commit e8043f036d645be5e51bc318f448040b72eb1664
Author: Kris
Date: Wed Dec 18 11:46:51 2024 +0000
Adding stuff
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e195f83
--- /dev/null
+++ b/README.md
@@ -0,0 +1,29 @@
+## Ansible Values asked are:
+
+```
+URL = FQDN for the new config
+```
+
+### the following is for the upstream config
+
+```
+upstream_name = Name for the upstream variables, keep it short and relevant with - only.
+zone = Nginx HTTP Zone
+backend1 = Backend IP for first Backend Server
+backend1_port = Port for Backend Server
+backend2 = Backend IP for second Backend Server
+backend2_port = Port for Backend Server
+```
+
+### the following is for the server config
+
+```
+SIEM_IP = Enter the IP of the USM Sensor
+status_zone = status_zone
+```
+
+### the following is for the location config
+
+```
+saml_yes = adds an s to http for SAML
+```
\ No newline at end of file
diff --git a/files/00-dashboard.conf b/files/00-dashboard.conf
new file mode 100644
index 0000000..0ef5a63
--- /dev/null
+++ b/files/00-dashboard.conf
@@ -0,0 +1,21 @@
+js_import /usr/share/nginx-plus-module-prometheus/prometheus.js;
+ # ...
+ server {
+ listen 10.40.32.42:8080;
+ # ...
+ location /api {
+ api write=on;
+ allow 10.0.0.0/8;
+ deny all;
+ }
+ location = /dashboard.html {
+ auth_basic "Password Required";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+ root /usr/share/nginx/html;
+ allow 10.0.0.0/8;
+ deny all;
+ }
+ location = /metrics {
+ js_content prometheus.metrics;
+ }
+}
\ No newline at end of file
diff --git a/files/00-map.conf b/files/00-map.conf
new file mode 100644
index 0000000..b301e42
--- /dev/null
+++ b/files/00-map.conf
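Review bot: `api write=on;` in `location /api` exposes the read-write NGINX Plus API with nothing but a `10.0.0.0/8` allowlist, while `/dashboard.html` in the same server block at least requires `auth_basic`; any host in that /8 can alter upstream membership and key-value state at runtime without a credential. Unless the write API is genuinely needed, `api write=off;` is the safer default, and the `/api` block should carry the same `auth_basic "Password Required";` and `auth_basic_user_file /etc/nginx/.htpasswd;` lines as the dashboard. `location = /metrics` has no `allow`/`deny` at all, so it is reachable from anywhere that can reach `10.40.32.42:8080`; adding `allow 10.0.0.0/8; deny all;` there keeps the three locations consistent. Since the listener is plain HTTP, the dashboard's basic-auth credentials cross the network in the clear and the address filter is the only protection — a comment stating that would help the next maintainer. The `# ...` placeholder lines suggest this is an excerpt of a larger server block rather than a complete file; if so, a header comment should say where it is meant to be spliced in.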
@@ -0,0 +1,23 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+map $remote_addr $proxy_forwarded_elem {
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+}
+
+map $http_forwarded $proxy_add_forwarded {
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+}
\ No newline at end of file
diff --git a/files/00-waf_enable.conf b/files/00-waf_enable.conf
new file mode 100644
index 0000000..c9631aa
--- /dev/null
+++ b/files/00-waf_enable.conf
@@ -0,0 +1,4 @@
+ app_protect_enable on; # This is how you enable NGINX App Protect WAF in the relevant context/block
+ app_protect_policy_file "/etc/app_protect/conf/NginxDefaultPolicy.json"; # This is a reference to the policy file to use. If not defined, the default policy is used
+ app_protect_security_log_enable on; # This section enables the logging capability
+ app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=127.0.0.1:514;
\ No newline at end of file
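Review bot: `$proxy_add_forwarded`, the result of the third `map`, is not referenced anywhere else in this commit — every server file and the template set `X-Forwarded-For $remote_addr` and never emit a `Forwarded` header — so the largest and hardest-to-review part of this file is dead configuration. Either wire it in with `proxy_set_header Forwarded $proxy_add_forwarded;` in the template's `location /`, or drop the map so the file only declares what is used (`$connection_upgrade` is used by every server file). The server files `include conf.d/00-waf_enable.conf` while this commit stores the shared files under `files/`; presumably the Ansible role copies them into `/etc/nginx/conf.d/`, and a one-line comment at the top of each shared file naming that deploy path would remove the guesswork.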
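Review bot: `app_protect_security_log` sends WAF events to `syslog:server=127.0.0.1:514`, whereas every server file in this commit ships access and error logs to the SIEM at `10.60.64.56:514` (`{{ SIEM_IP }}` in the template); unless a local syslog daemon relays port 514 onward, WAF violations never reach the collector that has the matching access-log context. Either point it at the same destination, `app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=<SIEM_IP>:514;` (placeholder for the SIEM address), or add a comment documenting the local relay. Because this file is included at `server` level by each site, the default policy applies uniformly; a comment noting that a site needing a different policy must override `app_protect_policy_file` in its own block would save a future reader from editing the shared file.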
diff --git a/ld6/flow.london.firstderivatives.com.conf b/ld6/flow.london.firstderivatives.com.conf
new file mode 100644
index 0000000..458e11c
--- /dev/null
+++ b/ld6/flow.london.firstderivatives.com.conf
@@ -0,0 +1,47 @@
+upstream flow-london {
+ hash $remote_addr consistent;
+ zone flow-london 64k;
+ server 10.60.32.11:4010; # Use your own IP address
+ server 10.60.32.12:4010;
+ keepalive 120;
+}
+
+server {
+ listen 80;
+ server_name flow.london.firstderivatives.com;
+ return 301 https://flow.london.firstderivatives.com$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name flow.london.firstderivatives.com;
+ ssl_certificate /etc/ssl/client/flow.london.firstderivatives.com.cer; # Client Supplied Certificate
+ ssl_certificate_key /etc/ssl/client/flow.london.firstderivatives.com.key; # Client Supplied Certificate
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ access_log /var/log/nginx/flow.london.firstderivatives.com.access.log main ;
+ access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+ error_log /var/log/nginx/flow.london.firstderivatives.com.error.log;
+ error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+ status_zone status_zone;
+
+### WAF Component ###
+ include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+ location / {
+ proxy_pass http://flow-london/;
+ proxy_set_header Origin http://flow.london.firstderivatives.com;
+ proxy_hide_header Access-Control-Allow-Origin;
+ add_header Access-Control-Allow-Origin $http_origin;
+ proxy_set_header Host flow.london.firstderivatives.com; # Required if Proxy Header is needed
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+ }
+}
\ No newline at end of file
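Review bot: `add_header Access-Control-Allow-Origin $http_origin;` in `location /` reflects whatever `Origin` the browser sends, which is equivalent to a wildcard, and the neighbouring `proxy_hide_header Access-Control-Allow-Origin` plus the forced `proxy_set_header Origin http://flow.london.firstderivatives.com` also hide the real origin from the backend's own check — the net effect is that any third-party page can make cross-origin requests to this host. The same three lines appear in the i-trader.adss.com, ld.smbc-gle-saml, ld.smbc-gle, ld.smbc-rm-saml and ld.smbc-rm files and in templates/nginx_template.j2, so the fix belongs in the template. A `map $http_origin $cors_origin { default ""; "~^https://flow\.london\.firstderivatives\.com$" $http_origin; }` in the shared map file together with `add_header Access-Control-Allow-Origin $cors_origin;` limits the header to the site's own origin (nginx omits the header when the value is empty); if the reflection is deliberate for a known cross-origin client, a comment next to it naming that client is the minimum. Separately, `ssl_prefer_server_ciphers on` without an `ssl_ciphers` directive leaves the cipher list at the build default, so the directive does less than it appears to — either set the list or drop the line.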
diff --git a/ld6/i-trader.adss.com.conf b/ld6/i-trader.adss.com.conf
new file mode 100644
index 0000000..0e1e120
--- /dev/null
+++ b/ld6/i-trader.adss.com.conf
@@ -0,0 +1,47 @@
+upstream itrader-adss {
+ hash $remote_addr consistent;
+ zone itrader-adss 64k;
+ server 10.60.32.11:4015; # Use your own IP address
+ server 10.60.32.12:4015;
+ keepalive 120;
+}
+
+server {
+ listen 80;
+ server_name i-trader.adss.com;
+ return 301 https://i-trader.adss.com$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name i-trader.adss.com;
+ ssl_certificate /etc/ssl/client/i-trader.adss.com.cer; # Client Supplied Certificate
+ ssl_certificate_key /etc/ssl/client/i-trader.adss.com.key; # Client Supplied Certificate
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ access_log /var/log/nginx/i-trader.adss.com.access.log main ;
+ access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+ error_log /var/log/nginx/i-trader.adss.com.error.log;
+ error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+ status_zone status_zone;
+
+### WAF Component ###
+ include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+ location / {
+ proxy_pass http://itrader-adss/;
+ proxy_set_header Origin http://i-trader.adss.com;
+ proxy_hide_header Access-Control-Allow-Origin;
+ add_header Access-Control-Allow-Origin $http_origin;
+ proxy_set_header Host i-trader.adss.com; # Required if Proxy Header is needed
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+ }
+}
\ No newline at end of file
diff --git a/ld6/ld.smbc-gle-saml.firstderivatives.com.conf b/ld6/ld.smbc-gle-saml.firstderivatives.com.conf
new file mode 100644
index 0000000..c8528ca
--- /dev/null
+++ b/ld6/ld.smbc-gle-saml.firstderivatives.com.conf
@@ -0,0 +1,47 @@
+upstream ld-smbc-gle-saml {
+ hash $remote_addr consistent;
+ zone ld-smbc-gle-saml 64k;
+ server 10.60.32.11:4020; # Use your own IP address
+ server 10.60.32.12:4020;
+ keepalive 120;
+}
+
+server {
+ listen 80;
+ server_name ld.smbc-gle-saml.firstderivatives.com;
+ return 301 https://ld.smbc-gle-saml.firstderivatives.com$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name ld.smbc-gle-saml.firstderivatives.com;
+ ssl_certificate /etc/ssl/client/ld.smbc-gle-saml.firstderivatives.com.cer; # Client Supplied Certificate
+ ssl_certificate_key /etc/ssl/client/ld.smbc-gle-saml.firstderivatives.com.key; # Client Supplied Certificate
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ access_log /var/log/nginx/ld.smbc-gle-saml.firstderivatives.com.access.log main ;
+ access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+ error_log /var/log/nginx/ld.smbc-gle-saml.firstderivatives.com.error.log;
+ error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+ status_zone status_zone;
+
+### WAF Component ###
+ include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+ location / {
+ proxy_pass http://ld-smbc-gle-saml/;
+ proxy_set_header Origin https://ld.smbc-gle-saml.firstderivatives.com;
+ proxy_hide_header Access-Control-Allow-Origin;
+ add_header Access-Control-Allow-Origin $http_origin;
+ proxy_set_header Host ld.smbc-gle-saml.firstderivatives.com; # Required if Proxy Header is needed
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+ }
+}
\ No newline at end of file
diff --git a/ld6/ld.smbc-gle.firstderivatives.com.conf b/ld6/ld.smbc-gle.firstderivatives.com.conf
new file mode 100644
index 0000000..f4b0609
--- /dev/null
+++ b/ld6/ld.smbc-gle.firstderivatives.com.conf
@@ -0,0 +1,47 @@
+upstream ld-smbc-gle {
+ hash $remote_addr consistent;
+ zone ld-smbc-gle 64k;
+ server 10.60.32.11:4010; # Use your own IP address
+ server 10.60.32.12:4010;
+ keepalive 120;
+}
+
+server {
+ listen 80;
+ server_name ld.smbc-gle.firstderivatives.com;
+ return 301 https://ld.smbc-gle.firstderivatives.com$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name ld.smbc-gle.firstderivatives.com;
+ ssl_certificate /etc/ssl/client/ld.smbc-gle.firstderivatives.com.cer; # Client Supplied Certificate
+ ssl_certificate_key /etc/ssl/client/ld.smbc-gle.firstderivatives.com.key; # Client Supplied Certificate
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ access_log /var/log/nginx/ld.smbc-gle.firstderivatives.com.access.log main ;
+ access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+ error_log /var/log/nginx/ld.smbc-gle.firstderivatives.com.error.log;
+ error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+ status_zone status_zone;
+
+### WAF Component ###
+ include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+ location / {
+ proxy_pass http://ld-smbc-gle/;
+ proxy_set_header Origin http://ld.smbc-gle.firstderivatives.com;
+ proxy_hide_header Access-Control-Allow-Origin;
+ add_header Access-Control-Allow-Origin $http_origin;
+ proxy_set_header Host ld.smbc-gle.firstderivatives.com; # Required if Proxy Header is needed
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+ }
+}
\ No newline at end of file
diff --git a/ld6/ld.smbc-rm-saml.firstderivatives.com.conf b/ld6/ld.smbc-rm-saml.firstderivatives.com.conf
new file mode 100644
index 0000000..a15ceb3
--- /dev/null
+++ b/ld6/ld.smbc-rm-saml.firstderivatives.com.conf
@@ -0,0 +1,47 @@
+upstream ld-smbc-rm-saml {
+ hash $remote_addr consistent;
+ zone ld-smbc-rm-saml 64k;
+ server 10.60.32.11:4025; # Use your own IP address
+ server 10.60.32.12:4025;
+ keepalive 120;
+}
+
+server {
+ listen 80;
+ server_name ld.smbc-rm-saml.firstderivatives.com;
+ return 301 https://ld.smbc-rm-saml.firstderivatives.com$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name ld.smbc-rm-saml.firstderivatives.com;
+ ssl_certificate /etc/ssl/client/ld.smbc-rm-saml.firstderivatives.com.cer; # Client Supplied Certificate
+ ssl_certificate_key /etc/ssl/client/ld.smbc-rm-saml.firstderivatives.com.key; # Client Supplied Certificate
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ access_log /var/log/nginx/ld.smbc-rm-saml.firstderivatives.com.access.log main ;
+ access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+ error_log /var/log/nginx/ld.smbc-rm-saml.firstderivatives.com.error.log;
+ error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+ status_zone status_zone;
+
+### WAF Component ###
+ include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+ location / {
+ proxy_pass http://ld-smbc-rm-saml/;
+ proxy_set_header Origin https://ld.smbc-rm-saml.firstderivatives.com;
+ proxy_hide_header Access-Control-Allow-Origin;
+ add_header Access-Control-Allow-Origin $http_origin;
+ proxy_set_header Host ld.smbc-rm-saml.firstderivatives.com; # Required if Proxy Header is needed
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+ }
+}
\ No newline at end of file
diff --git a/ld6/ld.smbc-rm.firstderivatives.com.conf b/ld6/ld.smbc-rm.firstderivatives.com.conf
new file mode 100644
index 0000000..f1cf580
--- /dev/null
+++ b/ld6/ld.smbc-rm.firstderivatives.com.conf
@@ -0,0 +1,47 @@
+upstream ld-smbc-rm {
+ hash $remote_addr consistent;
+ zone ld-smbc-rm 64k;
+ server 10.60.32.11:4608; # Use your own IP address
+ server 10.60.32.12:4608;
+ keepalive 120;
+}
+
+server {
+ listen 80;
+ server_name ld.smbc-rm.firstderivatives.com;
+ return 301 https://ld.smbc-rm.firstderivatives.com$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name ld.smbc-rm.firstderivatives.com;
+ ssl_certificate /etc/ssl/client/ld.smbc-rm.firstderivatives.com.cer; # Client Supplied Certificate
+ ssl_certificate_key /etc/ssl/client/ld.smbc-rm.firstderivatives.com.key; # Client Supplied Certificate
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ access_log /var/log/nginx/ld.smbc-rm.firstderivatives.com.access.log main ;
+ access_log syslog:server=10.60.64.56:514,tag=nginx,severity=info;
+ error_log /var/log/nginx/ld.smbc-rm.firstderivatives.com.error.log;
+ error_log syslog:server=10.60.64.56:514,tag=nginx_error,severity=warn;
+ status_zone status_zone;
+
+### WAF Component ###
+ include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+ location / {
+ proxy_pass http://ld-smbc-rm/;
+ proxy_set_header Origin http://ld.smbc-rm.firstderivatives.com;
+ proxy_hide_header Access-Control-Allow-Origin;
+ add_header Access-Control-Allow-Origin $http_origin;
+ proxy_set_header Host ld.smbc-rm.firstderivatives.com; # Required if Proxy Header is needed
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+ }
+}
\ No newline at end of file
diff --git a/templates/nginx_template.j2 b/templates/nginx_template.j2
new file mode 100644
index 0000000..85fe50a
--- /dev/null
+++ b/templates/nginx_template.j2
@@ -0,0 +1,47 @@
+upstream {{ upstream_name }} {
+ hash $remote_addr consistent;
+ zone {{ zone }} 64k;
+ server {{ backend1 }}:{{ backend1_port }}; # Use your own IP address
+ server {{ backend2 }}:{{ backend2_port }};
+ keepalive 120;
+}
+
+server {
+ listen 80;
+ server_name {{ URL }};
+ return 301 https://{{ URL }}$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name {{ URL }};
+ ssl_certificate /etc/ssl/client/{{ URL }}.cer; # Client Supplied Certificate
+ ssl_certificate_key /etc/ssl/client/{{ URL }}.key; # Client Supplied Certificate
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ access_log /var/log/nginx/{{ URL }}.access.log main ;
+ access_log syslog:server={{ SIEM_IP }}:514,tag=nginx,severity=info;
+ error_log /var/log/nginx/{{ URL }}.error.log;
+ error_log syslog:server={{ SIEM_IP }}:514,tag=nginx_error,severity=warn;
+ status_zone {{ status_zone }};
+
+### WAF Component ###
+ include conf.d/00-waf_enable.conf;
+### WAF Component ###
+
+ location / {
+ proxy_pass http://{{ upstream_name }}/;
+ proxy_set_header Origin http{{ saml_yes }}://{{ URL }};
+ proxy_hide_header Access-Control-Allow-Origin;
+ add_header Access-Control-Allow-Origin $http_origin;
+ proxy_set_header Host {{ URL }}; # Required if Proxy Header is needed
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+### Web Sockets (wss) ###
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+### Web Sockets (wss) ###
+ }
+}
\ No newline at end of file
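Review bot: `http{{ saml_yes }}://{{ URL }}` on the `proxy_set_header Origin` line builds the scheme by string concatenation, and the README only says the variable "adds an s to http"; an operator who sets `saml_yes: true` or `yes` instead of the literal `s` gets `httpTrue://` or `httpyes://`, which nginx accepts as a header value and which the backend then rejects with no hint in this config. A boolean is harder to misuse: `proxy_set_header Origin {{ 'https' if saml | default(false) else 'http' }}://{{ URL }};`, with `saml` documented as a true/false value in the README. The rendered `ld6/` files show the variable only changes the Origin sent upstream while the public site is always `https://` (the `return 301 https://{{ URL }}$request_uri;` block), so a Jinja comment at the top of the template, e.g. `{# saml: true when the backend expects an https Origin; the client-facing side is always TLS #}`, would explain the asymmetry. Every `{{ ... }}` is interpolated unquoted into directives and file paths (`/etc/ssl/client/{{ URL }}.cer`), so a stray space or `;` in an inventory value silently changes the generated config; `{{ URL | mandatory }}` or an `assert` task in the role would fail the render instead.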