
👾 Help make the NGINX App Protect Ansible role better by participating in our survey! 👾

NGINX App Protect WAF and DoS Ansible Role

This role installs and configures NGINX App Protect WAF or DoS for NGINX Plus on your target host.

Note: By default, this role will install NGINX App Protect WAF. To install NGINX App Protect DoS, you need to set the nginx_app_protect_dos_enable variable to true.

Note: This role is still in active development. There may be unidentified issues and the role variables may change as development continues.

Requirements

NGINX App Protect

If you wish to install NGINX App Protect WAF or NGINX App Protect DoS using this role, you will need to obtain the corresponding NGINX App Protect license beforehand.

Ansible

  • This role is developed and tested with maintained versions of Ansible core (above 2.12).

  • When using Ansible core, you will also need to install the following collections:

    ---
    collections:
      - name: ansible.posix
        version: 1.4.0
      - name: community.crypto
        version: 2.10.0
      - name: community.general
        version: 6.2.0
      - name: community.docker  # Only required if you plan to use Molecule (see below)
        version: 3.4.0

    Note: You can alternatively install the Ansible community distribution (what is known as the "old" Ansible) if you don't want to manage individual collections.

  • Instructions on how to install Ansible can be found on the Ansible website.

Jinja2

  • This role uses Jinja2 templates. Ansible core installs Jinja2 by default, but depending on your install and/or upgrade path, you might be running an outdated version of Jinja2. The minimum version of Jinja2 required for the role to properly function is 3.1.
  • Instructions on how to install Jinja2 can be found on the Jinja2 website.

Molecule (Optional)

  • Molecule is used to test the various functionalities of the role. The recommended version of Molecule to test this role is 4.x.

  • Instructions on how to install Molecule can be found on the Molecule website. You will also need to install the Molecule Docker driver.

  • To run the Molecule tests, you must copy your NGINX App Protect license to the role's files/license folder.

    You can alternatively add your NGINX App Protect repository certificate and key to the local environment. Run the following commands to export these files as base64-encoded variables and execute the Molecule tests:

    export NGINX_CRT=$( cat <path to your certificate file> | base64 )
    export NGINX_KEY=$( cat <path to your key file> | base64 )
    molecule test

Installation

Ansible Galaxy

To install the latest stable release of the role on your system, use:

ansible-galaxy install nginxinc.nginx_app_protect

Alternatively, if you have already installed the role, update the role to the latest release:

ansible-galaxy install -f nginxinc.nginx_app_protect

Git

To pull the latest edge commit of the role from GitHub, use:

git clone https://github.com/nginxinc/ansible-role-nginx-app-protect.git

Platforms

NGINX App Protect WAF

The NGINX App Protect Ansible role supports all platforms supported by NGINX Plus that intersect with the following list of distributions of App Protect WAF:

Amazon Linux 2:
  - any
CentOS:
  - 7.4+
Debian:
  - buster (10)
RHEL:
  - 7.4+
  - 8.1+
Ubuntu:
  - bionic (18.04)
  - focal (20.04)

NGINX App Protect DoS

The NGINX App Protect Ansible role supports all platforms supported by NGINX Plus that intersect with the following list of distributions of App Protect DoS:

Alpine:
  - 3.15
CentOS:
  - 7.4+
Debian:
  - buster (10)
  - bullseye (11)
RHEL:
  - 7.4+
  - 8.0+
Ubuntu:
  - bionic (18.04)
  - focal (20.04)

Role Variables

This role has multiple variables. The descriptions and defaults for all these variables can be found in the defaults/ folder in the following files:

Name      Description
main.yml  NGINX App Protect installation and configuration variables

Similarly, descriptions and defaults for preset variables can be found in the vars/ folder in the following files:

Name      Description
main.yml  List of supported NGINX App Protect platforms

Dependencies

If NGINX Plus is not already installed on the system, this role will install the NGINX Plus version that the selected NGINX App Protect version depends on.

Example Playbook

Working functional playbook examples can be found in the molecule/ folder in the following files:

Name                                    Description
molecule/default/converge.yml           Install and configure NGINX App Protect WAF
molecule/advanced/converge.yml          Advanced integration test including NGINX App Protect WAF sending log data to a "remote" syslog server
molecule/dos/converge.yml               Install NGINX App Protect DoS
molecule/specific-version/converge.yml  Install a specific version of NGINX App Protect WAF signatures
molecule/uninstall/converge.yml         Uninstall NGINX App Protect WAF/DoS
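The following playbook is an added example, not one of the role's own converge.yml files: it shows the WAF installation in blocking mode and the DoS installation selected with nginx_app_protect_dos_enable (see the note at the top of this page). The inventory group names and license file paths are assumptions, and the variable names are the ones quoted in this page's issues, so confirm their defaults in defaults/main.yml of the role version you use.

```yaml
---
# Added example playbook; not the role's own molecule/default/converge.yml.
# Variable names appear on this page; the comments describing what each one
# does are assumptions to be checked against the role's defaults/main.yml.
- name: Install and configure NGINX App Protect WAF in blocking mode
  hosts: waf_nodes            # assumed inventory group
  become: true
  vars:
    # Repository certificate and key that come with the NGINX App Protect license.
    # Paths are examples; keep the real files in Ansible Vault or a CI secret.
    nginx_app_protect_license:
      certificate: "{{ playbook_dir }}/files/license/nginx-repo.crt"
      key: "{{ playbook_dir }}/files/license/nginx-repo.key"
    nginx_app_protect_setup_license: true
    # Assumed: remove the repository credentials from the host after the
    # packages are installed, so a compromised host does not expose them.
    nginx_app_protect_remove_license: true
    nginx_app_protect_install_signatures: true
    nginx_app_protect_install_threat_campaigns: true
    nginx_app_protect_configure: true
    nginx_app_protect_security_policy_template_enable: true
    # "blocking" enforces the policy; "transparent" would only log violations.
    nginx_app_protect_security_policy_enforcement_mode: blocking
    nginx_app_protect_log_policy_template_enable: true
    nginx_app_protect_log_policy_filter_request_type: all
  roles:
    - role: nginxinc.nginx_app_protect

- name: Install NGINX App Protect DoS on a separate group of hosts
  hosts: dos_nodes            # assumed inventory group
  become: true
  vars:
    nginx_app_protect_dos_enable: true   # selects DoS instead of WAF (documented above)
    nginx_app_protect_license:
      certificate: "{{ playbook_dir }}/files/license/nginx-repo.crt"
      key: "{{ playbook_dir }}/files/license/nginx-repo.key"
    nginx_app_protect_setup_license: true
    nginx_app_protect_remove_license: true
  roles:
    - role: nginxinc.nginx_app_protect
```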

Other NGINX Ansible Collections and Roles

You can find the Ansible NGINX Core collection of roles to install and configure NGINX Open Source, NGINX Plus, and NGINX App Protect WAF and DoS products here.

You can find the Ansible NGINX role to install NGINX OSS and NGINX Plus here.

You can find the Ansible NGINX configuration role to configure NGINX here.

You can find the Ansible NGINX Unit role to install NGINX Unit here.

License

Apache License, Version 2.0

Author Information

Daniel Edgar

Alessandro Fael Garcia

© F5, Inc. 2020 - 2024


Issues

Need ability to provide own JSON policy and logging profiles

Is your feature request related to a problem? Please describe.
Currently, the role will create JSON policy and log profiles based on a Jinja2 template, and the user cannot specify their own.

Describe the solution you'd like
In addition to the existing implementation, it would be good to be able to reference user-provided files to be used.

Describe alternatives you've considered
An alternative solution would be that the user could copy their own files to the target instance using their own playbook.

nginx_app_protect_license is undefined

Describe the bug
I get this error:

TASK [nginx_app_protect : Copy NGINX App Protect certificate and license key] ***
fatal: [nginxwaf-0]: FAILED! => {"msg": "'nginx_app_protect_license' is undefined"}

nginx_app_protect_license is not described as a possible key/value in main.yaml, but it is called here.

To reproduce
Steps to reproduce the behavior:
playbook.yaml.TXT

Expected behavior
Doc: add nginx_app_protect_license key

Your environment:

  • Version of the NGINX App Protect role or specific commit: update collection before each job execution
  • Version of Ansible: 2.9.7
  • Target deployment platform: CentOS 7.4

Pin version of App Protect and Nginx

Is your feature request related to a problem? Please describe

I would like the ability to pin the version of app protect and nginx plus so when this role is executed it installs the version specified instead of latest.

Describe the solution you'd like

Variables for app protect and nginx plus package versions.

Describe alternatives you've considered

Recommend an approach to do this. For example, should you just make your own role to install NGINX Plus? I am trying to use the official NGINX Ansible role.

Additional context

Install NGINX App Protect task in NGINX Core Collection failing with 403 Forbidden

Describe the bug

When running the nginx_app_protect role, it fails while fetching the app-protect-security-updates repository with the following error.

To reproduce

Steps to reproduce the behaviour:

  1. Deploy the NGINX App Protect role using deploy-nginx.yml with the following variables.

    role: nginx_app_protect
    vars:
      nginx_app_protect_license:
        certificate: "/nginx/nginx-repo.crt"
        key: "/nginx/nginx-repo.key"
      nginx_app_protect_setup_license: true
      nginx_app_protect_remove_license: false
      nginx_app_protect_install_signatures: true
      nginx_app_protect_install_threat_campaigns: true
      nginx_app_protect_configure: true
      nginx_app_protect_security_policy_template_enable: true
      nginx_app_protect_security_policy_enforcement_mode: blocking
      nginx_app_protect_log_policy_template_enable: true
      nginx_app_protect_log_policy_filter_request_type: all
      nginx_app_protect_conf_template_enable: false

  2. The first failure occurred in the nginx_app_protect role while running the task below.

2021-10-06T12:39:00.6291143Z TASK [nginxinc.nginx_core.nginx_app_protect : (Debian/Ubuntu) Install NGINX App Protect] ***
2021-10-06T12:39:00.6291745Z Wednesday 06 October 2021  12:39:00 +0000 (0:00:01.199)       0:04:33.252 ***** 
2021-10-06T12:39:00.6295209Z Wednesday 06 October 2021  12:39:00 +0000 (0:00:01.199)       0:04:33.251 ***** 
2021-10-06T12:39:34.0436592Z fatal: [SECNGXDEVSR1004]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: E:Failed to fetch https://app-protect-security-updates.nginx.com/ubuntu/dists/bionic/InRelease  403  Forbidden [IP: 3.126.134.177 443], E:The repository 'https://app-protect-security-updates.nginx.com/ubuntu bionic InRelease' is not signed."}
2021-10-06T12:39:37.8032937Z fatal: [SECNGXDEVSR1003]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: E:Failed to fetch https://app-protect-security-updates.nginx.com/ubuntu/dists/bionic/InRelease  403  Forbidden [IP: 52.59.52.27 443], E:The repository 'https://app-protect-security-updates.nginx.com/ubuntu bionic InRelease' is not signed."}
The run then continues until we get to:
fatal: [SECNGXDEVSR1004]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: E:Failed to fetch https://app-protect-security-updates.nginx.com/ubuntu/dists/bionic/InRelease  403  Forbidden [IP: 3.126.134.177 443], E:The repository 'https://app-protect-security-updates.nginx.com/ubuntu bionic InRelease' is not signed."}

The second run failed much earlier, during a task in the core.nginx role:

2021-10-06T15:36:15.4912739Z TASK [nginxinc.nginx_core.nginx : (Debian/Ubuntu) Install dependencies] ********
2021-10-06T15:36:15.4913704Z Wednesday 06 October 2021  15:36:15 +0000 (0:00:00.117)       0:03:49.313 ***** 
2021-10-06T15:36:15.4915801Z Wednesday 06 October 2021  15:36:15 +0000 (0:00:00.117)       0:03:49.313 ***** 
2021-10-06T15:36:52.5807900Z fatal: [SECNGXDEVSR1004]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: E:Failed to fetch https://app-protect-security-updates.nginx.com/ubuntu/dists/bionic/InRelease  403  Forbidden [IP: 52.59.52.27 443], E:The repository 'https://app-protect-security-updates.nginx.com/ubuntu bionic InRelease' is not signed."}
2021-10-06T15:36:54.2451939Z fatal: [SECNGXDEVSR1003]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: E:Failed to fetch https://app-protect-security-updates.nginx.com/ubuntu/dists/bionic/InRelease  403  Forbidden [IP: 52.59.52.27 443], E:The repository 'https://app-protect-security-updates.nginx.com/ubuntu bionic InRelease' is not signed."}

Expected behavior

Install roles core.nginx and core.nginx_app_protect

Your environment

NGINX App Protect role 0.3.0 (January 11, 2021)
ansible [core 2.11.4]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/vmadmin/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
ansible collection location = /home/vmadmin/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.6.9 (default, Jan 26 2021, 15:33:00) [GCC 8.4.0]
jinja version = 2.10
libyaml = True

  • agent running Ubuntu 18.04.5 LTS

Additional context

Failing at different points with the same error.

RHEL Subscription Support

Is your feature request related to a problem? Please describe.
Customers that have a RHEL subscription want to use dependency packages maintained by Red Hat rather than the CentOS repositories.

Describe the solution you'd like
Provide the ability to specify the subscription using the yum-config-manager rather than using the CentOS repositories.

Describe alternatives you've considered
None

Additional context
Should be equivalent to the RHEL Subscription process in the App Protect documentation: https://docs.nginx.com/nginx-app-protect/admin-guide/#rhel-7-4-installation
