From ba8bf80f7d8160a214c84f302818f18b3033e662 Mon Sep 17 00:00:00 2001
From: Wolfgang Medina-Erhardt
Date: Fri, 11 Aug 2023 13:47:15 +0200
Subject: [PATCH 1/5] Add apache config, adjust handlers
---
 handlers/main.yaml | 6 ---
 meta/main.yaml | 3 ++
 tasks/apache.yaml | 12 ++++++
 tasks/main.yaml | 3 ++
 tasks/service.yaml | 7 ++-
 templates/apache/Includes/mailhog.conf.j2 | 52 +++++++++++++++++++++++
 6 files changed, 76 insertions(+), 7 deletions(-)
 create mode 100644 tasks/apache.yaml
 create mode 100644 templates/apache/Includes/mailhog.conf.j2
diff --git a/handlers/main.yaml b/handlers/main.yaml
index c87d210..e6f5e3d 100644
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -1,10 +1,4 @@
 ---
-- name: Start MailHog
- service:
- name: mailhog
- state: started
- register: mailhog_service_result
-
 - name: Restart MailHog
 service:
 name: mailhog
diff --git a/meta/main.yaml b/meta/main.yaml
index be1d45f..618979b 100644
--- a/meta/main.yaml
+++ b/meta/main.yaml
@@ -1,5 +1,8 @@
 ---
 dependencies:
+ - role: apache
+ when: '"apache" in dehydrated.httpd_service.name'
 - role: nginx
+ when: '"nginx" in dehydrated.httpd_service.name'
 - role: oauth2_proxy
 when: mailhog.oauth2_proxy
diff --git a/tasks/apache.yaml b/tasks/apache.yaml
new file mode 100644
index 0000000..e115516
--- /dev/null
+++ b/tasks/apache.yaml
@@ -0,0 +1,12 @@
+---
+- name: Template apache configuration
+ template: src="{{ item }}" dest="{{ render_path }}"
+ loop_control:
+ label: "{{ render_path }}"
+ vars:
+ template_dir: "{{ role_path }}/templates/apache"
+ render_path: "{{ apache.prefix.config }}/{{ item|strip_prefix(template_dir + '/')|strip_suffix('.j2') }}"
+ with_fileglob:
+ - "{{ template_dir }}/*.j2"
+ - "{{ template_dir }}/Includes/*.j2"
+ notify: Restart apache
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 5100a2b..9615def 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
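Review bot: The `template` task in the new tasks/apache.yaml passes its module arguments as a `key=value` string (`template: src="{{ item }}" dest="{{ render_path }}"`) while the `service:` task added in service.yaml in this same series uses block-mapped arguments, and the string form leaves no obvious place for file permissions, so the rendered vhost gets whatever the target's umask produces. I would write it as a block mapping with `src:`, `dest:` and an explicit `mode: "0644"` (quoted, so YAML does not read the octal as an integer), which is also the form the Ansible conventions in this role's other tasks use. The notified handler `Restart apache` lives in the apache role, which meta/main.yaml makes a conditional dependency; the condition on that dependency and the `when:` on the `import_tasks: apache.yaml` line must stay identical or this task runs without its handler — worth a one-line comment above `notify:` saying where the handler comes from.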
@@ -1,4 +1,7 @@
 ---
 - import_tasks: config.yaml
 - import_tasks: service.yaml
+- import_tasks: apache.yaml
+ when: '"apache" in dehydrated.httpd_service.name'
 - import_tasks: nginx.yaml
+ when: '"nginx" in dehydrated.httpd_service.name'
diff --git a/tasks/service.yaml b/tasks/service.yaml
index 760778c..43bd706 100644
--- a/tasks/service.yaml
+++ b/tasks/service.yaml
@@ -6,4 +6,9 @@
 line: 'mailhog_enable="YES"'
 with_items:
 - /etc/rc.conf
- notify: Start MailHog
+
+- name: Start MailHog
+ service:
+ name: mailhog
+ state: started
+ register: mailhog_service_result
diff --git a/templates/apache/Includes/mailhog.conf.j2 b/templates/apache/Includes/mailhog.conf.j2
new file mode 100644
index 0000000..5f4361b
--- /dev/null
+++ b/templates/apache/Includes/mailhog.conf.j2
@@ -0,0 +1,52 @@
+{% set http_listeners = ['*:80'] %}
+{% set https_listeners = ['*:443'] %}
+{% if ansible_local.proserver is defined and ansible_local.proserver.routing.with_gate64 -%}
+{% set _ = http_listeners.append('[::]:87') %}
+{% set _ = https_listeners.append('[::]:57') %}
+{% endif %}
+
+{% for i in http_listeners %}
+
+ {% if "57" in i %}
+ RemoteIPProxyProtocol On
+ {% endif %}
+ ServerName {{ mailhog.domain }}
+ RewriteEngine On
+ RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
+ RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+
+{% endfor %}
+
+{% if dehydrated | cert_exists(mailhog.domain) %}
+{% for i in https_listeners %}
+
+ {% if "87" in i %}
+ RemoteIPProxyProtocol On
+ {% endif %}
+ ServerName {{ mailhog.domain }}
+ DocumentRoot /var/null
+
+ SSLEngine on
+ SSLProxyEngine on
+ {% if mailhog.oauth2_proxy -%}
+ ProxyPass /proserver/iap/auth/ http://127.0.0.1:8025/proserver/iap/auth/
+ ProxyPassReverse /proserver/iap/auth/ http://127.0.0.1:8025/proserver/iap/auth/
+
+ ErrorDocument 401 /proserver/iap/sign_in
+
+ RequestHeader set Auth-Cookie %{upstream_set_cookie}e env=upstream_set_cookie
+ Header always set Cookie "%{env:upstream_set_cookie}e" env=upstream_set_cookie
+ {% endif -%}
+
+ ProxyPass / http://127.0.0.1:8025/
+ ProxyPassReverse / http://127.0.0.1:8025/
+ ProxyPreserveHost On
+ ProxyPassInterpolateEnv On
+
+ SSLCertificateFile {{ dehydrated | cert_fullchain(mailhog.domain) }}
+ SSLCertificateChainFile {{ dehydrated | cert_fullchain(mailhog.domain) }}
+ SSLCertificateKeyFile {{ dehydrated | cert_privkey(mailhog.domain) }}
+
+
+{% endfor %}
+{% endif %}
From 3850f20c092d5bf105957edbd18db8b5ec429421 Mon Sep 17 00:00:00 2001
From: Wolfgang Medina-Erhardt
Date: Mon, 28 Aug 2023 16:12:36 +0200
Subject: [PATCH 2/5] Fix nginx/apache switch behavior
---
 meta/main.yaml | 4 ++--
 tasks/main.yaml | 7 +++++--
 templates/apache/Includes/mailhog.conf.j2 | 4 ++--
 3 files changed, 9 insertions(+), 6 deletions(-)
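Review bot: Nothing in the new HTTPS vhost actually gates requests behind oauth2_proxy: the `mailhog.oauth2_proxy` branch proxies only `/proserver/iap/auth/` and declares `ErrorDocument 401`, but no `AuthType`/`Require` or other directive can ever produce that 401, so the unconditional `ProxyPass / http://127.0.0.1:8025/` exposes the whole MailHog UI — every captured message — to anyone who can reach the host, unless something outside this template enforces the IAP. The `RequestHeader`/`Header ... env=upstream_set_cookie` lines are the nginx `auth_request` idiom transcribed (nothing in Apache sets that env var), and Apache has no built-in equivalent of `auth_request`, so this needs either an auth module such as mod_auth_openidc in front of `/`, or `ProxyPass /` pointed at oauth2_proxy with MailHog configured as its upstream; until then the apache path should carry a comment stating it is unauthenticated. Separately, the `RemoteIPProxyProtocol` guards look swapped: the HTTP loop appends `[::]:87` but tests `"57" in i`, and the HTTPS loop appends `[::]:57` but tests `"87" in i`, so PROXY protocol is never enabled on either gate64 listener — test each loop for the port it appended. Finally, the HTTP→HTTPS redirect builds its target from `%{HTTP_HOST}`, which lets a forged Host header choose the redirect destination; since `ServerName` is fixed, `RewriteRule ^(.*)$ https://{{ mailhog.domain }}$1 [R=301,L]` is the safer form.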
diff --git a/meta/main.yaml b/meta/main.yaml
index 618979b..d7f14e2 100644
--- a/meta/main.yaml
+++ b/meta/main.yaml
@@ -1,8 +1,8 @@
 ---
 dependencies:
 - role: apache
- when: '"apache" in dehydrated.httpd_service.name'
+ when: inventory_hostname in groups.apache
 - role: nginx
- when: '"nginx" in dehydrated.httpd_service.name'
+ when: inventory_hostname in groups.nginx or not inventory_hostname in groups.apache
 - role: oauth2_proxy
 when: mailhog.oauth2_proxy
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 9615def..fd8a984 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1,7 +1,10 @@
 ---
 - import_tasks: config.yaml
+
 - import_tasks: service.yaml
+
 - import_tasks: apache.yaml
- when: '"apache" in dehydrated.httpd_service.name'
+ when: inventory_hostname in groups.apache
+
 - import_tasks: nginx.yaml
- when: '"nginx" in dehydrated.httpd_service.name'
+ when: inventory_hostname in groups.nginx or not inventory_hostname in groups.apache
diff --git a/templates/apache/Includes/mailhog.conf.j2 b/templates/apache/Includes/mailhog.conf.j2
index 5f4361b..110c832 100644
--- a/templates/apache/Includes/mailhog.conf.j2
+++ b/templates/apache/Includes/mailhog.conf.j2
@@ -29,8 +29,8 @@
 SSLEngine on
 SSLProxyEngine on
 {% if mailhog.oauth2_proxy -%}
- ProxyPass /proserver/iap/auth/ http://127.0.0.1:8025/proserver/iap/auth/
- ProxyPassReverse /proserver/iap/auth/ http://127.0.0.1:8025/proserver/iap/auth/
+ ProxyPass /proserver/iap/auth/ http://[::1]:{{ oauth2_proxy.config[mailhog.oauth2_proxy].http_address.split(":")[-1] }}/proserver/iap/auth/
+ ProxyPassReverse /proserver/iap/auth/ http://[::1]:{{ oauth2_proxy.config[mailhog.oauth2_proxy].http_address.split(":")[-1] }}/proserver/iap/auth/
 ErrorDocument 401 /proserver/iap/sign_in
From afe474631481938e59fe125fc9bf650793e8a8f7 Mon Sep 17 00:00:00 2001
From: Wolfgang Medina-Erhardt
Date: Mon, 28 Aug 2023 16:17:21 +0200
Subject: [PATCH 3/5] Add hard dependency for dehydrated
---
 meta/main.yaml | 1 +
 1 file changed, 1 insertion(+)
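Review bot: `inventory_hostname in groups.apache` raises an undefined-variable error on any inventory that has no `apache` group at all (`groups` only carries keys for groups that exist), and because this sits in `meta/main.yaml` the whole role fails before a single task runs — the nginx entry repeats the same lookup, so a nginx-only inventory is precisely the case that breaks. Use `inventory_hostname in groups.get('apache', [])` (and `groups.get('nginx', [])` on the nginx entry) so a missing group reads as "not a member"; the identical conditions in the tasks/main.yaml hunk of this commit need the same change. Note also that a host present in both groups now pulls in both roles and renders both vhost templates, because the nginx condition is `in groups.nginx or not in groups.apache`; if that is not intended, a one-line comment above `dependencies:` stating that apache wins should accompany a condition that makes it so.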
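Review bot: The new `ProxyPass` targets hard-code the backend host as `[::1]` while taking only the port from `oauth2_proxy.config[...].http_address`, so the proxy target can silently diverge from where oauth2_proxy actually listens: an `http_address` of `127.0.0.1:4180` binds IPv4 only and the `[::1]` connect fails, and a `unix://` socket form has no port for `split(":")[-1]` to find. Reusing the configured address directly keeps the two in step: `{% set iap = oauth2_proxy.config[mailhog.oauth2_proxy].http_address | regex_replace('^https?://', '') %}` before the `{% if %}`, then `http://{{ iap }}/proserver/iap/auth/` in both `ProxyPass` and `ProxyPassReverse`. If the role's convention is that oauth2_proxy always binds `[::1]`, a one-line comment above `ProxyPass` saying so would at least make the coupling visible to whoever changes `http_address` next.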
diff --git a/meta/main.yaml b/meta/main.yaml
index d7f14e2..2f6498d 100644
--- a/meta/main.yaml
+++ b/meta/main.yaml
@@ -1,5 +1,6 @@
 ---
 dependencies:
+ - role: dehydrated
 - role: apache
 when: inventory_hostname in groups.apache
 - role: nginx
From b57cee17862fc171fef4a3a15a63903e47809acf Mon Sep 17 00:00:00 2001
From: Wolfgang Medina-Erhardt
Date: Tue, 5 Sep 2023 09:10:18 +0200
Subject: [PATCH 4/5] Add modsecurity support
---
 templates/nginx/http.d/mailhog.conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/templates/nginx/http.d/mailhog.conf.j2 b/templates/nginx/http.d/mailhog.conf.j2
index 8632784..a9a16a4 100644
--- a/templates/nginx/http.d/mailhog.conf.j2
+++ b/templates/nginx/http.d/mailhog.conf.j2
@@ -23,6 +23,10 @@ server {
 server_name {{ mailhog.domain }};
 include {{ nginx.prefix.config }}/include/security_headers.conf;
+ {% if nginx.modsecurity.enabled is defined and nginx.modsecurity.enabled %}
+ include {{ nginx.prefix.config }}/include/modsecurity.conf;
+ {% endif %}
+
 {% if mailhog.oauth2_proxy -%}
 location /proserver/iap {
From 1820bf1fda8f06cae320907489f352830ba1d5e7 Mon Sep 17 00:00:00 2001
From: Wolfgang Medina-Erhardt
Date: Tue, 5 Sep 2023 09:16:17 +0200
Subject: [PATCH 5/5] Add modsecurity support
---
 templates/nginx/http.d/mailhog.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/nginx/http.d/mailhog.conf.j2 b/templates/nginx/http.d/mailhog.conf.j2
index a9a16a4..a4853a8 100644
--- a/templates/nginx/http.d/mailhog.conf.j2
+++ b/templates/nginx/http.d/mailhog.conf.j2
@@ -23,7 +23,7 @@ server {
 server_name {{ mailhog.domain }};
 include {{ nginx.prefix.config }}/include/security_headers.conf;
- {% if nginx.modsecurity.enabled is defined and nginx.modsecurity.enabled %}
+ {% if nginx.modsecurity is defined and nginx.modsecurity.enabled %}
 include {{ nginx.prefix.config }}/include/modsecurity.conf;
 {% endif %}
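Review bot: The new guard `nginx.modsecurity is defined and nginx.modsecurity.enabled` still fails to render when `nginx.modsecurity` is a mapping without an `enabled` key (the template task errors and the vhost is not updated), while the form it replaces had the mirror problem when `modsecurity` itself was absent — the two commits fix one shape each rather than both. `{% if (nginx.modsecurity | default({})).enabled | default(false) %}` handles both in one expression and makes the WAF an explicit opt-in. Because this line decides whether modsecurity protects the MailHog vhost at all, a one-line comment above the `{% if %}` stating that the include is skipped unless `nginx.modsecurity.enabled` is set to true would save the next reader from assuming the WAF is on by default.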