From ef38cdd94e33072fc36d124fbc075e40e31fc4fd Mon Sep 17 00:00:00 2001 From: Nicolas Julian Date: Fri, 12 Jan 2024 12:54:57 +0700 Subject: [PATCH 1/2] Update compatibitly with ubuntu 22.04 Tested on ``` DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.04 DISTRIB_CODENAME=jammy DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS" PRETTY_NAME="Ubuntu 22.04.3 LTS" ``` --- README.md | 4 ++-- defaults/main.yml | 1 + tasks/main.yml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index fbd8d05..c40119f 100644 --- a/README.md +++ b/README.md @@ -70,14 +70,14 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul - nginx nginx_install_epel_repo: False nginx_official_repo: True - nginx_official_repo_mainline: True + nginx_official_repo_mainline: False nginx_module_configs: - ngx_http_modsecurity_module nginx_sites: default: - listen 80 - server_name _ - - "Modsecurity on" + - "modsecurity on" - "modsecurity_rules_file /etc/nginx/modsec/main.conf" - root "/usr/share/nginx/html" - index index.html diff --git a/defaults/main.yml b/defaults/main.yml index 826cf1a..2949a51 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -12,6 +12,7 @@ nginx_modsec3_crs3_debian_pre_reqs: - ssdeep - libfuzzy-dev - git + - libssl-dev nginx_modsec3_crs3_debian_compiler_reqs: - build-essential diff --git a/tasks/main.yml b/tasks/main.yml index ea3e031..65e0b99 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -63,7 +63,7 @@ nginx_modsec3_crs3_nginx_version: "{{ ansible_facts.packages.nginx[0].version.split('-')[0] }}" - name: Compile ModSecurity3 and install OWAPS CRS3 - include: compile.yml + import_tasks: compile.yml - name: Configure Nginx now that the Modsec module is built import_role: From 78d318353017a0d96d24200b49007035523d2956 Mon Sep 17 00:00:00 2001 
From: Nicolas Julian Date: Fri, 12 Jan 2024 14:30:43 +0700 Subject: [PATCH 2/2] Update core ruleset version and dependecy --- README.md | 1 + defaults/main.yml | 3 ++- tasks/compile.yml | 11 +++++++---- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c40119f..b1a931d 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,7 @@ Example playbook calling the role adding and enabling ModSecurity for the defaul nginx_official_repo_mainline: False nginx_module_configs: - ngx_http_modsecurity_module + - ngx_http_geoip_module nginx_sites: default: - listen 80 diff --git a/defaults/main.yml b/defaults/main.yml index 2949a51..2c9ee40 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,7 +2,8 @@ # defaults file for ansible-role-nginx-modsec3-crs3 nginx_modsec3_crs3_debian_pre_reqs: - - libgeoip-dev + - libmaxminddb-dev + - libmaxminddb0 - libcurl4-openssl-dev - liblua5.2-dev - libyajl-dev diff --git a/tasks/compile.yml b/tasks/compile.yml index f565246..cefdb61 100644 --- a/tasks/compile.yml +++ b/tasks/compile.yml @@ -59,7 +59,7 @@ with_items: # Latest version had troubles parsing the entire configure arguments so trying just with --with-compat #- "CFLAGS=-Wno-error ./configure {{ result.stdout }} --add-dynamic-module=../../ModSecurity-nginx" - - "CFLAGS=-Wno-error ./configure --with-compat --add-dynamic-module=../../ModSecurity-nginx" + - "CFLAGS=-Wno-error ./configure --with-compat --add-dynamic-module=../../ModSecurity-nginx --with-http_geoip_module=dynamic" - "make modules" - name: import nginx role Debian/Ubuntu vars 
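Review bot: Removing `libgeoip-dev` from `nginx_modsec3_crs3_debian_pre_reqs` in defaults/main.yml looks incompatible with the `--with-http_geoip_module=dynamic` flag this patch adds to the configure command in tasks/compile.yml. nginx's stock `ngx_http_geoip_module` is built against the legacy GeoIP C library rather than libmaxminddb, so `./configure` would be expected to stop on the missing library unless that package is installed by a list not visible in these hunks. Either keep `- libgeoip-dev` next to `- libmaxminddb-dev`, or drop the nginx GeoIP flag and the matching `- ngx_http_geoip_module` README entry. The copy task later in tasks/compile.yml names the result "GeoIP2", but `ngx_http_geoip_module.so` is the legacy-database module, so that task name should say GeoIP.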
@@ -83,11 +83,14 @@ nginx_conf_dir: "/etc/nginx" when: nginx_conf_dir is not defined -- name: Copy Modsecurity-nginx module to Nginx modules folder +- name: Copy ModSecurity-nginx and GeoIP2 modules to Nginx modules folder copy: - src: "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so" + src: "{{ item }}" dest: "{{ nginx_modules_location }}" remote_src: yes + loop: + - "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_modsecurity_module.so" + - "~/Nginx/nginx-{{ nginx_modsec3_crs3_nginx_version }}/objs/ngx_http_geoip_module.so" - name: Create folder for Modsec config and rules file: @@ -122,7 +125,7 @@ git: repo: "https://github.com/coreruleset/coreruleset" dest: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs" - version: "v3.4/dev" + version: "v3.3.5" - name: Copy crs-setup.conf.example to become crs-setup.conf copy:
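Review bot: The rewritten copy task installs two shared objects that nginx loads into its master process (typically running as root), yet it sets no ownership or mode, and both sources sit under the build user's home directory (`~/Nginx/...`). Add `owner: root`, `group: root` and `mode: "0644"` to the `copy:` arguments so the installed modules do not depend on the umask or on who ran the build, and cannot be rewritten by a non-root account. A short comment above `loop:` saying that both `.so` files come from the `make modules` step would also help, since nothing else in the task says so.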
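Review bot: `version: "v3.3.5"` in the coreruleset checkout pins the WAF rules to a tag name, which upstream can move, so the rules deployed can change without any change to this role. Pinning the full commit SHA that the tag resolved to when this was tested is the stronger choice, with the tag recorded in a comment beside it. It would also help to lift the value into defaults/main.yml as a variable (for example `nginx_modsec3_crs3_crs_version`, a name proposed here), so a rule update does not require editing the task. If upstream signs its release tags, the git module's `verify_commit: true` can check the signature, provided the signing key has been imported on the host.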