+ rhel9, - hardening

This commit is contained in:
ROTTLER Tamas 2025-04-27 11:38:18 +02:00
parent 0648224abe
commit 726b6dc279
9 changed files with 503 additions and 268 deletions


@ -0,0 +1,6 @@
# security
ServerTokens Prod
ServerSignature Off
TraceEnable Off

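--- a/tasks/debian.yml
+++ b/tasks/debian.yml
@@ -0,0 +1,247 @@
+---
+- name: check if apt.conf uses a proxy
+shell: grep -Po '(?<=^Acquire::http::Proxy ")[^"]*' /etc/apt/apt.conf
+register: proxy_grep
+failed_when: false
+changed_when: false
+- name: set proxy variable
+set_fact:
+proxy: "{{ proxy_grep.stdout }}"
+when: proxy_grep.stdout != ""
+- name: install packages, debian8
+tags: apt
+apt:
+name:
+- apache2
+- libapache2-mod-php5
+- mysql-client
+- php5-cli
+- php5-curl
+- php5-gd
+- php5-json
+- php5-ldap
+- php5-mysqlnd
+state: present
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version == "8"
+- name: install packages, debian9-10
+tags: apt
+apt:
+name:
+- apache2
+- libapache2-mod-php
+- mariadb-client
+- php-cli
+- php-bcmath
+- php-curl
+- php-gd
+- php-json
+- php-ldap
+- php-mbstring
+- php-mysql
+- php-soap
+- php-xml
+- php-zip
+state: present
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version|int() == 9 or ansible_distribution_major_version|int() == 10
+- name: sury repo pgp key, debian11-99
+tags: apt
+shell: "curl {{ (proxy is defined) | ternary('--proxy '+ proxy|default(''), '')}} -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg"
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version|int() >= 11
+- name: sury repo in sources list, debian11
+tags: apt
+lineinfile:
+dest: /etc/apt/sources.list.d/php-sury.list
+line: 'deb https://packages.sury.org/php/ bullseye main'
+create: yes
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version|int() == 11
+- name: sury repo in sources list, debian12
+tags: apt
+lineinfile:
+dest: /etc/apt/sources.list.d/php-sury.list
+line: 'deb https://packages.sury.org/php/ bookworm main'
+create: yes
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version|int() == 12
+- name: apt update, debian11-99
+tags: apt
+apt:
+update_cache: yes
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version|int() >= 11
+- name: set phpver for debian11 ubuntu20
+set_fact:
+phpver: "7.4"
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version|int() == 12
+- name: set phpver for debian debian12
+set_fact:
+phpver: "8.2"
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version|int() == 12
+- name: set phpver for ubuntu20
+set_fact:
+phpver: "7.4"
+# default, ubuntuba nem teszunk sury repot
+when:
+- ansible_distribution == "Ubuntu"
+- ansible_distribution_major_version|int() == 20
+- name: set phpver for debian ubuntu22
+set_fact:
+phpver: "8.1"
+# default, ubuntuba nem teszunk sury repot
+when:
+- ansible_distribution == "Ubuntu"
+- ansible_distribution_major_version|int() == 22
+- name: install packages [phpver]
+tags: apt
+apt:
+name:
+- apache2
+- mariadb-client
+- "php{{ phpver }}-cli"
+- "php{{ phpver }}-fpm"
+- "php{{ phpver }}-bcmath"
+- "php{{ phpver }}-curl"
+- "php{{ phpver }}-gd"
+- "php{{ phpver }}-ldap"
+- "php{{ phpver }}-mbstring"
+- "php{{ phpver }}-mongodb"
+- "php{{ phpver }}-mysql"
+- "php{{ phpver }}-opcache"
+- "php{{ phpver }}-readline"
+- "php{{ phpver }}-redis"
+- "php{{ phpver }}-soap"
+- "php{{ phpver }}-xml"
+- "php{{ phpver }}-zip"
+state: present
+when:
+- phpver is defined
+- name: install json for php7.4 [phpver]
+tags: apt
+apt:
+name:
+- "php{{ phpver }}-json"
+state: present
+when:
+- phpver is defined
+- phpver == "7.4"
+- name: php fpm/pool.d/www.conf [phpver]
+template:
+src: pool_www.conf
+dest: "/etc/php/{{ phpver }}/fpm/pool.d/www.conf"
+when:
+- phpver is defined
+- name: php config, debian8
+copy:
+src: hws.php.ini.modphp
+dest: /etc/php5
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version == "8"
+- name: php config symlinks, debian8
+file:
+state: link
+src: /etc/php5/hws.php.ini
+path: "/etc/php5/{{ item }}/conf.d/hws.php.ini"
+with_items:
+- apache2
+- cli
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version == "8"
+- name: php config, debian9
+copy:
+src: hws.php.ini.modphp
+dest: /etc/php/7.0/hws.php.ini
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version == "9"
+- name: php config, debian10
+copy:
+src: hws.php.ini.modphp
+dest: /etc/php/7.3/hws.php.ini
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version == "10"
+#- name: php config, bullseye
+# copy:
+# src: hws.php.ini.fpm
+# dest: /etc/php/7.4/hws.php.ini
+# when:
+# - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() == 11) or
+# (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
+- name: php config symlinks, debian9
+file:
+state: link
+src: /etc/php/7.0/hws.php.ini
+path: "/etc/php/7.0/{{ item }}/conf.d/hws.php.ini"
+with_items:
+- apache2
+- cli
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version == "9"
+- name: php config symlinks, debian10
+file:
+state: link
+src: /etc/php/7.3/hws.php.ini
+path: "/etc/php/7.3/{{ item }}/conf.d/hws.php.ini"
+with_items:
+- apache2
+- cli
+when:
+- ansible_distribution == "Debian"
+- ansible_distribution_major_version == "10"
+#- name: php config symlinks, bullseye
+# file:
+# state: link
+# src: /etc/php/7.4/hws.php.ini
+# path: "/etc/php/7.4/{{ item }}/conf.d/hws.php.ini"
+# with_items:
+# - fpm
+# - cli
+# when:
+# - ansible_distribution == "Debian"
+# - ansible_distribution_major_version == "11"
+- name: php logrotate config
+copy:
+src: logrotate.conf
+dest: /etc/logrotate.d/php
+# vim: set tabstop=2 shiftwidth=2 expandtab smarttab: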
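Review bot: The Sury signing key in `sury repo pgp key, debian11-99` is fetched with `shell: curl` straight into `/etc/apt/trusted.gpg.d/`, so nothing verifies what was downloaded, the task re-runs on every play, and the key becomes trusted for every apt source on the host rather than only the Sury one. A `get_url` task with a pinned `checksum:` writing to `/usr/share/keyrings/` (below), plus `[signed-by=/usr/share/keyrings/php-sury.gpg]` in the two `deb` lines of the `sury repo in sources list` tasks, scopes the trust to that repository and fails closed if the key changes; the checksum value is a placeholder to fill in after checking the key fingerprint out of band. Separately, the task named `set phpver for debian11 ubuntu20` tests `ansible_distribution_major_version|int() == 12`, the same condition as the debian12 task, so on Debian 11 `phpver` is never set and every `[phpver]` task is skipped; it should read `- ansible_distribution_major_version|int() == 11`.
```yaml
- name: sury repo pgp key, debian11-99
  tags: apt
  get_url:
    url: https://packages.sury.org/php/apt.gpg
    dest: /usr/share/keyrings/php-sury.gpg
    checksum: "sha256:<SHA256_OF_VERIFIED_KEY>"  # placeholder: pin after verifying the fingerprint out of band
    mode: "0644"
  # get_url honours proxy environment variables, replacing the hand-built --proxy argument
  environment: "{{ {'https_proxy': proxy} if proxy is defined else {} }}"
  when:
    - ansible_distribution == "Debian"
    - ansible_distribution_major_version|int() >= 11
```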


@ -1,15 +1,4 @@
---
- name: check if apt.conf uses a proxy
shell: grep -Po '(?<=^Acquire::http::Proxy ")[^"]*' /etc/apt/apt.conf
register: proxy_grep
failed_when: false
changed_when: false
- name: set proxy variable
set_fact:
proxy: "{{ proxy_grep.stdout }}"
when: proxy_grep.stdout != ""
- name: /var/www bind mount in fstab
lineinfile:
dest: /etc/fstab
@ -20,6 +9,20 @@
shell: 'mkdir -p /var/www && mv /var/www /data && mkdir -p /var/www && mount /var/www'
when: fstab_www.changed
- name: /var/www fcontext httpd_sys_content_t
sefcontext:
setype: httpd_sys_rw_content_t
target: "/var/www/.*"
when:
- ansible_distribution == "RedHat"
- ansible_selinux.status == 'enabled'
- name: /var/www restorecon
command: "restorecon -r /var/www"
when:
- ansible_distribution == "RedHat"
- ansible_selinux.status == 'enabled'
- name: www subdirs
file:
dest: "/var/www/{{ item }}"
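Review bot: The task is named `/var/www fcontext httpd_sys_content_t` but applies `setype: httpd_sys_rw_content_t` to `/var/www/.*`, which labels the whole tree, including the served `def/public` docroot, as writable by httpd under SELinux. Either the name or the type is wrong; keeping `httpd_sys_content_t` for the tree and limiting `httpd_sys_rw_content_t` to the directories PHP actually writes (uploads, cache) keeps the docroot non-writable from the web process. The following `command: "restorecon -r /var/www"` runs on every play and always reports changed; registering the sefcontext result and adding `when: www_fcontext.changed` (or `changed_when: false`) makes it idempotent. Both tasks key on `ansible_distribution == "RedHat"`, which excludes Rocky/AlmaLinux; if those are in scope, `ansible_os_family == "RedHat"` is the usual test.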
@ -31,162 +34,27 @@
- name: www index.html
shell: "test -e /var/www/def/public/index.html || hostname > /var/www/def/public/index.html"
- name: install packages, debian8
tags: apt
apt:
name:
- apache2
- libapache2-mod-php5
- mysql-client
- php5-cli
- php5-curl
- php5-gd
- php5-json
- php5-ldap
- php5-mysqlnd
state: present
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: include debian/ubuntu specific
include_tasks: debian.yml
when: (ansible_distribution == "Debian" or ansible_distribution == "Ubuntu")
- name: install packages, debian9-10
tags: apt
apt:
name:
- apache2
- libapache2-mod-php
- mariadb-client
- php-cli
- php-bcmath
- php-curl
- php-gd
- php-json
- php-ldap
- php-mbstring
- php-mysql
- php-soap
- php-xml
- php-zip
state: present
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() == 9 or ansible_distribution_major_version|int() == 10
- name: include redhat specific
include_tasks: redhat.yml
when: ansible_distribution == "RedHat"
- name: sury repo pgp key, debian11-99
tags: apt
shell: "curl {{ (proxy is defined) | ternary('--proxy '+ proxy|default(''), '')}} -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg"
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() >= 11
- name: sury repo in sources list, debian11
tags: apt
lineinfile:
dest: /etc/apt/sources.list.d/php-sury.list
line: 'deb https://packages.sury.org/php/ bullseye main'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() == 11
- name: sury repo in sources list, debian12
tags: apt
lineinfile:
dest: /etc/apt/sources.list.d/php-sury.list
line: 'deb https://packages.sury.org/php/ bookworm main'
create: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() == 12
- name: apt update, debian11-99
tags: apt
apt:
update_cache: yes
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() >= 11
- name: set phpver for debian11 ubuntu20
set_fact:
phpver: "7.4"
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() == 12
- name: set phpver for debian debian12
set_fact:
phpver: "8.2"
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() == 12
- name: set phpver for ubuntu20
set_fact:
phpver: "7.4"
# default, ubuntuba nem teszunk sury repot
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version|int() == 20
- name: set phpver for debian ubuntu22
set_fact:
phpver: "8.1"
# default, ubuntuba nem teszunk sury repot
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version|int() == 22
- name: install packages [phpver]
tags: apt
apt:
name:
- apache2
- mariadb-client
- "php{{ phpver }}-cli"
- "php{{ phpver }}-fpm"
- "php{{ phpver }}-bcmath"
- "php{{ phpver }}-curl"
- "php{{ phpver }}-gd"
- "php{{ phpver }}-ldap"
- "php{{ phpver }}-mbstring"
- "php{{ phpver }}-mongodb"
- "php{{ phpver }}-mysql"
- "php{{ phpver }}-opcache"
- "php{{ phpver }}-readline"
- "php{{ phpver }}-redis"
- "php{{ phpver }}-soap"
- "php{{ phpver }}-xml"
- "php{{ phpver }}-zip"
state: present
when:
- phpver is defined
- name: install json for php7.4 [phpver]
tags: apt
apt:
name:
- "php{{ phpver }}-json"
state: present
when:
- phpver is defined
- phpver == "7.4"
- name: php fpm/pool.d/www.conf [phpver]
- name: conf-available templates
template:
src: pool_www.conf
dest: "/etc/php/{{ phpver }}/fpm/pool.d/www.conf"
when:
- phpver is defined
- name: conf-available
copy:
src: "{{ item }}"
dest: /etc/apache2/conf-available
with_items:
- other-vhosts-access-log.conf
- charset.conf
- name: conf-available files
copy:
src: "{{ item }}"
dest: /etc/apache2/conf-available
with_items:
- log-detailed.conf
- name: enable confs / modules, debian0-10
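Review bot: `include debian/ubuntu specific` and `include redhat specific` are dynamic `include_tasks` with no tags, while the tasks they pull in carry `tags: apt` / `tags: dnf`; running the play with `--tags apt` skips the untagged include itself, so none of the tagged tasks in debian.yml or redhat.yml run. Adding `tags: always` to both include tasks (or switching to `import_tasks`, which applies tags and the `when:` statically to each imported task) restores tag filtering. The remainder of this hunk appears to be code removed from main.yml and moved into the two new files.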
@ -209,120 +77,14 @@
- ansible_distribution == "Debian"
- ansible_distribution_major_version|int() < 11
- name: virtualhost config, debian11-99 ubuntu20-99
- name: virtualhost config, debian11-99 ubuntu20-99 redhat
template:
src: 000-default_fpm.conf
dest: /etc/apache2/sites-available/000-default.conf
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
- name: php config, debian8
copy:
src: hws.php.ini.modphp
dest: /etc/php5
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: php config symlinks, debian8
file:
state: link
src: /etc/php5/hws.php.ini
path: "/etc/php5/{{ item }}/conf.d/hws.php.ini"
with_items:
- apache2
- cli
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "8"
- name: php config, debian9
copy:
src: hws.php.ini.modphp
dest: /etc/php/7.0/hws.php.ini
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "9"
- name: php config, debian10
copy:
src: hws.php.ini.modphp
dest: /etc/php/7.3/hws.php.ini
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
#- name: php config, bullseye
# copy:
# src: hws.php.ini.fpm
# dest: /etc/php/7.4/hws.php.ini
# when:
# - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() == 11) or
# (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
- name: php config symlinks, debian9
file:
state: link
src: /etc/php/7.0/hws.php.ini
path: "/etc/php/7.0/{{ item }}/conf.d/hws.php.ini"
with_items:
- apache2
- cli
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "9"
- name: php config symlinks, debian10
file:
state: link
src: /etc/php/7.3/hws.php.ini
path: "/etc/php/7.3/{{ item }}/conf.d/hws.php.ini"
with_items:
- apache2
- cli
when:
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
#- name: php config symlinks, bullseye
# file:
# state: link
# src: /etc/php/7.4/hws.php.ini
# path: "/etc/php/7.4/{{ item }}/conf.d/hws.php.ini"
# with_items:
# - fpm
# - cli
# when:
# - ansible_distribution == "Debian"
# - ansible_distribution_major_version == "11"
- name: php logrotate config
copy:
src: logrotate.conf
dest: /etc/logrotate.d/php
- name: security.conf ServerTokens, debian11-99 ubuntu20-99
tags: apt
lineinfile:
dest: /etc/apache2/conf-available/security.conf
regexp: "^ServerTokens"
line: "ServerTokens Prod"
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
- name: security.conf ServerSignature, debian11-99 ubuntu20-99
tags: apt
lineinfile:
dest: /etc/apache2/conf-available/security.conf
regexp: "^ServerSignature"
line: "ServerSignature Off"
when:
- (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
(ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) or
ansible_distribution == "RedHat"
# vim: set tabstop=2 shiftwidth=2 expandtab smarttab:
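Review bot: The `security.conf ServerTokens` and `security.conf ServerSignature` lineinfile tasks for Debian 11+/Ubuntu 20+ appear to be dropped in this hunk (the +/- markers are lost in this rendering), and the new `security.conf_redhat` file is only copied by redhat.yml, so Debian/Ubuntu hosts fall back to the distro default `ServerTokens OS` / `ServerSignature On`. If the `- hardening` in the title means moving rather than removing these settings, a `copy` of the same file to `/etc/apache2/conf-available/security.conf` on Debian/Ubuntu keeps both families consistent; otherwise the removal should be recorded in the task file or README so the weaker default is a known decision. The `virtualhost config` task now also runs on RedHat but has no `phpver is defined` guard, while its template dereferences `phpver`; a host where the set_fact did not fire fails at render time instead of skipping.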

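--- a/tasks/redhat.yml
+++ b/tasks/redhat.yml
@@ -0,0 +1,160 @@
+---
+- name: set phpver for rhel9
+set_fact:
+phpver: "84"
+when:
+- ansible_distribution == "RedHat"
+- ansible_distribution_major_version|int() == 9
+- name: install remi repo
+tags: dnf
+dnf:
+name: "https://rpms.remirepo.net/enterprise/remi-release-9.rpm"
+disable_gpg_check: yes
+#- name: dnf module php [phpver]
+# tags: dnf
+# dnf:
+# name:
+# - "@php:remi-{{ phpver }}"
+- name: install packages
+tags: dnf
+dnf:
+name:
+- httpd
+- mod_ssl
+- mysql
+- redis
+- "php{{ phpver }}-php-fpm"
+- "php{{ phpver }}-php-cli"
+- "php{{ phpver }}-php-bcmath"
+- "php{{ phpver }}-php-gd"
+- "php{{ phpver }}-php-ldap"
+- "php{{ phpver }}-php-mbstring"
+- "php{{ phpver }}-php-mysqlnd"
+- "php{{ phpver }}-php-opcache"
+- "php{{ phpver }}-php-soap"
+- "php{{ phpver }}-php-xml"
+- "php{{ phpver }}-php-pecl-zip"
+- "php{{ phpver }}-php-pecl-mongodb"
+- "php{{ phpver }}-php-pecl-redis6"
+- "php{{ phpver }}-php-process"
+when:
+- phpver is defined
+- name: enable httpd service
+systemd_service:
+name: httpd
+enabled: true
+- name: enable redis service
+systemd_service:
+name: redis
+enabled: true
+- name: enable php-fpm service [phpver]
+systemd_service:
+name: "php{{ phpver }}-php-fpm"
+enabled: true
+- name: php-fpm.d/www.conf [phpver]
+template:
+src: pool_www.conf_redhat
+dest: "/etc/opt/remi/php{{ phpver }}/php-fpm.d/www.conf"
+when:
+- phpver is defined
+- name: httpd.conf remove conf.d include
+lineinfile:
+path: /etc/httpd/conf/httpd.conf
+regex: "^IncludeOptional conf.d/\\*.conf"
+state: absent
+- name: httpd.conf add conf-enabled include
+lineinfile:
+path: /etc/httpd/conf/httpd.conf
+line: "IncludeOptional conf-enabled/*.conf"
+- name: httpd.conf add sites-enabled include
+lineinfile:
+path: /etc/httpd/conf/httpd.conf
+line: "IncludeOptional sites-enabled/*.conf"
+- name: /etc/apache2 symlink
+file:
+path: /etc/apache2
+src: httpd
+state: link
+- name: /var/log/apache2 symlink
+file:
+path: /var/log/apache2
+src: httpd
+state: link
+- name: /etc/apache2/conf-enabled
+file:
+path: /etc/apache2/conf-enabled
+state: directory
+owner: root
+group: root
+mode: "0755"
+- name: /etc/apache2/conf-available
+file:
+path: /etc/apache2/conf-available
+src: conf-enabled
+state: link
+- name: /etc/apache2/sites-enabled
+file:
+path: /etc/apache2/sites-enabled
+state: directory
+owner: root
+group: root
+mode: "0755"
+- name: /etc/apache2/sites-available
+file:
+path: /etc/apache2/sites-available
+src: sites-enabled
+state: link
+- name: create security.conf
+copy:
+src: security.conf_redhat
+dest: /etc/apache2/conf-enabled/security.conf
+- name: create index.conf
+copy:
+content: "DirectoryIndex index.html index.php\n"
+dest: /etc/apache2/conf-enabled/index.conf
+- name: ssl.conf
+template:
+src: redhat_ssl.conf
+dest: "/etc/apache2/conf-enabled/ssl.conf"
+- name: set httpd_can_network_connect
+seboolean:
+name: httpd_can_network_connect
+state: true
+persistent: yes
+when:
+- ansible_selinux.status == 'enabled'
+- name: set httpd_can_sendmail
+seboolean:
+name: httpd_can_sendmail
+state: true
+persistent: yes
+when:
+- ansible_selinux.status == 'enabled'
+#D- name: php logrotate config
+#D copy:
+#D src: logrotate.conf
+#D dest: /etc/logrotate.d/php
+# vim: set tabstop=2 shiftwidth=2 expandtab smarttab: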
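Review bot: `install remi repo` installs a third-party release RPM from the network with `disable_gpg_check: yes`, so nothing authenticates the package that then configures the repository every `php84-*` package on the host is pulled from. Importing the Remi signing key first with `rpm_key`, pinned by `fingerprint:`, and then installing without disabling the check keeps the chain verified (below); the key location and fingerprint are placeholders to fill from the vendor's published values. The release file name is fixed to `-9` while `phpver` is only set for major version 9, so either use `remi-release-{{ ansible_distribution_major_version }}.rpm` or guard the task with the same `ansible_distribution_major_version|int() == 9` condition. `httpd_can_network_connect` lets httpd open any outbound connection; if the only need is the database, `httpd_can_network_connect_db` is the narrower boolean, with the Redis port checked separately.
```yaml
- name: import remi repo signing key
  tags: dnf
  rpm_key:
    key: "<REMI_GPG_KEY_URL_OR_PATH>"  # placeholder: vendor's published RPM-GPG-KEY file
    fingerprint: "<REMI_KEY_FINGERPRINT>"  # placeholder: compare with the vendor's published fingerprint
    state: present
- name: install remi repo
  tags: dnf
  dnf:
    name: "https://rpms.remirepo.net/enterprise/remi-release-9.rpm"
    state: present
```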


@ -1,15 +1,43 @@
#<VirtualHost *:80>
{% if ansible_distribution == "RedHat" %}
# ErrorLog /var/log/httpd/notls.log
# CustomLog /var/log/httpd/notls.log detailed
{% else %}
# ErrorLog ${APACHE_LOG_DIR}/notls.log
# CustomLog ${APACHE_LOG_DIR}/notls.log detailed
{% endif %}
# RewriteEngine On
# RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
# RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
#</VirtualHost>
#<VirtualHost *:443>
# SSLEngine on
# SSLCertificateFile /etc/ssl/i.hwstudio.hu/fullchain.pem
# SSLCertificateKeyFile /etc/ssl/i.hwstudio.hu/privkey.pem
# #ServerName
# #Header always set Strict-Transport-Security "max-age=31536000;"
<VirtualHost *:80>
DocumentRoot /var/www/def/public
{% if ansible_distribution == "RedHat" %}
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log detailed
{% else %}
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log detailed
{% endif %}
<Directory /var/www/def/public>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
<Files "*.php">
{% if ansible_distribution == "RedHat" %}
SetHandler "proxy:unix:/var/opt/remi/php{{ phpver }}/run/php-fpm/www.sock|fcgi://localhost"
{% else %}
SetHandler "proxy:unix:/run/php/php{{ phpver }}-fpm.sock|fcgi://localhost"
{% endif %}
</Files>
</VirtualHost>
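Review bot: The `{% if ansible_distribution == "RedHat" %}` branch is repeated three times in this template (both log-path pairs and the FPM socket), so a future path change has to be made in several places and the three branches can drift. Hoisting the two differing values once at the top, e.g. `{% set log_dir = '/var/log/httpd' if ansible_distribution == "RedHat" else '${APACHE_LOG_DIR}' %}` and a matching `{% set fpm_sock = ... %}`, leaves a single `ErrorLog {{ log_dir }}/error.log` and `SetHandler "proxy:unix:{{ fpm_sock }}|fcgi://localhost"` per directive. The active vhost only listens on :80 while the :443 block (with the HSTS header) stays commented out; a one-line comment stating that TLS vhosts are expected to come from elsewhere would tell the next reader whether that is intended.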


@ -1,5 +1,9 @@
# Define an access log for VirtualHosts that don't define their own logfile
#CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
{% if ansible_distribution == "RedHat" %}
CustomLog /var/log/httpd/other_vhosts_access.log detailed
{% else %}
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log detailed
{% endif %}
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


@ -0,0 +1,20 @@
[www]
user = apache
group = apache
listen = /var/opt/remi/php{{ phpver }}/run/php-fpm/www.sock
listen.acl_users = apache
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
slowlog = /var/opt/remi/php{{ phpver }}/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/opt/remi/php{{ phpver }}/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/opt/remi/php{{ phpver }}/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/opt/remi/php{{ phpver }}/lib/php/wsdlcache
php_admin_value[user_ini.filename] = .php.ini
php_admin_value[user_ini.cache_ttl] = 60
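Review bot: `listen.allowed_clients = 127.0.0.1` has no effect in this pool because `listen` is a unix socket (`/var/opt/remi/php{{ phpver }}/run/php-fpm/www.sock`); that directive only filters TCP peers, so the line documents a control that is not in force. The effective restriction is `listen.acl_users = apache`, so the `allowed_clients` line can be dropped and a short comment added above `listen.acl_users` saying it is the access control for the socket. The `pm.*` values and log paths appear to mirror the packaged Remi defaults; a one-line header comment naming which settings were deliberately changed from the stock www.conf would make later diffs easier to review.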


@ -0,0 +1,8 @@
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
SSLCipherSuite HIGH+ECDHE:!aNULL:!SHA1:!SHA256:!SHA384
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
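Review bot: The cipher list `HIGH+ECDHE:!aNULL:!SHA1:!SHA256:!SHA384` deserves a comment, because the `!SHA256`/`!SHA384` terms read as if they disable the GCM suites whose names end in SHA256/SHA384; in OpenSSL cipher strings those tokens match the HMAC of CBC suites only, so the effective result is ECDHE with AEAD ciphers. Suggested comment above the line: `# ECDHE + AEAD only: !SHA1/!SHA256/!SHA384 remove the CBC-HMAC suites, GCM/CHACHA20 are unaffected`. Setting `SSLCipherSuite` and `SSLProtocol` explicitly also overrides the RHEL 9 crypto-policies default (`PROFILE=SYSTEM`), which the same comment should state so the deviation from the system-wide policy is visibly deliberate.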