with_items: "{{ apache_ipaddr_whitelist_present }}"
   notify: reload apache
   tags:
     - apache
@@ -26,7 +32,7 @@
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: absent
-  with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
+  with_items: "{{ apache_ipaddr_whitelist_absent }}"
   notify: reload apache
   tags:
     - apache
diff --git a/kibana/templates/nginx_proxy_kibana_nossl.j2 b/kibana/templates/nginx_proxy_kibana_nossl.j2
index 1540b841..3c674317 100644
--- a/kibana/templates/nginx_proxy_kibana_nossl.j2
+++ b/kibana/templates/nginx_proxy_kibana_nossl.j2
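Review bot: The renamed defaults `apache_ipaddr_whitelist_present` / `apache_ipaddr_whitelist_absent` have no fallback to the old `apache_private_ipaddr_whitelist_*` names, so an inventory or group_vars file that still sets the old names is silently ignored and none of its addresses are added to the whitelist; the `nginx_ipaddr_whitelist_*` rename in nginx/defaults/main.yml has the same gap. A transitional default such as `apache_ipaddr_whitelist_present: "{{ apache_private_ipaddr_whitelist_present | default([]) }}"` (and likewise for the three other variables) would keep existing inventories working until they are migrated, and the README could mark the old names as deprecated. Because the lineinfile tasks only add or remove the listed addresses, an already-configured host keeps its previous entries, but a freshly provisioned host would end up with only the stock file and none of the inventory's addresses.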
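Review bot: The new "Rename private_ipaddr_whitelist if present" task in apache/tasks/auth.yml carries no `tags:`, while the other tasks visible in this diff are tagged `apache`, so a run limited with `--tags apache` skips the migration; add `tags:` / `- apache` to it as the others have. Note also that the unchanged context line `dest: /etc/apache2/ipaddr_whitelist.conf` shows the Init task already wrote to the new name before this commit, so `/etc/apache2/private_ipaddr_whitelist.conf` should only exist where it was created outside this role and the `mv` will normally be skipped by `removes:`; that is harmless, but a comment such as `# one-off migration: only runs if the old file name was ever used on this host` would save the next reader the same investigation. The task list continues past the hunk.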
@@ -9,7 +9,7 @@ server {
     server_name {{ kibana_proxy_domain }};
     # Auth.
-    include /etc/nginx/snippets/private_ipaddr_whitelist;
+    include /etc/nginx/snippets/ipaddr_whitelist;
     deny all;
     auth_basic "Reserved {{ kibana_proxy_domain }}";
     auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
diff --git a/kibana/templates/nginx_proxy_kibana_ssl.j2 b/kibana/templates/nginx_proxy_kibana_ssl.j2
index ea2e06c9..c72db251 100644
--- a/kibana/templates/nginx_proxy_kibana_ssl.j2
+++ b/kibana/templates/nginx_proxy_kibana_ssl.j2
@@ -19,7 +19,7 @@ server {
     ssl_certificate_key {{ kibana_proxy_ssl_key }};
     # Auth.
-    include /etc/nginx/snippets/private_ipaddr_whitelist;
+    include /etc/nginx/snippets/ipaddr_whitelist;
     deny all;
     auth_basic "Reserved {{ kibana_proxy_domain }}";
     auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
diff --git a/nginx/README.md b/nginx/README.md
index d519608b..73ede527 100644
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -18,8 +18,8 @@ Main variables are :
 * `nginx_minimal` : very basic install and config (default: `False`) ;
 * `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ;
-* `nginx_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
-* `nginx_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
+* `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
+* `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
 * `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ;
 * `nginx_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 16398ee4..dd6e58d7 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
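Review bot: The new `include /etc/nginx/snippets/ipaddr_whitelist;` in nginx_proxy_kibana_nossl.j2 (and the identical line in nginx_proxy_kibana_ssl.j2) makes the kibana role depend on the nginx role's rename task having already run on the same host; if the kibana role is applied together with an older nginx role, or before the nginx role, the included file does not exist and nginx refuses the configuration at reload, leaving the proxy on its previous config (fail-closed, since the `deny all;` still applies, but an outage for the operator). Consider stating this ordering requirement in the kibana role's README or as a dependency in its metadata, and keeping the old snippet name accepted for one release. The surrounding `server { … }` block starts and ends outside both hunks.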
@@ -3,8 +3,8 @@
 nginx_minimal: False
 nginx_jessie_backports: False
-nginx_private_ipaddr_whitelist_present: []
-nginx_private_ipaddr_whitelist_absent: []
+nginx_ipaddr_whitelist_present: []
+nginx_ipaddr_whitelist_absent: []
 nginx_private_htpasswd_present: []
 nginx_private_htpasswd_absent: []
diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml
index 74580972..6249e92b 100644
--- a/nginx/tasks/main_regular.yml
+++ b/nginx/tasks/main_regular.yml
@@ -38,13 +38,20 @@
     - nginx
 # TODO: verify that those permissions are correct :
-# not too strict for private_ipaddr_whitelist
+# not too strict for ipaddr_whitelist
 # and not too loose for private_htpasswd
-- name: Copy private_ipaddr_whitelist
+
+- name: "Rename private_ipaddr_whitelist if present"
+  command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist
+  args:
+    removes: /etc/nginx/snippets/private_ipaddr_whitelist
+    creates: /etc/nginx/snippets/ipaddr_whitelist
+
+- name: Copy ipaddr_whitelist
   copy:
-    src: nginx/snippets/private_ipaddr_whitelist
-    dest: /etc/nginx/snippets/private_ipaddr_whitelist
+    src: nginx/snippets/ipaddr_whitelist
+    dest: /etc/nginx/snippets/ipaddr_whitelist
     owner: www-data
     group: www-data
     directory_mode: "0640"
@@ -56,20 +63,20 @@
 - name: add IP addresses to private IP whitelist
   lineinfile:
-    dest: /etc/nginx/snippets/private_ipaddr_whitelist
+    dest: /etc/nginx/snippets/ipaddr_whitelist
     line: "allow {{ item }};"
     state: present
-  with_items: "{{ nginx_private_ipaddr_whitelist_present }}"
+  with_items: "{{ nginx_ipaddr_whitelist_present }}"
   notify: reload nginx
   tags:
     - nginx
 - name: remove IP addresses from private IP whitelist
   lineinfile:
-    dest: /etc/nginx/snippets/private_ipaddr_whitelist
+    dest: /etc/nginx/snippets/ipaddr_whitelist
     line: "allow {{ item }};"
     state: absent
-  with_items: "{{ nginx_private_ipaddr_whitelist_absent }}"
+  with_items: "{{ nginx_ipaddr_whitelist_absent }}"
   notify: reload nginx
   tags:
     - nginx
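Review bot: The `command:` value of the new rename task in nginx/tasks/main_regular.yml is missing its closing double quote — `command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist` — so the quoted scalar runs on into the `args:` lines and the whole task file fails to parse; the Apache counterpart in apache/tasks/auth.yml is quoted correctly. Fix: `command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist"`. The task also lacks the `tags:` / `- nginx` that the neighbouring tasks carry, so a `--tags nginx` run skips the migration and the following `Copy ipaddr_whitelist` task then writes a fresh stock file at the new path while the old snippet with its previously added addresses is left behind. Whether an untagged run keeps those addresses also depends on the copy task's `force` setting, which lies outside the hunk — worth confirming, since the copy now targets exactly the file the `mv` just produced.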
diff --git a/nginx/templates/evolinux-default.conf.j2 b/nginx/templates/evolinux-default.conf.j2
index 165f39f8..2ec13fd8 100644
--- a/nginx/templates/evolinux-default.conf.j2
+++ b/nginx/templates/evolinux-default.conf.j2
@@ -23,7 +23,7 @@ server {
     root /var/www;
     # Auth.
-    include /etc/nginx/snippets/private_ipaddr_whitelist;
+    include /etc/nginx/snippets/ipaddr_whitelist;
     deny all;
     auth_basic "Reserved {{ ansible_fqdn }}";
     auth_basic_user_file /etc/nginx/snippets/private_htpasswd;