From 3bfbd3f7f9d57a955f7ffd0549f5457dd876b148 Mon Sep 17 00:00:00 2001 From: sujiba Date: Tue, 17 Sep 2024 00:47:41 +0200 Subject: [PATCH] first commit --- README.md | 38 +++++++++++++++ defaults/main.yml | 19 ++++++++ handlers/main.yml | 12 +++++ meta/main.yml | 52 ++++++++++++++++++++ tasks/main.yml | 84 +++++++++++++++++++++++++++++++++ templates/http_redirect.conf.j2 | 11 +++++ templates/proxy_params.j2 | 19 ++++++++ templates/reverse_proxy.conf.j2 | 78 ++++++++++++++++++++++++++++++ templates/security.conf.j2 | 10 ++++ templates/ws_params.j2 | 6 +++ 10 files changed, 329 insertions(+) create mode 100644 README.md create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100644 templates/http_redirect.conf.j2 create mode 100644 templates/proxy_params.j2 create mode 100644 templates/reverse_proxy.conf.j2 create mode 100644 templates/security.conf.j2 create mode 100644 templates/ws_params.j2 diff --git a/README.md b/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..b4ed972 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,19 @@ +--- +# defaults file for nginx +# homepage: + # name: homepage + # domains: + # - homepage.intern.example.com + # certificate: intern.example.com + # locations: + # Add Multiple locations + # Add a comment above every location block + # - comments: + # location_name: + # protocol: http + # ip: 127.0.0.1 + # port: 8080 + # path: + # websocket: true + # Add additional nginx settingss + # extra_settings: diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..5e4b62e --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,12 @@ +--- +# handlers file for nginx +- name: Start and enable nginx + ansible.builtin.systemd_service: + name: nginx + state: started + enabled: true + +- name: Reload nginx + ansible.builtin.systemd_service: + name: nginx + state: reloaded diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..aff576b --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,84 @@ +--- +# tasks file for nginx +- name: Install nginx + ansible.builtin.apt: + name: nginx + state: present + notify: Start and enable nginx + +- name: Remove default from sites-enabled + ansible.builtin.file: + path: /etc/nginx/sites-enabled/default + state: absent + +- name: Comment ssl_protocols out in nginx.conf, is defined in security.conf + ansible.builtin.replace: + path: /etc/nginx/nginx.conf + regexp: '^(\s*ssl_protocols)' + replace: '#\1' + +- name: Second time, because of emptyline ¯\_(ツ)_/¯ + ansible.builtin.replace: + path: /etc/nginx/nginx.conf + regexp: '^(\s*ssl_protocols)' + replace: '#\1' + +- name: Comment ssl_prefer_server_ciphers out in nginx.conf, is defined in security.conf + ansible.builtin.replace: + path: /etc/nginx/nginx.conf + regexp: '^(\s*ssl_prefer_server_ciphers)' + replace: '#\1' + +- name: Create security.conf + ansible.builtin.template: + src: templates/security.conf.j2 + dest: /etc/nginx/conf.d/security.conf + owner: root + group: root + mode: '0644' + notify: Reload nginx + +- name: Create proxy_params + ansible.builtin.template: + src: templates/proxy_params.j2 + dest: /etc/nginx/proxy_params + owner: root + group: root + mode: '0644' + notify: Reload nginx + +- name: Create ws_params + ansible.builtin.template: + src: templates/ws_params.j2 + dest: /etc/nginx/ws_params + owner: root + group: root + mode: '0644' + notify: Reload nginx + +- name: Configure http redirect + ansible.builtin.template: + src: templates/http_redirect.conf.j2 + dest: /etc/nginx/conf.d/http_redirect.conf + owner: root + group: root + mode: '0644' + notify: Reload nginx + +- name: Configure reverse proxies + ansible.builtin.template: + src: templates/reverse_proxy.conf.j2 + dest: /etc/nginx/sites-available/{{ item.key }}.conf + owner: root + group: root + mode: '0644' + loop: "{{ reverse_proxies | dict2items }}" + notify: Reload nginx + +- name: Create a symbolic link + ansible.builtin.file: + src: /etc/nginx/sites-available/{{ item.key }}.conf + dest: /etc/nginx/sites-enabled/{{ item.key }}.conf + state: link + loop: "{{ reverse_proxies | dict2items }}" + notify: Reload nginx diff --git a/templates/http_redirect.conf.j2 b/templates/http_redirect.conf.j2 new file mode 100644 index 0000000..3b5fc21 --- /dev/null +++ b/templates/http_redirect.conf.j2 @@ -0,0 +1,11 @@ +#jinja2: lstrip_blocks: True +# {{ ansible_managed }} + +server { + listen 80 default_server; + listen [::]:80 default_server; + + location / { + return 301 https://$host$request_uri; + } +} \ No newline at end of file diff --git a/templates/proxy_params.j2 b/templates/proxy_params.j2 new file mode 100644 index 0000000..766181b --- /dev/null +++ b/templates/proxy_params.j2 @@ -0,0 +1,19 @@ +#jinja2: lstrip_blocks: True +# {{ ansible_managed }} + +# Set headers +proxy_set_header Host $http_host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; + +{# +# Hide headers +proxy_hide_header Server; +proxy_hide_header X-Powered-By; +proxy_hide_header X-Frame-Options; +proxy_hide_header X-XSS-Protection; +proxy_hide_header Content-Security-Policy; +proxy_hide_header Referrer-Policy; +proxy_hide_header Strict-Transport-Security; + #} diff --git a/templates/reverse_proxy.conf.j2 b/templates/reverse_proxy.conf.j2 new file mode 100644 index 0000000..199906e --- /dev/null +++ b/templates/reverse_proxy.conf.j2 @@ -0,0 +1,78 @@ +#jinja2: lstrip_blocks: True +# {{ ansible_managed }} + +# generated 2024-03-26, Mozilla Guideline v5.7, nginx 1.22.1, OpenSSL 3.0.11, modern configuration +# https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=modern&openssl=3.0.11&guideline=5.7 + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ item.value.domains | join(' ') }}; + + ssl_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.fullchain; + ssl_certificate_key {{ tls_cert_path }}/{{ item.value.certificate }}.key; + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate {{ tls_cert_path }}/{{ item.value.certificate }}.ca; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # modern configuration + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + # replace with the IP address of your resolver + resolver 127.0.0.1; + + # Logs + access_log /var/log/nginx/{{ item.key }}_access.log; + error_log /var/log/nginx/{{ item.key }}_error.log warn; + + {% if item.value.sec_headers is not defined or item.value.sec_headers %} + # Additional security headers + # https://developer.mozilla.org/en-US/docs/Web/HTTP + # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + add_header Referrer-Policy "no-referrer"; + add_header X-XSS-Protection "0"; + {% endif %} + {% if item.value.no_index is not defined or item.value.no_index %} + # If you don't want to get indexed + add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive, noimageindex"; + {% endif %} + {% if item.value.enable_csp is defined and item.value.enable_csp %} + add_header Content-Security-Policy "default-src 'self' {{ item.value.certificate }} *.{{ item.value.certificate }};"; + {% endif %} + +{% for item in item.value.locations %} + {% if item.comments is defined %} + {% for comment in item.comments %} + {{ comment }} + {% endfor %} + {% endif %} + location {% if item.location_name is defined %}{{ item.location_name }}{% else %}/{% endif %} { + {% if item.protocol is defined %} + proxy_pass {{ item.protocol }}://{{ item.ip }}:{{ item.port }}{% if item.path is defined %}/{{ item.path }}{% endif %}; + include proxy_params; + {% endif %} + {% if item.websocket is defined and item.websocket %} + include ws_params; + {% endif %} + {% if item.extra_settings is defined %} + {% for extra_setting in item.extra_settings %} + {{ extra_setting }} + {% endfor %} + {% endif %} + } + +{% endfor %} +} diff --git a/templates/security.conf.j2 b/templates/security.conf.j2 new file mode 100644 index 0000000..e640967 --- /dev/null +++ b/templates/security.conf.j2 @@ -0,0 +1,10 @@ +#jinja2: lstrip_blocks: True +# {{ ansible_managed }} + +# Rate limiting +# https://blog.nginx.org/blog/rate-limiting-nginx +# https://www.techgrube.de/news-und-infos/nginx-rate-limiting-einstellungen-und-funktion +limit_req_zone $binary_remote_addr zone=conn_limit:10m rate=5r/s; + +# extras +server_tokens off; diff --git a/templates/ws_params.j2 b/templates/ws_params.j2 new file mode 100644 index 0000000..6d5e589 --- /dev/null +++ b/templates/ws_params.j2 @@ -0,0 +1,6 @@ +#jinja2: lstrip_blocks: True +# {{ ansible_managed }} + +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection "Upgrade";