Apache/Nginx: use ipaddr_whitelist
parent
03bc456dfa
commit
e7e9f9e125
|
@ -10,8 +10,8 @@ Everything is in the `tasks/main.yml` file for now.
|
||||||
|
|
||||||
Main variables are :
|
Main variables are :
|
||||||
|
|
||||||
* `apache_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
* `apache_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
||||||
* `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
|
* `apache_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
|
||||||
* `apache_private_htpasswd_present` : list of users to have in the private htpasswd ;
|
* `apache_private_htpasswd_present` : list of users to have in the private htpasswd ;
|
||||||
* `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
|
* `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
|
||||||
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
apache_private_ipaddr_whitelist_present: []
|
apache_ipaddr_whitelist_present: []
|
||||||
apache_private_ipaddr_whitelist_absent: []
|
apache_ipaddr_whitelist_absent: []
|
||||||
|
|
||||||
apache_private_htpasswd_present: []
|
apache_private_htpasswd_present: []
|
||||||
apache_private_htpasswd_absent: []
|
apache_private_htpasswd_absent: []
|
||||||
|
|
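Review bot: The defaults now define only the new `apache_ipaddr_whitelist_present` / `apache_ipaddr_whitelist_absent` names, so an inventory or playbook that still sets the old `apache_private_ipaddr_whitelist_*` variables silently loses its whitelist entries: the `Require ip` lines are never written and the role raises no error about the unused variable. If the rename is meant to be transparent for existing users, point the new defaults at the old names, e.g. `apache_ipaddr_whitelist_present: "{{ apache_private_ipaddr_whitelist_present | default([]) }}"` and likewise for `_absent`; otherwise the rename should be called out as a breaking change in the README. The nginx defaults hunk (`nginx_ipaddr_whitelist_*`) has the same gap.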
|
@ -1,8 +1,14 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: "Rename private_ipaddr_whitelist if present"
|
||||||
|
command: "mv /etc/apache2/private_ipaddr_whitelist.conf /etc/apache2/ipaddr_whitelist.conf"
|
||||||
|
args:
|
||||||
|
removes: /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
|
creates: /etc/apache2/ipaddr_whitelist.conf
|
||||||
|
|
||||||
- name: Init ipaddr_whitelist.conf file
|
- name: Init ipaddr_whitelist.conf file
|
||||||
copy:
|
copy:
|
||||||
src: private_ipaddr_whitelist.conf
|
src: ipaddr_whitelist.conf
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
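Review bot: The new rename task is immediately followed by the `copy` of `ipaddr_whitelist.conf` to the same destination, so unless that task carries `force: no` on a line below the hunk, the file just moved from `private_ipaddr_whitelist.conf` is overwritten by the role's stock copy and any entries present on the host are dropped until the lineinfile tasks re-add the configured ones. Worth confirming the Init task really is create-only, and that `files/ipaddr_whitelist.conf` exists under the new name since `src:` no longer references `private_ipaddr_whitelist.conf`. The same rename-then-copy ordering applies to the nginx tasks hunk with `Copy ipaddr_whitelist`. The Init task's body continues past the end of this hunk.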
@ -16,7 +22,7 @@
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
line: "Require ip {{ item }}"
|
line: "Require ip {{ item }}"
|
||||||
state: present
|
state: present
|
||||||
with_items: "{{ apache_private_ipaddr_whitelist_present }}"
|
with_items: "{{ apache_ipaddr_whitelist_present }}"
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
@ -26,7 +32,7 @@
|
||||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||||
line: "Require ip {{ item }}"
|
line: "Require ip {{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
|
with_items: "{{ apache_ipaddr_whitelist_absent }}"
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
|
@ -9,7 +9,7 @@ server {
|
||||||
server_name {{ kibana_proxy_domain }};
|
server_name {{ kibana_proxy_domain }};
|
||||||
|
|
||||||
# Auth.
|
# Auth.
|
||||||
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
include /etc/nginx/snippets/ipaddr_whitelist;
|
||||||
deny all;
|
deny all;
|
||||||
auth_basic "Reserved {{ kibana_proxy_domain }}";
|
auth_basic "Reserved {{ kibana_proxy_domain }}";
|
||||||
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||||
|
|
|
@ -19,7 +19,7 @@ server {
|
||||||
ssl_certificate_key {{ kibana_proxy_ssl_key }};
|
ssl_certificate_key {{ kibana_proxy_ssl_key }};
|
||||||
|
|
||||||
# Auth.
|
# Auth.
|
||||||
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
include /etc/nginx/snippets/ipaddr_whitelist;
|
||||||
deny all;
|
deny all;
|
||||||
auth_basic "Reserved {{ kibana_proxy_domain }}";
|
auth_basic "Reserved {{ kibana_proxy_domain }}";
|
||||||
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||||
|
|
|
@ -18,8 +18,8 @@ Main variables are :
|
||||||
|
|
||||||
* `nginx_minimal` : very basic install and config (default: `False`) ;
|
* `nginx_minimal` : very basic install and config (default: `False`) ;
|
||||||
* `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ;
|
* `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ;
|
||||||
* `nginx_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
* `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
||||||
* `nginx_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
|
* `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
|
||||||
* `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ;
|
* `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ;
|
||||||
* `nginx_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
|
* `nginx_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
|
||||||
|
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
nginx_minimal: False
|
nginx_minimal: False
|
||||||
nginx_jessie_backports: False
|
nginx_jessie_backports: False
|
||||||
|
|
||||||
nginx_private_ipaddr_whitelist_present: []
|
nginx_ipaddr_whitelist_present: []
|
||||||
nginx_private_ipaddr_whitelist_absent: []
|
nginx_ipaddr_whitelist_absent: []
|
||||||
|
|
||||||
nginx_private_htpasswd_present: []
|
nginx_private_htpasswd_present: []
|
||||||
nginx_private_htpasswd_absent: []
|
nginx_private_htpasswd_absent: []
|
||||||
|
|
|
@ -38,13 +38,20 @@
|
||||||
- nginx
|
- nginx
|
||||||
|
|
||||||
# TODO: verify that those permissions are correct :
|
# TODO: verify that those permissions are correct :
|
||||||
# not too strict for private_ipaddr_whitelist
|
# not too strict for ipaddr_whitelist
|
||||||
# and not too loose for private_htpasswd
|
# and not too loose for private_htpasswd
|
||||||
|
|
||||||
- name: Copy private_ipaddr_whitelist
|
|
||||||
|
- name: "Rename private_ipaddr_whitelist if present"
|
||||||
|
command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist
|
||||||
|
args:
|
||||||
|
removes: /etc/nginx/snippets/private_ipaddr_whitelist
|
||||||
|
creates: /etc/nginx/snippets/ipaddr_whitelist
|
||||||
|
|
||||||
|
- name: Copy ipaddr_whitelist
|
||||||
copy:
|
copy:
|
||||||
src: nginx/snippets/private_ipaddr_whitelist
|
src: nginx/snippets/ipaddr_whitelist
|
||||||
dest: /etc/nginx/snippets/private_ipaddr_whitelist
|
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||||
owner: www-data
|
owner: www-data
|
||||||
group: www-data
|
group: www-data
|
||||||
directory_mode: "0640"
|
directory_mode: "0640"
|
||||||
|
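Review bot: The `command:` value of the nginx rename task is an unterminated double-quoted scalar: `command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist` has no closing quote, so the parser either fails on this file or folds the following `args:` lines into the command string, and the task cannot run as intended; it should read `command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist"`. The apache counterpart earlier in the commit is quoted correctly. Because `removes` and `creates` sit inside the mis-parsed span, the guard that keeps the move from re-running is lost along with it.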
@ -56,20 +63,20 @@
|
||||||
|
|
||||||
- name: add IP addresses to private IP whitelist
|
- name: add IP addresses to private IP whitelist
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/nginx/snippets/private_ipaddr_whitelist
|
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||||
line: "allow {{ item }};"
|
line: "allow {{ item }};"
|
||||||
state: present
|
state: present
|
||||||
with_items: "{{ nginx_private_ipaddr_whitelist_present }}"
|
with_items: "{{ nginx_ipaddr_whitelist_present }}"
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
tags:
|
tags:
|
||||||
- nginx
|
- nginx
|
||||||
|
|
||||||
- name: remove IP addresses from private IP whitelist
|
- name: remove IP addresses from private IP whitelist
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/nginx/snippets/private_ipaddr_whitelist
|
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||||
line: "allow {{ item }};"
|
line: "allow {{ item }};"
|
||||||
state: absent
|
state: absent
|
||||||
with_items: "{{ nginx_private_ipaddr_whitelist_absent }}"
|
with_items: "{{ nginx_ipaddr_whitelist_absent }}"
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
tags:
|
tags:
|
||||||
- nginx
|
- nginx
|
||||||
|
|
|
@ -23,7 +23,7 @@ server {
|
||||||
root /var/www;
|
root /var/www;
|
||||||
|
|
||||||
# Auth.
|
# Auth.
|
||||||
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
include /etc/nginx/snippets/ipaddr_whitelist;
|
||||||
deny all;
|
deny all;
|
||||||
auth_basic "Reserved {{ ansible_fqdn }}";
|
auth_basic "Reserved {{ ansible_fqdn }}";
|
||||||
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||||
|
|