deploy-nginx-plus-app-protect-web-server-proxy.yml
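---
# Sample play: installs NGINX Plus, adds NGINX App Protect WAF and DoS, then
# writes one HTTP config holding a WAF/DoS-protected reverse proxy on port 80
# and two demo web servers on ports 8081 and 8082 on the same host.
- name: Install NGINX Plus and NGINX App Protect and configure a simple reverse proxy in front of two web servers protected by NGINX App Protect WAF/DoS
  hosts: all
  collections:
    - nginxinc.nginx_core
  tasks:
    - name: Install NGINX Plus
      ansible.builtin.include_role:
        name: nginx
      vars:
        nginx_type: plus
        # Placeholders: replace with the paths to the NGINX Plus repository
        # certificate and private key. The key is a secret; keep it out of
        # version control and readable only by the user running the playbook.
        nginx_license:
          certificate: '<path/to/certificate>'
          key: '<path/to/key>'
        # NOTE(review): by its name this keeps the license files on the target
        # host after installation; confirm against the nginx role's
        # documentation and protect those files accordingly.
        nginx_remove_license: false

    - name: Install NGINX App Protect WAF/DoS
      ansible.builtin.include_role:
        name: nginx_app_protect
      vars:
        nginx_app_protect_waf_enable: true
        nginx_app_protect_dos_enable: true
        # Attack signatures and threat campaigns are installed by this run.
        # Nothing in this playbook schedules later updates, so plan a
        # recurring run (or another update mechanism) to keep them current.
        nginx_app_protect_install_signatures: true
        nginx_app_protect_install_threat_campaigns: true
        # NOTE(review): presumably false because the license was already set
        # up by the NGINX Plus task above; confirm.
        nginx_app_protect_setup_license: false
        nginx_app_protect_remove_license: false

    - name: Configure NGINX
      ansible.builtin.include_role:
        name: nginx_config
      vars:
        # Both App Protect modules must be loaded before their directives can
        # be used in the server blocks below.
        nginx_config_modules:
          - modules/ngx_http_app_protect_module.so
          - modules/ngx_http_app_protect_dos_module.so
        nginx_config_http_template_enable: true
        nginx_config_http_template:
          - template_file: http/default.conf.j2
            deployment_location: /etc/nginx/conf.d/default.conf
            config:
              upstreams:
                - name: upstr
                  least_conn: true
                  servers:
                    # 0.0.0.0 is a bind wildcard, not a destination; connecting
                    # to it only works where the OS maps it to the local host.
                    # Both backends are defined below on this same host, so
                    # loopback is the explicit, portable target.
                    - address: '127.0.0.1:8081'
                    - address: '127.0.0.1:8082'
              servers:
                # Front-end reverse proxy: the only server block with WAF and
                # DoS protection enabled.
                - core:
                    # Plain HTTP; no TLS listener is configured in this sample.
                    listen:
                      - port: 80
                    server_name: localhost
                  # NOTE(review): no WAF policy file and no security-log
                  # destination are set here, so the role's defaults apply;
                  # confirm what they are and where the security log is
                  # written before relying on it for detection.
                  app_protect_waf:
                    enable: true
                    security_log_enable: true
                  app_protect_dos:
                    enable: true
                  log:
                    access:
                      - path: /var/log/nginx/access.log
                        format: main
                  locations:
                    - location: /
                      proxy:
                        pass: http://upstr/
                        # Only Host is forwarded; no X-Forwarded-For or
                        # X-Real-IP header is set, so the backends log the
                        # proxy's address as the client address.
                        set_header:
                          field: Host
                          value: '$host'
                # Demo backend one.
                # NOTE(review): the listener specifies only a port, so unless
                # the role defaults to loopback this backend is reachable
                # directly on 8081 and such requests never pass through the
                # WAF/DoS server on port 80. Restrict it with a host firewall
                # or bind it to loopback (check the nginx_config role's listen
                # options for the address setting).
                - core:
                    listen:
                      - port: 8081
                    server_name: localhost
                  log:
                    access:
                      - path: /var/log/nginx/access.log
                        format: main
                  locations:
                    - location: /
                      core:
                        root: /usr/share/nginx/html
                        index: server_one.html
                      # Demo only: each placeholder string in the HTML page is
                      # replaced with a live NGINX variable. Several of these
                      # ($request_uri, $http_user_agent, $http_x_forwarded_for)
                      # are client-controlled and sub_filter inserts them
                      # as-is, without HTML escaping; do not reuse this
                      # pattern on pages served to real users.
                      sub_filter:
                        sub_filters:
                          - string: server_hostname
                            replacement: '$hostname'
                          - string: server_address
                            replacement: '$server_addr:$server_port'
                          - string: server_url
                            replacement: '$request_uri'
                          - string: remote_addr
                            replacement: '$remote_addr:$remote_port'
                          - string: server_date
                            replacement: '$time_local'
                          - string: client_browser
                            replacement: '$http_user_agent'
                          - string: request_id
                            replacement: '$request_id'
                          - string: nginx_version
                            replacement: '$nginx_version'
                          - string: document_root
                            replacement: '$document_root'
                          # X-Forwarded-For arrives here exactly as the client
                          # sent it (the proxy above does not set it), so it is
                          # display data, not a trustworthy client address.
                          - string: proxied_for_ip
                            replacement: '$http_x_forwarded_for'
                        once: false
                # Demo backend two: same layout as backend one, and the same
                # direct-exposure and unescaped-substitution caveats apply.
                - core:
                    listen:
                      - port: 8082
                    server_name: localhost
                  log:
                    access:
                      - path: /var/log/nginx/access.log
                        format: main
                  locations:
                    - location: /
                      core:
                        root: /usr/share/nginx/html
                        index: server_two.html
                      sub_filter:
                        sub_filters:
                          - string: server_hostname
                            replacement: '$hostname'
                          - string: server_address
                            replacement: '$server_addr:$server_port'
                          - string: server_url
                            replacement: '$request_uri'
                          - string: remote_addr
                            replacement: '$remote_addr:$remote_port'
                          - string: server_date
                            replacement: '$time_local'
                          - string: client_browser
                            replacement: '$http_user_agent'
                          - string: request_id
                            replacement: '$request_id'
                          - string: nginx_version
                            replacement: '$nginx_version'
                          - string: document_root
                            replacement: '$document_root'
                          - string: proxied_for_ip
                            replacement: '$http_x_forwarded_for'
                        once: false
        # Demo HTML pages served by the two backends; each is rendered from
        # the same template with a different display name.
        nginx_config_html_demo_template_enable: true
        nginx_config_html_demo_template:
          - template_file: www/index.html.j2
            deployment_location: /usr/share/nginx/html/server_one.html
            web_server_name: 'Ansible NGINX collection - Server one'
          - template_file: www/index.html.j2
            deployment_location: /usr/share/nginx/html/server_two.html
            web_server_name: 'Ansible NGINX collection - Server two'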