Update to 2021-12-01 19:13

This commit is contained in:
Daniel Berteaud
2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions


@@ -0,0 +1,39 @@
---
httpd_ssl_ports: ['443']
httpd_ssl_src_ip:
- 0.0.0.0/0
httpd_front_modules:
- ssl
- socache_shmcb
- cache
- cache_disk
- security2
- unique_id
httpd_cert_path: /etc/pki/tls/certs/localhost.crt
httpd_key_path: /etc/pki/tls/private/localhost.key
# httpd_chain_path: /etc/pki/tls/certs/chain.crt
# httpd_ssl_cipher_suite: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
# httpd_dos_page_count: 8
# httpd_dos_site_count: 150
# httpd_dos_page_interval: 1
# httpd_dos_site_interval: 5
# httpd_dos_block_time: 30
# httpd_dos_whitelisted_ip:
# - 12.13.14.15
# - 41.42.43.44
# httpd_cache_max_file_size: 1000000
# httpd_cache_default_expire: 3600
# httpd_cache_max_expire: 86400
# httpd_cache_limit: 200M
# httpd_mod_security: True | audit
# httpd_mod_security_request_body_limit: 13107200
# httpd_mod_security_body_no_files_limit: 131072
# httpd_mod_security_in_memory_limit: 131072
# httpd_mod_sec_disabled_rules:
# - 960015
# - 981203
...
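Review bot: The commented-out example key `httpd_mod_sec_disabled_rules` near the end of this defaults file does not match the variable the security template actually reads, `httpd_mod_security_disabled_rules` (see `{% for id in httpd_mod_security_disabled_rules | default(['960015', '981203']) %}` in 10-security.conf.j2 in this same commit), so anyone who uncomments the example gets their rule exclusions silently ignored. Rename the documented key: `# httpd_mod_security_disabled_rules:`. The same file documents `# httpd_dos_page_count: 8` while evasive.conf.j2 falls back to `default('40')`, so that comment does not describe the effective default either; align the two (noted once here rather than on each template). Quoting the example value `# httpd_mod_security: True | audit` as `"audit"` would also make clearer that a string, not a boolean, selects detection-only mode.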


@@ -0,0 +1,3 @@
#!/bin/sh
/sbin/service httpd reload


@@ -0,0 +1,8 @@
---
- include: ../httpd_common/handlers/main.yml
- name: restart htcacheclean
service: name=htcacheclean state=restarted enabled=yes
...
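Review bot: The `service: name=htcacheclean state=restarted enabled=yes` handler uses the key=value shorthand, which ansible-lint flags and which carries the YAML 1.1 `yes` spelling of a boolean; the block form `service:` / `name: htcacheclean` / `state: restarted` / `enabled: true` is the documented style. The bare `include:` on the first line has been deprecated in favour of `import_tasks:` for some time, so it is worth switching while the file is new. The tasks file in this commit uses the same shorthand throughout and the same remark applies there.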


@@ -0,0 +1,4 @@
---
dependencies:
- { role: httpd_common }
...


@@ -0,0 +1,134 @@
---
- name: Install needed packages
yum:
name:
- mod_ssl
- mod_evasive
- mod_security
- mod_security_crs
tags: [package,web]
- name: List httpd SSL ports
set_fact: httpd_ssl_ports={{ httpd_ssl_ports + (httpd_ansible_vhosts | selectattr('ssl','defined') | selectattr('ssl.port','defined') | map(attribute='ssl.port') | list) | unique }}
tags: [firewall,web]
- name: Allow httpd to bind on ssl ports
seport: ports={{ httpd_ssl_ports | join(',') }} proto=tcp setype=http_port_t state=present
when: ansible_selinux.status == 'enabled'
tags: [firewall,web]
- set_fact: httpd_cert_path={{ '/var/lib/dehydrated/certificates/certs/' + httpd_letsencrypt_cert + '/cert.pem' }}
when: httpd_letsencrypt_cert is defined
tags: [cert,web,conf]
- set_fact: httpd_key_path={{ '/var/lib/dehydrated/certificates/certs/' + httpd_letsencrypt_cert + '/privkey.pem' }}
when: httpd_letsencrypt_cert is defined
tags: [cert,web,conf]
- set_fact: httpd_chain_path={{ '/var/lib/dehydrated/certificates/certs/' + httpd_letsencrypt_cert + '/chain.pem' }}
when: httpd_letsencrypt_cert is defined
tags: [cert,web,conf]
- name: Deploy configuration fragments
template: src={{ item.src }} dest={{ item.dest }}
with_items:
- src: ssl.conf.j2
dest: /etc/httpd/ansible_conf.d/10-ssl.conf
- src: evasive.conf.j2
dest: /etc/httpd/ansible_conf.d/10-evasive.conf
- src: security.conf.j2
dest: /etc/httpd/ansible_conf.d/10-security.conf
- src: common_filter.inc.j2
dest: /etc/httpd/ansible_conf.d/common_filter.inc
- src: common_perf.inc.j2
dest: /etc/httpd/ansible_conf.d/common_perf.inc
- src: common_cache.inc.j2
dest: /etc/httpd/ansible_conf.d/common_cache.inc
- src: common_force_ssl.inc.j2
dest: /etc/httpd/ansible_conf.d/common_force_ssl.inc
- src: common_maintenance.inc.j2
dest: /etc/httpd/ansible_conf.d/common_maintenance.inc
- src: common_mod_security2.inc.j2
dest: /etc/httpd/ansible_conf.d/common_mod_security2.inc
- src: vhost_downtime.conf.j2
dest: /etc/httpd/ansible_conf.d/21-vhost_downtime.conf
- src: 01-front.conf.j2
dest: /etc/httpd/ansible_conf.modules.d/01-front.conf
- src: 02-evasive.conf.j2
dest: /etc/httpd/ansible_conf.modules.d/02-evasive.conf
notify: reload httpd
tags: [conf,web]
- name: Check if Let's Encrypt' cert exist
stat: path=/var/lib/dehydrated/certificates/certs/{{ item.ssl.letsencrypt_cert }}/cert.pem
register: httpd_letsencrypt_certs
with_items: "{{ httpd_ansible_vhosts }}"
when:
- item.ssl is defined
- item.ssl.letsencrypt_cert is defined
tags: [cert,web,conf]
- name: Create directories for missing Let's Encrypt cert
file: path=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }} state=directory
with_items: "{{ httpd_letsencrypt_certs.results }}"
when:
- item.stat is defined
- not item.stat.exists
tags: [cert,web,conf]
- name: Link missing Let's Encrypt cert to the default one
file: src={{ httpd_cert_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }}/cert.pem state=link
with_items: "{{ httpd_letsencrypt_certs.results }}"
when:
- item.stat is defined
- not item.stat.exists
tags: [cert,web,conf]
- name: Link missing Let's Encrypt key to the default one
file: src={{ httpd_key_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }}/privkey.pem state=link
with_items: "{{ httpd_letsencrypt_certs.results }}"
when:
- item.stat is defined
- not item.stat.exists
tags: [cert,web,conf]
- name: Link missing Let's Encrypt chain to the default cert
file: src={{ httpd_cert_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }}/chain.pem state=link
with_items: "{{ httpd_letsencrypt_certs.results }}"
when:
- item.stat is defined
- not item.stat.exists
tags: [cert,web,conf]
- name: Create dehydrated hooks dir
file: path=/etc/dehydrated/hooks_deploy_cert.d/ state=directory
tags: [cert,web]
- name: Deploy dehydrated hook
copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/10httpd.sh mode=755
tags: [cert,web]
- name: Remove old iptables rule
iptables_raw:
name: httpd_ssl_port
state: absent
when: iptables_manage | default(True)
tags: [firewall,web]
- name: Handle HTTPS ports
iptables_raw:
name: httpd_ssl_ports
state: "{{ (httpd_ssl_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ httpd_ssl_ports | join(',') }} -s {{ httpd_ssl_src_ip | join(',') }} -j ACCEPT"
when: iptables_manage | default(True)
tags: [firewall,web]
- name: Deploy the Cache cleaner configuration
template: src=htcacheclean.j2 dest=/etc/sysconfig/htcacheclean
notify: restart htcacheclean
tags: [conf,web]
- name: Enable the htcacheclean service
service: name=htcacheclean state=started enabled=yes
tags: web
...
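Review bot: The `List httpd SSL ports` fact concatenates the default `['443']` (a list of strings) with the `ssl.port` values taken from `httpd_ansible_vhosts`, which are most likely integers; `unique` treats `'443'` and `443` as distinct, so the `seport` and iptables tasks receive `443,443` (harmless today, but it hides a real duplicate check). Normalising with `| map('string') | list` before `unique` avoids that; I cannot see how the vhosts declare the port, so confirm against an inventory. Separately, the `Deploy dehydrated hook` task passes `mode=755` without a leading zero; Ansible accepts it as an octal string in this form, but `mode=0755` (or `"u=rwx,g=rx,o=rx"`) is the documented, unambiguous spelling. The three unnamed `set_fact` tasks for the Let's Encrypt paths would read better with a `name:` like the rest of the file.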


@@ -0,0 +1,3 @@
{% for module in httpd_front_modules %}
LoadModule {{ module }}_module modules/mod_{{ module }}.so
{% endfor %}


@@ -0,0 +1 @@
LoadModule evasive20_module modules/mod_evasive24.so


@@ -0,0 +1,15 @@
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheRoot /var/cache/httpd/proxy
CacheEnable disk /
CacheDirLevels 2
CacheDirLength 1
CacheIgnoreHeaders Set-Cookie
CacheMaxFileSize {{ httpd_cache_max_file_size | default('1000000') }}
CacheMinFileSize 1
CacheIgnoreNoLastMod On
CacheIgnoreQueryString Off
CacheLastModifiedFactor 0.1
CacheDefaultExpire {{ httpd_cache_default_expire | default('3600') }}
CacheMaxExpire {{ httpd_cache_max_expire | default('86400') }}
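Review bot: `CacheEnable disk /` combined with `CacheIgnoreNoLastMod On` stores any response that carries neither Last-Modified nor explicit freshness information for `CacheDefaultExpire` (3600 s by default), and `CacheIgnoreHeaders Set-Cookie` only strips the cookie header from the stored copy, not a per-user body. Every application behind a vhost that includes this file must therefore send `Cache-Control: private` or `no-store` on authenticated responses, or one user's page can be served to another. I would state that contract at the top of the template, e.g. `# Responses without Last-Modified are cached for CacheDefaultExpire; apps must send Cache-Control: private/no-store on per-user pages`. `CacheLockPath /tmp/mod_cache-lock` also places the lock files in a world-writable directory; a path under `/run/httpd` keeps them private to httpd.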


@@ -0,0 +1,153 @@
# enable rewrite engine
RewriteEngine on
# block trace and track methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# block XSS attacks (attempted to hide query string)
RewriteCond %{THE_REQUEST} \?.*\?(\ |$)
RewriteRule .* - [F]
# block XSS attacks (http)
RewriteCond %{THE_REQUEST} (\b|%\d\d)https?(:|%3A)(/|%\d\d){2} [NC]
RewriteRule .* - [F]
# block XSS attacks (ftp)
RewriteCond %{THE_REQUEST} (\b|%\d\d)ftp(:|%3A)(/|%\d\d){2} [NC]
RewriteRule .* - [F]
# block hack attempts (/etc/passwd)
RewriteCond %{THE_REQUEST} (/|%2F)etc(/|%2F)passwd [NC]
RewriteRule .* - [R=404,L]
# Block out some common exploits
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* - [F]
# File injection protection
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
# Basic antispam Filter
RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(cocaine|ejaculation|erectile)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(erections|hoodia)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(huronriveracres|impotence)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(levitra|libido|lipitor)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(phentermin|pro[sz]ac|sandyauer)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(tramadol|troyhamby|ultram)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(unicauca|valium|viagra|vicodin)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(xanax|ypxaieo)\b [NC]
RewriteRule .* - [F]
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine your PHP version
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
# SQLi basic protection
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]
# Block bad user agents
RewriteCond %{HTTP_USER_AGENT} ^Google\ Desktop [OR]
RewriteCond %{HTTP_USER_AGENT} ^Baiduspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Typhoeus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mylyn/[\d\.]+\ BugzillaConnector\ Eclipse
RewriteRule .* - [F]
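Review bot: The antispam block (from `RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis)\b [NC,OR]` to the `xanax|ypxaieo` line) returns 403 for any query string containing those words, which is a false-positive trap for a site whose search or content legitimately uses them, and nothing is logged to tell the operator why a request was refused. Since this commit also deploys mod_security with the CRS, whose rules can be tuned per id, I would either drop the keyword list or add a comment at the top of the include stating that vhosts for such sites must not include `common_filter.inc`. The TRACE block at the top is more robustly expressed as `TraceEnable off` at server scope, which does not depend on `RewriteEngine` being active in every context where this file is included.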


@@ -0,0 +1,5 @@
RewriteEngine On
RewriteCond %{HTTPS} =off
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L,NE,E=NOCACHE:1]
Header always set Cache-Control "no-store, no-cache, must-revalidate" env=NOCACHE
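Review bot: `RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L,NE,E=NOCACHE:1]` copies the client-supplied Host header into the redirect target; in a vhost that is the default for its port, a request with a forged Host header is answered with a 301 to an attacker-chosen hostname, which is the classic host-header redirect problem. `https://%{SERVER_NAME}/$1` together with `UseCanonicalName On` pins the target to the vhost's own ServerName. If the include is only ever used in vhosts with a strict ServerName/ServerAlias list (I cannot tell from this commit), a comment saying so would be enough.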


@@ -0,0 +1,7 @@
RewriteEngine on
{% for ip in httpd_maintenance_ip | default([]) %}
RewriteCond %{REMOTE_ADDR} !^{{ ip | replace('.','\.') }}
{% endfor %}
RewriteRule ^(.*)$ https://downtime.{{ httpd_primary_domain | default(ansible_domain) }}/ [R=301,L,E=nocache:1]
Header always set Cache-Control "no-store, no-cache, must-revalidate" env=nocache
Header always set Expires "Thu, 01 Jan 1970 00:00:00 GMT" env=nocache
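Review bot: `RewriteCond %{REMOTE_ADDR} !^{{ ip | replace('.','\.') }}` is anchored only at the start, so an entry `10.1.2.3` in `httpd_maintenance_ip` also exempts `10.1.2.30` through `10.1.2.39` and `10.1.2.3xx` from the maintenance redirect. Add the end anchor: `RewriteCond %{REMOTE_ADDR} !^{{ ip | replace('.','\.') }}$`. Entries given as CIDR ranges cannot work with this regex at all; if ranges are wanted, an `<If "-R '{{ ip }}'">` expression is the cleaner tool, and a comment stating which format the list accepts would prevent the mismatch.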


@@ -0,0 +1,15 @@
# {{ ansible_managed }}
{% if httpd_mod_security | default(True) %}
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
{% if httpd_mod_security | default(True) == 'audit' %}
SecRuleEngine DetectionOnly
{% elif httpd_mod_security | default(True) == True %}
SecRuleEngine On
{% else %}
SecRuleEngine Off
{% endif %}
{% for id in httpd_mod_security_disabled_rules | default(['960015', '981203']) %}
SecRuleRemoveById {{ id }}
{% endfor %}
{% endif %}
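Review bot: The `SecRuleEngine` selection falls through to `Off` whenever `httpd_mod_security` is truthy but neither the string `'audit'` nor the boolean `True`, for example the string `"true"` from `-e httpd_mod_security=true` on the command line, so an operator who believes the engine is enabled silently gets no filtering. Because the outer `{% if httpd_mod_security | default(True) %}` already excludes the false case, the inner chain can fail closed by dropping the `elif` branch and the trailing `else`: `{% if httpd_mod_security | default(True) == 'audit' %}` / `SecRuleEngine DetectionOnly` / `{% else %}` / `SecRuleEngine On` / `{% endif %}`. A one-line comment above the block naming the accepted values (`true`, `false`, `'audit'`) would help the next reader.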


@@ -0,0 +1,70 @@
# Compress output to make pages smaller
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
# Remove ETag Headers
<IfModule mod_headers.c>
Header unset ETag
FileETag None
</IfModule>
# Set Cache-Control, but only if not already set!
SetEnvIf !Cache-Control value NO_CACHE_CONTROL
<FilesMatch "\.(ico|jpg|jpeg|png|gif|js|css|swf|pdf|flv|mp3)$">
<IfModule mod_header.c>
Header set Cache-Control "public" env=NO_CACHE_CONTROL
</IfModule>
</FilesMatch>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "now"
# Media files
ExpiresByType image/gif "access plus 1 week"
ExpiresByType image/png "access plus 1 week"
ExpiresByType image/jpg "access plus 1 week"
ExpiresByType image/jpeg "access plus 1 week"
ExpiresByType video/ogg "access plus 1 week"
ExpiresByType audio/ogg "access plus 1 week"
ExpiresByType video/mp4 "access plus 1 week"
ExpiresByType video/webm "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
# Fonts
ExpiresByType application/x-font-ttf "access plus 1 week"
ExpiresByType font/opentype "access plus 1 week"
ExpiresByType application/x-font-woff "access plus 1 week"
ExpiresByType image/svg+xml "access plus 1 week"
ExpiresByType application/vnd.ms-fontobject "access plus 1 week"
# Static assets
ExpiresByType text/css "access plus 1 week"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType text/javascript "access plus 1 week"
# Feeds can be cached, but not too long
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/atom+xml "access plus 1 hour"
</IfModule>
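Review bot: `<IfModule mod_header.c>` around `Header set Cache-Control "public" env=NO_CACHE_CONTROL` names a module that does not exist (the two other guards in this file correctly say `mod_headers.c`), so that Header line is never evaluated and Cache-Control is never set for the listed static types. Change it to `<IfModule mod_headers.c>`. The preceding `SetEnvIf !Cache-Control value NO_CACHE_CONTROL` also looks wrong to me: SetEnvIf inspects request attributes, so it cannot detect whether the response already carries Cache-Control; `Header setifempty Cache-Control "public"` does what the comment says without the environment variable, but confirm the original intent before changing it.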


@@ -0,0 +1,17 @@
DOSHashTableSize 3097
DOSPageCount {{ httpd_dos_page_count | default('40') }}
DOSSiteCount {{ httpd_dos_site_count | default('150') }}
DOSPageInterval {{ httpd_dos_page_interval | default('1') }}
DOSSiteInterval {{ httpd_dos_site_interval | default('5') }}
DOSBlockingPeriod {{ httpd_dos_block_time | default('30') }}
{% if system_admin_email is defined %}
DOSEmailNotify {{ system_admin_email }}
{% endif %}
DOSWhitelist 127.0.0.1
{% for ip in trusted_ip | default([]) %}
DOSWhitelist {{ ip }}
{% endfor %}
{% for ip in httpd_dos_whitelisted_ip | default([])%}
DOSWhitelist {{ ip }}
{% endfor %}
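Review bot: `DOSWhitelist {{ ip }}` is emitted unchanged for every entry of `trusted_ip` and `httpd_dos_whitelisted_ip`, but mod_evasive's DOSWhitelist understands single addresses and `*` wildcards, not CIDR prefixes, so a `10.0.0.0/8`-style entry would be silently ineffective; I cannot see how `trusted_ip` is populated elsewhere, so this may or may not bite. A comment stating the accepted format, `# DOSWhitelist takes single IPs or 1.2.3.* wildcards, not CIDR`, or a filter that skips entries containing `/`, would make the limitation visible. `{% for ip in httpd_dos_whitelisted_ip | default([])%}` is missing the space before `%}`; it renders, but the other tags in the file are spaced.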


@@ -0,0 +1,4 @@
INTERVAL=60
CACHE_ROOT=/var/cache/httpd/proxy/
LIMIT={{ httpd_cache_limit | default('200M') }}
OPTIONS="-t"


@@ -0,0 +1,51 @@
# {{ ansible_managed }}
{% if httpd_mod_security | default(True) %}
SecRuleEngine Off
SecRequestBodyAccess Off
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit {{ httpd_mod_security_request_body_limit | default('13107200') }}
SecRequestBodyNoFilesLimit {{ httpd_mod_security_body_no_files_limit | default('131072') }}
SecRequestBodyInMemoryLimit {{ httpd_mod_security_in_memory_limit | default('131072') }}
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel {{ httpd_mod_security_debug_level | default(0) }}
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
{% endif %}
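Review bot: Rules 200002 and 200003 use `status:44`, which is not an HTTP status code; rule 200001 in the same file uses `status:400`, and that is what these two should return as well: `"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \` and likewise for 200003. What httpd emits for an unknown code is implementation-dependent, so the rejection may currently surface as a 500 in the logs rather than a clear client error. The file also opens with `SecRuleEngine Off` while 10-security.conf.j2 in the same commit sets the engine from `httpd_mod_security`; whichever directive is parsed last in a given scope wins, so a comment stating which scope each file is meant for would help (I cannot see where this include is pulled in).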


@@ -0,0 +1,25 @@
{% for port in httpd_ssl_ports %}
Listen {{ port }} https
{% endfor %}
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLEngine off
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite {{ httpd_ssl_cipher_suite | default('ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA') }}
SSLCertificateFile {{ httpd_cert_path }}
SSLCertificateKeyFile {{ httpd_key_path }}
{% if httpd_chain_path is defined %}
SSLCertificateChainFile {{ httpd_chain_path }}
{% endif %}
SSLHonorCipherOrder on
SSLCompression off
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
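Review bot: `SSLProtocol all -SSLv2 -SSLv3` still negotiates TLS 1.0 and 1.1, and the default cipher string explicitly adds `DES-CBC3-SHA`, `AES` and `CAMELLIA` (non-forward-secret suites) before ending with `!DES`, which excludes single DES but not 3DES, so the 3DES suite added earlier in the string survives. For a 2021 baseline I would write `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and trim the default suite to the ECDHE/DHE GCM entries at the start of the existing string, leaving `httpd_ssl_cipher_suite` as the override for hosts that must serve legacy clients. `SSLHonorCipherOrder on` and `SSLCompression off` are right; `SSLUseStapling on` with an `SSLStaplingCache` next to the session cache would round this out.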


@@ -0,0 +1,25 @@
<Directory /var/www/html/downtime>
Require all granted
AllowOverride None
Options None
</Directory>
<VirtualHost *:{{ httpd_port | default('80') }}>
ServerName downtime.{{ ansible_domain }}
DocumentRoot /var/www/html/downtime/
ErrorDocument 404 /
Include ansible_conf.d/common_env.inc
#Include ansible_conf.d/common_letsencrypt.inc
Include ansible_conf.d/common_force_ssl.inc
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:{{ httpd_ssl_port | default('443') }}>
ServerName downtime.{{ ansible_domain }}
SSLEngine on
DocumentRoot /var/www/html/downtime/
ErrorDocument 404 /
Include ansible_conf.d/common_env.inc
Include ansible_conf.d/common_filter.inc
Include ansible_conf.d/common_perf.inc
</VirtualHost>
</IfModule>
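Review bot: The maintenance include in this commit redirects to `https://downtime.{{ httpd_primary_domain | default(ansible_domain) }}/`, but both VirtualHost blocks here answer only to `ServerName downtime.{{ ansible_domain }}`; when `httpd_primary_domain` is set and differs from `ansible_domain`, the redirect lands on a name no vhost serves. Use the same expression in both blocks: `ServerName downtime.{{ httpd_primary_domain | default(ansible_domain) }}`. The SSL block binds `*:{{ httpd_ssl_port | default('443') }}` (singular) while the rest of the role works with the `httpd_ssl_ports` list, so it will not follow a changed port list; deriving it from the list, e.g. `{{ httpd_ssl_ports | first }}`, keeps the two in step, assuming the first entry is the intended one.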