diff --git a/LICENSE b/LICENSE
index 717e5d7..1c91740 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,22 +1,39 @@ -MIT License - -Copyright (c) 2019 Perry Kollmorgen - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - + /* + * Copyright (c) 2022 GPL-3.0-or-later nginx_modsec3_crs Coopdevs + * + * This file is free software: you may copy, redistribute and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 3 of the License, or (at your + * option) any later version. + * + * This file is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see https://www.gnu.org/licenses. 
+ * + * This file incorporates work covered by the following copyright and + * permission notice: + * + * MIT License + * Copyright (c) 2019 Perry Kollmorgen + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ \ No newline at end of file diff --git a/README.md b/README.md index fbd8d05..a857cc0 100644 --- a/README.md +++ b/README.md 
@@ -1,16 +1,7 @@ -# Ansible role for Installing Nginx, compiling ModSecurity3, and installing the OWASP CRS v3 ruleset +# nginx_modsec3_crs role +## Ansible role for Installing Nginx, compiling ModSecurity3, and installing the OWASP CRS v3 ruleset -ModSecurity3 is a powerful open source cross-platform web application firewall (WAF). - -https://modsecurity.org/ - -It goes hand in hand with a ruleset known as OWASP CRS. - -https://modsecurity.org/crs/ - -Additionally both of these go hand in hand with a webserver, either Apache or Nginx, this role only supports Nginx however. - -https://www.nginx.com +> Forked from [**@perryk**'s](https://github.com/perryk) [ansible-role-nginx-modsec3-crs3](https://github.com/perryk/ansible-role-nginx-modsec3-crs3) There are a number of libraries and packages which ModSecurity3 depends on and will be installed via this role. @@ -20,11 +11,7 @@ Nginx support is primarily provided by the dependent role `ansible-role-nginx` b https://github.com/jdauphant/ansible-role-nginx -By default this role will install Nginx packages from OS provided repos, this is recommended to be changed to installing from the official Nginx repo instead. - -This can be done by setting this variable: - -``` nginx_official_repo: True``` +:warning: jdauphant's nginx role is no longer mantained. ## Requirements 
@@ -35,26 +22,32 @@ Install any required [Ansible](https://www.ansible.com) roles from `requirements ```bash ansible-galaxy install -r requirements.yml ``` - -n.b in particular this role will call certain tasks from the nginx role so be sure to have it installed in the same location as this role and with a specific name of "ansible-role-nginx". - i.e this in the requirements.yml file for your project's playbook (not the requirements.yml file for this role) you will need to include both this role and the role mentioned above like this: ```yml -- src: perryk.nginx_modsec3_crs3 +- src: coopdevs.nginx_modsec3_crs -- src: https://github.com/jdauphant/ansible-role-nginx - version: master +- src: jdauphant.nginx + version: v2.21.2 ``` - - ## Role Variables Browse the role's [defaults/main.yml](defaults/main.yml) and [vars/main.yml](vars/main.yml) files to see if there is anything you would like to change or need to override by setting in your playbook. -There are currently no variables of note being set. +Specific-role vars are explained below, with their default value set. + +```yaml +# Enables the modsecurity compilation, installation and configuration if it is not installed +nginx_modsec3_enabled: True + # Set the ruleset version +nginx_modsec3_crs_version: v3.4/dev +# Force modsecurity recompile despite it is already installed +nginx_modsec3_crs3_force_compile: True +# Enable the block mode (if False, then "Detection Only" mode is set) +nginx_modsec3_crs3_block_mode: True +``` -There are lots of variables however in the nginx role, perhaps the best explanation of these are all the examples in the role [README.md](https://github.com/jdauphant/ansible-role-nginx/blob/master/README.md) file. +There are lots of variables more in the nginx role, perhaps the best explanation of these are all the examples in the role [README.md](https://github.com/jdauphant/ansible-role-nginx/blob/master/README.md) file. ## Example Playbook 
@@ -65,32 +58,32 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul - hosts: servers vars: - + nginx_modsec3_enabled: True + nginx_modsec3_crs_version: v4.0/dev nginx_pkgs: - nginx - nginx_install_epel_repo: False - nginx_official_repo: True - nginx_official_repo_mainline: True nginx_module_configs: - ngx_http_modsecurity_module + - ngx_http_geoip2_module + nginx_modules_disable: + - ngx_http_geoip_module nginx_sites: default: - - listen 80 - - server_name _ - - "Modsecurity on" - - "modsecurity_rules_file /etc/nginx/modsec/main.conf" - - root "/usr/share/nginx/html" - - index index.html - + - | + ... + modsecurity on; + modsecurity_rules_file /etc/nginx/modsec/main.conf; + ... roles: - - perryk.nginx-modsec3-crs3 + - coopdevs.nginx_modsec3_crs ``` # License -MIT +GPL-3.0-or-later ## Author Information -Perry Kollmorgen - https://github.com/perryk +Perry Kollmorgen - https://github.com/perryk +[Coopdevs](https://coopdevs.org) - https://github.com/coopdevs diff --git a/defaults/main.yml b/defaults/main.yml index 826cf1a..3b0c95e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,35 +1,55 @@ --- -# defaults file for ansible-role-nginx-modsec3-crs3 - +# defaults file for coopdevs.nginx_modsec3_crs +nginx_modsec3_enabled: True +nginx_modsec3_crs_version: v3.4/dev +nginx_modsec3_crs3_force_compile: True +nginx_modsec3_crs3_block_mode: True nginx_modsec3_crs3_debian_pre_reqs: + - git - libgeoip-dev + - libmaxminddb-dev + - libmaxminddb0 - libcurl4-openssl-dev - - liblua5.2-dev + - liblua5.3-dev - libyajl-dev - libxml2-dev - - libpcre3-dev - - libpcre++-dev + - libpcre2-dev + #- libpcre++-dev #hmm I wonder if might need libpcre (1) still ? - ssdeep - libfuzzy-dev - - git + - libssl-dev + - zlib1g-dev +# These are packages which are removed after compiling has finished nginx_modsec3_crs3_debian_compiler_reqs: - build-essential +# These are packages you want kept even after compiling has finished nginx_modsec3_crs3_redhat_pre_reqs: - - GeoIP-devel - - curl-devel - # - lua-devel - # - yajl-devel - - libxml2-devel - - xz-devel - - pcre-devel - - ssdeep-devel - - ssdeep-libs - git - - openssl-devel - - libxslt-devel - - gd-devel + - GeoIP-devel #modsec, might not exist in EL9 ? + #- libmaxminddb-devel #modsec, but lets remove as EL8 has a broken compile error + #- libmaxminddb #modsec, but same as above + - curl-devel #modsec + - lua-devel #modsec + - yajl-devel #modsec + - libxml2-devel #modsec + - lmdb-devel #modsec + #- xz-devel # unsure if still needed + - pcre-devel #modsec, needed even if pcre2 is used + - pcre2-devel #modsec + - ssdeep-devel # used by modsec + - ssdeep-libs # used by modsec + - openssl-devel #nginx + - libxslt-devel #modsec +# These are packages which are removed after compiling has finished nginx_modsec3_crs3_redhat_compiler_reqs: - "@Development tools" + +nginx_modsec3_crs3_geoip_enabled: false +nginx_modsec3_crs3_maxmind_enabled: false + +nginx_modsec3_crs3_core_rule_set_version: "v4.0.0" +nginx_official_repo: True +nginx_official_repo_mainline: True 
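Review bot: `nginx_modsec3_crs_version: v3.4/dev` is added to defaults (and documented in the README) but no task reads it; the CRS clone in tasks/compile.yml uses `nginx_modsec3_crs3_core_rule_set_version`, so a user overriding the documented variable still gets `v4.0.0` silently. Either drop the unused key or make it the one the clone task consumes. `nginx_modsec3_crs3_force_compile: True` as the shipped default means every run of the play goes through tasks/compile.yml's "Clear previous compilation" task, which removes the built module and the whole `{{ nginx_conf_dir }}/modsec/` directory before rebuilding, so the WAF is torn down and any local rule tuning is lost on each run; `false` is the safer default with the force flag as an explicit opt-in. The capitalised `True` values here should be the canonical `true` (yamllint truthy).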
diff --git a/meta/main.yml b/meta/main.yml index 04d9a4e..aaecee2 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,11 +1,11 @@ galaxy_info: - author: "Perry Kollmorgen (https://github.com/perryk)" - role_name: nginx_modsec3_crs3 - description: "Installs Nginx, Compiles ModSecurity3, and downloads the OWASP CRS v3 ruleset (https://nginx.com, https://modsecurity.org, https://modsecurity.org/crs)" + author: "Coopdevs (https://github.com/coopdevs)" + role_name: "nginx_modsec3_crs" + description: "Installs Nginx, Compiles ModSecurity3, and downloads the OWASP CRS v3 ruleset. Forked from Perry Kollmorgen's role (https://github.com/perryk) " - license: MIT + license: "GPL-3.0-or-later" - min_ansible_version: 2.4 + min_ansible_version: "2.4" platforms: - name: EL @@ -13,17 +13,27 @@ galaxy_info: - 6 - 7 - 8 + - 9 - name: Debian versions: - jessie - stretch - - sid + - buster + - bullseye + - bookworm - name: Ubuntu versions: - - zesty - - artful - bionic - - cosmic + - cosmic + - disco + - eoan + - focal + - groovy + - hirsute + - impish + - jammy + - mantic + - noble galaxy_tags: - modsecurity @@ -33,5 +43,3 @@ galaxy_info: - nginx - web - system - -dependencies: [] diff --git a/requirements.yml b/requirements.yml index c44fd8b..6b21bf7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,2 +1,3 @@ --- - src: jdauphant.nginx + version: v2.21.2 diff --git a/tasks/compile.yml b/tasks/compile.yml index f565246..cc521bd 100644 --- a/tasks/compile.yml +++ b/tasks/compile.yml 
@@ -1,14 +1,44 @@ # vim: set ft=ansible et ts=2 sw=2: --- -# Tasks for compiling Modsecurity3 and installing OWASP CRS v3 +# Tasks for compiling Modsecurity3 and installing OWASP CRS + +- name: Check if Modsecurity source code folder exists + stat: + path: "~/ModSecurity" + register: modsecurity_folder + +- name: Get Nginx modules location + shell: nginx -V 2>&1 | grep "configure arguments:" | sed -e 's/.*--modules-path=\([^ ]*\).*/\1/' + register: _nginx_modules_location + changed_when: false + when: nginx_modules_location is not defined + +- name: Set variable nginx_modules_location + set_fact: + nginx_modules_location: "{{ _nginx_modules_location.stdout }}" + when: nginx_modules_location is not defined + +- name: Clear previous compilation + file: + path: "{{ item }}" + state: absent + with_items: + - "~/ModSecurity" + - "~/ModSecurity-nginx" + - "~/Nginx" + - "/tmp/nginx-*.tar.gz" + - "{{ nginx_modules_location }}/ngx_http_modsecurity_module.so" + - "{{ nginx_conf_dir }}/modsec/" + when: nginx_modsec3_crs3_force_compile - name: Obtain Modsecurity source code for branch v3/master git: - repo: "https://github.com/SpiderLabs/ModSecurity" + repo: "https://github.com/owasp-modsecurity/ModSecurity" dest: "~/ModSecurity" depth: 1 version: "v3/master" force: yes + when: not modsecurity_folder.stat.exists - name: Init submodules, configure, build, make install command: "{{ item }}" 
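Review bot: The "Obtain Modsecurity source code" clone is skipped when `modsecurity_folder.stat.exists` is true, but that stat runs before "Clear previous compilation" removes `~/ModSecurity` on a forced recompile, so with `nginx_modsec3_crs3_force_compile` set the clone is skipped against a directory that no longer exists and the build commands that follow presumably fail in the missing directory. Move the stat below the clear task or change the guard to `when: nginx_modsec3_crs3_force_compile or not modsecurity_folder.stat.exists`. In the same clear task `"/tmp/nginx-*.tar.gz"` is handed to the `file` module, which does not expand globs, so the downloaded tarball is never removed; use `"/tmp/nginx-{{ nginx_modsec3_crs3_nginx_version }}.tar.gz"` instead. The source is also tracked from the moving `v3/master` branch with `force: yes`, so what gets compiled and installed as root can change between runs; pinning `version:` to a release tag or commit would make the build reproducible and reviewable. The "Init submodules, configure, build, make install" task continues outside the hunk.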
@@ -19,63 +49,96 @@ - "git submodule init" - "git submodule update" - "./build.sh" - - "./configure" + #- "./configure --with-lmdb --with-pcre2" + # lmdb is meant to be faster but more chance of memory leaks + # pcre2 should be a faster reg exp library + - "./configure --with-pcre2" - "make" - "make install" + when: not modsec3_present or nginx_modsec3_crs3_force_compile - name: Obtain Modsecurity-nginx source code git: - repo: "https://github.com/SpiderLabs/ModSecurity-nginx" + repo: "https://github.com/owasp-modsecurity/ModSecurity-nginx" dest: "~/ModSecurity-nginx" depth: 1 force: yes + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile + +- name: Obtain GeoIP2 module source code + git: + repo: "https://github.com/leev/ngx_http_geoip2_module" + dest: "~/GeoIP2-nginx" + when: nginx_modsec3_crs3_maxmind_enabled - name: Download Nginx source code get_url: url: "https://nginx.org/download/nginx-{{ nginx_modsec3_crs3_nginx_version }}.tar.gz" dest: "/tmp/nginx-{{ nginx_modsec3_crs3_nginx_version }}.tar.gz" + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: Create folder for Nginx source code file: path: "~/Nginx" state: directory + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: Extract Nginx source code unarchive: src: "/tmp/nginx-{{ nginx_modsec3_crs3_nginx_version }}.tar.gz" dest: "~/Nginx" remote_src: yes + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile + - name: Get configure arguments shell: "nginx -V 2>&1 | awk -F ':' '/configure arguments/{print $2}'" - register: result + register: configargs changed_when: False + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile + +- name: Run configure for building nginx modules + shell: > + CFLAGS=-Wno-error + ./configure + {% if ansible_distribution == 'OracleLinux' %} + {{ configargs.stdout }} + {% endif %} + --with-compat --add-dynamic-module=../../ModSecurity-nginx + {% if nginx_modsec3_crs3_maxmind_enabled %} 
+ --add-dynamic-module=../../GeoIP2-nginx + {% endif %} + {% if nginx_modsec3_crs3_geoip_enabled %} + --with-http_geoip_module=dynamic + {% else %} + --without-http_geo_module + {% endif %} + args: + chdir: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}" + creates: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/Makefile" -- name: Configure and make ModSecurity3 for Nginx module +- name: Run make for building Nginx modules shell: "{{ item }}" args: chdir: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}" - creates: "~/mods.so" + creates: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so" with_items: - # Latest version had troubles parsing the entire configure arguments so trying just with --with-compat - #- "CFLAGS=-Wno-error ./configure {{ result.stdout }} --add-dynamic-module=../../ModSecurity-nginx" - "CFLAGS=-Wno-error ./configure --with-compat --add-dynamic-module=../../ModSecurity-nginx" - "make modules" + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile - name: import nginx role Debian/Ubuntu vars include_vars: - file: "../ansible-role-nginx/vars/Debian.yml" + file: "../jdauphant.nginx/vars/Debian.yml" when: - ansible_os_family == "Debian" - #- nginx_modules_location is not defined #- nginx_python_selinux_pkgs is not defined -- name: import nginx role Redhat/Centos vars +- name: import nginx role RedHat/Centos/OracleLinux vars include_vars: - file: "../ansible-role-nginx/vars/Redhat.yml" + file: "../jdauphant.nginx/vars/Redhat.yml" when: - - ansible_os_family == "Redhat" - #- nginx_modules_location is not defined + - ansible_os_family == "RedHat" #- nginx_python_selinux_pkgs is not defined - name: set nginx_conf_dir if not already set 
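Review bot: `when: not modsec3_present or nginx_modsec3_crs3_force_compile` tests the registered task result itself rather than its `stat.exists` field; a registered result is a non-empty dict, so `not modsec3_present` is always false and the condition collapses to the force flag, which means that with `nginx_modsec3_crs3_force_compile: false` on a fresh host nothing is configured, built or installed. The same pattern affects every `modsec3_nginx_present` guard in this hunk and the `crs3_present` guards in the next one. Put the force flag first so the attribute lookup is not evaluated when the stat task was skipped: `when: nginx_modsec3_crs3_force_compile or not modsec3_present.stat.exists`. Separately, "Run make for building Nginx modules" still runs `CFLAGS=-Wno-error ./configure --with-compat --add-dynamic-module=../../ModSecurity-nginx` before `make modules`, which regenerates the Makefile without the GeoIP flags the new "Run configure for building nginx modules" task just applied, so `ngx_http_geoip2_module.so` is never produced; drop that item and keep only `- "make modules"`.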
@@ -83,49 +146,80 @@ nginx_conf_dir: "/etc/nginx" when: nginx_conf_dir is not defined -- name: Copy Modsecurity-nginx module to Nginx modules folder +- name: Copy ModSecurity-nginx to Nginx modules folder copy: src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so" + dest: "{{ nginx_modules_location }}/ngx_http_modsecurity_module.so" + remote_src: yes + when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile + +- name: Copy GeoIP module to Nginx modules folder + copy: + src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_geoip_module.so" dest: "{{ nginx_modules_location }}" remote_src: yes + when: nginx_modsec3_crs3_geoip_enabled + + # Source /root/Nginx/nginx-1.25.4/objs/ngx_http_geoip_module.so not found + +- name: Copy MaxMind module to Nginx modules folder + copy: + src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_geoip2_module.so" + dest: "{{ nginx_modules_location }}" + remote_src: yes + when: nginx_modsec3_crs3_maxmind_enabled - name: Create folder for Modsec config and rules file: #path: /etc/nginx/modsec path: "{{ nginx_conf_dir }}/modsec" state: directory + when: not crs3_present or nginx_modsec3_crs3_force_compile + +- name: Check if modsecurity.conf already exists + stat: + path: "{{ nginx_conf_dir }}/modsec/modsecurity.conf" + register: modsecurity_conf_stat - name: Copy recommended conf to become modsecurity.conf copy: src: "~/ModSecurity/modsecurity.conf-recommended" dest: "{{ nginx_conf_dir }}/modsec/modsecurity.conf" remote_src: yes + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Copy unicode.mapping file also copy: src: "~/ModSecurity/unicode.mapping" dest: "{{ nginx_conf_dir }}/modsec/unicode.mapping" remote_src: yes + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Activate blocking rather than detection only replace: path: "{{ nginx_conf_dir }}/modsec/modsecurity.conf" regexp: "SecRuleEngine DetectionOnly" 
replace: "SecRuleEngine On" + backup: yes + when: nginx_modsec3_crs3_block_mode == true and (not crs3_present or nginx_modsec3_crs3_force_compile) + - name: Create a main.conf from template template: src: main.conf.j2 dest: "{{ nginx_conf_dir }}/modsec/main.conf" + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Obtain OWASP Modsecurity Rules git: repo: "https://github.com/coreruleset/coreruleset" dest: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs" - version: "v3.4/dev" + version: "{{ nginx_modsec3_crs3_core_rule_set_version }}" + when: not crs3_present or nginx_modsec3_crs3_force_compile - name: Copy crs-setup.conf.example to become crs-setup.conf copy: src: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs/crs-setup.conf.example" dest: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs/crs-setup.conf" remote_src: yes + when: not crs3_present or nginx_modsec3_crs3_force_compile diff --git a/tasks/main.yml b/tasks/main.yml index ea3e031..c1771ee 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,5 @@ --- -# tasks file for ansible-role-nginx-modsec3-crs3 +# tasks file for jdauphant.nginx-modsec3-crs3 - name: Installing Pre-Reqs for Debian/Ubuntu apt: @@ -7,8 +7,8 @@ state: present when: ansible_os_family == "Debian" -- name: Installing Pre-Reqs for RHEL/Centos - yum: +- name: Installing Pre-Reqs for RHEL/Centos/OracleLinux + dnf: name: "{{ nginx_modsec3_crs3_redhat_pre_reqs }}" state: present when: ansible_os_family == "RedHat" 
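Review bot: `modsecurity_conf_stat` is registered by the new "Check if modsecurity.conf already exists" task but never consulted, so the following copy still overwrites a tuned `modsecurity.conf` whenever its guard passes; presumably the intent was `when: not modsecurity_conf_stat.stat.exists or nginx_modsec3_crs3_force_compile` on that copy task. The stale `# Source /root/Nginx/nginx-1.25.4/objs/ngx_http_geoip_module.so not found` comment under "Copy GeoIP module to Nginx modules folder" records a past failure rather than explaining the code and should be removed or replaced by a note on when that module is actually built. `nginx_modsec3_crs3_block_mode == true` relies on the variable being a real boolean; `nginx_modsec3_crs3_block_mode | bool` also accepts the string forms users pass with `-e`.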
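Review bot: The updated header comment names the role `jdauphant.nginx-modsec3-crs3`, which is neither the old nor the new role name; meta/main.yml and the README call it `coopdevs.nginx_modsec3_crs`. Suggest `# tasks file for coopdevs.nginx_modsec3_crs`.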
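Review bot: Switching the RedHat pre-req install from `yum` to `dnf` drops support for the EL 6 and EL 7 platforms that meta/main.yml still advertises, since those releases do not ship dnf in their base repositories. Either use the distribution-neutral `package:` module here or remove 6 and 7 from the platform list so the metadata matches what the tasks can run. The same module is used for the new "Installing compiler dependencies for RHEL/Centos/OracleLinux" task in the later hunk.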
@@ -33,54 +33,108 @@ state: present when: ansible_os_family == "Redhat" -- name: run Nginx selinux tasks +- name: Run Nginx SElinux tasks include_role: - name: ansible-role-nginx + name: jdauphant.nginx tasks_from: selinux.yml allow_duplicates: yes when: ansible_selinux and ansible_selinux.status == "enabled" -- name: run Nginx nginx offical repo tasks +- name: Run Nginx official repo tasks include_role: - name: ansible-role-nginx + name: jdauphant.nginx tasks_from: nginx-official-repo.yml allow_duplicates: yes when: nginx_official_repo == True -- name: run Nginx install packages tasks +- name: Run Nginx install packages tasks include_role: - name: ansible-role-nginx + name: jdauphant.nginx tasks_from: installation.packages.yml allow_duplicates: yes -# when: nginx_installation_type == "packages" -- name: get the rpm or apt package facts +- name: Save the current list of packages for Debian/Ubuntu + shell: dpkg-query -l > /tmp/before.txt + when: ansible_os_family == "Debian" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep ) + changed_when: false + +- name: Save the current list of packages for RHEL/Centos/OracleLinux + shell: rpm -qa > /tmp/before.txt + when: ansible_os_family == 'RedHat' and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep ) + changed_when: false + +- name: Installing compiler dependencies for Debian/Ubuntu + apt: + name: "{{ nginx_modsec3_crs3_debian_compiler_reqs }}" + state: present + when: ansible_os_family == "Debian" + +- name: Installing compiler dependencies for RHEL/Centos/OracleLinux please + dnf: + name: "{{ nginx_modsec3_crs3_redhat_compiler_reqs }}" + state: present + when: ansible_os_family == "RedHat" + +- name: Get the rpm or apt package facts package_facts: manager: "auto" -- name: record nginx version +- name: Record nginx version set_fact: nginx_modsec3_crs3_nginx_version: "{{ ansible_facts.packages.nginx[0].version.split('-')[0] }}" +- name: Get Nginx conf location + shell: dirname 
$(nginx -V 2>&1 | grep "configure arguments:" | sed -e 's/.*--conf-path=\([^ ]*\).*/\1/') + register: _nginx_conf_location + changed_when: false + when: nginx_conf_dir is not defined + +- name: Set variable nginx_conf_dir + set_fact: + nginx_conf_dir: "{{ _nginx_conf_location.stdout }}" + when: nginx_conf_dir is not defined + +- name: Check if ModSecurity3 is present + stat: + path: /usr/local/modsecurity/lib/libmodsecurity.so + register: modsec3_present + when: not nginx_modsec3_crs3_force_compile + +- name: Check if modsecurity-nginx is present + stat: + path: /usr/lib/nginx/modules/ngx_http_modsecurity_module.so + register: modsec3_nginx_present + when: not nginx_modsec3_crs3_force_compile + +- name: Check if OWASP CRS3 is present + stat: + path: /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf + register: crs3_present + when: not nginx_modsec3_crs3_force_compile + - name: Compile ModSecurity3 and install OWAPS CRS3 - include: compile.yml + include_tasks: compile.yml + when: nginx_modsec3_enabled - name: Configure Nginx now that the Modsec module is built import_role: - name: ansible-role-nginx + name: jdauphant.nginx - name: Check which packages were installed for Debian/Ubuntu shell: dpkg-query -l > /tmp/after.txt when: ansible_os_family == "Debian" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep ) + changed_when: false -- name: Check which packages were installed for RHEL/Centos +- name: Check which packages were installed for RHEL/Centos/OracleLinux shell: rpm -qa > /tmp/after.txt when: ansible_os_family == "RedHat" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep ) + changed_when: false - name: Create a list of installed packages shell: diff /tmp/before.txt /tmp/after.txt|awk '/>/{print $3}' register: installed when: nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep + changed_when: false - name: Remove installed packages for compiling package: 
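Review bot: The package snapshots are written by root through a shell redirect to the fixed paths `/tmp/before.txt` and `/tmp/after.txt`, and their diff later drives `package: state: absent`; a predictable file name in a world-writable directory lets any local account pre-create or replace those files and so influence which packages the role removes, besides exposing root's write to a symlink race. Create the scratch files with the `tempfile` module (root-owned, mode 0600, unpredictable name) and reference the registered path as sketched below; the "Check which packages were installed" and "Create a list of installed packages" tasks need the same substitution. The three new presence checks hard-code `/usr/lib/nginx/modules/...` and `/etc/nginx/modsec/...` while the rest of the role derives `nginx_modules_location` and `nginx_conf_dir` from `nginx -V` and copies the module to `{{ nginx_modules_location }}/ngx_http_modsecurity_module.so`; on a host whose modules live elsewhere (e.g. `/usr/lib64/nginx/modules`) the check reports absent and forces a rebuild every run, so use the same variables there and move the `nginx_modules_location` lookup from compile.yml ahead of the checks. The stray word in `Installing compiler dependencies for RHEL/Centos/OracleLinux please` looks like a leftover.
```yaml
- name: Create root-owned scratch file for the pre-install package list
  tempfile:
    suffix: .pkgs_before
  register: pkgs_before
  when: nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep

- name: Save the current list of packages for Debian/Ubuntu
  shell: dpkg-query -l > {{ pkgs_before.path }}
  when: ansible_os_family == "Debian" and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep )
  changed_when: false

- name: Save the current list of packages for RHEL/Centos/OracleLinux
  shell: rpm -qa > {{ pkgs_before.path }}
  when: ansible_os_family == 'RedHat' and ( nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep )
  changed_when: false

# … unchanged: compiler dependency installs, package facts, nginx version and conf lookups, presence checks, compile include, nginx role …

# The post-install snapshot gets a second tempfile (register: pkgs_after) the same way,
# the two "Check which packages were installed" tasks write to {{ pkgs_after.path }},
# and the comparison becomes:
- name: Create a list of installed packages
  shell: diff {{ pkgs_before.path }} {{ pkgs_after.path }}|awk '/>/{print $3}'
  register: installed
  when: nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep
  changed_when: false
```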
diff --git a/templates/50-mod-http-modsecurity.conf.j2 b/templates/50-mod-http-modsecurity.conf.j2
new file mode 100644
index 0000000..963f2c8
--- /dev/null
+++ b/templates/50-mod-http-modsecurity.conf.j2
@@ -0,0 +1 @@
+load_module {{ nginx_modules_location }}/ngx_http_modsecurity_module.so;
\ No newline at end of file