diff --git a/molecule/complete_plus/converge.yml b/molecule/complete_plus/converge.yml index 0723fece..72d46b99 100644 --- a/molecule/complete_plus/converge.yml +++ b/molecule/complete_plus/converge.yml @@ -22,9 +22,9 @@ deployment_location: /etc/nginx/nginx.conf config: main: - # load_module: - # - modules/ngx_http_app_protect_module.so - # - modules/ngx_http_app_protect_dos_module.so + load_module: + - modules/ngx_http_app_protect_module.so + - modules/ngx_http_app_protect_dos_module.so user: nginx worker_processes: auto error_log: @@ -151,27 +151,27 @@ core: default_type: application/octet-stream keepalive_timeout: 65s - # app_protect_waf: - # physical_memory_util_thresholds: - # high: 100 - # low: 100 - # cpu_thresholds: - # high: 100 - # low: 100 - # failure_mode_action: pass - # cookie_seed: testseed - # compressed_requests_action: drop - # app_protect_dos: - # liveliness: - # enable: true - # uri: /app_protect_dos_liveliness - # port: 8090 - # readiness: - # enable: true - # uri: /app_protect_dos_readiness - # port: 8090 - # arb_fqdn: 192.168.1.10 - # accelerated_mitigation: false + app_protect_waf: + physical_memory_util_thresholds: + high: 100 + low: 100 + cpu_thresholds: + high: 100 + low: 100 + failure_mode_action: pass + cookie_seed: testseed + compressed_requests_action: drop + app_protect_dos: + liveliness: + enable: true + uri: /app_protect_dos_liveliness + port: 8090 + readiness: + enable: true + uri: /app_protect_dos_readiness + port: 8090 + arb_fqdn: 192.168.1.10 + accelerated_mitigation: false grpc: bind: address: $remote_addr 
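Review bot: In the http `core` block, `failure_mode_action: pass` makes the WAF fail open and `cookie_seed: testseed` is a fixed, guessable value. Both are reasonable in a Molecule scenario, but converge files are often read as usage examples. A comment above `app_protect_waf:` would make the intent explicit, e.g. `# test-only values: fail-open and a static cookie seed are not production settings`. The same marker would suit `arb_fqdn: 192.168.1.10` under `app_protect_dos`, which is a hard-coded private address. The `core` mapping starts above this hunk, so any defaults set there are not visible here.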
@@ -351,26 +351,26 @@ default_server: true server_name: localhost client_max_body_size: 512k - # app_protect_waf: - # enable: true - # policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json - # security_log_enable: true - # security_log: - # - path: /etc/app_protect/conf/log_default.json - # dest: syslog:server=10.1.1.1:514 - # - path: /etc/app_protect/conf/log_default.json - # dest: syslog:server=10.1.1.2:514 - # app_protect_dos: - # enable: true - # policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json - # security_log_enable: true - # security_log: - # path: /etc/app_protect_dos/log-default.json - # dest: syslog:server=10.1.1.1:514 - # monitor: - # uri: http://10.1.1.1:5000/monitor - # protocol: http2 - # timeout: 10 + app_protect_waf: + enable: true + policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json + security_log_enable: true + security_log: + - path: /etc/app_protect/conf/log_default.json + dest: syslog:server=10.1.1.1:514 + - path: /etc/app_protect/conf/log_default.json + dest: syslog:server=10.1.1.2:514 + app_protect_dos: + enable: true + policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json + security_log_enable: true + security_log: + path: /etc/app_protect_dos/log-default.json + dest: syslog:server=10.1.1.1:514 + monitor: + uri: http://10.1.1.1:5000/monitor + protocol: http2 + timeout: 10 auth_jwt: enable: realm: realm 
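Review bot: The server-level `app_protect_dos.policy_file` points at `/etc/app_protect/conf/BADOSDefaultPolicy.json`, which is the WAF configuration directory, while the DoS log profile in the same block is read from `/etc/app_protect_dos/log-default.json`. It is worth confirming that the policy file exists at that path on the test images. If the module silently falls back to a built-in policy, the scenario would converge without exercising the configured one. If the path is a typo, the line would read `policy_file: /etc/app_protect_dos/BADOSDefaultPolicy.json`. The location-level block in the next hunk carries the same path.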
@@ -390,24 +390,24 @@ format: main locations: - location: / - # app_protect_waf: - # enable: true - # policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json - # security_log_enable: true - # security_log: - # - path: /etc/app_protect/conf/log_default.json - # dest: syslog:server=10.1.1.1:514 - # - path: /etc/app_protect/conf/log_default.json - # dest: syslog:server=10.1.1.2:514 - # app_protect_dos: - # enable: true - # policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json - # security_log_enable: true - # security_log: - # path: /etc/app_protect_dos/log-default.json - # dest: syslog:server=10.1.1.1:514 - # monitor: http://10.1.1.1:5000/monitor - # api: true + app_protect_waf: + enable: true + policy_file: /etc/app_protect/conf/NginxDefaultPolicy.json + security_log_enable: true + security_log: + - path: /etc/app_protect/conf/log_default.json + dest: syslog:server=10.1.1.1:514 + - path: /etc/app_protect/conf/log_default.json + dest: syslog:server=10.1.1.2:514 + app_protect_dos: + enable: true + policy_file: /etc/app_protect/conf/BADOSDefaultPolicy.json + security_log_enable: true + security_log: + path: /etc/app_protect_dos/log-default.json + dest: syslog:server=10.1.1.1:514 + monitor: http://10.1.1.1:5000/monitor + api: true auth_jwt: enable: false leeway: 0s diff --git a/molecule/complete_plus/molecule.yml b/molecule/complete_plus/molecule.yml index 575ac405..91ad72e6 100644 --- a/molecule/complete_plus/molecule.yml +++ b/molecule/complete_plus/molecule.yml @@ -9,15 +9,6 @@ lint: | set -e ansible-lint --force-color platforms: - - name: rhel-8 - image: redhat/ubi9:9.4 - platform: x86_64 - dockerfile: ../common/Dockerfile.j2 - privileged: true - cgroupns_mode: host - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - command: /usr/sbin/init - name: ubuntu-jammy image: ubuntu:jammy platform: x86_64 diff --git a/molecule/complete_plus/prepare.yml b/molecule/complete_plus/prepare.yml index db2c6fc4..2c5347b5 100644 --- a/molecule/complete_plus/prepare.yml 
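Review bot: `api: true` under `app_protect_dos` is set on `location: /`, and the only access control visible in the hunk is `auth_jwt` with `enable: false`, so whatever endpoint this key renders would presumably be reachable without authentication. A dedicated location with an allow/deny list would be the safer pattern to demonstrate, or a comment such as `# test only: restrict access to the DoS API location outside CI`. Separately, `monitor` is a plain string here but a mapping (`uri`/`protocol`/`timeout`) at server level. If that is deliberate coverage of both accepted forms, a one-line comment saying so would stop a later cleanup from unifying them. The location entry continues below the hunk.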
+++ b/molecule/complete_plus/prepare.yml @@ -30,13 +30,13 @@ key: ../common/files/license/nginx-repo.key nginx_remove_license: false - # - name: Install NGINX App Protect WAF - # ansible.builtin.include_role: - # name: nginxinc.nginx_app_protect - # vars: - # nginx_app_protect_waf_enable: true - # nginx_app_protect_dos_enable: true - # nginx_app_protect_setup_license: false - # nginx_app_protect_remove_license: false - # nginx_app_protect_install_signatures: false - # nginx_app_protect_install_threat_campaigns: false + - name: Install NGINX App Protect WAF + ansible.builtin.include_role: + name: nginxinc.nginx_app_protect + vars: + nginx_app_protect_waf_enable: true + nginx_app_protect_dos_enable: true + nginx_app_protect_setup_license: false + nginx_app_protect_remove_license: false + nginx_app_protect_install_signatures: false + nginx_app_protect_install_threat_campaigns: false
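Review bot: The re-enabled `Install NGINX App Protect WAF` task sets `nginx_app_protect_setup_license: false`, which appears to work only because the preceding role call leaves the repository certificate and key in place (`nginx_remove_license: false` in the context lines). That coupling is not documented. A comment on the task would capture it, e.g. `# license files are reused from the NGINX Plus install above; neither role removes them`. It would also help to state that `nginx_app_protect_install_signatures` and `nginx_app_protect_install_threat_campaigns` are off to keep the scenario fast, so readers do not take the no-signature-updates setup as a recommended baseline. The play containing this task starts above the hunk.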