From d62bcafa2189ac419190bd2dde54842ba1329079 Mon Sep 17 00:00:00 2001 From: Perry Kollmorgen Date: Tue, 5 Mar 2024 13:23:51 +1000 Subject: [PATCH 01/12] Significant refresh and added options to build the GeoIP and/or the MaxMind Nginx modules if you want geolocation lookups --- README.md | 30 +++++++++++---- defaults/main.yml | 48 ++++++++++++++++-------- meta/main.yml | 19 +++++++--- tasks/compile.yml | 93 +++++++++++++++++++++++++++++++++++++---------- tasks/main.yml | 57 ++++++++++++++++------------- 5 files changed, 173 insertions(+), 74 deletions(-) diff --git a/README.md b/README.md index fbd8d05..eb77e3c 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,12 @@ ModSecurity3 is a powerful open source cross-platform web application firewall (WAF). -https://modsecurity.org/ +was: https://modsecurity.org/ , now owned by https://owasp.org/ -It goes hand in hand with a ruleset known as OWASP CRS. +It goes hand in hand with a ruleset known as OWASP CRS. Note, this role often refers to CRS3, however CRS version 4 has been released now. -https://modsecurity.org/crs/ +was: https://modsecurity.org/crs/, now https://owasp.org/www-project-modsecurity-core-rule-set/ +also: https://coreruleset.org/ and https://github.com/coreruleset/coreruleset/ Additionally both of these go hand in hand with a webserver, either Apache or Nginx, this role only supports Nginx however. 
@@ -24,7 +25,17 @@ By default this role will install Nginx packages from OS provided repos, this is This can be done by setting this variable: -``` nginx_official_repo: True``` +``` nginx_official_repo: true``` + +Optionally, this role can build the GeoIP and/or the MaxMind Nginx modules if you want geolocation lookups. You likely require a licensed copy of an up to date database from here if you want to use MaxMind: https://www.maxmind.com/en/geoip-databases + +You can enable these from the following variables: + +``` nginx_modsec3_crs3_geoip_enabled: false``` +``` nginx_modsec3_crs3_maxmind_enabled: true``` + +note: this role won't re-run the configure and make steps if their output exists, so if you change the options you want such as the different modules above you make need to delete the Makefile and remove any .so files from the objs/ folder. + ## Requirements @@ -68,16 +79,19 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul nginx_pkgs: - nginx - nginx_install_epel_repo: False - nginx_official_repo: True - nginx_official_repo_mainline: True + nginx_install_epel_repo: false + nginx_official_repo: true + nginx_official_repo_mainline: true nginx_module_configs: - ngx_http_modsecurity_module + - ngx_http_geoip2_module + nginx_modules_disable: + - ngx_http_geoip_module nginx_sites: default: - listen 80 - server_name _ - - "Modsecurity on" + - "modsecurity on" - "modsecurity_rules_file /etc/nginx/modsec/main.conf" - root "/usr/share/nginx/html" - index index.html diff --git a/defaults/main.yml b/defaults/main.yml index 826cf1a..224e9e3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,35 +1,51 @@ --- # defaults file for ansible-role-nginx-modsec3-crs3 +# These are packages you want kept even after compiling has finished nginx_modsec3_crs3_debian_pre_reqs: + - git - libgeoip-dev + - libmaxminddb-dev + - libmaxminddb0 - libcurl4-openssl-dev - - liblua5.2-dev + - liblua5.3-dev - libyajl-dev - libxml2-dev - - libpcre3-dev - - libpcre++-dev + - libpcre2-dev + #- libpcre++-dev #hmm I wonder if might need libpcre (1) still ? - ssdeep - libfuzzy-dev - - git + - libssl-dev + - zlib1g-dev +# These are packages which are removed after compiling has finished nginx_modsec3_crs3_debian_compiler_reqs: - build-essential +# These are packages you want kept even after compiling has finished nginx_modsec3_crs3_redhat_pre_reqs: - - GeoIP-devel - - curl-devel - # - lua-devel - # - yajl-devel - - libxml2-devel - - xz-devel - - pcre-devel - - ssdeep-devel - - ssdeep-libs - git - - openssl-devel - - libxslt-devel - - gd-devel + - GeoIP-devel #modsec, might not exist in EL9 ? + #- libmaxminddb-devel #modsec, but lets remove as EL8 has a broken compile error + #- libmaxminddb #modsec, but same as above + - curl-devel #modsec + - lua-devel #modsec + - yajl-devel #modsec + - libxml2-devel #modsec + - lmdb-devel #modsec + #- xz-devel # unsure if still needed + - pcre-devel #modsec, needed even if pcre2 is used + - pcre2-devel #modsec + - ssdeep-devel # used by modsec + - ssdeep-libs # used by modsec + - openssl-devel #nginx + - libxslt-devel #modsec +# These are packages which are removed after compiling has finished nginx_modsec3_crs3_redhat_compiler_reqs: - "@Development tools" + +nginx_modsec3_crs3_geoip_enabled: false +nginx_modsec3_crs3_maxmind_enabled: false + +nginx_modsec3_crs3_core_rule_set_version: "v4.0.0" diff --git a/meta/main.yml b/meta/main.yml index 04d9a4e..5005a49 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,7 +1,7 @@ galaxy_info: author: "Perry Kollmorgen (https://github.com/perryk)" role_name: nginx_modsec3_crs3 - description: "Installs Nginx, Compiles ModSecurity3, and downloads the OWASP CRS v3 ruleset (https://nginx.com, https://modsecurity.org, https://modsecurity.org/crs)" + description: "Installs Nginx, Compiles ModSecurity3, and downloads the OWASP CRS ruleset (https://nginx.com, https://owasp.org/, https://coreruleset.org/)" license: MIT @@ -13,17 +13,26 @@ galaxy_info: - 6 - 7 - 8 + - 9 - name: Debian versions: - jessie - stretch - - sid + - buster + - bullseye + - bookworm - name: Ubuntu versions: - - zesty - - artful - bionic - - cosmic + - cosmic + - disco + - eoan + - focal + - groovy + - hirsute + - impish + - jammy + - mantic galaxy_tags: - modsecurity diff --git a/tasks/compile.yml b/tasks/compile.yml index f565246..808530f 100644 --- a/tasks/compile.yml +++ b/tasks/compile.yml @@ -1,14 +1,20 @@ # vim: set ft=ansible et ts=2 sw=2: --- -# Tasks for compiling Modsecurity3 and installing OWASP CRS v3 +# Tasks for compiling Modsecurity3 and installing OWASP CRS + +- name: Check if Modsecurity source code folder exists + stat: + path: "~/ModSecurity" + register: modsecurity_folder - name: Obtain Modsecurity source code for branch v3/master git: - repo: "https://github.com/SpiderLabs/ModSecurity" + repo: "https://github.com/owasp-modsecurity/ModSecurity" dest: "~/ModSecurity" depth: 1 version: "v3/master" force: yes + when: not modsecurity_folder.stat.exists - name: Init submodules, configure, build, make install command: "{{ item }}" 
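Review bot: The new `stat` guard on `~/ModSecurity` means the clone task, and with it `force: yes` and the `v3/master` checkout, only ever runs once, so a host keeps whatever commit was at the tip of that branch on its first run and never receives a fix release through this role. Pinning the checkout to a release tag through a role variable, as this same commit does for the rule set with `nginx_modsec3_crs3_core_rule_set_version`, would make the build reproducible and turn an upgrade into a variable change; for example `version: "{{ nginx_modsec3_crs3_modsecurity_version }}"` with a tag as its default (the variable name is a proposal). If the one-shot behaviour is intended, the task name should say so, e.g. `Obtain Modsecurity source code (only if ~/ModSecurity is absent)`.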
@@ -19,17 +25,26 @@ - "git submodule init" - "git submodule update" - "./build.sh" - - "./configure" + #- "./configure --with-lmdb --with-pcre2" + # lmdb is meant to be faster but more chance of memory leaks + # pcre2 should be a faster reg exp library + - "./configure --with-pcre2" - "make" - "make install" - name: Obtain Modsecurity-nginx source code git: - repo: "https://github.com/SpiderLabs/ModSecurity-nginx" + repo: "https://github.com/owasp-modsecurity/ModSecurity-nginx" dest: "~/ModSecurity-nginx" depth: 1 force: yes +- name: Obtain GeoIP2 module source code + git: + repo: "https://github.com/leev/ngx_http_geoip2_module" + dest: "~/GeoIP2-nginx" + when: nginx_modsec3_crs3_maxmind_enabled + - name: Download Nginx source code get_url: url: "https://nginx.org/download/nginx-{{ nginx_modsec3_crs3_nginx_version }}.tar.gz" 
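Review bot: The new `Obtain GeoIP2 module source code` task clones the default branch of `leev/ngx_http_geoip2_module` with no `version`, so the code compiled into the nginx module set is whatever that branch holds at run time and differs between hosts provisioned on different days. The two ModSecurity clones in this file at least name a branch; this one should pin a tag, `version: "<tag placeholder>"`, ideally via a defaults variable like the one this commit adds for the rule set. The two `#` lines explaining lmdb and pcre2 sit inside the `with_items` list between commands; they read more naturally above the task.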
@@ -48,18 +63,35 @@ - name: Get configure arguments shell: "nginx -V 2>&1 | awk -F ':' '/configure arguments/{print $2}'" - register: result + register: configargs changed_when: False -- name: Configure and make ModSecurity3 for Nginx module +- name: Run configure for building nginx modules + shell: > + CFLAGS=-Wno-error + ./configure + {% if ansible_distribution == 'OracleLinux' %} + {{ configargs.stdout }} + {% endif %} + --with-compat --add-dynamic-module=../../ModSecurity-nginx + {% if nginx_modsec3_crs3_maxmind_enabled %} + --add-dynamic-module=../../GeoIP2-nginx + {% endif %} + {% if nginx_modsec3_crs3_geoip_enabled %} + --with-http_geoip_module=dynamic + {% else %} + --without-http_geo_module + {% endif %} + args: + chdir: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}" + creates: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/Makefile" + +- name: Run make for building Nginx modules shell: "{{ item }}" args: chdir: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}" - creates: "~/mods.so" + creates: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so" with_items: - # Latest version had troubles parsing the entire configure arguments so trying just with --with-compat - #- "CFLAGS=-Wno-error ./configure {{ result.stdout }} --add-dynamic-module=../../ModSecurity-nginx" - - "CFLAGS=-Wno-error ./configure --with-compat --add-dynamic-module=../../ModSecurity-nginx" - "make modules" - name: import nginx role Debian/Ubuntu vars 
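Review bot: In the new configure template the `else` branch passes `--without-http_geo_module`, which disables ngx_http_geo_module (the `geo` directive), not the GeoIP module that `nginx_modsec3_crs3_geoip_enabled` is about; GeoIP is opt-in in nginx's configure, so the branch can simply be dropped: `{% if nginx_modsec3_crs3_geoip_enabled %}--with-http_geoip_module=dynamic{% endif %}`. Because only `make modules` runs afterwards the stray flag does not change the installed binary, but it misleads the next reader. `CFLAGS=-Wno-error` silences warnings that upstream treats as errors for the whole module build; a comment naming the warning that forced it would let a later version remove it. Note also that `creates: .../Makefile` means toggling either module flag after the first run never re-runs configure, which this commit documents only as a manual cleanup in the README.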
@@ -67,39 +99,59 @@ file: "../ansible-role-nginx/vars/Debian.yml" when: - ansible_os_family == "Debian" - #- nginx_modules_location is not defined - #- nginx_python_selinux_pkgs is not defined -- name: import nginx role Redhat/Centos vars +- name: import nginx role RedHat/Centos/OracleLinux vars include_vars: - file: "../ansible-role-nginx/vars/Redhat.yml" + file: "../ansible-role-nginx/vars/RedHat.yml" when: - - ansible_os_family == "Redhat" - #- nginx_modules_location is not defined - #- nginx_python_selinux_pkgs is not defined + - ansible_os_family == "RedHat" - name: set nginx_conf_dir if not already set set_fact: nginx_conf_dir: "/etc/nginx" when: nginx_conf_dir is not defined -- name: Copy Modsecurity-nginx module to Nginx modules folder +- name: Copy ModSecurity-nginx to Nginx modules folder copy: src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so" dest: "{{ nginx_modules_location }}" remote_src: yes +- name: Copy GeoIP module to Nginx modules folder + copy: + src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_geoip_module.so" + dest: "{{ nginx_modules_location }}" + remote_src: yes + when: nginx_modsec3_crs3_geoip_enabled + + # Source /root/Nginx/nginx-1.25.4/objs/ngx_http_geoip_module.so not found + +- name: Copy MaxMind module to Nginx modules folder + copy: + src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_geoip2_module.so" + dest: "{{ nginx_modules_location }}" + remote_src: yes + when: nginx_modsec3_crs3_maxmind_enabled + - name: Create folder for Modsec config and rules file: #path: /etc/nginx/modsec path: "{{ nginx_conf_dir }}/modsec" state: directory +- name: Check if modsecurity.conf already exists + stat: + path: "{{ nginx_conf_dir }}/modsec/modsecurity.conf" + register: modsecurity_conf_stat + - name: Copy recommended conf to become modsecurity.conf copy: src: "~/ModSecurity/modsecurity.conf-recommended" dest: "{{ nginx_conf_dir }}/modsec/modsecurity.conf" 
remote_src: yes + register: modsecurity_conf_copied + changed_when: modsecurity_conf_copied.changed + when: not modsecurity_conf_stat.stat.exists - name: Copy unicode.mapping file also copy: @@ -112,6 +164,8 @@ path: "{{ nginx_conf_dir }}/modsec/modsecurity.conf" regexp: "SecRuleEngine DetectionOnly" replace: "SecRuleEngine On" + backup: yes + when: modsecurity_conf_copied.changed - name: Create a main.conf from template template: @@ -122,7 +176,8 @@ git: repo: "https://github.com/coreruleset/coreruleset" dest: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs" - version: "v3.4/dev" + #version: "v3.3.5" + version: "{{ nginx_modsec3_crs3_core_rule_set_version }}" - name: Copy crs-setup.conf.example to become crs-setup.conf copy: diff --git a/tasks/main.yml b/tasks/main.yml index ea3e031..b136762 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -7,32 +7,12 @@ state: present when: ansible_os_family == "Debian" -- name: Installing Pre-Reqs for RHEL/Centos - yum: +- name: Installing Pre-Reqs for RHEL/Centos/OracleLinux + dnf: name: "{{ nginx_modsec3_crs3_redhat_pre_reqs }}" state: present when: ansible_os_family == "RedHat" -- name: Save the current list of packages for Debian/Ubuntu - shell: dpkg-query -l > /tmp/before.txt - when: ansible_os_family == "Debian" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep ) - -- name: Save the current list of packages for RHEL/Centos - shell: rpm -qa > /tmp/before.txt - when: ansible_os_family == 'RedHat' and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep ) - -- name: Installing compiler dependencies for Debian/Ubuntu - apt: - name: "{{ nginx_modsec3_crs3_debian_compiler_reqs }}" - state: present - when: ansible_os_family == "Debian" - -- name: Installing compiler dependencies for RHEL/Centos - yum: - name: "{{ nginx_modsec3_crs3_redhat_compiler_reqs }}" - state: present - when: ansible_os_family == "Redhat" - - name: run Nginx selinux tasks include_role: name: ansible-role-nginx 
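Review bot: The `when: not modsecurity_conf_stat.stat.exists` guard on `Copy recommended conf` makes the `Activate blocking rather than detection only` task (its `when: modsecurity_conf_copied.changed` is in the next hunk) run only on the very first provisioning, so a host whose `modsecurity.conf` already exists with `SecRuleEngine DetectionOnly` silently stays in detection-only; if that is intended, a comment such as `# engine mode is only set when the conf is first installed` should say so. `changed_when: modsecurity_conf_copied.changed` restates the module's own result and can be dropped. The `# Source /root/Nginx/nginx-1.25.4/objs/ngx_http_geoip_module.so not found` line left under the `Copy GeoIP module` task reads as a recorded failure, so the copy should either gain a `stat` guard like the conf file has or the comment should go.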
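Review bot: The switch from `yum:` to `dnf:` in both RedHat tasks is not matched by the platform list in meta/main.yml, which this same commit extends with EL 9 while keeping EL 6 and 7, where the `dnf` module is not available. Either drop 6 and 7 from `platforms`, or use `package:` for these installs, as the end of this file already does for removal, so the module choice follows the host.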
@@ -52,7 +32,28 @@
 name: ansible-role-nginx
 tasks_from: installation.packages.yml
 allow_duplicates: yes
-# when: nginx_installation_type == "packages"
+
+- name: Save the current list of packages for Debian/Ubuntu
+ shell: dpkg-query -l > /tmp/before.txt
+ when: ansible_os_family == "Debian" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep )
+ changed_when: false
+
+- name: Save the current list of packages for RHEL/Centos/OracleLinux
+ shell: rpm -qa > /tmp/before.txt
+ when: ansible_os_family == 'RedHat' and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep )
+ changed_when: false
+
+- name: Installing compiler dependencies for Debian/Ubuntu
+ apt:
+ name: "{{ nginx_modsec3_crs3_debian_compiler_reqs }}"
+ state: present
+ when: ansible_os_family == "Debian"
+
+- name: Installing compiler dependencies for RHEL/Centos/OracleLinux please
+ dnf:
+ name: "{{ nginx_modsec3_crs3_redhat_compiler_reqs }}"
+ state: present
+ when: ansible_os_family == "RedHat"
 
 - name: get the rpm or apt package facts
 package_facts:
@@ -62,8 +63,8 @@
 set_fact:
 nginx_modsec3_crs3_nginx_version: "{{ ansible_facts.packages.nginx[0].version.split('-')[0] }}"
 
-- name: Compile ModSecurity3 and install OWAPS CRS3
- include: compile.yml
+- name: Compile ModSecurity3 , install OWAPS CRS3, and build nginx modules
+ import_tasks: compile.yml
 
 - name: Configure Nginx now that the Modsec module is built
 import_role:
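Review bot: The moved package-snapshot tasks still write to the fixed paths `/tmp/before.txt` and `/tmp/after.txt` in the shared temporary directory, and the diff of those two files later decides which packages `Remove installed packages for compiling` uninstalls (the `after` half is in the next hunk), so a file pre-placed at either name by another local account would feed that list. A `tempfile:` task registered into a variable, or a path under a directory only the provisioning user can write such as `{{ ansible_user_dir }}`, avoids that, and `changed_when: false` would then be accurate rather than hiding a write. The task name `Installing compiler dependencies for RHEL/Centos/OracleLinux please` has a stray word.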
@@ -72,18 +73,22 @@
 - name: Check which packages were installed for Debian/Ubuntu
 shell: dpkg-query -l > /tmp/after.txt
 when: ansible_os_family == "Debian" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep )
+ changed_when: false
 
-- name: Check which packages were installed for RHEL/Centos
+- name: Check which packages were installed for RHEL/Centos/OracleLinux
 shell: rpm -qa > /tmp/after.txt
 when: ansible_os_family == "RedHat" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep )
+ changed_when: false
 
 - name: Create a list of installed packages
 shell: diff /tmp/before.txt /tmp/after.txt|awk '/>/{print $3}'
 register: installed
 when: nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep
+ changed_when: false
 
 - name: Remove installed packages for compiling
 package:
 name: "{{ installed.stdout_lines }}"
 state: absent
 when: installed is defined and (nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep)
+
From 39b91ce72337b23479e7a608b05ce910cab70ded Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com>
Date: Tue, 13 Dec 2022 13:17:35 +0100
Subject: [PATCH 02/12] fix: rename ansible-role-nginx to jdauphant.nginx

---
 tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index b136762..8cc2223 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,21 +15,21 @@ - name: run Nginx selinux tasks include_role: - name: ansible-role-nginx + name: jdauphant.nginx tasks_from: selinux.yml allow_duplicates: yes when: ansible_selinux and ansible_selinux.status == "enabled" - name: run Nginx nginx offical repo tasks include_role: - name: ansible-role-nginx + name: jdauphant.nginx tasks_from: nginx-official-repo.yml allow_duplicates: yes when: nginx_official_repo == True - name: run Nginx install packages tasks include_role: - name: ansible-role-nginx + name: jdauphant.nginx tasks_from: installation.packages.yml allow_duplicates: yes @@ -68,7 +68,7 @@ - name: Configure Nginx now that the Modsec module is built import_role: - name: ansible-role-nginx + name: jdauphant.nginx - name: Check which packages were installed for Debian/Ubuntu shell: dpkg-query -l > /tmp/after.txt From 2cd62ef81cf4b1406d006d3518571660e08b9bee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 16:04:37 +0100 Subject: [PATCH 03/12] refactor: extract & paint Extract the ruleset version to a variable. Set checks and conditionals depending on if it's already present on system --- defaults/main.yml | 9 ++++++--- tasks/compile.yml | 31 ++++++++++++++++++++++++------- tasks/main.yml | 30 +++++++++++++++++++++++++++--- 3 files changed, 57 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 224e9e3..ff5ae62 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,9 @@ --- -# defaults file for ansible-role-nginx-modsec3-crs3 - -# These are packages you want kept even after compiling has finished +# defaults file for coopdevs.nginx_modsec3_crs +nginx_modsec3_enabled: True +nginx_modsec3_crs_version: v3.4/dev +nginx_modsec3_crs3_force_compile: False +nginx_modsec3_crs3_block_mode: True nginx_modsec3_crs3_debian_pre_reqs: - git - libgeoip-dev 
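Review bot: The new `nginx_modsec3_crs_version: v3.4/dev` is not read anywhere in this series: tasks/compile.yml checks the rule set out with `{{ nginx_modsec3_crs3_core_rule_set_version }}`, which stays at `"v4.0.0"` later in this same file, so the README section added in patch 05 documents a knob that does nothing. Either drop the new key or feed it into the existing one, `nginx_modsec3_crs3_core_rule_set_version: "{{ nginx_modsec3_crs_version }}"`, and prefer a release tag over the moving `v3.4/dev` branch for rules that go straight into the WAF. The four new keys use `True`/`False` while the rest of the file uses lowercase `false`; yamllint's truthy rule flags the capitalised form, so `true`/`false` keeps the file consistent.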
@@ -49,3 +51,4 @@ nginx_modsec3_crs3_geoip_enabled: false nginx_modsec3_crs3_maxmind_enabled: false nginx_modsec3_crs3_core_rule_set_version: "v4.0.0" +nginx_official_repo: True diff --git a/tasks/compile.yml b/tasks/compile.yml index 808530f..9d8319b 100644 --- a/tasks/compile.yml +++ b/tasks/compile.yml @@ -31,6 +31,8 @@ - "./configure --with-pcre2" - "make" - "make install" + when: not modsec3_present or nginx_modsec3_crs3_force_compile + - name: Obtain Modsecurity-nginx source code git: @@ -38,6 +40,7 @@ dest: "~/ModSecurity-nginx" depth: 1 force: yes + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: Obtain GeoIP2 module source code git: @@ -49,22 +52,27 @@ get_url: url: "https://nginx.org/download/nginx-{{ nginx_modsec3_crs3_nginx_version }}.tar.gz" dest: "/tmp/nginx-{{ nginx_modsec3_crs3_nginx_version }}.tar.gz" + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: Create folder for Nginx source code file: path: "~/Nginx" state: directory + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: Extract Nginx source code unarchive: src: "/tmp/nginx-{{ nginx_modsec3_crs3_nginx_version }}.tar.gz" dest: "~/Nginx" remote_src: yes + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile + - name: Get configure arguments shell: "nginx -V 2>&1 | awk -F ':' '/configure arguments/{print $2}'" register: configargs changed_when: False + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: Run configure for building nginx modules shell: 
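Review bot: `when: not modsec3_present or nginx_modsec3_crs3_force_compile` tests the registered `stat` result itself, which is a non-empty dict and therefore always truthy, so `not modsec3_present` is always false and the configure/make/install task only runs when force_compile is set; the same applies to every `not modsec3_nginx_present` and `not crs3_present` condition in the hunks that follow, through `@@ -165,22 +179,25 @@`. The intended test is the file check, `when: not modsec3_present.stat.exists or nginx_modsec3_crs3_force_compile`, and likewise `.stat.exists` on the other two registers. As written a fresh host gets no ModSecurity build and no rule set at all unless force_compile is set.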
> @@ -92,17 +100,22 @@ chdir: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}" creates: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so" with_items: +<<<<<<< HEAD +======= + - "CFLAGS=-Wno-error ./configure --with-compat --add-dynamic-module=../../ModSecurity-nginx" +>>>>>>> 5286972 (refactor: extract & paint) - "make modules" + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: import nginx role Debian/Ubuntu vars include_vars: - file: "../ansible-role-nginx/vars/Debian.yml" + file: "../jdauphant.nginx/vars/Debian.yml" when: - ansible_os_family == "Debian" - name: import nginx role RedHat/Centos/OracleLinux vars include_vars: - file: "../ansible-role-nginx/vars/RedHat.yml" + file: "../jdauphant.nginx/vars/Redhat.yml" when: - ansible_os_family == "RedHat" @@ -116,6 +129,7 @@ src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so" dest: "{{ nginx_modules_location }}" remote_src: yes + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: Copy GeoIP module to Nginx modules folder copy: @@ -138,6 +152,7 @@ #path: /etc/nginx/modsec path: "{{ nginx_conf_dir }}/modsec" state: directory + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Check if modsecurity.conf already exists stat: @@ -149,15 +164,14 @@ src: "~/ModSecurity/modsecurity.conf-recommended" dest: "{{ nginx_conf_dir }}/modsec/modsecurity.conf" remote_src: yes - register: modsecurity_conf_copied - changed_when: modsecurity_conf_copied.changed - when: not modsecurity_conf_stat.stat.exists + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Copy unicode.mapping file also copy: src: "~/ModSecurity/unicode.mapping" dest: "{{ nginx_conf_dir }}/modsec/unicode.mapping" remote_src: yes + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Activate blocking rather than detection only replace: 
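Review bot: This hunk commits unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======`, `>>>>>>> 5286972 (refactor: extract & paint)` — into the `with_items` list, so tasks/compile.yml no longer parses and the series is broken from this commit onwards. Resolving towards the HEAD side looks right: the `CFLAGS=-Wno-error ./configure --with-compat --add-dynamic-module=../../ModSecurity-nginx` item between the markers duplicates the separate `Run configure for building nginx modules` task and would re-run configure without the GeoIP flags. The same hunk also changes the vars file back to `../jdauphant.nginx/vars/Redhat.yml`, whereas patch 01 corrected it to `RedHat.yml`; if the pinned jdauphant.nginx v2.21.2 ships the file as `Redhat.yml` the earlier fix was wrong and the revert deserves a commit message line, otherwise this is a regression on case-sensitive filesystems.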
@@ -165,22 +179,25 @@ regexp: "SecRuleEngine DetectionOnly" replace: "SecRuleEngine On" backup: yes - when: modsecurity_conf_copied.changed + when: nginx_modsec3_crs3_block_mode == true and (not crs3_present or nginx_modsec3_crs3_force_compile) + - name: Create a main.conf from template template: src: main.conf.j2 dest: "{{ nginx_conf_dir }}/modsec/main.conf" + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Obtain OWASP Modsecurity Rules git: repo: "https://github.com/coreruleset/coreruleset" dest: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs" - #version: "v3.3.5" version: "{{ nginx_modsec3_crs3_core_rule_set_version }}" + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Copy crs-setup.conf.example to become crs-setup.conf copy: src: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs/crs-setup.conf.example" dest: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs/crs-setup.conf" remote_src: yes + when: not crs3_present or nginx_modsec3_crs3_force_compile diff --git a/tasks/main.yml b/tasks/main.yml index 8cc2223..4096e31 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,5 @@ --- -# tasks file for ansible-role-nginx-modsec3-crs3 +# tasks file for jdauphant.nginx-modsec3-crs3 - name: Installing Pre-Reqs for Debian/Ubuntu apt: 
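Review bot: The new `when: nginx_modsec3_crs3_block_mode == true and (...)` only decides whether the `DetectionOnly` → `On` replace runs; nothing writes `SecRuleEngine DetectionOnly` back when the variable is false, so the README text added in patch 05 ("if False, then Detection Only mode is set") holds only for a freshly copied modsecurity.conf, not for a host previously provisioned in blocking mode. A `lineinfile` that sets the directive to the value derived from the flag would make the variable authoritative; at minimum a comment on the task should say it is one-way. Comparing a boolean with `== true` is unnecessary, and `nginx_modsec3_crs3_block_mode | bool and (...)` also tolerates string values passed from the command line.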
@@ -55,17 +55,41 @@ state: present when: ansible_os_family == "RedHat" -- name: get the rpm or apt package facts +- name: Get the rpm or apt package facts package_facts: manager: "auto" -- name: record nginx version +- name: Record nginx version set_fact: nginx_modsec3_crs3_nginx_version: "{{ ansible_facts.packages.nginx[0].version.split('-')[0] }}" - name: Compile ModSecurity3 , install OWAPS CRS3, and build nginx modules import_tasks: compile.yml +- name: Set nginx_conf_dir if not already set + set_fact: + nginx_conf_dir: "/etc/nginx" + when: nginx_conf_dir is not defined + +- name: Check if ModSecurity3 is present + stat: + path: /usr/local/modsecurity/lib/libmodsecurity.so + register: modsec3_present + +- name: Check if modsecurity-nginx is present + stat: + path: /usr/lib/nginx/modules/ngx_http_modsecurity_module.so + register: modsec3_nginx_present + +- name: Check if OWASP CRS3 is present + stat: + path: /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf + register: crs3_present + +- name: Compile ModSecurity3 and install OWAPS CRS3 + include: compile.yml + when: nginx_modsec3_enabled + - name: Configure Nginx now that the Modsec module is built import_role: name: jdauphant.nginx From ad6c5b30ddd99dec7b7c8417acbf235f597404fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 16:05:25 +0100 Subject: [PATCH 04/12] refactor: add new author & metadata --- LICENSE | 61 +++++++++++++++++++++++++++++++----------------- meta/main.yml | 14 ++++++----- requirements.yml | 1 + 3 files changed, 48 insertions(+), 28 deletions(-) diff --git a/LICENSE b/LICENSE index 717e5d7..1c91740 100644 --- a/LICENSE +++ b/LICENSE 
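Review bot: The stat tasks that register `modsec3_present`, `modsec3_nginx_present` and `crs3_present` are placed after the existing `import_tasks: compile.yml` (unchanged context at the top of the hunk), yet compile.yml's new conditions read those variables, so on a first run the imported tasks fail on an undefined variable, and on any later run compile.yml executes twice — once from the import and once from the new `include: compile.yml`. The three stat tasks should move above the first import and the second include go away, with the first import gated by `nginx_modsec3_enabled` if that flag is wanted. The check paths hard-code `/usr/lib/nginx/modules/` and `/etc/nginx/modsec/` although the role otherwise uses `{{ nginx_modules_location }}` and `{{ nginx_conf_dir }}` (set in the task just above), so a host with a different modules directory is reported as missing the module every run. `Set nginx_conf_dir if not already set` here duplicates the identical task in compile.yml.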
@@ -1,22 +1,39 @@ -MIT License - -Copyright (c) 2019 Perry Kollmorgen - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - + /* + * Copyright (c) 2022 GPL-3.0-or-later nginx_modsec3_crs Coopdevs + * + * This file is free software: you may copy, redistribute and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or (at your + * option) any later version. + * + * This file is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see https://www.gnu.org/licenses. 
+ * + * This file incorporates work covered by the following copyright and + * permission notice: + * + * MIT License + * Copyright (c) 2019 Perry Kollmorgen + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml index 5005a49..c948c4e 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,11 +1,11 @@ galaxy_info: - author: "Perry Kollmorgen (https://github.com/perryk)" - role_name: nginx_modsec3_crs3 - description: "Installs Nginx, Compiles ModSecurity3, and downloads the OWASP CRS ruleset (https://nginx.com, https://owasp.org/, https://coreruleset.org/)" + author: "Coopdevs (https://github.com/coopdevs)" + role_name: "nginx_modsec3_crs" + description: "Installs Nginx, Compiles ModSecurity3, and downloads the OWASP CRS v3 ruleset. Forked from Perry Kollmorgen's role (https://github.com/perryk) " - license: MIT + license: "GPL-3.0-or-later" - min_ansible_version: 2.4 + min_ansible_version: "2.4" platforms: - name: EL @@ -33,6 +33,7 @@ galaxy_info: - impish - jammy - mantic + - noble galaxy_tags: - modsecurity @@ -43,4 +44,5 @@ galaxy_info: - web - system -dependencies: [] +dependencies: + - role: jdauphant.nginx diff --git a/requirements.yml b/requirements.yml index c44fd8b..6b21bf7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,2 +1,3 @@ --- - src: jdauphant.nginx + version: v2.21.2 From 68aa4826fdf48e9e16bda0b4502561cbcfc70f76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 16:05:52 +0100 Subject: [PATCH 05/12] doc: update doc with new features --- README.md | 71 ++++++++++++++++++++----------------------------------- 1 file changed, 26 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index eb77e3c..161df7e 100644 --- a/README.md +++ b/README.md 
@@ -1,17 +1,7 @@ -# Ansible role for Installing Nginx, compiling ModSecurity3, and installing the OWASP CRS v3 ruleset +# nginx_modsec3_crs role +## Ansible role for Installing Nginx, compiling ModSecurity3, and installing the OWASP CRS v3 ruleset -ModSecurity3 is a powerful open source cross-platform web application firewall (WAF). - -was: https://modsecurity.org/ , now owned by https://owasp.org/ - -It goes hand in hand with a ruleset known as OWASP CRS. Note, this role often refers to CRS3, however CRS version 4 has been released now. - -was: https://modsecurity.org/crs/, now https://owasp.org/www-project-modsecurity-core-rule-set/ -also: https://coreruleset.org/ and https://github.com/coreruleset/coreruleset/ - -Additionally both of these go hand in hand with a webserver, either Apache or Nginx, this role only supports Nginx however. - -https://www.nginx.com +Forked from @perryk's [ansible-role-nginx-modsec3-crs3](https://github.com/perryk/ansible-role-nginx-modsec3-crs3) There are a number of libraries and packages which ModSecurity3 depends on and will be installed via this role. 
@@ -21,21 +11,7 @@ Nginx support is primarily provided by the dependent role `ansible-role-nginx` b https://github.com/jdauphant/ansible-role-nginx -By default this role will install Nginx packages from OS provided repos, this is recommended to be changed to installing from the official Nginx repo instead. - -This can be done by setting this variable: - -``` nginx_official_repo: true``` - -Optionally, this role can build the GeoIP and/or the MaxMind Nginx modules if you want geolocation lookups. You likely require a licensed copy of an up to date database from here if you want to use MaxMind: https://www.maxmind.com/en/geoip-databases - -You can enable these from the following variables: - -``` nginx_modsec3_crs3_geoip_enabled: false``` -``` nginx_modsec3_crs3_maxmind_enabled: true``` - -note: this role won't re-run the configure and make steps if their output exists, so if you change the options you want such as the different modules above you make need to delete the Makefile and remove any .so files from the objs/ folder. - +:warning: jdauphant's nginx role is no longer mantained. ## Requirements 
@@ -46,26 +22,33 @@ Install any required [Ansible](https://www.ansible.com) roles from `requirements ```bash ansible-galaxy install -r requirements.yml ``` - -n.b in particular this role will call certain tasks from the nginx role so be sure to have it installed in the same location as this role and with a specific name of "ansible-role-nginx". - i.e this in the requirements.yml file for your project's playbook (not the requirements.yml file for this role) you will need to include both this role and the role mentioned above like this: ```yml -- src: perryk.nginx_modsec3_crs3 +- src: coopdevs.nginx_modsec3_crs -- src: https://github.com/jdauphant/ansible-role-nginx - version: master +- src: jdauphant.nginx + version: v2.21.2 ``` - ## Role Variables Browse the role's [defaults/main.yml](defaults/main.yml) and [vars/main.yml](vars/main.yml) files to see if there is anything you would like to change or need to override by setting in your playbook. -There are currently no variables of note being set. +Specific-role vars are explained below, with their default value set. -There are lots of variables however in the nginx role, perhaps the best explanation of these are all the examples in the role [README.md](https://github.com/jdauphant/ansible-role-nginx/blob/master/README.md) file. +```yaml +# Enables the modsecurity compilation, installation and configuration if it is not installed +nginx_modsec3_enabled: True + # Set the ruleset version +nginx_modsec3_crs_version: v3.4/dev +# Force modsecurity task despite it is already installed +nginx_modsec3_crs3_force_compile: False +# Enable the block mode (if False, then "Detection Only" mode is set) +nginx_modsec3_crs3_block_mode: True +``` + +There are lots of variables more in the nginx role, perhaps the best explanation of these are all the examples in the role [README.md](https://github.com/jdauphant/ansible-role-nginx/blob/master/README.md) file. ## Example Playbook 
@@ -89,15 +72,12 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul - ngx_http_geoip_module nginx_sites: default: - - listen 80 - - server_name _ - - "modsecurity on" - - "modsecurity_rules_file /etc/nginx/modsec/main.conf" - - root "/usr/share/nginx/html" - - index index.html - + - ... + - modsecurity on; + - modsecurity_rules_file /etc/nginx/modsec/main.conf; + - ... roles: - - perryk.nginx-modsec3-crs3 + - coopdevs.nginx_modsec3_crs ``` # License @@ -107,4 +87,5 @@ MIT ## Author Information Perry Kollmorgen - https://github.com/perryk +Coopdevs - https://coopdevs.org From f320d1bd9d33bb7792661ab4dc1e5b80b8c5f0c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 16:10:03 +0100 Subject: [PATCH 06/12] doc: fix doc --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 161df7e..e22d515 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # nginx_modsec3_crs role ## Ansible role for Installing Nginx, compiling ModSecurity3, and installing the OWASP CRS v3 ruleset -Forked from @perryk's [ansible-role-nginx-modsec3-crs3](https://github.com/perryk/ansible-role-nginx-modsec3-crs3) +Forked from @perryk [ansible-role-nginx-modsec3-crs3](https://github.com/perryk/ansible-role-nginx-modsec3-crs3) There are a number of libraries and packages which ModSecurity3 depends on and will be installed via this role. @@ -82,10 +82,10 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul # License -MIT +GPL-3.0-or-later ## Author Information -Perry Kollmorgen - https://github.com/perryk +Perry Kollmorgen - https://github.com/perryk Coopdevs - https://coopdevs.org From 076f129f6207775f4a62591ec0764e810bc3038e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 16:34:20 +0100 Subject: [PATCH 07/12] fix: pin dependencies --- meta/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/main.yml b/meta/main.yml index c948c4e..b17ea29 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -46,3 +46,4 @@ galaxy_info: dependencies: - role: jdauphant.nginx + version: v2.21.2 From 6207b25933cf46111b8442e55c62ceaff7db8aae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 18:47:02 +0100 Subject: [PATCH 08/12] fix: remove dependencies from meta package --- README.md | 25 +++++++++++++------------ meta/main.yml | 4 ---- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index e22d515..bba3274 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # nginx_modsec3_crs role ## Ansible role for Installing Nginx, compiling ModSecurity3, and installing the OWASP CRS v3 ruleset -Forked from @perryk [ansible-role-nginx-modsec3-crs3](https://github.com/perryk/ansible-role-nginx-modsec3-crs3) +> Forked from [**@perryk**'s](https://github.com/perryk) [ansible-role-nginx-modsec3-crs3](https://github.com/perryk/ansible-role-nginx-modsec3-crs3) There are a number of libraries and packages which ModSecurity3 depends on and will be installed via this role. @@ -31,6 +31,9 @@ i.e this in the requirements.yml file for your project's playbook (not the requi version: v2.21.2 ``` +Other dependencies are embedded in Ansible Galaxy's metadata, who should take care of install them: +- `jdauphant.nginx` at version v2.21.2 + ## Role Variables Browse the role's [defaults/main.yml](defaults/main.yml) and [vars/main.yml](vars/main.yml) files to see if there is anything you would like to change or need to override by setting in your playbook. 
@@ -42,8 +45,8 @@ Specific-role vars are explained below, with their default value set. nginx_modsec3_enabled: True # Set the ruleset version nginx_modsec3_crs_version: v3.4/dev -# Force modsecurity task despite it is already installed -nginx_modsec3_crs3_force_compile: False +# Force modsecurity recompile despite it is already installed +nginx_modsec3_crs3_force_compile: True # Enable the block mode (if False, then "Detection Only" mode is set) nginx_modsec3_crs3_block_mode: True ``` @@ -59,12 +62,9 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul - hosts: servers vars: - + nginx_modsec3_crs_version: v4.0/dev nginx_pkgs: - nginx - nginx_install_epel_repo: false - nginx_official_repo: true - nginx_official_repo_mainline: true nginx_module_configs: - ngx_http_modsecurity_module - ngx_http_geoip2_module @@ -72,10 +72,11 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul - ngx_http_geoip_module nginx_sites: default: - - ... - - modsecurity on; - - modsecurity_rules_file /etc/nginx/modsec/main.conf; - - ... + - | + ... + modsecurity on; + modsecurity_rules_file /etc/nginx/modsec/main.conf; + ... roles: - coopdevs.nginx_modsec3_crs ``` @@ -87,5 +88,5 @@ GPL-3.0-or-later ## Author Information Perry Kollmorgen - https://github.com/perryk -Coopdevs - https://coopdevs.org +[Coopdevs](https://coopdevs.org) - https://github.com/coopdevs diff --git a/meta/main.yml b/meta/main.yml index b17ea29..aaecee2 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -43,7 +43,3 @@ galaxy_info: - nginx - web - system - -dependencies: - - role: jdauphant.nginx - version: v2.21.2 From 9e7cd93c87ca9c7ba9a4ed166cadee7ff3c33cb3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 18:47:32 +0100 Subject: [PATCH 09/12] fix: clear previous compilations and enable plugin
---
 defaults/main.yml | 3 ++- tasks/compile.yml | 24 +++++++++++++++++++---- tasks/main.yml | 4 +++- templates/50-mod-http-modsecurity.conf.j2 | 1 + 4 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 templates/50-mod-http-modsecurity.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index ff5ae62..3b0c95e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,7 +2,7 @@
 # defaults file for coopdevs.nginx_modsec3_crs
 nginx_modsec3_enabled: True
 nginx_modsec3_crs_version: v3.4/dev
-nginx_modsec3_crs3_force_compile: False
+nginx_modsec3_crs3_force_compile: True
 nginx_modsec3_crs3_block_mode: True
 nginx_modsec3_crs3_debian_pre_reqs:
 - git
@@ -52,3 +52,4 @@ nginx_modsec3_crs3_maxmind_enabled: false
 nginx_modsec3_crs3_core_rule_set_version: "v4.0.0"
 nginx_official_repo: True
+nginx_official_repo_mainline: True
diff --git a/tasks/compile.yml b/tasks/compile.yml
index 9d8319b..3504fcb 100644
--- a/tasks/compile.yml
+++ b/tasks/compile.yml
@@ -7,6 +7,24 @@
 path: "~/ModSecurity"
 register: modsecurity_folder
+- name: Set nginx_modules_location if not already set
+ set_fact:
+ nginx_modules_location: "{{ nginx_conf_dir }}/modules"
+ when: nginx_modules_location is not defined
+
+- name: Clear previous compilation
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - "~/ModSecurity"
+ - "~/ModSecurity-nginx"
+ - "~/Nginx"
+ - "/tmp/nginx-*.tar.gz"
+ - "{{ nginx_modules_location }}/ngx_http_modsecurity_module.so"
+ - "{{ nginx_conf_dir }}/modsec/"
+ when: nginx_modsec3_crs3_force_compile
+
 - name: Obtain Modsecurity source code for branch v3/master
 git:
 repo: "https://github.com/owasp-modsecurity/ModSecurity"
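Review bot: The `"/tmp/nginx-*.tar.gz"` item in the new "Clear previous compilation" task removes nothing, because the `file` module takes `path` literally and does not expand shell globs; if the tarball must be cleaned up, resolve it first with `find: paths: /tmp, patterns: "nginx-*.tar.gz"` and loop over its `results`. The same task deletes `"{{ nginx_conf_dir }}/modsec/"` in full, and since this commit also flips the `nginx_modsec3_crs3_force_compile` default to `True` in defaults/main.yml, a plain re-run of the role now wipes the whole ModSecurity configuration tree (including any locally added rule exclusions) every time — that needs a comment stating the intent, and probably a narrower target such as the CRS checkout only. `nginx_conf_dir` is referenced here, in the first set_fact and in the deletion list, before compile.yml's own "set nginx_conf_dir if not already set" task further down this file, so the run fails on an undefined variable unless the caller or the nginx role's vars already define it (a later patch in this series moves that resolution into main.yml). `with_items` is the legacy loop form; `loop:` is the current spelling.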
@@ -33,7 +51,6 @@
 - "make install"
 when: not modsec3_present or nginx_modsec3_crs3_force_compile
-
 - name: Obtain Modsecurity-nginx source code
 git:
 repo: "https://github.com/owasp-modsecurity/ModSecurity-nginx"
@@ -100,10 +117,7 @@
 chdir: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}"
 creates: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so"
 with_items:
-<<<<<<< HEAD
-=======
 - "CFLAGS=-Wno-error ./configure --with-compat --add-dynamic-module=../../ModSecurity-nginx"
->>>>>>> 5286972 (refactor: extract & paint)
 - "make modules"
 when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile
@@ -112,12 +126,14 @@
 file: "../jdauphant.nginx/vars/Debian.yml"
 when:
 - ansible_os_family == "Debian"
+ #- nginx_python_selinux_pkgs is not defined
 - name: import nginx role RedHat/Centos/OracleLinux vars
 include_vars:
 file: "../jdauphant.nginx/vars/Redhat.yml"
 when:
 - ansible_os_family == "RedHat"
+ #- nginx_python_selinux_pkgs is not defined
 - name: set nginx_conf_dir if not already set
 set_fact:
diff --git a/tasks/main.yml b/tasks/main.yml
index 4096e31..91af8b3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -75,16 +75,19 @@
 stat:
 path: /usr/local/modsecurity/lib/libmodsecurity.so
 register: modsec3_present
+ when: not nginx_modsec3_crs3_force_compile
 - name: Check if modsecurity-nginx is present
 stat:
 path: /usr/lib/nginx/modules/ngx_http_modsecurity_module.so
 register: modsec3_nginx_present
+ when: not nginx_modsec3_crs3_force_compile
 - name: Check if OWASP CRS3 is present
 stat:
 path: /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf
 register: crs3_present
+ when: not nginx_modsec3_crs3_force_compile
 - name: Compile ModSecurity3 and install OWAPS CRS3
 include: compile.yml
@@ -115,4 +118,3 @@
 name: "{{ installed.stdout_lines }}"
 state: absent
 when: installed is defined and (nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep)
-
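Review bot: The two `#- nginx_python_selinux_pkgs is not defined` lines added to the `when:` lists of both include_vars tasks are commented-out conditions, which leave the next reader guessing whether the guard is wanted or was found broken; either drop them or replace each with a short note such as `# TODO: skip when jdauphant.nginx already loaded its vars (nginx_python_selinux_pkgs is defined)`.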
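Review bot: Guarding the three `stat` tasks with `when: not nginx_modsec3_crs3_force_compile` leaves `modsec3_present`, `modsec3_nginx_present` and `crs3_present` holding a skipped-task result on the forced path and a stat result mapping otherwise; either way the variable is a non-empty mapping, so a condition like `when: not modsec3_present or nginx_modsec3_crs3_force_compile` (visible as context on the `make install` step in compile.yml above) never takes the "not present" branch, and with force_compile set to false nothing is built even when the library is missing. Test the field the check is really about, e.g. `when: not (modsec3_present.stat.exists | default(false)) or nginx_modsec3_crs3_force_compile`, which also behaves when the stat task was skipped. The checked paths remain hard-coded (`/usr/lib/nginx/modules/...`, `/etc/nginx/modsec/...`) while the copy step in compile.yml targets `nginx_modules_location`; the later patch that derives those locations dynamically does not appear to update these checks, so the two can disagree on packaged nginx builds.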
diff --git a/templates/50-mod-http-modsecurity.conf.j2 b/templates/50-mod-http-modsecurity.conf.j2 new file mode 100644
index 0000000..963f2c8
--- /dev/null
+++ b/templates/50-mod-http-modsecurity.conf.j2
@@ -0,0 +1 @@
+load_module {{ nginx_modules_location }}/ngx_http_modsecurity_module.so;
\ No newline at end of file
From 0944f996570e399bbe3aa391d20274038a325161 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 19:04:29 +0100 Subject: [PATCH 10/12] docs: fix README
---
 README.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/README.md b/README.md
index bba3274..a857cc0 100644
--- a/README.md
+++ b/README.md
@@ -30,10 +30,6 @@ i.e this in the requirements.yml file for your project's playbook (not the requi
 - src: jdauphant.nginx
 version: v2.21.2
 ```
-
-Other dependencies are embedded in Ansible Galaxy's metadata, who should take care of install them:
-- `jdauphant.nginx` at version v2.21.2
-
 ## Role Variables
 Browse the role's [defaults/main.yml](defaults/main.yml) and [vars/main.yml](vars/main.yml) files to see if there is anything you would like to change or need to override by setting in your playbook.
@@ -62,6 +58,7 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul
 - hosts: servers
 vars:
+ nginx_modsec3_enabled: True
 nginx_modsec3_crs_version: v4.0/dev
 nginx_pkgs:
 - nginx
From 9e07c23d759787f47cebd32864af1bbf40dd8622 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pelayo=20Garc=C3=ADa?= <25091358+oyale@users.noreply.github.com> Date: Tue, 13 Dec 2022 20:38:21 +0100 Subject: [PATCH 11/12] fix: dynamically get nginx paths
---
 tasks/compile.yml | 12 +++++++++--- tasks/main.yml | 37 ++++++++++++++++++++++++++++++------- 2 files changed, 39 insertions(+), 10 deletions(-)
diff --git a/tasks/compile.yml b/tasks/compile.yml
index 3504fcb..cc521bd 100644
--- a/tasks/compile.yml
+++ b/tasks/compile.yml
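Review bot: The new template file has no trailing newline (`\ No newline at end of file`); a generated nginx config fragment should end with one so the directive stays on its own line however the fragment is assembled. I also do not see a task in this patch series that renders `50-mod-http-modsecurity.conf.j2`, so if it is consumed by the nginx role's module-config mechanism rather than by this role, a first-line comment such as `# rendered by jdauphant.nginx; nginx_modules_location is set in tasks/compile.yml` would make that implicit dependency visible to the next maintainer.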
@@ -7,9 +7,15 @@
 path: "~/ModSecurity"
 register: modsecurity_folder
-- name: Set nginx_modules_location if not already set
+- name: Get Nginx modules location
+ shell: nginx -V 2>&1 | grep "configure arguments:" | sed -e 's/.*--modules-path=\([^ ]*\).*/\1/'
+ register: _nginx_modules_location
+ changed_when: false
+ when: nginx_modules_location is not defined
+
+- name: Set variable nginx_modules_location
 set_fact:
- nginx_modules_location: "{{ nginx_conf_dir }}/modules"
+ nginx_modules_location: "{{ _nginx_modules_location.stdout }}"
 when: nginx_modules_location is not defined
 - name: Clear previous compilation
@@ -143,7 +149,7 @@
 - name: Copy ModSecurity-nginx to Nginx modules folder
 copy:
 src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so"
- dest: "{{ nginx_modules_location }}"
+ dest: "{{ nginx_modules_location }}/ngx_http_modsecurity_module.so"
 remote_src: yes
 when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile
diff --git a/tasks/main.yml b/tasks/main.yml
index 91af8b3..7a98206 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
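Review bot: The `sed` pipeline behind `_nginx_modules_location` returns its input line unchanged when `nginx -V` reports no `--modules-path=` configure argument, so `nginx_modules_location` then becomes the whole `configure arguments: ...` string instead of a directory, and that value is used both as a deletion target in the "Clear previous compilation" task just below this hunk and as the `copy` destination in the second hunk. Validate the extraction before trusting it, e.g. add `failed_when: _nginx_modules_location.stdout is not match('/')` to the shell task (a plain `regex_search('--modules-path=(\S+)', '\1')` on the captured output with a documented fallback would read better than the grep/sed chain), and give the task a comment saying the path is read from the installed binary because packaged builds differ. The `--conf-path` extraction added to tasks/main.yml by the same patch has the same gap and deserves the same guard.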
@@ -13,21 +13,41 @@
 state: present
 when: ansible_os_family == "RedHat"
-- name: run Nginx selinux tasks
+- name: Save the current list of packages for Debian/Ubuntu
+ shell: dpkg-query -l > /tmp/before.txt
+ when: ansible_os_family == "Debian" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep )
+
+- name: Save the current list of packages for RHEL/Centos
+ shell: rpm -qa > /tmp/before.txt
+ when: ansible_os_family == 'RedHat' and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep )
+
+- name: Installing compiler dependencies for Debian/Ubuntu
+ apt:
+ name: "{{ nginx_modsec3_crs3_debian_compiler_reqs }}"
+ state: present
+ when: ansible_os_family == "Debian"
+
+- name: Installing compiler dependencies for RHEL/Centos
+ yum:
+ name: "{{ nginx_modsec3_crs3_redhat_compiler_reqs }}"
+ state: present
+ when: ansible_os_family == "Redhat"
+
+- name: Run Nginx SElinux tasks
 include_role:
 name: jdauphant.nginx
 tasks_from: selinux.yml
 allow_duplicates: yes
 when: ansible_selinux and ansible_selinux.status == "enabled"
-- name: run Nginx nginx offical repo tasks
+- name: Run Nginx official repo tasks
 include_role:
 name: jdauphant.nginx
 tasks_from: nginx-official-repo.yml
 allow_duplicates: yes
 when: nginx_official_repo == True
-- name: run Nginx install packages tasks
+- name: Run Nginx install packages tasks
 include_role:
 name: jdauphant.nginx
 tasks_from: installation.packages.yml
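Review bot: `when: ansible_os_family == "Redhat"` on the new "Installing compiler dependencies for RHEL/Centos" task never matches — the fact value is `RedHat`, as every other condition in this hunk spells it — so the `yum` step is silently skipped on RHEL-family hosts and the later compile fails for want of a toolchain; change it to `when: ansible_os_family == "RedHat"`. The package snapshots are written by shell redirect to the fixed, predictable path `/tmp/before.txt` in a world-writable directory, and that snapshot appears to drive which packages the role later removes (`name: "{{ installed.stdout_lines }}"` with `state: absent` in the keep-cleanup step); a local account that pre-creates or edits that file can influence a root-privileged removal, so create it with the `tempfile` module (or under a root-owned directory with an explicit `mode`) and register the path rather than hard-coding it. `when: nginx_official_repo == True` reads more idiomatically as `when: nginx_official_repo`.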
@@ -63,12 +83,15 @@
 set_fact:
 nginx_modsec3_crs3_nginx_version: "{{ ansible_facts.packages.nginx[0].version.split('-')[0] }}"
-- name: Compile ModSecurity3 , install OWAPS CRS3, and build nginx modules
- import_tasks: compile.yml
+- name: Get Nginx conf location
+ shell: dirname $(nginx -V 2>&1 | grep "configure arguments:" | sed -e 's/.*--conf-path=\([^ ]*\).*/\1/')
+ register: _nginx_conf_location
+ changed_when: false
+ when: nginx_conf_dir is not defined
-- name: Set nginx_conf_dir if not already set
+- name: Set variable nginx_conf_dir
 set_fact:
- nginx_conf_dir: "/etc/nginx"
+ nginx_conf_dir: "{{ _nginx_conf_location.stdout }}"
 when: nginx_conf_dir is not defined
 - name: Check if ModSecurity3 is present
From 3b8622e59cbbebd48d57c08c5d8c2121c8b85197 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9sar=20L=C3=B3pez=20Ram=C3=ADrez?= Date: Sun, 6 Oct 2024 13:35:42 +0200 Subject: [PATCH 12/12] Make compatible with last versions of Ansible
---
 tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 7a98206..c1771ee 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -113,7 +113,7 @@
 when: not nginx_modsec3_crs3_force_compile
 - name: Compile ModSecurity3 and install OWAPS CRS3
- include: compile.yml
+ include_tasks: compile.yml
 when: nginx_modsec3_enabled
 - name: Configure Nginx now that the Modsec module is built