fix: clear previous compilations and enable plugin

coopdevs · Dec 13, 2022 · 56b1cad · 56b1cad
1 parent 7d6b264
commit 56b1cad
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 12 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -2,7 +2,7 @@
 # defaults file for coopdevs.nginx_modsec3_crs
 nginx_modsec3_enabled: True
 nginx_modsec3_crs_version: v3.4/dev
-nginx_modsec3_crs3_force_compile: False
+nginx_modsec3_crs3_force_compile: True
 nginx_modsec3_crs3_block_mode: True
 nginx_modsec3_crs3_debian_pre_reqs:
   - libgeoip-dev
@@ -37,4 +37,5 @@ nginx_modsec3_crs3_redhat_pre_reqs:
 nginx_modsec3_crs3_redhat_compiler_reqs:
   - "@Development tools"
 
-nginx_official_repo: True
+nginx_official_repo: True
+nginx_official_repo_mainline: True
diff --git a/tasks/compile.yml b/tasks/compile.yml
@@ -2,6 +2,24 @@
 ---
 # Tasks for compiling Modsecurity3 and installing OWASP CRS v3
 
+- name: Set nginx_modules_location if not already set
+  set_fact:
+    nginx_modules_location: "{{ nginx_conf_dir }}/modules"
+  when: nginx_modules_location is not defined
+
+- name: Clear previous compilation
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "~/ModSecurity"
+    - "~/ModSecurity-nginx"
+    - "~/Nginx"
+    - "/tmp/nginx-*.tar.gz"
+    - "{{ nginx_modules_location }}/ngx_http_modsecurity_module.so"
+    - "{{ nginx_conf_dir }}/modsec/"
+  when: nginx_modsec3_crs3_force_compile
+
 - name: Obtain Modsecurity source code for branch v3/master
   git:
     repo: "https://github.com/SpiderLabs/ModSecurity"
@@ -24,7 +42,6 @@
     - "make install"
   when: not modsec3_present or nginx_modsec3_crs3_force_compile
 
-
 - name: Obtain Modsecurity-nginx source code
   git:
     repo: "https://github.com/SpiderLabs/ModSecurity-nginx"
@@ -52,13 +69,6 @@
     remote_src: yes
   when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile
 
-
-- name: Get configure arguments
-  shell:  "nginx -V  2>&1 | awk -F ':' '/configure arguments/{print $2}'"
-  register: result
-  changed_when: False
-  when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile
-
 - name: Configure and make ModSecurity3 for Nginx module
   shell: "{{ item }}"
   args:
@@ -74,15 +84,13 @@
     file: "../jdauphant.nginx/vars/Debian.yml"
   when:
     - ansible_os_family == "Debian"
-    #- nginx_modules_location is not defined
     #- nginx_python_selinux_pkgs is not defined
 
 - name: import nginx role Redhat/Centos vars
   include_vars:
     file: "../jdauphant.nginx/vars/Redhat.yml"
   when:
     - ansible_os_family == "Redhat"
-    #- nginx_modules_location is not defined
     #- nginx_python_selinux_pkgs is not defined
 
 - name: Copy Modsecurity-nginx module to Nginx modules folder
@@ -92,6 +100,12 @@
     remote_src: yes
   when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile
 
+- name: Enable module in Nginx
+  template:
+    src: 50-mod-http-modsecurity.conf.j2
+    dest:  "{{ nginx_conf_dir }}/modules-enabled/50-mod-http-modsecurity.conf"   
+  when: not modsec3_nginx_present or nginx_modsec3_crs3_force_compile
+
 - name: Create folder for Modsec config and rules
   file:
     #path: /etc/nginx/modsec
@@ -132,6 +146,7 @@
     repo: "https://github.com/coreruleset/coreruleset"
     dest: "{{ nginx_conf_dir }}/modsec/owasp-modsecurity-crs"
     version: "{{ nginx_modsec3_crs_version }}"
+    depth: 1
   when: not crs3_present or nginx_modsec3_crs3_force_compile
 
 - name: Copy crs-setup.conf.example to become crs-setup.conf

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -71,16 +71,19 @@
   stat:
     path: /usr/local/modsecurity/lib/libmodsecurity.so
   register: modsec3_present
+  when: not nginx_modsec3_crs3_force_compile
 
 - name: Check if modsecurity-nginx is present
   stat:
     path: /usr/lib/nginx/modules/ngx_http_modsecurity_module.so
   register: modsec3_nginx_present
+  when: not nginx_modsec3_crs3_force_compile
 
 - name: Check if OWASP CRS3 is present
   stat:
     path: /etc/nginx/modsec/owasp-modsecurity-crs/crs-setup.conf
   register: crs3_present
+  when: not nginx_modsec3_crs3_force_compile
 
 - name: Compile ModSecurity3 and install OWAPS CRS3
   include: compile.yml
@@ -108,3 +111,4 @@
     name: "{{ installed.stdout_lines }}"
     state: absent
   when: installed is defined and (nginx_modsec3_crs3_keep is undefined or not nginx_modsec3_crs3_keep)
+
diff --git a/templates/50-mod-http-modsecurity.conf.j2 b/templates/50-mod-http-modsecurity.conf.j2
@@ -0,0 +1 @@
+load_module {{ nginx_modules_location }}/ngx_http_modsecurity_module.so;