Apache/Nginx: use ipaddr_whitelist
parent
03bc456dfa
commit
e7e9f9e125
|
@ -10,8 +10,8 @@ Everything is in the `tasks/main.yml` file for now.
|
|||
|
||||
Main variables are :
|
||||
|
||||
* `apache_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
||||
* `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
|
||||
* `apache_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
||||
* `apache_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
|
||||
* `apache_private_htpasswd_present` : list of users to have in the private htpasswd ;
|
||||
* `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
|
||||
* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
apache_private_ipaddr_whitelist_present: []
|
||||
apache_private_ipaddr_whitelist_absent: []
|
||||
apache_ipaddr_whitelist_present: []
|
||||
apache_ipaddr_whitelist_absent: []
|
||||
|
||||
apache_private_htpasswd_present: []
|
||||
apache_private_htpasswd_absent: []
|
||||
|
|
|
@ -1,8 +1,14 @@
|
|||
---
|
||||
|
||||
- name: "Rename private_ipaddr_whitelist if present"
|
||||
command: "mv /etc/apache2/private_ipaddr_whitelist.conf /etc/apache2/ipaddr_whitelist.conf"
|
||||
args:
|
||||
removes: /etc/apache2/private_ipaddr_whitelist.conf
|
||||
creates: /etc/apache2/ipaddr_whitelist.conf
|
||||
|
||||
- name: Init ipaddr_whitelist.conf file
|
||||
copy:
|
||||
src: private_ipaddr_whitelist.conf
|
||||
src: ipaddr_whitelist.conf
|
||||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
owner: root
|
||||
group: root
|
||||
|
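Review bot: The rename task `command: "mv /etc/apache2/private_ipaddr_whitelist.conf /etc/apache2/ipaddr_whitelist.conf"` leaves nothing at the old path, so any vhost already deployed on a host that still includes `/etc/apache2/private_ipaddr_whitelist.conf` fails Apache's config test on the next reload; the nginx snippet rename in hunk @ -38,13 +38,20 @@ has the same effect on vhosts rendered from the old templates. The variable rename here and in hunk @ -56,20 +63,20 @@ fails the same silent way: an inventory that still sets `apache_private_ipaddr_whitelist_present` is simply ignored, and because the defaults are `[]` nothing warns that the addresses were never added. A transition symlink at the old path, placed after the rename task, keeps old includes valid, and the rename stays idempotent because its `creates` path is then already present. The copy task "Init ipaddr_whitelist.conf file" continues outside the hunk; if it does not set `force: no`, it overwrites the file that was just renamed and the addresses previously allowed are lost.
```yaml
# … unchanged: "Rename private_ipaddr_whitelist if present" task …

- name: "Keep legacy private_ipaddr_whitelist.conf path for vhosts not yet migrated"
  file:
    src: /etc/apache2/ipaddr_whitelist.conf
    dest: /etc/apache2/private_ipaddr_whitelist.conf
    state: link

# … unchanged: "Init ipaddr_whitelist.conf file" task …
```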
@ -16,7 +22,7 @@
|
|||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: present
|
||||
with_items: "{{ apache_private_ipaddr_whitelist_present }}"
|
||||
with_items: "{{ apache_ipaddr_whitelist_present }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
@ -26,7 +32,7 @@
|
|||
dest: /etc/apache2/ipaddr_whitelist.conf
|
||||
line: "Require ip {{ item }}"
|
||||
state: absent
|
||||
with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
|
||||
with_items: "{{ apache_ipaddr_whitelist_absent }}"
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
|
|
@ -9,7 +9,7 @@ server {
|
|||
server_name {{ kibana_proxy_domain }};
|
||||
|
||||
# Auth.
|
||||
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
||||
include /etc/nginx/snippets/ipaddr_whitelist;
|
||||
deny all;
|
||||
auth_basic "Reserved {{ kibana_proxy_domain }}";
|
||||
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||
|
|
|
@ -19,7 +19,7 @@ server {
|
|||
ssl_certificate_key {{ kibana_proxy_ssl_key }};
|
||||
|
||||
# Auth.
|
||||
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
||||
include /etc/nginx/snippets/ipaddr_whitelist;
|
||||
deny all;
|
||||
auth_basic "Reserved {{ kibana_proxy_domain }}";
|
||||
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||
|
|
|
@ -18,8 +18,8 @@ Main variables are :
|
|||
|
||||
* `nginx_minimal` : very basic install and config (default: `False`) ;
|
||||
* `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ;
|
||||
* `nginx_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
||||
* `nginx_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
|
||||
* `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
|
||||
* `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
|
||||
* `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ;
|
||||
* `nginx_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
|
||||
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
nginx_minimal: False
|
||||
nginx_jessie_backports: False
|
||||
|
||||
nginx_private_ipaddr_whitelist_present: []
|
||||
nginx_private_ipaddr_whitelist_absent: []
|
||||
nginx_ipaddr_whitelist_present: []
|
||||
nginx_ipaddr_whitelist_absent: []
|
||||
|
||||
nginx_private_htpasswd_present: []
|
||||
nginx_private_htpasswd_absent: []
|
||||
|
|
|
@ -38,13 +38,20 @@
|
|||
- nginx
|
||||
|
||||
# TODO: verify that those permissions are correct :
|
||||
# not too strict for private_ipaddr_whitelist
|
||||
# not too strict for ipaddr_whitelist
|
||||
# and not too loose for private_htpasswd
|
||||
|
||||
- name: Copy private_ipaddr_whitelist
|
||||
|
||||
- name: "Rename private_ipaddr_whitelist if present"
|
||||
command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist
|
||||
args:
|
||||
removes: /etc/nginx/snippets/private_ipaddr_whitelist
|
||||
creates: /etc/nginx/snippets/ipaddr_whitelist
|
||||
|
||||
- name: Copy ipaddr_whitelist
|
||||
copy:
|
||||
src: nginx/snippets/private_ipaddr_whitelist
|
||||
dest: /etc/nginx/snippets/private_ipaddr_whitelist
|
||||
src: nginx/snippets/ipaddr_whitelist
|
||||
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||
owner: www-data
|
||||
group: www-data
|
||||
directory_mode: "0640"
|
||||
|
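Review bot: The double-quoted scalar `command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist` has no closing quote, so the parser keeps reading the following `args:` lines as part of the string and the play either fails to load or runs a mangled command; close it as the Apache counterpart does: `command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist"`. The new "Copy ipaddr_whitelist" task keeps `owner: www-data` / `group: www-data`, which the TODO comment above already questions: the allow-list only needs to be readable by nginx, and a file writable by the worker user lets a compromised application running as www-data extend its own allow-list, so `owner: root`, `group: www-data` with an explicit `mode: "0640"` is the safer choice. `directory_mode` applies only to recursive directory copies, so the file's mode is presumably left to the copy module's default here — confirm on a target host. The task list continues outside the hunk.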
@ -56,20 +63,20 @@
|
|||
|
||||
- name: add IP addresses to private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/nginx/snippets/private_ipaddr_whitelist
|
||||
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||
line: "allow {{ item }};"
|
||||
state: present
|
||||
with_items: "{{ nginx_private_ipaddr_whitelist_present }}"
|
||||
with_items: "{{ nginx_ipaddr_whitelist_present }}"
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- nginx
|
||||
|
||||
- name: remove IP addresses from private IP whitelist
|
||||
lineinfile:
|
||||
dest: /etc/nginx/snippets/private_ipaddr_whitelist
|
||||
dest: /etc/nginx/snippets/ipaddr_whitelist
|
||||
line: "allow {{ item }};"
|
||||
state: absent
|
||||
with_items: "{{ nginx_private_ipaddr_whitelist_absent }}"
|
||||
with_items: "{{ nginx_ipaddr_whitelist_absent }}"
|
||||
notify: reload nginx
|
||||
tags:
|
||||
- nginx
|
||||
|
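Review bot: The task names `add IP addresses to private IP whitelist` and `remove IP addresses from private IP whitelist` still say "private" although the loops now read `nginx_ipaddr_whitelist_present` / `nginx_ipaddr_whitelist_absent` and write to `/etc/nginx/snippets/ipaddr_whitelist`; renaming them to `add IP addresses to IP whitelist` and `remove IP addresses from IP whitelist` keeps the play output consistent with the variables. Both tasks are fully inside the hunk; the enclosing task file continues outside it.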
|
|
@ -23,7 +23,7 @@ server {
|
|||
root /var/www;
|
||||
|
||||
# Auth.
|
||||
include /etc/nginx/snippets/private_ipaddr_whitelist;
|
||||
include /etc/nginx/snippets/ipaddr_whitelist;
|
||||
deny all;
|
||||
auth_basic "Reserved {{ ansible_fqdn }}";
|
||||
auth_basic_user_file /etc/nginx/snippets/private_htpasswd;
|
||||
|
|