From dd06fb0a56feba126cce5ef75e84e23eb72fe7aa Mon Sep 17 00:00:00 2001 From: Michael Scherer Date: Wed, 15 Oct 2014 16:55:11 -0400 Subject: Add playbook and httpd and the rest --- roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch | 33 ++++++++++++++ roles/httpd/defaults/main.yml | 2 + roles/httpd/files/mod_filter.conf | 3 ++ roles/httpd/files/name_vhost.conf | 2 + roles/httpd/files/remove_sslv3.conf | 1 + roles/httpd/handlers/main.yml | 3 ++ roles/httpd/tasks/main.yml | 51 ++++++++++++++++++++++ roles/httpd/templates/vhost.conf | 21 +++++++++ roles/httpd/templates/vhost_redirect.conf | 16 +++++++ 9 files changed, 132 insertions(+) create mode 100644 roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch create mode 100644 roles/httpd/defaults/main.yml create mode 100644 roles/httpd/files/mod_filter.conf create mode 100644 roles/httpd/files/name_vhost.conf create mode 100644 roles/httpd/files/remove_sslv3.conf create mode 100644 roles/httpd/handlers/main.yml create mode 100644 roles/httpd/tasks/main.yml create mode 100644 roles/httpd/templates/vhost.conf create mode 100644 roles/httpd/templates/vhost_redirect.conf (limited to 'roles/httpd') diff --git a/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch b/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch new file mode 100644 index 0000000..62607b5 --- /dev/null +++ b/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch @@ -0,0 +1,33 @@ +From ce67394ccb7eaf138330c52f9ec5062698efb8aa Mon Sep 17 00:00:00 2001 +From: Michael Scherer +Date: Tue, 14 Oct 2014 23:36:21 -0400 +Subject: [PATCH] Remove ssl v3, CVE-2014-3566 + +--- + roles/httpd/files/remove_sslv3.conf | 1 + + roles/httpd/tasks/main.yml | 1 + + 2 files changed, 2 insertions(+) + create mode 100644 roles/httpd/files/remove_sslv3.conf + +diff --git a/roles/httpd/files/remove_sslv3.conf b/roles/httpd/files/remove_sslv3.conf +new file mode 100644 +index 0000000..0872cbe +--- /dev/null ++++ b/roles/httpd/files/remove_sslv3.conf +@@ -0,0 +1 @@ ++SSLProtocol all -SSLv2 -SSLv3 +diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml +index 98d6ade..7dfe89d 100644 +--- a/roles/httpd/tasks/main.yml ++++ b/roles/httpd/tasks/main.yml +@@ -11,6 +11,7 @@ + with_items: + - name_vhost.conf + - mod_filter.conf ++ - remove_sslv3.conf + notify: restart httpd + + - template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644 +-- +1.8.3.1 + diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml new file mode 100644 index 0000000..409440c --- /dev/null +++ b/roles/httpd/defaults/main.yml @@ -0,0 +1,2 @@ +--- +log_retention_week: 8 diff --git a/roles/httpd/files/mod_filter.conf b/roles/httpd/files/mod_filter.conf new file mode 100644 index 0000000..cde8c84 --- /dev/null +++ b/roles/httpd/files/mod_filter.conf @@ -0,0 +1,3 @@ +# not enabled by default on centos 6 +LoadModule filter_module modules/mod_filter.so + diff --git a/roles/httpd/files/name_vhost.conf b/roles/httpd/files/name_vhost.conf new file mode 100644 index 0000000..d2d1c0d --- /dev/null +++ b/roles/httpd/files/name_vhost.conf @@ -0,0 +1,2 @@ +NameVirtualHost *:443 +NameVirtualHost *:80 diff --git a/roles/httpd/files/remove_sslv3.conf b/roles/httpd/files/remove_sslv3.conf new file mode 100644 index 0000000..0872cbe --- /dev/null +++ b/roles/httpd/files/remove_sslv3.conf @@ -0,0 +1 @@ +SSLProtocol all -SSLv2 -SSLv3 diff --git a/roles/httpd/handlers/main.yml b/roles/httpd/handlers/main.yml new file mode 100644 index 0000000..e379288 --- /dev/null +++ b/roles/httpd/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart httpd + service: name=httpd state=restarted diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml new file mode 100644 index 0000000..b1e7342 --- /dev/null +++ b/roles/httpd/tasks/main.yml @@ -0,0 +1,51 @@ +--- +- yum: name={{ item }} state=installed + with_items: + - python-passlib + - httpd + - mod_ssl + +- service: name=httpd state=started enabled=yes + +- copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=apache mode=0644 + with_items: + - name_vhost.conf + - mod_filter.conf + - remove_sslv3.conf + notify: restart httpd + +- template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644 + notify: restart httpd + when: document_root is defined + +- template: src=vhost_redirect.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644 + notify: restart httpd + when: redirect is defined + +- file: state=directory path={{ document_root }} setype=httpd_sys_content_t owner=root mode=755 group=root + when: document_root is defined + +- file: path=/etc/httpd/conf.d/{{ website_url }}.conf.d/ state=directory + when: website_url is defined + +# needed for newer apache, who requires at least 1 file for include +- file: path=/etc/httpd/conf.d/{{ website_url }}.conf.d/placeholder.conf state=touch + when: website_url is defined + +- file: path=/etc/httpd/conf.d/password_protection.conf state=absent + notify: restart httpd + +- htpasswd: path=/etc/httpd/{{ website_url }}.htpasswd name={{ website_user }} password={{ website_password }} owner=root group=apache mode=0640 + when: website_user is defined + +- shell: lokkit -s {{ item }} + with_items: + - http + - https + when: ansible_distribution_major_version == '6' and (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') + +- firewalld: service={{ item }} permanent=true state=enabled + with_items: + - http + - https + when: ansible_distribution == 'Fedora' or ansible_distribution_major_version == '7' diff --git a/roles/httpd/templates/vhost.conf b/roles/httpd/templates/vhost.conf new file mode 100644 index 0000000..21172c9 --- /dev/null +++ b/roles/httpd/templates/vhost.conf @@ -0,0 +1,21 @@ + + {% if website_password is defined %} + + + AuthType Basic + AuthName "Restricted access, contact OSAS for password" + AuthUserFile /etc/httpd/{{ website_url }}.htpasswd + Require valid-user + + {% endif %} + + + AllowOverride All + + + ServerName {{ website_url }} + DocumentRoot {{ document_root }} + Include /etc/httpd/conf.d/{{ website_url}}.conf.d/*conf + + + diff --git a/roles/httpd/templates/vhost_redirect.conf b/roles/httpd/templates/vhost_redirect.conf new file mode 100644 index 0000000..1c93343 --- /dev/null +++ b/roles/httpd/templates/vhost_redirect.conf @@ -0,0 +1,16 @@ + + {% if website_password is defined %} + + + AuthType Basic + AuthName "Restricted access, contact OSAS for password" + AuthUserFile /etc/httpd/{{ website_url }}.htpasswd + Require valid-user + + {% endif %} + + ServerName {{ website_url }} + Redirect / {{ redirect }} + + + -- cgit