4-deploy-nginx-app-protect-web-server-proxy.yml
---
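# Single-host demo topology built by this play:
#   client -> :80 (reverse proxy, NGINX App Protect WAF enabled)
#          -> upstream "upstr" -> 127.0.0.1:8008 / 127.0.0.1:8009 (demo web servers)
# Only the :80 server block carries the WAF, so the two demo web servers are
# bound to loopback below; otherwise they could be reached directly and the
# WAF policy and security log would never see that traffic.
- name: Deploy an NGINX Plus reverse proxy load balancing between two NGINX Plus web servers protected by NGINX App Protect
  hosts: aws_ec2
  become: true
  # The SSH login user is read from the host's `user` tag in the inventory
  # (presumably EC2 instance tags via the aws_ec2 dynamic inventory -- confirm).
  # Whoever can edit that tag influences which account Ansible connects as.
  remote_user: "{{ hostvars[inventory_hostname]['tags']['user'] }}"
  roles:
    - role: nginxinc.nginx_app_protect
      vars:
        # License handling is switched off in both directions here; presumably
        # the license was installed by an earlier step -- confirm.
        nginx_app_protect_setup_license: false
        nginx_app_protect_remove_license: false
        # Install the attack signature and threat campaign packages alongside
        # the WAF module.
        nginx_app_protect_install_signatures: true
        nginx_app_protect_install_threat_campaigns: true
    - role: nginxinc.nginx_config
      vars:
        nginx_config_modules:
          - modules/ngx_http_app_protect_module.so
        nginx_config_http_template_enable: true
        nginx_config_http_template:
          - template_file: http/default.conf.j2
            deployment_location: /etc/nginx/conf.d/default.conf
            config:
              servers:
                # Public entry point. Plain HTTP only: no TLS listener is
                # configured in this play.
                - core:
                    listen:
                      - port: 80
                    server_name: localhost
                  app_protect_waf:
                    enable: true
                    # Stock policy file; review its enforcement settings before
                    # relying on it for anything beyond a demo.
                    policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json
                    security_log_enable: true
                    security_log:
                      path: /etc/app_protect/conf/log_default.json
                      # Security events are written to a local file only; ship
                      # this file to a central collector if the events should
                      # feed detection or survive loss of the host.
                      dest: /var/log/app_protect/security.log
                  log:
                    access:
                      - path: /var/log/nginx/access.log
                        format: main
                  locations:
                    - location: /
                      proxy:
                        pass: http://upstr/
                        set_header:
                          field: Host
                          value: $host
                # Demo web server one. The page is filled in by sub_filter,
                # which substitutes the variable values as-is; several of them
                # ($request_uri, $http_user_agent, $http_x_forwarded_for) come
                # from the client request. Loopback-only so that it is served
                # solely through the WAF-protected proxy above.
                - core:
                    listen:
                      - address: 127.0.0.1
                        port: 8008
                    server_name: localhost
                  log:
                    access:
                      - path: /var/log/nginx/access.log
                        format: main
                  sub_filter:
                    sub_filters:
                      - string: server_hostname
                        replacement: $hostname
                      - string: server_address
                        replacement: '$server_addr:$server_port'
                      - string: server_url
                        replacement: $request_uri
                      - string: remote_addr
                        replacement: '$remote_addr:$remote_port'
                      - string: server_date
                        replacement: $time_local
                      - string: client_browser
                        replacement: $http_user_agent
                      - string: request_id
                        replacement: $request_id
                      - string: nginx_version
                        replacement: $nginx_version
                      - string: document_root
                        replacement: $document_root
                      - string: proxied_for_ip
                        replacement: $http_x_forwarded_for
                  locations:
                    - location: /
                      core:
                        index: server_one.html
                        root: /usr/share/nginx/html
                # Demo web server two; same layout and same loopback-only
                # binding as server one.
                - core:
                    listen:
                      - address: 127.0.0.1
                        port: 8009
                    server_name: localhost
                  log:
                    access:
                      - path: /var/log/nginx/access.log
                        format: main
                  sub_filter:
                    sub_filters:
                      - string: server_hostname
                        replacement: $hostname
                      - string: server_address
                        replacement: '$server_addr:$server_port'
                      - string: server_url
                        replacement: $request_uri
                      - string: remote_addr
                        replacement: '$remote_addr:$remote_port'
                      - string: server_date
                        replacement: $time_local
                      - string: client_browser
                        replacement: $http_user_agent
                      - string: request_id
                        replacement: $request_id
                      - string: nginx_version
                        replacement: $nginx_version
                      - string: document_root
                        replacement: $document_root
                      - string: proxied_for_ip
                        replacement: $http_x_forwarded_for
                  locations:
                    - location: /
                      core:
                        index: server_two.html
                        root: /usr/share/nginx/html
              upstreams:
                - name: upstr
                  least_conn: true
                  servers:
                    # Explicit loopback instead of 0.0.0.0: 0.0.0.0 is a bind
                    # wildcard, not a portable destination address, and these
                    # must match the loopback listeners defined above.
                    - address: 127.0.0.1:8008
                    - address: 127.0.0.1:8009
        nginx_config_html_demo_template_enable: true
        nginx_config_html_demo_template:
          - template_file: www/index.html.j2
            deployment_location: /usr/share/nginx/html/server_one.html
            web_server_name: Ansible NGINX collection - Server one
          - template_file: www/index.html.j2
            deployment_location: /usr/share/nginx/html/server_two.html
            web_server_name: Ansible NGINX collection - Server two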