From 96399915d5e8a67c77b27bbe0c3a34a97964d270 Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Mon, 29 Jul 2024 01:58:36 +0200 Subject: [PATCH 1/2] ci(fix): NAP tests --- molecule/complete_plus/converge.yml | 124 ++++++++++++++-------------- molecule/complete_plus/molecule.yml | 2 +- molecule/complete_plus/prepare.yml | 20 ++--- 3 files changed, 73 insertions(+), 73 deletions(-) diff --git a/molecule/complete_plus/converge.yml b/molecule/complete_plus/converge.yml index 0723fece..72d46b99 100644 --- a/molecule/complete_plus/converge.yml +++ b/molecule/complete_plus/converge.yml @@ -22,9 +22,9 @@ deployment_location: /etc/nginx/nginx.conf config: main: - # load_module: - # - modules/ngx_http_app_protect_module.so - # - modules/ngx_http_app_protect_dos_module.so + load_module: + - modules/ngx_http_app_protect_module.so + - modules/ngx_http_app_protect_dos_module.so user: nginx worker_processes: auto error_log: @@ -151,27 +151,27 @@ core: default_type: application/octet-stream keepalive_timeout: 65s - # app_protect_waf: - # physical_memory_util_thresholds: - # high: 100 - # low: 100 - # cpu_thresholds: - # high: 100 - # low: 100 - # failure_mode_action: pass - # cookie_seed: testseed - # compressed_requests_action: drop - # app_protect_dos: - # liveliness: - # enable: true - # uri: /app_protect_dos_liveliness - # port: 8090 - # readiness: - # enable: true - # uri: /app_protect_dos_readiness - # port: 8090 - # arb_fqdn: 192.168.1.10 - # accelerated_mitigation: false + app_protect_waf: + physical_memory_util_thresholds: + high: 100 + low: 100 + cpu_thresholds: + high: 100 + low: 100 + failure_mode_action: pass + cookie_seed: testseed + compressed_requests_action: drop + app_protect_dos: + liveliness: + enable: true + uri: /app_protect_dos_liveliness + port: 8090 + readiness: + enable: true + uri: /app_protect_dos_readiness + port: 8090 + arb_fqdn: 192.168.1.10 + accelerated_mitigation: false grpc: bind: address: $remote_addr 
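Review bot: In the `app_protect_waf` block of the second converge.yml hunk (`@@ -151,27 +151,27 @@`), `cookie_seed: testseed` and `failure_mode_action: pass` become live values, and nothing marks them as test-only. A fixed, guessable seed makes the key protecting App Protect cookies predictable. `pass` lets requests through uninspected whenever the enforcer cannot process them, so anyone who copies this scenario as a starting point inherits both. I would add a comment above the block such as `# Test fixture only: use a long random cookie_seed from a secret store and consider failure_mode_action: drop outside CI`. The enclosing mapping starts and ends outside the hunk.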
@@ -351,26 +351,26 @@ default_server: true server_name: localhost client_max_body_size: 512k - # app_protect_waf: - # enable: true - # policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json - # security_log_enable: true - # security_log: - # - path: /etc/app_protect/conf/log_default.json - # dest: syslog:server=10.1.1.1:514 - # - path: /etc/app_protect/conf/log_default.json - # dest: syslog:server=10.1.1.2:514 - # app_protect_dos: - # enable: true - # policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json - # security_log_enable: true - # security_log: - # path: /etc/app_protect_dos/log-default.json - # dest: syslog:server=10.1.1.1:514 - # monitor: - # uri: http://10.1.1.1:5000/monitor - # protocol: http2 - # timeout: 10 + app_protect_waf: + enable: true + policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json + security_log_enable: true + security_log: + - path: /etc/app_protect/conf/log_default.json + dest: syslog:server=10.1.1.1:514 + - path: /etc/app_protect/conf/log_default.json + dest: syslog:server=10.1.1.2:514 + app_protect_dos: + enable: true + policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json + security_log_enable: true + security_log: + path: /etc/app_protect_dos/log-default.json + dest: syslog:server=10.1.1.1:514 + monitor: + uri: http://10.1.1.1:5000/monitor + protocol: http2 + timeout: 10 auth_jwt: enable: realm: realm 
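Review bot: The `security_log` destinations (`syslog:server=10.1.1.1:514`, `syslog:server=10.1.1.2:514`) and the DoS `monitor` URI `http://10.1.1.1:5000/monitor` enabled in this server-level hunk are RFC 1918 addresses that may be routable from a CI runner or from wherever the scenario is run locally. WAF security logs can carry request data, so a host that happens to answer on those addresses would receive it. Addresses from a documentation range cannot collide with a real host, e.g. `dest: syslog:server=192.0.2.1:514` (constructed example from RFC 5737 TEST-NET-1). The same values recur in the location-level hunk `@@ -390,24 +390,24 @@`, and `arb_fqdn: 192.168.1.10` in `@@ -151,27 +151,27 @@` has the same issue. The enclosing server entry starts and ends outside the hunk.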
@@ -390,24 +390,24 @@ format: main locations: - location: / - # app_protect_waf: - # enable: true - # policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json - # security_log_enable: true - # security_log: - # - path: /etc/app_protect/conf/log_default.json - # dest: syslog:server=10.1.1.1:514 - # - path: /etc/app_protect/conf/log_default.json - # dest: syslog:server=10.1.1.2:514 - # app_protect_dos: - # enable: true - # policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json - # security_log_enable: true - # security_log: - # path: /etc/app_protect_dos/log-default.json - # dest: syslog:server=10.1.1.1:514 - # monitor: http://10.1.1.1:5000/monitor - # api: true + app_protect_waf: + enable: true + policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json + security_log_enable: true + security_log: + - path: /etc/app_protect/conf/log_default.json + dest: syslog:server=10.1.1.1:514 + - path: /etc/app_protect/conf/log_default.json + dest: syslog:server=10.1.1.2:514 + app_protect_dos: + enable: true + policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json + security_log_enable: true + security_log: + path: /etc/app_protect_dos/log-default.json + dest: syslog:server=10.1.1.1:514 + monitor: http://10.1.1.1:5000/monitor + api: true auth_jwt: enable: false leeway: 0s diff --git a/molecule/complete_plus/molecule.yml b/molecule/complete_plus/molecule.yml index 575ac405..3a51760d 100644 --- a/molecule/complete_plus/molecule.yml +++ b/molecule/complete_plus/molecule.yml @@ -10,7 +10,7 @@ lint: | ansible-lint --force-color platforms: - name: rhel-8 - image: redhat/ubi9:9.4 + image: redhat/ubi8:8.10 platform: x86_64 dockerfile: ../common/Dockerfile.j2 privileged: true diff --git a/molecule/complete_plus/prepare.yml b/molecule/complete_plus/prepare.yml index db2c6fc4..2c5347b5 100644 --- a/molecule/complete_plus/prepare.yml +++ b/molecule/complete_plus/prepare.yml 
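Review bot: `api: true` at the end of the added `app_protect_dos` block in the `@@ -390,24 +390,24 @@` hunk sits under `location: /`, directly before `auth_jwt: enable: false`. Indentation is lost on this page, so its parent key is inferred, but if it renders `app_protect_dos_api` the DoS API would be served from the site root with JWT auth disabled. For a fixture that is tolerable, but a comment should say so: `# test-only: serve the DoS API from a dedicated, access-restricted location in real configs`. A second comment could note that `monitor` is a plain URI here while the server-level block uses the `uri`/`protocol`/`timeout` mapping, if exercising both forms is the intent. The `locations` list continues outside the hunk.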
@@ -30,13 +30,13 @@ key: ../common/files/license/nginx-repo.key nginx_remove_license: false - # - name: Install NGINX App Protect WAF - # ansible.builtin.include_role: - # name: nginxinc.nginx_app_protect - # vars: - # nginx_app_protect_waf_enable: true - # nginx_app_protect_dos_enable: true - # nginx_app_protect_setup_license: false - # nginx_app_protect_remove_license: false - # nginx_app_protect_install_signatures: false - # nginx_app_protect_install_threat_campaigns: false + - name: Install NGINX App Protect WAF + ansible.builtin.include_role: + name: nginxinc.nginx_app_protect + vars: + nginx_app_protect_waf_enable: true + nginx_app_protect_dos_enable: true + nginx_app_protect_setup_license: false + nginx_app_protect_remove_license: false + nginx_app_protect_install_signatures: false + nginx_app_protect_install_threat_campaigns: false From 419cce88f45212b78926d97466a6d9e327ba79b3 Mon Sep 17 00:00:00 2001 From: Alessandro Fael Garcia Date: Mon, 29 Jul 2024 02:12:03 +0200 Subject: [PATCH 2/2] Update molecule.yml --- molecule/complete_plus/molecule.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/molecule/complete_plus/molecule.yml b/molecule/complete_plus/molecule.yml index 3a51760d..91ad72e6 100644 --- a/molecule/complete_plus/molecule.yml +++ b/molecule/complete_plus/molecule.yml @@ -9,15 +9,6 @@ lint: | set -e ansible-lint --force-color platforms: - - name: rhel-8 - image: redhat/ubi8:8.10 - platform: x86_64 - dockerfile: ../common/Dockerfile.j2 - privileged: true - cgroupns_mode: host - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - command: /usr/sbin/init - name: ubuntu-jammy image: ubuntu:jammy platform: x86_64
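Review bot: The re-enabled `Install NGINX App Protect WAF` task in the prepare.yml hunk (`@@ -30,13 +30,13 @@`) sets `nginx_app_protect_remove_license: false`, and the context line above it keeps `nginx_remove_license: false`. The repository key from `../common/files/license/nginx-repo.key` therefore appears to stay inside the test instance after prepare, with no comment explaining why. I would state the intent next to the flag, e.g. `# test-only: repo key stays on the throwaway instance; remove the license in real playbooks`. `nginx_app_protect_install_signatures: false` and `nginx_app_protect_install_threat_campaigns: false` presumably leave the WAF on whatever signature set ships with the package, which is also worth a one-line comment. The play this task belongs to starts outside the hunk.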