Advanced monitor updates for NAP DoS 2.0 (#182)

aknot242 · web-flow · commit 91861fba7344 · 2021-10-19T19:21:14.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -200,7 +200,7 @@ FEATURES:
 * Explicitly list Jinja2 `2.11.3` as a requirement, as well as detail the minimum supported version (`2.11.x`).
 * Implement Release Drafter.
 * Add support for configuring NGINX App Protect DoS (Denial of Service) module and directives.
-* Add support for configuring the NGINX Rest API module and the NGINX stub status module
+* Add support for configuring the NGINX Rest API module and the NGINX stub status module.
 
 ENHANCEMENTS:
 
diff --git a/molecule/plus/converge.yml b/molecule/plus/converge.yml
@@ -24,7 +24,7 @@
             main:
               load_module:
                 - modules/ngx_http_app_protect_module.so
-                # - modules/ngx_http_app_protect_dos_module.so
+                - modules/ngx_http_app_protect_dos_module.so
               user: nginx
               worker_processes: auto
               error_log:
@@ -311,13 +311,17 @@
                         dest: syslog:server=10.1.1.1:514
                       - path: /etc/app_protect/conf/log_default.json
                         dest: syslog:server=10.1.1.2:514
-                  # app_protect_dos:
-                  #   enable: true
-                  #   policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json
-                  #   security_log_enable: true
-                  #   security_log:
-                  #     path: /etc/app_protect_dos/log-default.json
-                  #     dest: syslog:server=10.1.1.1:514
+                  app_protect_dos:
+                    enable: true
+                    policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json
+                    security_log_enable: true
+                    security_log:
+                      path: /etc/app_protect_dos/log-default.json
+                      dest: syslog:server=10.1.1.1:514
+                    monitor:
+                      uri: http://10.1.1.1:5000/monitor
+                      protocol: http2
+                      timeout: 10
                   auth_jwt:
                     enable:
                       realm: realm
@@ -346,6 +350,14 @@
                             dest: syslog:server=10.1.1.1:514
                           - path: /etc/app_protect/conf/log_default.json
                             dest: syslog:server=10.1.1.2:514
+                      app_protect_dos:
+                        enable: true
+                        policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json
+                        security_log_enable: true
+                        security_log:
+                          path: /etc/app_protect_dos/log-default.json
+                          dest: syslog:server=10.1.1.1:514
+                        monitor: http://10.1.1.1:5000/monitor
                       auth_jwt:
                         enable: false
                         leeway: 0s
diff --git a/molecule/plus/prepare.yml b/molecule/plus/prepare.yml
@@ -35,7 +35,7 @@
         name: nginxinc.nginx_app_protect
       vars:
         nginx_app_protect_waf_enable: true
-        nginx_app_protect_dos_enable: false
+        nginx_app_protect_dos_enable: true
         nginx_app_protect_setup_license: false
         nginx_app_protect_remove_license: false
         nginx_app_protect_install_signatures: false
diff --git a/templates/http/app_protect.j2 b/templates/http/app_protect.j2
@@ -60,7 +60,9 @@ app_protect_dos_policy_file {{ app_protect_dos['policy_file'] }};
 {% if app_protect_dos['name'] is defined %}
 app_protect_dos_name {{ app_protect_dos['name'] }};
 {% endif %}
-{% if app_protect_dos['monitor'] is defined %}
+{% if app_protect_dos['monitor'] is defined and app_protect_dos['monitor'] is mapping %}
+app_protect_dos_monitor uri={{ app_protect_dos['monitor']['uri'] | ternary(app_protect_dos['monitor']['uri'], app_protect_dos['monitor']) }}{{ app_protect_dos['monitor']['protocol'] | ternary((' protocol=' + app_protect_dos['monitor']['protocol'] | string), '') }}{{ app_protect_dos['monitor']['timeout'] | ternary((' timeout=' + app_protect_dos['monitor']['timeout'] | string), '') }};
+{% elif app_protect_dos['monitor'] is defined %}
 app_protect_dos_monitor {{ app_protect_dos['monitor'] }};
 {% endif %}
 {% if app_protect_dos['security_log_enable'] is defined and app_protect_dos['security_log_enable'] is boolean %}
