leogallego.apache_modsecurity
Ansible Role: apache-modsecurity
This Ansible role installs and configures the Apache mod_security2 module (ModSecurity 2.x) on Ubuntu, Debian, or Red Hat-based systems.
Requirements
No special requirements.
Role Variables
The most common configuration variables are listed below. The mostly fixed ones live in defaults/main.yml, and the recommended settings live in vars/main.yml, which is where you should make edits. Note that a role's vars/main.yml takes precedence over inventory and play vars, so those values can only be overridden with extra vars (-e) on the command line or by editing the file. There are also two templates for the modsecurity.conf file: a minimal version and the one recommended by the mod_security project.
The Apache configuration directory for each distribution is set in defaults/main.yml:
apache_conf_dir_debian: "/etc/apache2/conf-available"
apache_conf_dir_redhat: "/etc/httpd/conf.d"
Settings in vars/main.yml:
Enable mod_security initially in detection-only mode, in which rules are evaluated and logged but nothing is blocked. Change this to "On" only after you have reviewed the audit log for false positives and are sure everything works well:
SecRuleEngine: DetectionOnly
Request and response body handling. With SecRequestBodyLimitAction set to Reject, a request whose body exceeds SecRequestBodyLimit is refused with a 413 status; with SecResponseBodyLimitAction set to ProcessPartial, an oversized response is still delivered after the first SecResponseBodyLimit bytes have been inspected:
SecRequestBodyAccess: On
SecRequestBodyLimit: 13107200
SecRequestBodyNoFilesLimit: 131072
SecRequestBodyInMemoryLimit: 131072
SecRequestBodyLimitAction: Reject
SecResponseBodyAccess: On
SecResponseBodyMimeType: "text/plain text/html text/xml"
SecResponseBodyLimit: 524288
SecResponseBodyLimitAction: ProcessPartial
Temporary and persistent storage. The defaults below point both at /tmp/, which is world-writable; the modsecurity.conf recommended by the project advises a private directory that only the web server user can access, because SecDataDir holds persistent data such as per-IP and session collections:
SecTmpDir: /tmp/
SecDataDir: /tmp/
Logging settings. RelevantOnly writes an audit entry only for transactions that matched a rule (or whose status code matches SecAuditLogRelevantStatus); the parts string selects what each entry records, here the audit header (A), request line and headers (B), request body (I), response headers (F), the audit trailer with the rule messages (H) and the closing boundary (Z), among others:
SecAuditEngine: RelevantOnly
SecAuditLogParts: ABIJDEFHZ
SecAuditLogType: Serial
SecAuditLog: /var/log/modsec_audit.log
Share status with the mod_security developers. SecStatusEngine sends version information about ModSecurity, the web server and its libraries to the ModSecurity project over DNS; set it to Off on hosts that must not make such outbound queries:
SecStatusEngine: On
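The advice above to stay in DetectionOnly until the audit log has been checked for false positives needs a way to read that log. The following is an added example, not code from the leogallego.apache_modsecurity role: it parses a serial audit log written with the parts setting above (ABIJDEFHZ), extracts the rule IDs and messages from each part H trailer, confirms the engine mode, and lists the request lines each rule fired on so that each hit can be judged before SecRuleEngine is switched to On. The embedded log, the rule IDs and the request contents are constructed for the example.

```python
"""Triage a ModSecurity 2.x serial audit log (SecAuditLogType Serial, parts
ABIJDEFHZ) before switching SecRuleEngine from DetectionOnly to On.
Added example, not part of the leogallego.apache_modsecurity role; the
sample log at the bottom is constructed, not captured from a real host."""
import re
from collections import Counter, defaultdict

# Part boundary lines look like "--1a2b3c4d-B--": boundary id, then part letter.
PART_BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Tags inside a part H "Message:" line, e.g. [id "942100"] [msg "..."].
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_serial_audit_log(text):
    """Split a serial audit log into {boundary: {part_letter: part_text}}."""
    transactions = {}
    current = part = None
    for line in text.splitlines():
        m = PART_BOUNDARY.match(line)
        if m:
            boundary, letter = m.groups()
            if letter == "Z":  # Z closes the transaction
                current = part = None
            else:
                current, part = boundary, letter
                transactions.setdefault(current, {})[part] = []
            continue
        if current is not None:
            transactions[current][part].append(line)
    return {b: {p: "\n".join(v).strip() for p, v in parts.items()}
            for b, parts in transactions.items()}


def triage(text):
    """Return [(request_line, engine_mode, [(rule_id, msg, severity), ...])]."""
    results = []
    for parts in parse_serial_audit_log(text).values():
        request_line = parts.get("B", "").split("\n", 1)[0]
        mode, hits = None, []
        for line in parts.get("H", "").splitlines():
            if line.startswith("Engine-Mode:"):
                mode = line.split(":", 1)[1].strip().strip('"')
            elif line.startswith("Message:"):
                tags = dict(TAG.findall(line))
                if "id" in tags:  # only rule matches carry an id
                    hits.append((tags["id"], tags.get("msg", ""),
                                 tags.get("severity", "")))
        results.append((request_line, mode, hits))
    return results


def summarize(results):
    """Hit count per (rule_id, msg) and the distinct request lines per rule id."""
    counts, examples = Counter(), defaultdict(set)
    for request_line, _mode, hits in results:
        for rule_id, msg, _severity in hits:
            counts[(rule_id, msg)] += 1
            examples[rule_id].add(request_line)
    return counts, examples


def all_detection_only(results):
    """True when every logged transaction ran under SecRuleEngine DetectionOnly."""
    return all(mode == "DETECTION_ONLY" for _req, mode, _hits in results)


SAMPLE_LOG = """\
--1a2b3c4d-A--
[12/Mar/2024:10:15:01 +0000] ZfA1aaaaaaaaaaaaaaaaaaaa 192.0.2.10 51234 198.51.100.5 80
--1a2b3c4d-B--
GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1
Host: www.example.com

--1a2b3c4d-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-sqli"]
Engine-Mode: "DETECTION_ONLY"

--1a2b3c4d-Z--

--5e6f7a8b-A--
[12/Mar/2024:10:16:44 +0000] ZfA2bbbbbbbbbbbbbbbbbbbb 203.0.113.7 40022 198.51.100.5 80
--5e6f7a8b-B--
POST /blog/comment HTTP/1.1
Host: www.example.com

--5e6f7a8b-I--
body=See+%2Fetc%2Fpasswd+for+the+user+list+format
--5e6f7a8b-H--
Message: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:body' (Value: `See /etc/passwd for the user list format' ) [file "/etc/modsecurity/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "89"] [id "930120"] [msg "OS File Access Attempt"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"

--5e6f7a8b-Z--
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    print("all transactions in DetectionOnly:", all_detection_only(hits))
    counts, examples = summarize(hits)
    for (rule_id, msg), n in counts.most_common():
        print(f"{rule_id} x{n}  {msg}")
        for req in sorted(examples[rule_id]):  # review these for false positives
            print("   ", req)
```

Run it against the real file by reading /var/log/modsec_audit.log instead of SAMPLE_LOG. In the constructed sample the first hit is a genuine injection attempt, while the second is a blog comment that merely mentions /etc/passwd; a rule that keeps firing on legitimate traffic like that is the kind you tune or disable for that location before changing SecRuleEngine to On, otherwise the switch starts blocking real users.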
Dependencies
Apache must be installed. Recommended role:
geerlingguy.apache
For Red Hat and CentOS, the EPEL repository is required:
geerlingguy.epel
Example Playbook
- hosts: all
  roles:
    - leogallego.apache_modsecurity
License
GPLv3
Author Information
Created by Leonardo Gallego for Debian and Red Hat, based on work by Apollo Clark.
Installation
Install the role from Ansible Galaxy with:
ansible-galaxy install leogallego.apache_modsecurity