diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 00000000..7e100a8f --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: +- '106' diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..405be9aa --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,28 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To reproduce** +Steps to reproduce the behavior: +1. Deploy NGINX App Protect role using playbook.yml +2. View output/logs/configuration on '...' +3. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Your environment:** +- Version of the NGINX App Protect role or specific commit +- Version of Ansible +- Target deployment platform + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..bbcbbe7d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..ba1fcacc 
--- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,10 @@ +### Proposed changes +Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) here in this description (not in the title of the PR). + +### Checklist +Before creating a PR, run through this checklist and mark each as complete. + +- [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/CONTRIBUTING.md) document +- [ ] I have added Molecule tests that prove my fix is effective or that my feature works +- [ ] I have checked that all Molecule tests pass after adding my changes +- [ ] I have updated any relevant documentation (`defaults/main.yml`, `README.md` and `CHANGELOG.md`) diff --git a/.gitignore b/.gitignore index 7fbff3a2..de257811 100644 --- a/.gitignore +++ b/.gitignore @@ -36,6 +36,3 @@ default.pem # Scratch Directory scratch/ - -# nginx keys -sample-playbook/license/nginx-repo.* diff --git a/.travis.yml b/.travis.yml index 36bbf620..4acd3628 100644 --- a/.travis.yml +++ b/.travis.yml 
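Review bot: Dropping the `sample-playbook/license/nginx-repo.*` rule leaves nothing in `.gitignore` covering the NGINX Plus repository certificate and key, which this same change relocates to `files/license/` (the `.gitkeep` rename further down) and which `molecule/default/converge.yml` now expects at `license/nginx-repo.crt` / `license/nginx-repo.key`. A contributor who drops real credentials there to run Molecule is one `git add .` away from publishing them, and the `default.pem` entry just above shows the file already intends to exclude this class of material. Replace the deleted rule instead of removing it, e.g. `files/license/nginx-repo.*` plus, if the scenario resolves that path relative to itself rather than the role's `files/` directory, `molecule/default/license/nginx-repo.*`.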
@@ -1,29 +1,23 @@ --- language: python -python: "2.7" - -# Use the new container infrastructure -sudo: false - -# Install ansible -addons: - apt: - packages: - - python-pip - +services: docker +jobs: + include: + - name: "Lint role" + env: + scenario: default +before_install: + - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - + - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" + - sudo apt-get update + - sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce install: - # Install ansible - - pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - + - pip install ansible==2.9.13 + - pip install ansible-lint==4.3.4 + - pip install yamllint==1.24.2 + - pip install molecule==3.0.8 + - pip install docker==4.3.1 script: - # Basic role syntax check - - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - + - travis_wait 50 molecule lint -s $scenario notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/.yamllint b/.yamllint index 88276760..99e86302 100644 --- a/.yamllint +++ b/.yamllint @@ -1,5 +1,4 @@ --- -# Based on ansible-lint config extends: default rules: @@ -9,25 +8,6 @@ rules: brackets: max-spaces-inside: 1 level: error - colons: - max-spaces-after: -1 - level: error - commas: - max-spaces-after: -1 - level: error - comments: disable comments-indentation: disable - document-start: disable - empty-lines: - max: 3 - level: error - hyphens: - level: error - indentation: disable - key-duplicates: enable line-length: disable - new-line-at-end-of-file: disable - new-lines: - type: unix - trailing-spaces: disable truthy: disable diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..5493a4dc 
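Review bot: The new `before_install` step pipes whatever `curl` returns from `download.docker.com` straight into `sudo apt-key add -` with no fingerprint check, so a tampered or intercepted download would be installed as a trusted package signer for the build host. Either drop the block (`services: docker` already provisions a Docker engine on Travis, and nothing in the diff shows a need for a newer one) or follow the import with `sudo apt-key fingerprint` compared against the fingerprint published in Docker's install documentation, failing the job on mismatch. The removed `python: "2.7"` line is not replaced, so the job now runs on Travis's default interpreter; molecule 3.x and ansible-lint 4.3 are Python 3 tools as far as I recall, so pin `python: "3.8"` (or whichever version the role targets) explicitly. The `script` step only lints, which the CHANGELOG already acknowledges.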
--- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,30 @@ +# Changelog + +## 0.2.0 (September 10, 2020) + +BREAKING CHANGES: + +* All of the variables have been updated to prevent naming collisions when using other roles. Please see README.MD for new variable names. +* Example playbook has been removed by collection authors in favor of using the Molecule configuration as a 'known-working' implementation. + +ENHANCEMENTS: + +* Huge refactoring by @alessfg to better unify this role with the structures present in the other nginxinc Ansible roles. +* Update Ansible to 2.9.13 and Ansible Lint to 4.3.4. +* Explicitly defined mode in relevant tasks for breaking changes in Ansible. +* Role refactored to separate install and configure operations in preparation for an upcoming role split. + +FEATURES: + +* Molecule 3 testing foundation is in the project, and linting is being performed by TravisCI. Now time to write tests! + +BUG FIXES: + +* The CentOS, RHEL, Debian and Ubuntu repositories have slightly changed to respond to a NAP repository deprecation activity. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source. +* The RHEL and CentOS repository setups were incorrectly using a static gpgkey instead of using the variable as a source. + +## 0.1.0 (September 9, 2020) + +Supports App Protect 2.0, which brings a number of features including support for Ubuntu 18.04. + +Release notes for NGINX App Protect 2.0: docs.nginx.com/nginx-app-protect/releases/#release-2-0 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 92d05427..c46249ab 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -14,25 +14,25 @@ The following is a set of guidelines for contributing to the NGINX App Protect A * [Git Guidelines](#git-guidelines) * [Ansible Guidelines](#ansible-guidelines) -[Code of Conduct](CODE_OF_CONDUCT.md) +[Code of Conduct](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/CODE_OF_CONDUCT.md) ## Ask a Question -Please open an Issue on GitHub with the label `question`. +Don't know how something works? Curious if the role can achieve your desired functionality? Please open an Issue on GitHub with the label `question`. ## Getting Started -Follow our [Installation Guide](README.md#Installation) to install Ansible and Molecule and get ready to use the NGINX App Protect Ansible role. +Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/README.md#Installation) to install Ansible and Molecule and get ready to use the NGINX Ansible role. ### Project Structure -* The NGINX App Protect Ansible role is written in `yaml` and supports open source NGINX Plus. +* The NGINX Ansible role is written in `yaml` and supports NGINX App Protect. * The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html) - * The main code is found at `tasks/` - * The main variables can be found at `defaults/main/` - * Configuration templates for NGINX can be found at `templates/` + * The main code is found in `tasks/` + * The main variables can be found in `defaults/main.yml` + * Configuration templates for NGINX Plus and NGINX App Protect can be found in `templates/` * [Molecule](https://molecule.readthedocs.io/) tests can be found in `molecule/`. - * CI/CD is done via Travis using `.travis.yml` Deployment yaml files, and Helm files are found at `deployments/` + * CI/CD is done via Travis using `.travis.yml` deployment yaml files ## Contributing 
@@ -46,27 +46,27 @@ To suggest an enhancement, please create an issue on GitHub with the label `enha ### Open a Pull Request -* Fork the repo, create a branch, submit a PR when your changes are tested and ready for review -* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/master/.github/PULL_REQUEST_TEMPLATE.md) +* Fork the repo, create a branch, submit a PR when your changes are **tested** (ideally using Molecule) and ready for review +* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/.github/PULL_REQUEST_TEMPLATE.md) Note: if you’d like to implement a new feature, please consider creating a feature request issue first to start a discussion about the feature. ## Code Guidelines +### Ansible Guidelines + +* Run `molecule lint` over your code to automatically resolve a lot of `yaml` and Ansible style issues. +* Run `molecule test --all` on your code before you submit a PR to catch any potential issues. +* Follow these guides on some good practices for Ansible: + * + * + ### Git Guidelines * Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR -* Follow the guidelines of writing a good commit message as described here and summarized in the next few points +* Follow the guidelines of writing a good commit message as described here and summarised in the next few points * In the subject line, use the present tense ("Add feature" not "Added feature") * In the subject line, use the imperative mood ("Move cursor to..." 
not "Moves cursor to...") * Limit the subject line to 72 characters or less * Reference issues and pull requests liberally after the subject line * Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`) - -### Ansible Guidelines - -* Run `molecule lint` over your code to automatically resolve a lot of `yaml` and Ansible style issues. -* Run `molecule test --all` on your code to catch any other issues. -* Follow these guides on some good practices for Ansible: - * - * diff --git a/README.md b/README.md index 4d99b36a..3b2e833f 100644 --- a/README.md +++ b/README.md @@ -3,8 +3,8 @@ NGINX App Protect Ansible Role ============================== - - +[![Ansible Galaxy](https://img.shields.io/badge/galaxy-nginxinc.nginx-5bbdbf.svg)](https://galaxy.ansible.com/nginxinc/nginx_app_protect) +[![Build Status](https://travis-ci.org/nginxinc/ansible-role-nginx-app-protect.svg?branch=main)](https://travis-ci.org/nginxinc/ansible-role-nginx-app-protect) This role installs and configures NGINX App Protect (WAF) for NGINX Plus on your target host. 
@@ -41,171 +41,63 @@ The NGINX App Protect Ansible role supports all platforms supported by [NGINX Pl ```yaml CentOS: - versions: - - 7.4 - - 7.5 - - 7.6 - - 7.7 - - 7.8 - - 8.0 - - 8.1 - - 8.2 + - 7.4+ RHEL: - versions: - - 7.4 - - 7.5 - - 7.6 - - 7.7 - - 7.8 - - 8.0 - - 8.1 - - 8.2 + - 7.4+ Debian: - versions: - - 9.0 - - 9.1 - - 9.2 - - 9.3 - - 9.4 - - 9.5 - - 9.6 - - 9.7 - - 9.8 - - 9.9 - - 9.10 - - 9.11 - - 9.12 + - 9 Ubuntu: - versions: - - 18.04 + - 18.04 ``` Role Variables -------------- -This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[defaults/main.yml](./defaults/main.yml)`**. +This role has multiple variables. The descriptions and defaults for all these variables can be found in the **`defaults`** directory in the following files: +- **[defaults/main.yml](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/defaults/main.yml)**: NGINX App Protect installation and configuration variables + +Similarly, descriptions and defaults for preset variables can be found in the **`vars`** directory in the following files: + +- **[vars/main.yml](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/vars/main.yml):** List of supported NGINX App Protect platforms Dependencies ------------ -- Since this role uses the [package_facts](https://docs.ansible.com/ansible/latest/modules/package_facts_module.html) module, on debian-based systems the `python-apt` package must be installed on targeted hosts. +- Since this role uses the [package_facts](https://docs.ansible.com/ansible/latest/modules/package_facts_module.html) module, on debian-based systems the `python-apt` package must be installed on targeted hosts. -- If NGINX+ is *not* already installed on the system, this role will install the version of NGINX+ that is dependent on the version of NGINX App Protect set with the `app_protect_version` variable. 
If none is specified, the latest version of NGINX+ and NGINX App Protect will be installed. +- If NGINX Plus is *not* already installed on the system, this role will install the version of NGINX Plus that is dependent on the version of NGINX App Protect set with the `nginx_app_protect_version` variable. If none is specified, the latest version of NGINX Plus and NGINX App Protect will be installed. -- When using the `app_protect_version` variable, a specific version of NGINX+ must already be installed on the target system. +- When using the `nginx_app_protect_version` variable, a specific version of NGINX Plus must already be installed on the target system. Example Playbook ---------------- +A working functional playbook example can be found in the **`molecule/default`** directory in the following file: -This is a sample playbook file for using the role to install NGINX App Protect on NGINX Plus and configure it using basic settings to all `wafs` inventory hosts. - -A copy of this is in the sample-playbook directory in this repo. - -First create a file for all the variables as `nginx-app-protect-vars.yml` -```yaml ---- - - # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect. - # Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution. - # Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install. - # Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'app_protect_version') of NGINX App Protect on every playbook execution. - # Using 'absent' will remove NGINX App Protect from your system. - # Default is present. 
- app_protect_state: present - - # OPTIONAL: Installs a specific version of NGINX App Protect - app_protect_version: 22 - - # The installation of NGINX App Protect includes a base signature set, which may be out of date. - # This option installs the latest NGINX App Protect signatures. - app_protect_install_signatures: true - - # The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called Threat Campaigns. - # This option installs the latest NGINX App Protect Threat Campaigns signatures. - app_protect_install_threat_campaigns: true - - # Creates basic configuration files and enables NGINX App Protect on the target host - app_protect_configure: true - - # Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete. - app_protect_delete_license: true - - # If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos. - # Otherwise, it will source packages from CentOS' repositories. - app_protect_use_rhel_subscription_repos: false - - # For use with the app_protect_configure option to determine if the default security policy will be written to the target host - # Used when `app_protect_configure: true`. - app_protect_security_policy_template_enable: true - - # Default app protect enforcement mode. Values can be `blocking` or `transparent`. - # Used when `app_protect_configure: true` and `app_protect_security_policy_template_enable: true`. - security_policy_enforcement_mode: blocking - - # For use with the app_protect_configure option to determine if the default log policy will be written to the target host. - # Used when `app_protect_configure: true`. - app_protect_log_policy_template_enable: true - - # Which violation types to log. Possible values: all, illegal, blocked - # Used when `app_protect_configure: true` and `app_protect_log_policy_template_enable: true`. 
- log_policy_filter_request_type: all - - # For use with the app_protect_configure option to determine if the sample nginx.conf will be written to the target host. - # Since this can be dangerous, this value is default to false in the role defaults. - # Used when `app_protect_configure: true`. - nginx_conf_template_enable: true - - # For use with the app_protect_configure option to determine the syslog target to be injected - # into the default log policy that will be written to the target host. - # Used when `nginx_conf_template_enable: true`. - log_policy_syslog_target: 10.1.1.8:5144 - - # DEPRECATED: A proxy pass workload used in the sample nginx.conf for demo purposes. - # Will be removed from this role in the future. - # Used when `nginx_conf_template_enable: true`. - nginx_demo_workload: http://10.1.10.105:8080 - - # The location of the certificate and key to be used when downloading the packages onto the host - nginx_license: - certificate: "{{playbook_dir}}/license/nginx-repo.crt" - key: "{{playbook_dir}}/license/nginx-repo.key" - -``` - -This is a sample playbook file for deploying the Ansible Galaxy NGINX App Protect role in a localhost and installing NGINX App Protect on NGINX Plus. - -```yaml ---- -- hosts: wafs - remote_user: centos - pre_tasks: - - name: load the vars - include_vars: - file: "{{playbook_dir}}/nginx-app-protect-vars.yml" - roles: - - nginxinc.nginx_app_protect -``` - - -To run any of the above sample playbooks create a `nginx-app-protect-playbook.yml` file and paste the contents. Executing the Ansible Playbook is then as simple as executing `ansible-playbook nginx-app-protect-playbook.yml -b -i inventory`. - -Alternatively, you can also clone this repository instead of installing it from Ansible Galaxy. If you decide to do so, replace the role variable in the previous sample playbooks from `nginxinc.nginx_app_protect` to `ansible-role-nginx-app-protect`. 
+- **[molecule/default/converge.yml](https://github.com/nginxinc/ansible-role-nginx-app_protect/blob/main/molecule/default/converge.yml):** Install and configure NGINX App Protect Other NGINX Roles ----------------- +You can find an Ansible role to install NGINX [here](https://github.com/nginxinc/ansible-role-nginx) + +You can find an Ansible role to configure NGINX [here](https://github.com/nginxinc/ansible-role-nginx-config) + You can find an Ansible collection of roles to help you install and configure NGINX Controller [here](https://github.com/nginxinc/ansible-collection-nginx_controller) +You can find an Ansible role to install NGINX Unit [here](https://github.com/nginxinc/ansible-role-nginx-unit) + License ------- -[Apache License, Version 2.0](LICENSE) +[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/LICENSE) Author Information ------------------ [Daniel Edgar](https://github.com/aknot242) +[Alessandro Fael Garcia](https://github.com/alessfg) + © [F5 Networks, Inc.](https://www.f5.com/) 2020 diff --git a/defaults/main.yml b/defaults/main.yml index 4a104394..b2e25916 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,115 +1,75 @@ --- -# defaults file for ansible-role-nginx-app-protect - # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect. -# Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution. -# Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install. -# Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'app_protect_version') of NGINX App Protect on every playbook execution. +# Can be used with `nginx_app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution. +# Using 'present' will install the latest version (or 'nginx_app_protect_version') of NGINX App Protect on a fresh install. +# Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'nginx_app_protect_version') of NGINX App Protect on every playbook execution. # Using 'absent' will remove NGINX App Protect from your system. # Default is present. -app_protect_state: present +nginx_app_protect_state: present # # OPTIONAL: Installs a specific version of NGINX App Protect -# app_protect_version: 22 +# nginx_app_protect_version: 22 -# The installation of NGINX App Protect includes a base signature set, which may be out of date. +# The installation of NGINX App Protect includes a base signature set, which may be out of date. # This option installs the latest NGINX App Protect signatures. -app_protect_install_signatures: true +nginx_app_protect_install_signatures: true # The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called Threat Campaigns. # This option installs the latest NGINX App Protect Threat Campaigns signatures. 
-app_protect_install_threat_campaigns: false +nginx_app_protect_install_threat_campaigns: false # Creates basic configuration files and enables NGINX App Protect on the target host -app_protect_configure: false +nginx_app_protect_configure: false # Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete. -app_protect_delete_license: true +nginx_app_protect_delete_license: true # If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos. # Otherwise, it will source packages from CentOS' repositories. -app_protect_use_rhel_subscription_repos: false +nginx_app_protect_use_rhel_subscription_repos: false + +# Choose where to fetch the NGINX App Protect and Security Updates signing keys from. +# Default settings are the official NGINX signing key hosts. +nginx_app_protect_signing_keys: + nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key + app_protect: https://cs.nginx.com/static/keys/app-protect.key + security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key # Start/Restart NGINX service when App Protect related changes are complete. # Default is true. -nginx_start: true +nginx_app_protect_start: true -# Increase NGINX service timeout to accomdate ruleset loading from default 90s -nginx_timeout: 180 +# Increase NGINX service timeout to accommodate ruleset loading from default 90s +nginx_app_protect_timeout: 180 # App Protect Temporary Directory to use (Default: /tmp) -app_protect_tempdir: /tmp - -# Choose where to fetch the NGINX signing key from. -# Default is the official NGINX signing key host. -# nginx_signing_key: https://cs.nginx.com/static/keys/nginx_signing.key - -# Choose where to fetch the NGINX App Protect signing key from. -# Default is the official NGINX App Protect signing key host. 
-# app_protect_signing_key: https://cs.nginx.com/static/keys/app-protect.key - -# populate this dictionary of lists with appropriate values from the ansible_distribution and ansible_distribution_version facts -app_protect_linux_families: - CentOS: - - 7.4 - - 7.5 - - 7.6 - - 7.7 - - 7.8 - - 8.0 - - 8.1 - - 8.2 - RedHat: - - 7.4 - - 7.5 - - 7.6 - - 7.7 - - 7.8 - - 8.0 - - 8.1 - - 8.2 - Debian: - - 9.0 - - 9.1 - - 9.2 - - 9.3 - - 9.4 - - 9.5 - - 9.6 - - 9.7 - - 9.8 - - 9.9 - - 9.10 - - 9.11 - - 9.12 - Ubuntu: - - 18.04 - -app_protect_security_policy_template_enable: true -app_protect_security_policy_template: +nginx_app_protect_tempdir: /tmp + +nginx_app_protect_security_policy_template_enable: true +nginx_app_protect_security_policy_template: template_file: app-protect-security-policy.j2 out_file_name: app-protect-security-policy.json out_file_location: /etc/nginx/ -app_protect_log_policy_template_enable: true -app_protect_log_policy_template: +nginx_app_protect_log_policy_template_enable: true +nginx_app_protect_log_policy_template: template_file: app-protect-log-policy.j2 out_file_name: app-protect-log-policy.json out_file_location: /etc/nginx/ -nginx_conf_template_enable: false -nginx_conf_template: +nginx_app_protect_conf_template_enable: false +nginx_app_protect_conf_template: template_file: nginx.conf.j2 out_file_name: nginx.conf out_file_location: /etc/nginx/ # possible values: transparent, blocking -security_policy_enforcement_mode: transparent +nginx_app_protect_security_policy_enforcement_mode: transparent # possible values: all, illegal, blocked -log_policy_filter_request_type: all +nginx_app_protect_log_policy_filter_request_type: all -log_policy_syslog_target: 127.0.0.1:514 +nginx_app_protect_log_policy_syslog_target: 127.0.0.1:514 -nginx_demo_workload_protocol: http:// -nginx_demo_workload_host: 10.1.1.1:8080 +nginx_app_protect_demo_workload_protocol: http:// +nginx_app_protect_demo_workload_host: 10.1.1.1:8080 
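Review bot: The new `nginx_app_protect_signing_keys` mapping makes all three key sources user-overridable without saying what they guard: by their names these are the repository signing keys the install tasks (outside this diff) import, i.e. what authenticates the NGINX Plus, App Protect and signature-update packages, so pointing one at an `http://` URL or an arbitrary mirror silently removes package-signature trust rather than merely changing a download location. Add that caveat above the mapping, e.g. `# These keys verify every package the role installs; keep the URLs on HTTPS and only point them at a mirror you control.` The same consideration applies to `nginx_app_protect_tempdir: /tmp` — if the role stages downloaded keys or policy files there (not visible here), a shared world-writable directory is a weak default and the comment should say so, or the default should move under a role-owned directory.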
diff --git a/sample-playbook/license/add-license-cert-here b/files/license/.gitkeep similarity index 100% rename from sample-playbook/license/add-license-cert-here rename to files/license/.gitkeep diff --git a/handlers/main.yml b/handlers/main.yml index 2f70488a..6314b1f6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,25 +1,22 @@ --- -# handlers file for ansible-role-nginx-app-protect -- name: "(Handler: All OSs) Check NGINX" +- name: (Handler) Check NGINX command: "nginx -t" changed_when: false -- name: "(Handler: All OSs) Run NGINX" +- name: (Handler) Run NGINX block: - - - name: "(Handler: All OSs) Start NGINX" + - name: (Handler) Start NGINX service: name: nginx state: started enabled: true - notify: "(Handler: All OSs) Check NGINX" + notify: (Handler) Check NGINX - - name: "(Handler: All OSs) Restart NGINX" + - name: (Handler) Restart NGINX service: name: nginx state: restarted changed_when: false - when: - - nginx_start | bool + - nginx_app_protect_start | bool - not ansible_check_mode diff --git a/meta/main.yml b/meta/main.yml index fe4cf224..9ce6d257 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -12,7 +12,6 @@ galaxy_info: - name: EL versions: - 7 - - 8 - name: Debian versions: - stretch diff --git a/molecule/Dockerfile.j2 b/molecule/Dockerfile.j2 new file mode 100644 index 00000000..39f9fd69 --- /dev/null +++ b/molecule/Dockerfile.j2 
@@ -0,0 +1,43 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +RUN \ + if [ $(command -v apt-get) ]; then \ + apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv \ + && apt-get clean; \ + elif [ $(command -v dnf) ]; then \ + dnf makecache \ + && dnf --assumeyes install bash iproute /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config \ + && dnf clean all; \ + elif [ $(command -v yum) ]; then \ + yum makecache fast \ + && yum install -y bash iproute /usr/bin/python /usr/bin/python2-config sudo yum-plugin-ovl \ + && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \ + && yum clean all; \ + elif [ $(command -v zypper) ]; then \ + zypper refresh \ + && zypper install -y bash iproute2 python3 sudo \ + && zypper clean -a; \ + elif [ $(command -v apk) ]; then \ + apk update \ + && apk add --no-cache bash ca-certificates curl openrc python3 sudo; \ + echo 'rc_provide="loopback net"' >> /etc/rc.conf; \ + elif [ $(command -v xbps-install) ]; then \ + xbps-install -Syu \ + && xbps-install -y bash ca-certificates iproute2 python3 sudo \ + && xbps-remove -O; \ + fi diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst deleted file mode 100644 index d926ca25..00000000 --- a/molecule/default/INSTALL.rst +++ /dev/null 
@@ -1,22 +0,0 @@ -******* -Docker driver installation guide -******* - -Requirements -============ - -* Docker Engine - -Install -======= - -Please refer to the `Virtual environment`_ documentation for installation best -practices. If not using a virtual environment, please consider passing the -widely recommended `'--user' flag`_ when invoking ``pip``. - -.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ -.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site - -.. code-block:: bash - - $ python3 -m pip install 'molecule[docker]' diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 5b6f0bf6..2c6757ac 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml 
@@ -1,24 +1,24 @@ --- - name: Converge hosts: all - vars: - app_protect_enable: true - app_protect_install_signatures: true - app_protect_install_threat_campaigns: true - app_protect_configure: true - app_protect_security_policy_template_enable: true - security_policy_enforcement_mode: blocking - app_protect_log_policy_template_enable: true - log_policy_filter_request_type: all - nginx_conf_template_enable: true - log_policy_syslog_target: 10.1.10.105:5144 - nginx_demo_workload_protocol: http:// - nginx_demo_workload_host: 10.1.10.105:8080 - nginx_license: - certificate: "./license/nginx-repo.crt" - key: "./license/nginx-repo.key" - tasks: - - name: "Include ansible-role-nginx-app-protect" + - name: Install NGINX App Protect include_role: - name: "ansible-role-nginx-app-protect" + name: ansible-role-nginx-app-protect + vars: + nginx_app_protect_enable: true + nginx_app_protect_install_signatures: true + nginx_app_protect_install_threat_campaigns: true + nginx_app_protect_configure: true + nginx_app_protect_security_policy_template_enable: true + nginx_app_protect_security_policy_enforcement_mode: blocking + nginx_app_protect_log_policy_template_enable: true + nginx_app_protect_log_policy_filter_request_type: all + nginx_app_protect_conf_template_enable: true + nginx_app_protect_log_policy_syslog_target: 10.1.10.105:5144 + nginx_app_protect_demo_workload_protocol: http:// + nginx_app_protect_demo_workload_host: 10.1.10.105:8080 + nginx_app_protect_license: + certificate: "license/nginx-repo.crt" + key: "license/nginx-repo.key" + nginx_app_protect_delete_license: false diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 7ea599ab..bcc0d489 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
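Review bot: `nginx_app_protect_enable: true` does not match any variable defined in the new `defaults/main.yml` (which exposes `nginx_app_protect_state`, `_configure`, `_install_signatures`, `_start`, ...), so unless `tasks/` reads it — not visible in this diff — it is a dead setting carried over from the old `app_protect_enable` and will mislead readers now that the README points to this file as the reference playbook; confirm it is consumed or drop it. For the same reason `nginx_app_protect_delete_license: false` deserves a comment, since copying this example verbatim leaves the NGINX Plus repo certificate and key on every target: `nginx_app_protect_delete_license: false  # test only: keep the default (true) outside Molecule so the repo cert/key are removed from the host`. The hard-coded `10.1.10.105` syslog and demo-workload targets are presumably unreachable from the Molecule containers, which is fine for a converge but worth a one-line note so nobody treats them as working values.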
@@ -1,18 +1,31 @@ --- -dependency: - name: galaxy driver: name: docker +lint: | + set -e + yamllint . + ansible-lint --force-color platforms: - name: centos-7 - image: docker.io/pycontribs/centos:7 - pre_build_image: true + image: centos:7 + dockerfile: ../Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" + - name: ubuntu-bionic + image: ubuntu:bionic + dockerfile: ../Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: debian-stretch + image: debian:stretch-slim + dockerfile: ../Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible - log: true -verifier: - name: ansible -lint: | - yamllint . - ansible-lint - flake8 diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index a82dd6fd..643ca8f5 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -1,9 +1,19 @@ --- -# This is an example playbook to execute Ansible tests. - - name: Verify hosts: all tasks: - - name: Example assertion - assert: - that: true + - name: Check if NGINX is installed + package: + name: nginx-plus + check_mode: yes + register: install + failed_when: (install is changed) or (install is failed) + + - name: Check if NGINX service is running + service: + name: nginx + state: started + enabled: yes + check_mode: yes + register: service + failed_when: (service is changed) or (service is failed) diff --git a/sample-playbook/README.md b/sample-playbook/README.md deleted file mode 100644 index ec409f05..00000000 --- a/sample-playbook/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# ansible-nap - -## Usage - -install galaxy role: - -`ansible-galaxy install nginxinc.nginx_app_protect` - -install app protect - -`ansible-playbook nginx-app-protect-ansible-playbook.yml -b -i inventory` 
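Review bot: `Check if NGINX is installed` and `Check if NGINX service is running` in verify.yml use `check_mode: yes` and `enabled: yes`, YAML 1.1 truthy spellings that the `yamllint .` step added to molecule.yml in this same line will flag; `true` is the canonical form. The verify play only checks `nginx-plus` and the `nginx` service, not the `app-protect` package the converge play installs or the signature packages it enables, so a regression in the role's own install step would still pass; a second `package:` check in `check_mode` for `app-protect` would cover it. The molecule.yml hunk runs every platform `privileged: true` with `/sys/fs/cgroup` mounted `rw`, which is the usual systemd-in-container requirement, but a one-line comment saying so would keep it from being copied into non-test configs.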
diff --git a/sample-playbook/inventory b/sample-playbook/inventory
deleted file mode 100644
index 8d899bbe..00000000
--- a/sample-playbook/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-[wafs]
-centos-nap1 ansible_user=centos
diff --git a/sample-playbook/nginx-app-protect-playbook.yml b/sample-playbook/nginx-app-protect-playbook.yml
deleted file mode 100644
index 34c06593..00000000
--- a/sample-playbook/nginx-app-protect-playbook.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: wafs
- remote_user: centos
- pre_tasks:
- - name: load the vars
- include_vars:
- file: "{{playbook_dir}}/nginx-app-protect-vars.yml"
- roles:
- - nginxinc.nginx_app_protect
\ No newline at end of file
diff --git a/sample-playbook/nginx-app-protect-vars.yml b/sample-playbook/nginx-app-protect-vars.yml
deleted file mode 100644
index eb3b1757..00000000
--- a/sample-playbook/nginx-app-protect-vars.yml
+++ /dev/null
@@ -1,69 +0,0 @@ - - # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect. - # Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution. - # Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install. - # Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'app_protect_version') of NGINX App Protect on every playbook execution. - # Using 'absent' will remove NGINX App Protect from your system. - # Default is present. - app_protect_state: present - - # OPTIONAL: Installs a specific version of NGINX App Protect - #app_protect_version: 22 - - # The installation of NGINX App Protect includes a base signature set, which may be out of date. - # This option installs the latest NGINX App Protect signatures. - app_protect_install_signatures: true - - # The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called Threat Campaigns. - # This option installs the latest NGINX App Protect Threat Campaigns signatures. - app_protect_install_threat_campaigns: true - - # Creates basic configuration files and enables NGINX App Protect on the target host - app_protect_configure: true - - # Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete. - app_protect_delete_license: true - - # If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos. - # Otherwise, it will source packages from CentOS' repositories. - app_protect_use_rhel_subscription_repos: false - - # For use with the app_protect_configure option to determine if the default security policy will be written to the target host - # Used when `app_protect_configure: true`. 
- app_protect_security_policy_template_enable: true - - # Default app protect enforcement mode. Values can be `blocking` or `transparent`. - # Used when `app_protect_configure: true` and `app_protect_security_policy_template_enable: true`. - security_policy_enforcement_mode: blocking - - # For use with the app_protect_configure option to determine if the default log policy will be written to the target host. - # Used when `app_protect_configure: true`. - app_protect_log_policy_template_enable: true - - # Which violation types to log. Possible values: all, illegal, blocked - # Used when `app_protect_configure: true` and `app_protect_log_policy_template_enable: true`. - log_policy_filter_request_type: all - - # For use with the app_protect_configure option to determine if the sample nginx.conf will be written to the target host. - # Since this can be dangerous, this value is default to false in the role defaults. - # Used when `app_protect_configure: true`. - nginx_conf_template_enable: true - - # For use with the app_protect_configure option to determine the syslog target to be injected - # into the default log policy that will be written to the target host. - # Used when `nginx_conf_template_enable: true`. - log_policy_syslog_target: 10.0.0.2:514 - - # DEPRECATED: A proxy pass workload used in the sample nginx.conf for demo purposes. - # Will be removed from this role in the future. - # Used when `nginx_conf_template_enable: true`. - nginx_demo_workload: http://10.0.0.3:88 - - # The location of the certificate and key to be used when downloading the packages onto the host - nginx_license: - certificate: "{{playbook_dir}}/license/nginx-repo.crt" - key: "{{playbook_dir}}/license/nginx-repo.key" - - # upstream target: - nginx_demo_workload_protocol: http:// - nginx_demo_workload_host: 10.1.1.1:8080 \ No newline at end of file diff --git a/tasks/config/configure-app-protect.yml b/tasks/config/configure-app-protect.yml new file mode 100644 index 00000000..ddd98f16 
--- /dev/null
+++ b/tasks/config/configure-app-protect.yml
@@ -0,0 +1,66 @@ +--- +- name: "Ensure NGINX main directory exists" + file: + path: "{{ nginx_app_protect_conf_template.out_file_location }}" + state: directory + mode: 0755 + when: nginx_app_protect_security_policy_template_enable | bool + or nginx_app_protect_log_policy_template_enable | bool + or nginx_app_protect_conf_template_enable | bool + +- name: "Dynamically generate NGINX App Protect security policy file" + template: + src: "{{ nginx_app_protect_security_policy_template.template_file }}" + dest: "{{ nginx_app_protect_security_policy_template.out_file_location }}{{ nginx_app_protect_security_policy_template.out_file_name }}" + mode: 0644 + backup: true + when: nginx_app_protect_security_policy_template_enable | bool + +- name: "Dynamically generate NGINX App Protect log policy file" + template: + src: "{{ nginx_app_protect_log_policy_template.template_file }}" + dest: "{{ nginx_app_protect_log_policy_template.out_file_location }}{{ nginx_app_protect_log_policy_template.out_file_name }}" + mode: 0644 + backup: true + when: nginx_app_protect_log_policy_template_enable | bool + +- name: Backup existing nginx.conf + copy: + src: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}" + dest: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}.orig" + remote_src: true + mode: 0644 + when: nginx_app_protect_conf_template_enable | bool + changed_when: false + +- name: Dynamically Generate NGINX conf file + template: + src: "{{ nginx_app_protect_conf_template.template_file }}" + dest: "{{ nginx_app_protect_conf_template.out_file_location }}{{ nginx_app_protect_conf_template.out_file_name }}" + mode: 0644 + when: + - nginx_app_protect_conf_template_enable | bool + - nginx_app_protect_state != "absent" + +- name: Remove NGINX App Protect + block: + - name: Comment out NGINX App Protect module reference in nginx.conf + replace: + path: /etc/nginx/nginx.conf + 
regexp: '^([ \t]*load_module.*ngx_http_app_protect_module.so;)' + replace: '# \1' + + - name: Comment out NGINX App Protect directives in nginx.conf + replace: + path: /etc/nginx/nginx.conf + regexp: '^([ \t]*app_protect_)' + replace: '# \1' + when: nginx_app_protect_state == "absent" + +- name: Reload NGINX + debug: + msg: Trigger nginx reload if needed + notify: (Handler) Restart NGINX + when: nginx_app_protect_security_policy_template_enable | bool + or nginx_app_protect_log_policy_template_enable | bool + or nginx_app_protect_conf_template_enable | bool diff --git a/tasks/configure-app-protect.yml b/tasks/configure-app-protect.yml deleted file mode 100644 index 37f91e22..00000000 --- a/tasks/configure-app-protect.yml +++ /dev/null 
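Review bot: The closing `Reload NGINX` task is the only task in this file that carries `notify: (Handler) Restart NGINX`, and it hangs that notify on a `debug` module, which never reports a change; as far as I can tell the restart handler is therefore never triggered from this file, so a regenerated policy or nginx.conf is written but not reloaded. Either add `changed_when: true` to that task, or drop it and put `notify: (Handler) Restart NGINX` directly on the three `template` tasks so the handler fires exactly when a file changes. The `mode: 0755` / `mode: 0644` values are unquoted octals that YAML 1.1 loads as integers; the deleted file quoted them (`mode: "0644"`) and keeping the quotes avoids parser-dependent surprises. `Backup existing nginx.conf` will fail on a host where the destination file does not yet exist, so guarding it with a `stat` result would keep a first run from failing.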
@@ -1,62 +0,0 @@ ---- -- name: "Ensure NGINX Main Directory Exists" - file: - path: "{{ nginx_conf_template.out_file_location }}" - state: directory - when: app_protect_security_policy_template_enable or app_protect_log_policy_template_enable or nginx_conf_template_enable - -- name: Backup existing nginx.conf - copy: - src: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}" - dest: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}.orig" - remote_src: true - when: nginx_conf_template_enable - changed_when: false - -- name: "Dynamically Generate NGINX App Protect security policy file" - template: - src: "{{ app_protect_security_policy_template.template_file }}" - dest: "{{ app_protect_security_policy_template.out_file_location }}{{ app_protect_security_policy_template.out_file_name }}" - mode: "0644" - backup: true - when: app_protect_security_policy_template_enable - -- name: "Dynamically Generate NGINX App Protect log policy file" - template: - src: "{{ app_protect_log_policy_template.template_file }}" - dest: "{{ app_protect_log_policy_template.out_file_location }}{{ app_protect_log_policy_template.out_file_name }}" - mode: "0644" - backup: true - when: app_protect_log_policy_template_enable - -- name: "Dynamically Generate NGINX conf file" - template: - src: "{{ nginx_conf_template.template_file }}" - dest: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}" - backup: true - when: - - nginx_conf_template_enable - - app_protect_state != "absent" - -- name: "Remove NGINX App Protect" - block: - - - name: Comment out NGINX App Protect module reference in nginx.conf - replace: - path: /etc/nginx/nginx.conf - regexp: '^([ \t]*load_module.*ngx_http_app_protect_module.so;)' - replace: '# \1' - - - name: Comment out NGINX App Protect directives in nginx.conf - replace: - path: /etc/nginx/nginx.conf - regexp: '^([ \t]*app_protect_)' - replace: '# \1' - - when: 
app_protect_state == "absent" - -- name: "Reload NGINX" - debug: - msg: "trigger nginx reload if needed" - notify: "(Handler: All OSs) Restart NGINX" - when: app_protect_security_policy_template_enable or app_protect_log_policy_template_enable or nginx_conf_template_enable diff --git a/tasks/delete-license.yml b/tasks/delete-license.yml deleted file mode 100644 index 47ef1726..00000000 --- a/tasks/delete-license.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: "(Setup: All OSs) Set NGINX App Protect License State" - set_fact: - key_value: "" # appeasing the linter - nginx_license_status: absent - -- name: "(Setup: All OSs) Delete NGINX App Protect License" - file: - path: /etc/ssl/nginx - state: absent - when: ansible_distribution != "Alpine" - -- import_tasks: setup-debian-repos.yml - when: ansible_os_family == "Debian" - -- import_tasks: setup-redhat-repos.yml - when: ansible_os_family == "RedHat" diff --git a/tasks/install-app-protect-linux.yml b/tasks/install-app-protect-linux.yml deleted file mode 100644 index 0a1d7b3d..00000000 --- a/tasks/install-app-protect-linux.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: "Setup NGINX App Protect Repositories" - block: - - - import_tasks: setup-debian-repos.yml - when: ansible_os_family == "Debian" - - - import_tasks: setup-redhat-repos.yml - when: ansible_os_family == "RedHat" - - when: app_protect_state != "absent" - -- name: "(Install: Linux) Install NGINX App Protect" - package: - name: "app-protect{{ app_protect_version | default('') }}" - state: "{{ app_protect_state }}" - notify: "(Handler: All OSs) Restart NGINX" diff --git a/tasks/install-app-protect.yml b/tasks/install-app-protect.yml deleted file mode 100644 index 712dc7db..00000000 --- a/tasks/install-app-protect.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -- name: Get NGINX Plus version - set_fact: - key_value: "" # appeasing the linter - nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}" - when: "'nginx-plus' in ansible_facts.packages" - -- name: Fail if existing NGINX+ version preconditions fail - assert: - that: - - nginx_plus_version | int >= 19 - fail_msg: > - "'nginx_plus_version' release version must be a minimum of 19 for App Protect. - Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}" - success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}" - quiet: true - when: nginx_plus_version is defined - -- name: "(Install: Linux) Create override for NGINX Plus service" - file: - path: /etc/systemd/system/nginx.service.d - state: directory - mode: '0755' - when: nginx_timeout is defined - -- name: "(Install: Linux) Increase timeout for NGINX Plus Service" - template: - src: nginx.service.override.conf.j2 - dest: /etc/systemd/system/nginx.service.d/override.conf - owner: root - group: root - mode: '0644' - when: nginx_timeout is defined - -- name: "(Install: Linux) Install NGINX Plus" - import_tasks: install-app-protect-linux.yml diff --git a/tasks/install-threat-campaigns.yml b/tasks/install-threat-campaigns.yml deleted file mode 100644 index 6b678747..00000000 --- a/tasks/install-threat-campaigns.yml +++ /dev/null 
@@ -1,23 +0,0 @@
----
-- name: Get NGINX Plus version
- set_fact:
- key_value: "" # appeasing the linter
- nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}"
- when: "'nginx-plus' in ansible_facts.packages"
-
-- name: Fail if NGINX+ version preconditions fail
- assert:
- that:
- - nginx_plus_version | int >= 19
- fail_msg: >
- "'nginx_plus_version' release version must be a minimum of 19 for App Protect.
- Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
- success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
- quiet: true
- when: nginx_plus_version is defined
-
-- name: "(Install: Linux) Install Latest NGINX App Protect Threat Campaigns"
- package:
- name: "app-protect-threat-campaigns"
- state: "{{ app_protect_state }}"
- notify: "(Handler: All OSs) Restart NGINX"
\ No newline at end of file
diff --git a/tasks/install/delete-license.yml b/tasks/install/delete-license.yml
new file mode 100644
index 00000000..4e668094
--- /dev/null
+++ b/tasks/install/delete-license.yml
@@ -0,0 +1,17 @@
+---
+- name: Set NGINX App Protect license state
+ set_fact:
+ nginx_app_protect_license_status: absent
+
+- name: Delete NGINX App Protect license
+ file:
+ path: /etc/ssl/nginx
+ state: absent
+
+- name: Delete Debian repository data
+ include_tasks: "{{ role_path }}/tasks/install/setup-debian-repos.yml"
+ when: ansible_os_family == "Debian"
+
+- name: Delete Red Hat repository data
+ include_tasks: "{{ role_path }}/tasks/install/setup-redhat-repos.yml"
+ when: ansible_os_family == "RedHat"
diff --git a/tasks/install/install-app-protect.yml b/tasks/install/install-app-protect.yml
new file mode 100644
index 00000000..005438c5
--- /dev/null
+++ b/tasks/install/install-app-protect.yml
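Review bot: `Set NGINX App Protect license state` in delete-license.yml stores `nginx_app_protect_license_status: absent` with `set_fact`, and facts set that way stay attached to the host for the rest of the playbook run, so a later play that includes `setup-debian-repos.yml` or `setup-redhat-repos.yml` (for example a second application of this role with `nginx_app_protect_state: present`) would inherit `absent` and remove the repositories instead of creating them. Passing the value to the two includes with `vars:` instead of `set_fact`, or resetting it at the end of this file, keeps the removal scoped to this task list. `Delete NGINX App Protect license` removes the whole `/etc/ssl/nginx` directory; a short comment noting that anything else an operator placed there goes with it would help.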
@@ -0,0 +1,48 @@ +--- +- name: Get NGINX Plus version + set_fact: + nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}" + when: "'nginx-plus' in ansible_facts.packages" + +- name: Fail if existing NGINX Plus version preconditions fails + assert: + that: nginx_plus_version | int >= 19 + fail_msg: > + "'nginx_plus_version' release version must be a minimum of 19 for App Protect. + Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}" + success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}" + quiet: true + when: nginx_plus_version is defined + +- name: Create override for NGINX Plus service + file: + path: /etc/systemd/system/nginx.service.d + state: directory + mode: 0755 + when: nginx_app_protect_timeout is defined + +- name: Increase timeout for NGINX Plus service + template: + src: nginx.service.override.conf.j2 + dest: /etc/systemd/system/nginx.service.d/override.conf + owner: root + group: root + mode: 0644 + when: nginx_app_protect_timeout is defined + +- name: Setup NGINX App Protect repositories + block: + - name: Setup Debian repositories + include_tasks: "{{ role_path }}/tasks/install/setup-debian-repos.yml" + when: ansible_os_family == "Debian" + + - name: Setup Red Hat repositories + include_tasks: "{{ role_path }}/tasks/install/setup-redhat-repos.yml" + when: ansible_os_family == "RedHat" + when: nginx_app_protect_state != "absent" + +- name: Install NGINX App Protect + package: + name: "app-protect{{ nginx_app_protect_version | default('') }}" + state: "{{ nginx_app_protect_state }}" + notify: (Handler) Start NGINX diff --git a/tasks/install-signatures.yml b/tasks/install/install-security-updates.yml similarity index 52% rename from tasks/install-signatures.yml rename to tasks/install/install-security-updates.yml index 9b2d855b..652e9410 100644 --- a/tasks/install-signatures.yml 
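Review bot: `Install NGINX App Protect` now notifies `(Handler) Start NGINX`, so when the package task upgrades an already-running install (`nginx_app_protect_state: latest`) the new module is on disk but, presumably, the running nginx keeps the old one loaded until something else restarts it; the removed task notified a restart, and the new file does not appear to cover that case. The version-check pair at the top of this file is duplicated verbatim in `install-security-updates.yml`; a shared task file included from both would keep the `>= 19` threshold in one place. `mode: 0755` and `mode: 0644` are unquoted octals that YAML 1.1 loads as integers; `mode: "0644"` is the safer spelling.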
+++ b/tasks/install/install-security-updates.yml @@ -1,14 +1,12 @@ --- - name: Get NGINX Plus version set_fact: - key_value: "" # appeasing the linter nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}" when: "'nginx-plus' in ansible_facts.packages" -- name: Fail if NGINX+ version preconditions fail +- name: Fail if NGINX Plus version preconditions fail assert: - that: - - nginx_plus_version | int >= 19 + that: nginx_plus_version | int >= 19 fail_msg: > "'nginx_plus_version' release version must be a minimum of 19 for App Protect. Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}" @@ -16,8 +14,16 @@ quiet: true when: nginx_plus_version is defined -- name: "(Install: Linux) Install Latest NGINX App Protect Signatures" +- name: Install latest NGINX App Protect signatures package: - name: "app-protect-attack-signatures" - state: "{{ app_protect_state }}" - notify: "(Handler: All OSs) Restart NGINX" \ No newline at end of file + name: app-protect-attack-signatures + state: "{{ nginx_app_protect_state }}" + when: nginx_app_protect_install_signatures | bool + notify: (Handler) Restart NGINX + +- name: Install latest NGINX App Protect threat campaigns + package: + name: app-protect-threat-campaigns + state: "{{ nginx_app_protect_state }}" + when: nginx_app_protect_install_threat_campaigns | bool + notify: (Handler) Restart NGINX diff --git a/tasks/install/setup-debian-repos.yml b/tasks/install/setup-debian-repos.yml new file mode 100644 index 00000000..f1031dfe --- /dev/null +++ b/tasks/install/setup-debian-repos.yml 
@@ -0,0 +1,42 @@ +--- +- name: Setup Debian and Ubuntu NGINX App Protect repository + apt_repository: + repo: deb [arch=amd64] https://plus-pkgs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus + filename: nginx-app-protect + update_cache: false + state: "{{ nginx_app_protect_license_status | default ('present') }}" + +- name: Setup Debian and Ubuntu NGINX App Protect security updates repository + apt_repository: + repo: deb [arch=amd64] https://app-protect-security-updates.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus + filename: app-protect-security-updates + update_cache: false + state: "{{ nginx_app_protect_license_status | default ('present') }}" + +- name: Setup NGINX App Protect license + blockinfile: + path: /etc/apt/apt.conf.d/90nginx + create: true + block: | + Acquire::https::plus-pkgs.nginx.com::Verify-Peer "true"; + Acquire::https::plus-pkgs.nginx.com::Verify-Host "true"; + Acquire::https::plus-pkgs.nginx.com::SslCert "/etc/ssl/nginx/{{ nginx_app_protect_license.certificate | basename }}"; + Acquire::https::plus-pkgs.nginx.com::SslKey "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}"; + state: "{{ nginx_app_protect_license_status | default ('present') }}" + mode: 0444 + +- name: Setup NGINX App Protect security updates license + blockinfile: + path: /etc/apt/apt.conf.d/90app-protect-security-updates + create: true + block: | + Acquire::https::app-protect-security-updates.nginx.com::Verify-Peer "true"; + Acquire::https::app-protect-security-updates.nginx.com::Verify-Host "true"; + Acquire::https::app-protect-security-updates.nginx.com::SslCert "/etc/ssl/nginx/{{ nginx_app_protect_license.certificate | basename }}"; + Acquire::https::app-protect-security-updates.nginx.com::SslKey "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}"; + state: "{{ nginx_app_protect_license_status | default ('present') }}" + mode: 0444 + +- name: Update APT cache 
+ apt:
+ update_cache: true
diff --git a/tasks/install/setup-license.yml b/tasks/install/setup-license.yml
new file mode 100644
index 00000000..1cdd1e01
--- /dev/null
+++ b/tasks/install/setup-license.yml
@@ -0,0 +1,18 @@
+---
+- name: Setup NGINX App Protect license
+ block:
+ - name: Create SSL directory
+ file:
+ path: /etc/ssl/nginx
+ state: directory
+ mode: 0755
+
+ - name: Copy NGINX App Protect certificate and license key
+ copy:
+ src: "{{ item }}"
+ dest: /etc/ssl/nginx
+ decrypt: true
+ mode: 0444
+ with_items:
+ - "{{ nginx_app_protect_license.certificate }}"
+ - "{{ nginx_app_protect_license.key }}"
diff --git a/tasks/install/setup-redhat-repos.yml b/tasks/install/setup-redhat-repos.yml
new file mode 100644
index 00000000..261aa790
--- /dev/null
+++ b/tasks/install/setup-redhat-repos.yml
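Review bot: Both `blockinfile` tasks in setup-debian-repos.yml combine `create: true` with `state: "{{ nginx_app_protect_license_status | default ('present') }}"`, and when `delete-license.yml` includes this file with the status set to `absent`, a missing `/etc/apt/apt.conf.d/90nginx` or `90app-protect-security-updates` appears to be created as an empty file rather than left alone; tying creation to the present state, `create: "{{ (nginx_app_protect_license_status | default('present')) == 'present' }}"`, avoids the stray file. `mode: 0444` on those tasks is an unquoted octal; `mode: "0444"` is the safer spelling. The closing `Update APT cache` has no `when:` and so also runs on removal, which is correct but deserves a one-line comment.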
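Review bot: `Copy NGINX App Protect certificate and license key` in setup-license.yml writes the repository client key to `/etc/ssl/nginx` with `mode: 0444`, which makes the private key readable by every local account on the host; apt and yum read it as root, so `mode: "0400"` with `owner: root` and `group: root` is sufficient for both items. `decrypt: true` is the module default and can be dropped. `loop:` would match the form already used in `tasks/main.yml` in this same commit, and the single-task `block:` with no `when:` or `rescue:` adds nothing over a flat list.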
@@ -0,0 +1,45 @@ +--- +- name: Get CentOS and Red Hat major version + set_fact: + redhat_major_version: "{{ (ansible_distribution_version | float >= 7.4 and ansible_distribution_version | float < 8.0) + | ternary(ansible_distribution_major_version | int, 7.4) }}" + +- name: Setup CentOS repository + yum_repository: + name: centos + baseurl: >- + http://ftp.heanet.ie/pub/centos/{{ redhat_major_version }}/os/$basearch/ + description: NGINX App Protect Repository + sslclientcert: "/etc/ssl/nginx/{{ nginx_app_protect_license.certificate | basename }}" + sslclientkey: "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}" + enabled: true + gpgcheck: true + gpgkey: >- + http://ftp.heanet.ie/pub/centos/{{ redhat_major_version }}/os/$basearch/RPM-GPG-KEY-CentOS-{{ redhat_major_version }} + state: "{{ nginx_app_protect_license_status | default ('present') }}" + +- name: Setup NGINX App Protect repository + yum_repository: + name: nginx-app-protect + baseurl: >- + https://plus-pkgs.nginx.com/centos/{{ redhat_major_version }}/$basearch/ + description: NGINX App Protect Repository + sslclientcert: "/etc/ssl/nginx/{{ nginx_app_protect_license.certificate | basename }}" + sslclientkey: "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}" + enabled: true + gpgcheck: true + gpgkey: "{{ nginx_app_protect_signing_keys.app_protect }}" + state: "{{ nginx_app_protect_license_status | default ('present') }}" + +- name: Setup NGINX App Protect security updates repository + yum_repository: + name: nginx-app-protect-security-updates + baseurl: >- + https://app-protect-sigs.nginx.com/centos/{{ redhat_major_version }}/$basearch/ + description: NGINX App Protect Security Updates Repository + sslclientcert: "/etc/ssl/nginx/{{ nginx_app_protect_license.certificate | basename }}" + sslclientkey: "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}" + enabled: true + gpgcheck: true + gpgkey: "{{ nginx_app_protect_signing_keys.security_updates }}" + state: "{{ 
nginx_app_protect_license_status | default ('present') }}" diff --git a/tasks/keys/apt-key.yml b/tasks/keys/apt-key.yml index 8cfbe8ea..c8990c1a 100644 --- a/tasks/keys/apt-key.yml +++ b/tasks/keys/apt-key.yml @@ -1,18 +1,12 @@ --- -- name: "(Install: APT OSs) Set APT NGINX Signing Key URL" - set_fact: - key_value: "" # appeasing the linter - nginx_keysite: "{{ nginx_signing_key | default('https://cs.nginx.com/static/keys/nginx_signing.key') }}" - -- name: "(Install: APT OSs) Set APT NGINX App Protect Signing Key URL" - set_fact: - key_value: "" # appeasing the linter - app_protect_keysite: "{{ app_protect_signing_key | default('https://cs.nginx.com/static/keys/app-protect.key') }}" +- name: Add APT NGINX Plus signing key + apt_key: + url: "{{ nginx_app_protect_signing_keys.nginx_plus }}" -- name: "(Install: APT OSs) Add APT NGINX Signing Key" +- name: Add APT NGINX App Protect signing key apt_key: - url: "{{ nginx_keysite }}" + url: "{{ nginx_app_protect_signing_keys.app_protect }}" -- name: "(Install: APT OSs) Add APT NGINX App Protect Signing Key" +- name: Add APT NGINX App Protect security updates signing key apt_key: - url: "{{ app_protect_keysite }}" + url: "{{ nginx_app_protect_signing_keys.security_updates }}" diff --git a/tasks/keys/rpm-key.yml b/tasks/keys/rpm-key.yml index 67112180..bebf2961 100644 --- a/tasks/keys/rpm-key.yml +++ b/tasks/keys/rpm-key.yml 
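Review bot: `Setup CentOS repository` in setup-redhat-repos.yml fetches both `baseurl` and `gpgkey` over plain `http://ftp.heanet.ie/...`, so the key that `gpgcheck: true` relies on arrives over the same unauthenticated channel as the packages it is meant to verify; pointing `gpgkey` at an `https://` location, or at the CentOS key already shipped on the host, restores that guarantee. The `sslclientcert` / `sslclientkey` on that public mirror entry are unused for an http URL and could be dropped, so the license material is referenced only by the two NGINX repositories. The `redhat_major_version` ternary maps any release outside 7.4–8.0 to `7.4`, so on an unexpected release the baseurl silently points at a `7.4` tree; a comment stating the intent would help.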
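Review bot: The three `apt_key` tasks in apt-key.yml import the keys into the system-wide trusted keyring, so every repository the host has configured will accept packages signed by them, and `delete-license.yml` in this commit removes the repositories but not the keys. Passing `keyring:` with a dedicated file under `/etc/apt/trusted.gpg.d/` (a name matching the `filename: nginx-app-protect` used in setup-debian-repos.yml would be consistent) scopes the trust and makes the key removable alongside the repo. `nginx_app_protect_signing_keys` is defined outside this diff, so I cannot confirm the URLs are https; a comment on these tasks pointing at where it is set would help the next reader.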
@@ -1,18 +1,12 @@ --- -- name: "(Install: RPM OSs) Set Default RPM NGINX Signing Key" - set_fact: - key_value: "" # appeasing the linter - nginx_keysite: "{{ nginx_signing_key | default('https://cs.nginx.com/static/keys/nginx_signing.key') }}" - -- name: "(Install: RPM OSs) Set Default RPM NGINX App Protect Signing Key" - set_fact: - key_value: "" # appeasing the linter - app_protect_keysite: "{{ app_protect_signing_key | default('https://cs.nginx.com/static/keys/app-protect.key') }}" +- name: Add RPM NGINX Plus signing key + rpm_key: + key: "{{ nginx_app_protect_signing_keys.nginx_plus }}" -- name: "(Install: RPM OSs) Add RPM NGINX Signing Key" +- name: Add RPM NGINX App Protect signing key rpm_key: - key: "{{ nginx_keysite }}" + key: "{{ nginx_app_protect_signing_keys.app_protect }}" -- name: "(Install: RPM OSs) Add RPM NGINX App Protect Signing Key" +- name: Add RPM NGINX App Protect security updates signing key rpm_key: - key: "{{ app_protect_keysite }}" + key: "{{ nginx_app_protect_signing_keys.security_updates }}" diff --git a/tasks/main.yml b/tasks/main.yml index f188dd4f..22d97643 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,97 +1,95 @@ --- - name: Get package facts package_facts: - manager: "auto" + manager: auto - name: Set supported_os when platform and version are in supported platforms dictionary set_fact: - key_value: "" # appeasing the linter supported_os: true - loop: "{{ query('dict', app_protect_linux_families) }}" when: ansible_distribution in item.key and ansible_distribution_version | float in item.value + loop: "{{ query('dict', nginx_app_protect_linux_families) }}" - name: Set supported_os to false if fact not defined set_fact: - key_value: "" # appeasing the linter supported_os: false when: supported_os is not defined -- name: Debug supported os +- name: Detect whether you are running a supported_os debug: msg: "supported_os {{ supported_os }}" verbosity: 2 -- name: Debug app_protect_state +- name: Check your desired nginx_app_protect_state debug: - msg: "Desired app_protect_state {{ app_protect_state }}" + msg: "Desired nginx_app_protect_state {{ nginx_app_protect_state }}" -- name: Abort if the OS/version combination is not supported +- name: Abort if the OS / version combination is not supported fail: msg: "NGINX App Protect is not supported on os family {{ ansible_distribution }} version {{ ansible_distribution_version }}" when: not supported_os - -- name: "Install NGINX App Protect" +- name: Install NGINX App Protect block: + - name: Install prerequisites + include_tasks: "{{ role_path }}/tasks/prerequisites/install-prerequisites.yml" + tags: nginx_app_protect_prerequisites - - import_tasks: "prerequisites/install-prerequisites.yml" - tags: nginx_prerequisites - - - import_tasks: keys/apt-key.yml + - name: Setup APT signing keys + include_tasks: "{{ role_path }}/tasks/keys/apt-key.yml" when: - ansible_os_family == "Debian" - - app_protect_state != "absent" - or app_protect_install_signatures - or app_protect_install_threat_campaigns - tags: nginx_aptkey + - nginx_app_protect_state != "absent" + or nginx_app_protect_install_signatures | bool + or 
nginx_app_protect_install_threat_campaigns | bool + tags: nginx_app_protect_aptkey - - import_tasks: keys/rpm-key.yml + - name: Setup RPM signing keys + include_tasks: "{{ role_path }}/tasks/keys/rpm-key.yml" when: - ansible_os_family == "RedHat" - - app_protect_state != "absent" - or app_protect_install_signatures - or app_protect_install_threat_campaigns - tags: nginx_rpmkey + - nginx_app_protect_state != "absent" + or nginx_app_protect_install_signatures | bool + or nginx_app_protect_install_threat_campaigns | bool + tags: nginx_app_protect_rpmkey - - name: "(All OSs) Setup license" - import_tasks: setup-license.yml + - name: (All OSs) Setup license + include_tasks: "{{ role_path }}/tasks/install/setup-license.yml" when: - - app_protect_state != "absent" - or app_protect_install_signatures - or app_protect_install_threat_campaigns - - - name: "Install NGINX App Protect" - import_tasks: install-app-protect.yml + - nginx_app_protect_state != "absent" + or nginx_app_protect_install_signatures | bool + or nginx_app_protect_install_threat_campaigns | bool + tags: nginx_app_protect_setup_license - - name: "NGINX App Protect Signatures" - import_tasks: install-signatures.yml - when: app_protect_install_signatures + - name: Install NGINX App Protect + include_tasks: "{{ role_path }}/tasks/install/install-app-protect.yml" + tags: nginx_app_protect_install_app_protect - - name: "NGINX App Protect Threat Campaigns" - import_tasks: install-threat-campaigns.yml - when: app_protect_install_threat_campaigns - - - name: "Remove license" - import_tasks: delete-license.yml + - name: Install NGINX App Protect security updates (signatures and threat campaigns) + include_tasks: "{{ role_path }}/tasks/install/install-security-updates.yml" when: - - app_protect_delete_license - tags: app_protect_delete_license - - - name: "Configure NGINX App Protect" - import_tasks: configure-app-protect.yml - when: app_protect_configure - - when: app_protect_state != "absent" - - -- name: "Remove 
NGINX App Protect" + - nginx_app_protect_install_signatures | bool + - nginx_app_protect_install_threat_campaigns | bool + tags: nginx_app_protect_install_signatures_threats + + - name: Remove NGINX App Protect license + include_tasks: "{{ role_path }}/tasks/install/delete-license.yml" + when: nginx_app_protect_delete_license | bool + tags: nginx_app_protect_delete_license + + - name: Configure NGINX App Protect + include_tasks: "{{ role_path }}/tasks/config/configure-app-protect.yml" + when: nginx_app_protect_configure | bool + tags: nginx_app_protect_configure + when: nginx_app_protect_state != "absent" + +- name: Remove NGINX App Protect block: - - - name: "Remove NGINX App Protect" - import_tasks: install-app-protect.yml - - - name: "Disable NGINX App Protect Configuration" - import_tasks: configure-app-protect.yml - when: app_protect_configure - - when: app_protect_state == "absent" + - name: Remove NGINX App Protect package + include_tasks: "{{ role_path }}/tasks/install/install-app-protect.yml" + tags: nginx_app_protect_remove + + - name: Disable NGINX App Protect config + include_tasks: "{{ role_path }}/tasks/config/configure-app-protect.yml" + when: nginx_app_protect_configure | bool + tags: nginx_app_protect_remove_config + when: nginx_app_protect_state == "absent" diff --git a/tasks/prerequisites/install-prerequisites.yml b/tasks/prerequisites/install-prerequisites.yml index f91dadc6..4ea426e5 100644 --- a/tasks/prerequisites/install-prerequisites.yml +++ b/tasks/prerequisites/install-prerequisites.yml 
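Review bot: The `Install NGINX App Protect security updates (signatures and threat campaigns)` include in main.yml is gated by a two-item `when:` list, which Ansible ANDs, so enabling only `nginx_app_protect_install_signatures` (or only threat campaigns) skips the include entirely even though `install-security-updates.yml` guards each package individually; the condition should be `when: nginx_app_protect_install_signatures | bool or nginx_app_protect_install_threat_campaigns | bool`, matching the `or` used for the key and license includes above it. The switch from `import_tasks` to `include_tasks` also changes what the new `tags:` do: tags on an `include_tasks` statement select the include itself, not the tasks it loads, so `--tags nginx_app_protect_configure` would run the include and then nothing inside it unless `apply:` with the same tags is added or the imports are kept. The removal block at the end of the file is fully visible and has the same tag behaviour.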
@@ -4,14 +4,14 @@ msg: "ansible_distribution {{ ansible_distribution }}"
verbosity: 2
-- name: "(Setup: Debian/Ubuntu) Install Prerequisites"
- import_tasks: setup-debian.yml
- when: ansible_distribution == "Debian" or ansible_distribution == "Ubuntu"
+- name: Install Debian and Ubuntu prerequisites
+ include_tasks: setup-debian.yml
+ when: ansible_os_family == "Debian"
-- name: "(Setup: CentOS) Install Prerequisites"
- import_tasks: setup-centos.yml
+- name: Install CentOS prerequisites
+ include_tasks: setup-centos.yml
when: ansible_distribution == "CentOS"
-- name: "(Setup: RedHat) Install Prerequisites"
- import_tasks: setup-redhat.yml
+- name: Install Red Hat prerequisites
+ include_tasks: setup-redhat.yml
when: ansible_distribution == "RedHat"
diff --git a/tasks/prerequisites/setup-centos.yml b/tasks/prerequisites/setup-centos.yml
index 5a78661e..4d9d034d 100644
--- a/tasks/prerequisites/setup-centos.yml
+++ b/tasks/prerequisites/setup-centos.yml
@@ -1,5 +1,6 @@
---
-- name: "(Install: CentOS) Install Required CentOS Dependencies"
- package:
- name: ca-certificates, epel-release
- state: present
+- name: Install required CentOS dependencies
+ yum:
+ name:
+ - ca-certificates
+ - epel-release
diff --git a/tasks/prerequisites/setup-debian.yml b/tasks/prerequisites/setup-debian.yml
index c9153264..ef24e2f1 100644
--- a/tasks/prerequisites/setup-debian.yml
+++ b/tasks/prerequisites/setup-debian.yml
@@ -1,5 +1,7 @@
---
-- name: "(Setup: Debian/Ubuntu) Install Required Debian and Ubuntu Dependencies"
- package:
- name: apt-transport-https, lsb-release, ca-certificates, wget
- state: present
+- name: Install required Debian and Ubuntu dependencies
+ apt:
+ name:
+ - apt-transport-https
+ - dirmngr
+ update_cache: yes
diff --git a/tasks/prerequisites/setup-redhat.yml b/tasks/prerequisites/setup-redhat.yml
index 3e76081f..76415ffc 100644
--- a/tasks/prerequisites/setup-redhat.yml
+++ b/tasks/prerequisites/setup-redhat.yml
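Review bot: `update_cache: yes` in the new setup-debian.yml task should be `update_cache: true`; `yes` is a YAML 1.1 truthy alias that yamllint rejects and that YAML 1.2 parsers read as a plain string, while the rest of this commit already standardises on lowercase booleans and `| bool`. The rewrite also drops `ca-certificates`, `lsb-release` and `wget` from the Debian dependency list; the repo tasks deleted elsewhere in this diff relied on HTTPS with client certificates, so if the new repo setup still does, confirm `ca-certificates` arrives transitively with `apt-transport-https` rather than assuming it. A one-line comment above the task, `# dirmngr: presumably needed for apt-key's keyserver fetch — confirm`, would record why `dirmngr` replaced the old packages.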
@@ -1,17 +1,16 @@
---
-- name: "(Install: RedHat) Install Required Dependencies - base"
- package:
- name: ca-certificates,wget
- state: present
+- name: Install required base dependencies
+ yum:
+ name: ca-certificates
-- name: "(Install: RedHat) Install Required Dependencies - RHEL Subscription"
- package:
- name: rhel-7-server-optional-rpms,rhel-7-server-rpms
- state: present
- when: app_protect_use_rhel_subscription_repos
+- name: Install required base dependencies from your Red Hat subscription
+ yum:
+ name:
+ - rhel-7-server-optional-rpms
+ - rhel-7-server-rpms
+ when: nginx_app_protect_use_rhel_subscription_repos | bool
-- name: "(Install: RedHat) Install Required Dependencies - Centos Epel"
- package:
+- name: Install required Red Hat dependencies from epel
+ yum:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
- state: present
- when: not app_protect_use_rhel_subscription_repos
+ when: not nginx_app_protect_use_rhel_subscription_repos | bool
diff --git a/tasks/setup-debian-repos.yml b/tasks/setup-debian-repos.yml
deleted file mode 100644
index 26e79998..00000000
--- a/tasks/setup-debian-repos.yml
+++ /dev/null
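Review bot: The epel task installs `epel-release-latest-7.noarch.rpm` straight from a URL, and yum treats a URL package as a local package whose signature is only checked when `localpkg_gpgcheck` is enabled on the host (it is off by default), so on a stock RHEL 7 host this rpm is installed without GPG verification. Importing the EPEL signing key first with `rpm_key: key: <EPEL_7_GPG_KEY_URL>` (placeholder) and enabling the local-package check, or pinning a versioned rpm instead of `-latest`, would close that gap; the CentOS counterpart in this same diff gets `epel-release` from an already signed repository. The `rhel-7-server-optional-rpms` and `rhel-7-server-rpms` values under `yum: name:` look like subscription repository ids rather than package names (carried over from the old task), so it is worth confirming yum actually resolves them as packages.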
@@ -1,40 +0,0 @@
----
-- name: "(Setup: Debian/Ubuntu) Setup NGINX App Protect Repository"
- apt_repository:
- repo: deb [arch=amd64] https://plus-pkgs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
- filename: nginx-plus
- update_cache: false
- state: "{{ nginx_license_status | default ('present') }}"
-
-- name: "(Setup: Debian/Ubuntu) Setup NGINX App Protect Signatures Repository"
- apt_repository:
- repo: deb [arch=amd64] https://app-protect-sigs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
- filename: app-protect-sigs
- update_cache: false
- state: "{{ nginx_license_status | default ('present') }}"
-
-- name: "(Setup: Debian/Ubuntu) Setup NGINX App Protect License"
- blockinfile:
- path: /etc/apt/apt.conf.d/90nginx
- create: true
- block: |
- Acquire::https::plus-pkgs.nginx.com::Verify-Peer "true";
- Acquire::https::plus-pkgs.nginx.com::Verify-Host "true";
- Acquire::https::plus-pkgs.nginx.com::SslCert "/etc/ssl/nginx/{{ nginx_license.certificate | basename }}";
- Acquire::https::plus-pkgs.nginx.com::SslKey "/etc/ssl/nginx/{{ nginx_license.key | basename }}";
- state: "{{ nginx_license_status | default ('present') }}"
-
-- name: "(Setup: Debian/Ubuntu) Setup NGINX App Protect Signatures License"
- blockinfile:
- path: /etc/apt/apt.conf.d/90app-protect-sigs
- create: true
- block: |
- Acquire::https::app-protect-sigs.nginx.com::Verify-Peer "true";
- Acquire::https::app-protect-sigs.nginx.com::Verify-Host "true";
- Acquire::https::app-protect-sigs.nginx.com::SslCert "/etc/ssl/nginx/{{ nginx_license.certificate | basename }}";
- Acquire::https::app-protect-sigs.nginx.com::SslKey "/etc/ssl/nginx/{{ nginx_license.key | basename }}";
- state: "{{ nginx_license_status | default ('present') }}"
-
-- name: "(Setup: Debian/Ubuntu) Update APT Cache"
- apt:
- update_cache: true
diff --git a/tasks/setup-license.yml b/tasks/setup-license.yml
deleted file mode 100644
index ce223b5f..00000000
--- a/tasks/setup-license.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: "(Setup: All OSs Besides Alpine Linux) Setup NGINX App Protect License"
- block:
-
- - name: "(Setup: All OSs Besides Alpine Linux) Create SSL Directory"
- file:
- path: /etc/ssl/nginx
- state: directory
-
- - name: "(Setup: All OSs Besides Alpine Linux) Copy NGINX App Protect Certificate and License Key"
- copy:
- src: "{{ item }}"
- dest: /etc/ssl/nginx
- decrypt: true
- with_items:
- - "{{ nginx_license.certificate }}"
- - "{{ nginx_license.key }}"
-
- when: ansible_distribution != "Alpine"
\ No newline at end of file
diff --git a/tasks/setup-redhat-repos.yml b/tasks/setup-redhat-repos.yml
deleted file mode 100644
index b7019108..00000000
--- a/tasks/setup-redhat-repos.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-- name: "(Setup: CentOS/RedHat/Oracle Linux) Setup Repos"
- block:
-
- - name: "(Setup: CentOS/RedHat/Oracle Linux) Get OS Major Version"
- set_fact:
- key_value: "" # appeasing the linter
- redhat_major_version: "{{ (ansible_distribution_version | float >= 7.4 and ansible_distribution_version | float < 8.0)
- | ternary(ansible_distribution_major_version | int, 7.4) }}"
-
- - name: "(Setup: CentOS/RedHat/Oracle Linux) Setup CentOS-7 Repository"
- yum_repository:
- name: centos
- baseurl: >-
- http://ftp.heanet.ie/pub/centos/{{ redhat_major_version }}/os/$basearch/
- description: NGINX App Protect Repository
- sslclientcert: "/etc/ssl/nginx/{{ nginx_license.certificate | basename }}"
- sslclientkey: "/etc/ssl/nginx/{{ nginx_license.key | basename }}"
- enabled: true
- gpgcheck: true
- gpgkey: >-
- http://ftp.heanet.ie/pub/centos/{{ redhat_major_version }}/os/$basearch/RPM-GPG-KEY-CentOS-{{ redhat_major_version }}
- state: "{{ nginx_license_status | default ('present') }}"
-
- - name: "(Setup: CentOS/RedHat/Oracle Linux) Setup NGINX App Protect Repository"
- yum_repository:
- name: nginx-app-protect
- baseurl: >-
- https://plus-pkgs.nginx.com/centos/{{ redhat_major_version }}/$basearch/
- description: NGINX App Protect Repository
- sslclientcert: "/etc/ssl/nginx/{{ nginx_license.certificate | basename }}"
- sslclientkey: "/etc/ssl/nginx/{{ nginx_license.key | basename }}"
- enabled: true
- gpgcheck: true
- gpgkey: https://cs.nginx.com/static/keys/app-protect.key
- state: "{{ nginx_license_status | default ('present') }}"
-
- - name: "(Setup: CentOS/RedHat/Oracle Linux) Setup NGINX App Protect Signatures Repository"
- yum_repository:
- name: nginx-app-protect-signatures
- baseurl: >-
- https://app-protect-sigs.nginx.com/centos/{{ redhat_major_version }}/$basearch/
- description: NGINX App Protect Signatures Repository
- sslclientcert: "/etc/ssl/nginx/{{ nginx_license.certificate | basename }}"
- sslclientkey: "/etc/ssl/nginx/{{ nginx_license.key | basename }}"
- enabled: true
- gpgcheck: true
- gpgkey: https://cs.nginx.com/static/keys/app-protect.key
- state: "{{ nginx_license_status | default ('present') }}"
- when: ansible_distribution != "Amazon"
diff --git a/templates/app-protect-log-policy.j2 b/templates/app-protect-log-policy.j2
index c182a633..472b5448 100644
--- a/templates/app-protect-log-policy.j2
+++ b/templates/app-protect-log-policy.j2
@@ -1,6 +1,6 @@
{
"filter": {
- "request_type": "{{ log_policy_filter_request_type }}"
+ "request_type": "{{ nginx_app_protect_log_policy_filter_request_type }}"
},
"content": {
"format": "default",
diff --git a/templates/app-protect-security-policy.j2 b/templates/app-protect-security-policy.j2
index 4bfde26b..a238bea4 100644
--- a/templates/app-protect-security-policy.j2
+++ b/templates/app-protect-security-policy.j2
@@ -2,5 +2,5 @@
"name": "/Common/policy1",
"template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
"applicationLanguage": "utf-8",
- "enforcementMode": "{{ security_policy_enforcement_mode }}"
+ "enforcementMode": "{{ nginx_app_protect_security_policy_enforcement_mode }}"
}
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
index d3b4285d..654511f5 100644
--- a/templates/nginx.conf.j2
+++ b/templates/nginx.conf.j2
@@ -1,8 +1,8 @@
+load_module modules/ngx_http_app_protect_module.so;
+
user nginx;
worker_processes 1;
-load_module modules/ngx_http_app_protect_module.so;
-
error_log /var/log/nginx/error.log debug;
events {
@@ -16,7 +16,7 @@ http {
keepalive_timeout 65;
upstream backend_hosts {
- server {{ nginx_demo_workload_host }};
+ server {{ nginx_app_protect_demo_workload_host }};
}
server {
@@ -25,14 +25,14 @@ http {
proxy_http_version 1.1;
app_protect_enable on;
- app_protect_policy_file "{{ app_protect_security_policy_template.out_file_location }}{{ app_protect_security_policy_template.out_file_name }}";
+ app_protect_policy_file "{{ nginx_app_protect_security_policy_template.out_file_location }}{{ nginx_app_protect_security_policy_template.out_file_name }}";
app_protect_security_log_enable on;
- app_protect_security_log "{{ app_protect_log_policy_template.out_file_location }}{{ app_protect_log_policy_template.out_file_name }}" syslog:server={{ log_policy_syslog_target }};
+ app_protect_security_log "{{ nginx_app_protect_log_policy_template.out_file_location }}{{ nginx_app_protect_log_policy_template.out_file_name }}" syslog:server={{ nginx_app_protect_log_policy_syslog_target }};
location / {
client_max_body_size 0;
default_type text/html;
- proxy_pass {{ nginx_demo_workload_protocol }}backend_hosts$request_uri;
+ proxy_pass {{ nginx_app_protect_demo_workload_protocol }}backend_hosts$request_uri;
}
}
-}
\ No newline at end of file
+}
diff --git a/templates/nginx.service.override.conf.j2 b/templates/nginx.service.override.conf.j2
index bbe012b4..8de7b162 100644
--- a/templates/nginx.service.override.conf.j2
+++ b/templates/nginx.service.override.conf.j2
@@ -1,3 +1,3 @@
[Service]
# Override default 90 second timeout
-TimeoutStopSec={{ nginx_timeout }}
\ No newline at end of file
+TimeoutStopSec={{ nginx_app_protect_timeout }}
\ No newline at end of file
diff --git a/tests/inventory b/tests/inventory
deleted file mode 100644
index 878877b0..00000000
--- a/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
diff --git a/tests/test.yml b/tests/test.yml
deleted file mode 100644
index 16f419c0..00000000
--- a/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- roles:
- - ansible-role-nginx-app-protect
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
index 31126c0c..a7acc4bc 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,32 @@
---
-# vars file for ansible-role-nginx-app-protect
\ No newline at end of file
+# Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
+nginx_app_protect_linux_families:
+ CentOS:
+ - 7.4
+ - 7.5
+ - 7.6
+ - 7.7
+ - 7.8
+ RedHat:
+ - 7.4
+ - 7.5
+ - 7.6
+ - 7.7
+ - 7.8
+ Debian:
+ - 9.0
+ - 9.1
+ - 9.2
+ - 9.3
+ - 9.4
+ - 9.5
+ - 9.6
+ - 9.7
+ - 9.8
+ - 9.9
+ - 9.10
+ - 9.11
+ - 9.12
+ - 9.13
+ Ubuntu:
+ - 18.04
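Review bot: The version entries under `nginx_app_protect_linux_families` are unquoted and parse as YAML floats, so `9.10` becomes `9.1` (a duplicate of the earlier `9.1`, leaving Debian 9.10 unlisted) and `7.4` or `18.04` will never compare equal to the string fact `ansible_distribution_version` that the header comment says these values are taken from. Quote every entry, e.g. `- "7.4"` and `- "9.10"`, so the lists hold the exact strings the facts report. The header comment could also state what the role does when a host's version is absent from its family's list (skip, fail or warn), since that behaviour is not visible here.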