Adding stuff

README.md

@@ -0,0 +1,29 @@
+## Ansible Values asked are:
+
+```
+URL = FQDN for the new config
+```
+
+### the following is for the upstream config
+
+```
+upstream_name = Name for the upstream variables, keep it short and relevant with - only.
+zone = Nginx HTTP Zone
+backend1 = Backend IP for first Backend Server
+backend1_port = Port for Backend Server
+backend2 = Backend IP for second Backend Server
+backend2_port = Port for Backend Server
+```
+
+### the following is for the server config
+
+```
+SIEM_IP = Enter the IP of the USM Sensor
+status_zone = status_zone
+```
+
+### the following is for the location config
+
+```
+saml_yes = adds an s to http for SAML
+```

files/00-dashboard.conf

@@ -0,0 +1,21 @@
+js_import /usr/share/nginx-plus-module-prometheus/prometheus.js;
+    # ...
+    server {
+        listen 10.40.32.42:8080;
+        # ...
+        location /api {
+            api write=on;
+            allow 10.0.0.0/8;
+            deny  all;
+        }
+        location = /dashboard.html {
+            auth_basic "Password Required";
+            auth_basic_user_file /etc/nginx/.htpasswd;
+            root   /usr/share/nginx/html;
+	    allow 10.0.0.0/8;
+	    deny all;
+        }
+	location = /metrics {
+	    js_content prometheus.metrics;
+	}
+}

files/00-map.conf

@@ -0,0 +1,23 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+map $remote_addr $proxy_forwarded_elem {
+    # IPv4 addresses can be sent as-is
+    ~^[0-9.]+$          "for=$remote_addr";
+
+    # IPv6 addresses need to be bracketed and quoted
+    ~^[0-9A-Fa-f:.]+$   "for=\"[$remote_addr]\"";
+
+    # Unix domain socket names cannot be represented in RFC 7239 syntax
+    default             "for=unknown";
+}
+
+map $http_forwarded $proxy_add_forwarded {
+    # If the incoming Forwarded header is syntactically valid, append to it
+    "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+    # Otherwise, replace it
+    default "$proxy_forwarded_elem";
+}

files/00-waf_enable.conf

@@ -0,0 +1,4 @@
+   app_protect_enable on; # This is how you enable NGINX App Protect WAF in the relevant context/block
+   app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json"; # This is a reference to the policy file to use. If not defined, the default policy is used
+   app_protect_security_log_enable on; # This section enables the logging capability
+   app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=127.0.0.1:514;

ld6/flow.london.firstderivatives.com.conf

@@ -0,0 +1,47 @@
+upstream flow-london {
+    hash $remote_addr consistent;
+    zone flow-london 64k;
+    server 10.60.32.11:4010; # Use your own IP address
+    server 10.60.32.12:4010;
+    keepalive 120;
+}
+
+server {
+   listen 80;
+   server_name flow.london.firstderivatives.com;
+   return 301 https://flow.london.firstderivatives.com$request_uri;
+}
+
+server {
+   listen 443 ssl;
+   server_name flow.london.firstderivatives.com;
+   ssl_certificate  /etc/ssl/client/flow.london.firstderivatives.com.cer; # Client Supplied Certificate
+   ssl_certificate_key  /etc/ssl/client/flow.london.firstderivatives.com.key; # Client Supplied Certificate
+   ssl_prefer_server_ciphers on;
+   ssl_protocols TLSv1.2 TLSv1.3;
+   access_log /var/log/nginx/flow.london.firstderivatives.com.access.log main ;
+   access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+   error_log /var/log/nginx/flow.london.firstderivatives.com.error.log;
+   error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+   status_zone status_zone;
+
+### WAF Component ###
+   include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+   location / {
+        proxy_pass http://flow-london/;
+        proxy_set_header   Origin http://flow.london.firstderivatives.com;
+        proxy_hide_header  Access-Control-Allow-Origin;
+        add_header         Access-Control-Allow-Origin $http_origin;
+        proxy_set_header   Host flow.london.firstderivatives.com; # Required if Proxy Header is needed
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+    }
+}

ld6/i-trader.adss.com.conf

@@ -0,0 +1,47 @@
+upstream itrader-adss {
+    hash $remote_addr consistent;
+    zone itrader-adss 64k;
+    server 10.60.32.11:4015; # Use your own IP address
+    server 10.60.32.12:4015;
+    keepalive 120;
+}
+
+server {
+   listen 80;
+   server_name i-trader.adss.com;
+   return 301 https://i-trader.adss.com$request_uri;
+}
+
+server {
+   listen 443 ssl;
+   server_name i-trader.adss.com;
+   ssl_certificate  /etc/ssl/client/i-trader.adss.com.cer; # Client Supplied Certificate
+   ssl_certificate_key  /etc/ssl/client/i-trader.adss.com.key; # Client Supplied Certificate
+   ssl_prefer_server_ciphers on;
+   ssl_protocols TLSv1.2 TLSv1.3;
+   access_log /var/log/nginx/i-trader.adss.com.access.log main ;
+   access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+   error_log /var/log/nginx/i-trader.adss.com.error.log;
+   error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+   status_zone status_zone;
+
+### WAF Component ###
+   include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+   location / {
+        proxy_pass http://itrader-adss/;
+        proxy_set_header   Origin http://i-trader.adss.com;
+        proxy_hide_header  Access-Control-Allow-Origin;
+        add_header         Access-Control-Allow-Origin $http_origin;
+        proxy_set_header   Host i-trader.adss.com; # Required if Proxy Header is needed
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+    }
+}

ld6/ld.smbc-gle-saml.firstderivatives.com.conf

@@ -0,0 +1,47 @@
+upstream ld-smbc-gle-saml {
+    hash $remote_addr consistent;
+    zone ld-smbc-gle-saml 64k;
+    server 10.60.32.11:4020; # Use your own IP address
+    server 10.60.32.12:4020;
+    keepalive 120;
+}
+
+server {
+   listen 80;
+   server_name ld.smbc-gle-saml.firstderivatives.com;
+   return 301 https://ld.smbc-gle-saml.firstderivatives.com$request_uri;
+}
+
+server {
+   listen 443 ssl;
+   server_name ld.smbc-gle-saml.firstderivatives.com;
+   ssl_certificate  /etc/ssl/client/ld.smbc-gle-saml.firstderivatives.com.cer; # Client Supplied Certificate
+   ssl_certificate_key  /etc/ssl/client/ld.smbc-gle-saml.firstderivatives.com.key; # Client Supplied Certificate
+   ssl_prefer_server_ciphers on;
+   ssl_protocols TLSv1.2 TLSv1.3;
+   access_log /var/log/nginx/ld.smbc-gle-saml.firstderivatives.com.access.log main ;
+   access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+   error_log /var/log/nginx/ld.smbc-gle-saml.firstderivatives.com.error.log;
+   error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+   status_zone status_zone;
+
+### WAF Component ###
+   include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+   location / {
+        proxy_pass http://ld-smbc-gle-saml/;
+        proxy_set_header   Origin https://ld.smbc-gle-saml.firstderivatives.com;
+        proxy_hide_header  Access-Control-Allow-Origin;
+        add_header         Access-Control-Allow-Origin $http_origin;
+        proxy_set_header   Host ld.smbc-gle-saml.firstderivatives.com; # Required if Proxy Header is needed
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+    }
+}

ld6/ld.smbc-gle.firstderivatives.com.conf

@@ -0,0 +1,47 @@
+upstream ld-smbc-gle {
+    hash $remote_addr consistent;
+    zone ld-smbc-gle 64k;
+    server 10.60.32.11:4010; # Use your own IP address
+    server 10.60.32.12:4010;
+    keepalive 120;
+}
+
+server {
+   listen 80;
+   server_name ld.smbc-gle.firstderivatives.com;
+   return 301 https://ld.smbc-gle.firstderivatives.com$request_uri;
+}
+
+server {
+   listen 443 ssl;
+   server_name ld.smbc-gle.firstderivatives.com;
+   ssl_certificate  /etc/ssl/client/ld.smbc-gle.firstderivatives.com.cer; # Client Supplied Certificate
+   ssl_certificate_key  /etc/ssl/client/ld.smbc-gle.firstderivatives.com.key; # Client Supplied Certificate
+   ssl_prefer_server_ciphers on;
+   ssl_protocols TLSv1.2 TLSv1.3;
+   access_log /var/log/nginx/ld.smbc-gle.firstderivatives.com.access.log main ;
+   access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+   error_log /var/log/nginx/ld.smbc-gle.firstderivatives.com.error.log;
+   error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+   status_zone status_zone;
+
+### WAF Component ###
+   include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+   location / {
+        proxy_pass http://ld-smbc-gle/;
+        proxy_set_header   Origin http://ld.smbc-gle.firstderivatives.com;
+        proxy_hide_header  Access-Control-Allow-Origin;
+        add_header         Access-Control-Allow-Origin $http_origin;
+        proxy_set_header   Host ld.smbc-gle.firstderivatives.com; # Required if Proxy Header is needed
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+    }
+}

ld6/ld.smbc-rm-saml.firstderivatives.com.conf

@@ -0,0 +1,47 @@
+upstream ld-smbc-rm-saml {
+    hash $remote_addr consistent;
+    zone ld-smbc-rm-saml 64k;
+    server 10.60.32.11:4025; # Use your own IP address
+    server 10.60.32.12:4025;
+    keepalive 120;
+}
+
+server {
+   listen 80;
+   server_name ld.smbc-rm-saml.firstderivatives.com;
+   return 301 https://ld.smbc-rm-saml.firstderivatives.com$request_uri;
+}
+
+server {
+   listen 443 ssl;
+   server_name ld.smbc-rm-saml.firstderivatives.com;
+   ssl_certificate  /etc/ssl/client/ld.smbc-rm-saml.firstderivatives.com.cer; # Client Supplied Certificate
+   ssl_certificate_key  /etc/ssl/client/ld.smbc-rm-saml.firstderivatives.com.key; # Client Supplied Certificate
+   ssl_prefer_server_ciphers on;
+   ssl_protocols TLSv1.2 TLSv1.3;
+   access_log /var/log/nginx/ld.smbc-rm-saml.firstderivatives.com.access.log main ;
+   access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+   error_log /var/log/nginx/ld.smbc-rm-saml.firstderivatives.com.error.log;
+   error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+   status_zone status_zone;
+
+### WAF Component ###
+   include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+   location / {
+        proxy_pass http://ld-smbc-rm-saml/;
+        proxy_set_header   Origin https://ld.smbc-rm-saml.firstderivatives.com;
+        proxy_hide_header  Access-Control-Allow-Origin;
+        add_header         Access-Control-Allow-Origin $http_origin;
+        proxy_set_header   Host ld.smbc-rm-saml.firstderivatives.com; # Required if Proxy Header is needed
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+    }
+}

ld6/ld.smbc-rm.firstderivatives.com.conf

@@ -0,0 +1,47 @@
+upstream ld-smbc-rm {
+    hash $remote_addr consistent;
+    zone ld-smbc-rm 64k;
+    server 10.60.32.11:4608; # Use your own IP address
+    server 10.60.32.12:4608;
+    keepalive 120;
+}
+
+server {
+   listen 80;
+   server_name ld.smbc-rm.firstderivatives.com;
+   return 301 https://ld.smbc-rm.firstderivatives.com$request_uri;
+}
+
+server {
+   listen 443 ssl;
+   server_name ld.smbc-rm.firstderivatives.com;
+   ssl_certificate  /etc/ssl/client/ld.smbc-rm.firstderivatives.com.cer; # Client Supplied Certificate
+   ssl_certificate_key  /etc/ssl/client/ld.smbc-rm.firstderivatives.com.key; # Client Supplied Certificate
+   ssl_prefer_server_ciphers on;
+   ssl_protocols TLSv1.2 TLSv1.3;
+   access_log /var/log/nginx/ld.smbc-rm.firstderivatives.com.access.log main ;
+   access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+   error_log /var/log/nginx/ld.smbc-rm.firstderivatives.com.error.log;
+   error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+   status_zone status_zone;
+
+### WAF Component ###
+   include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+   location / {
+        proxy_pass http://ld-smbc-rm/;
+        proxy_set_header   Origin http://ld.smbc-rm.firstderivatives.com;
+        proxy_hide_header  Access-Control-Allow-Origin;
+        add_header         Access-Control-Allow-Origin $http_origin;
+        proxy_set_header   Host ld.smbc-rm.firstderivatives.com; # Required if Proxy Header is needed
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+    }
+}

templates/nginx_template.j2

@@ -0,0 +1,47 @@
+upstream {{ upstream_name }} {
+    hash $remote_addr consistent;
+    zone {{ zone }} 64k;
+    server {{ backend1 }}:{{ backend1_port }}; # Use your own IP address
+    server {{ backend2 }}:{{ backend2_port }};
+    keepalive 120;
+}
+
+server {
+   listen 80;
+   server_name {{ URL }};
+   return 301 https://{{ URL }}$request_uri;
+}
+
+server {
+   listen 443 ssl;
+   server_name {{ URL }};
+   ssl_certificate  /etc/ssl/client/{{ URL }}.cer; # Client Supplied Certificate
+   ssl_certificate_key  /etc/ssl/client/{{ URL }}.key; # Client Supplied Certificate
+   ssl_prefer_server_ciphers on;
+   ssl_protocols TLSv1.2 TLSv1.3;
+   access_log /var/log/nginx/{{ URL }}.access.log main ;
+   access_log syslog:server={{ SIEM_IP }}:514,tag=nginx,severity=info;
+   error_log /var/log/nginx/{{ URL }}.error.log;
+   error_log syslog:server={{ SIEM_IP }}:514,tag=nginx_error,severity=warn;
+   status_zone {{ status_zone }};
+
+### WAF Component ###
+   include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+   location / {
+        proxy_pass         http://{{ upstream_name }}/;
+        proxy_set_header   Origin http{{ saml_yes }}://{{ URL }};
+        proxy_hide_header  Access-Control-Allow-Origin;
+        add_header         Access-Control-Allow-Origin $http_origin;
+        proxy_set_header   Host {{ URL }}; # Required if Proxy Header is needed
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+    }
+}