/ansible-role-nginx-modsec3-crs3

Ansible role for Installing Nginx, compiling ModSecurity3, and installing the OWASP CRS v3 ruleset

Primary LanguageHTMLMIT LicenseMIT

Ansible role for Installing Nginx, compiling ModSecurity3, and installing the OWASP CRS v3 ruleset

ModSecurity3 is a powerful open source cross-platform web application firewall (WAF).

https://modsecurity.org/

It goes hand in hand with a ruleset known as OWASP CRS.

https://modsecurity.org/crs/

Additionally both of these go hand in hand with a webserver, either Apache or Nginx, this role only supports Nginx however.

https://www.nginx.com

There are a number of libraries and packages which ModSecurity3 depends on and will be installed via this role.

This role will additionally install any compilers and other build tools required for compilation. It will then remove these tools if they were not previously installed.

Nginx support is primarily provided by the dependent role ansible-role-nginx by jdauphant.

https://github.com/jdauphant/ansible-role-nginx

By default this role will install Nginx packages from OS provided repos, this is recommended to be changed to installing from the official Nginx repo instead.

This can be done by setting this variable:

nginx_official_repo: True

Requirements

Before running a playbook which calls this role:

Install any required Ansible roles from requirements.yml View here.

ansible-galaxy install -r requirements.yml

n.b in particular this role will call certain tasks from the nginx role so be sure to have it installed in the same location as this role and with a specific name of "ansible-role-nginx".

i.e this in the requirements.yml file for your project's playbook (not the requirements.yml file for this role) you will need to include both this role and the role mentioned above like this:

- src: perryk.nginx_modsec3_crs3

- src: https://github.com/jdauphant/ansible-role-nginx
  version: master

Role Variables

Browse the role's defaults/main.yml and vars/main.yml files to see if there is anything you would like to change or need to override by setting in your playbook.

There are currently no variables of note being set.

There are lots of variables however in the nginx role, perhaps the best explanation of these are all the examples in the role README.md file.

Example Playbook

Example playbook calling the role adding and enabling ModSecurity for the default Nginx site.

- hosts: servers

  vars:

    nginx_pkgs:
      - nginx
    nginx_install_epel_repo: False
    nginx_official_repo: True
    nginx_official_repo_mainline: True
    nginx_module_configs:
      - ngx_http_modsecurity_module
    nginx_sites:
      default:
       - listen 80
       - server_name _
       - "Modsecurity on"
       - "modsecurity_rules_file /etc/nginx/modsec/main.conf"
       - root "/usr/share/nginx/html"
       - index index.html

  roles:
    - perryk.nginx-modsec3-crs3

License

MIT

Author Information

Perry Kollmorgen - https://github.com/perryk