diff --git a/GIDs b/GIDs
--- a/GIDs
+++ b/GIDs
@@ -16,3 +16,4 @@
9002 deploy
9003 web
9018 rhyne-wyse
+9019 anubis
diff --git a/UIDs b/UIDs
--- a/UIDs
+++ b/UIDs
@@ -13,6 +13,7 @@
9001 salt
9002 deploy
9018 rhyne-wyse
+9019 anubis
8900 zr LEGACY
# Web app
diff --git a/map.jinja b/map.jinja
--- a/map.jinja
+++ b/map.jinja
@@ -7,6 +7,7 @@
'lib': '/usr/lib',
'libexec': '/usr/libexec',
'man': '/usr/share/man',
+ 'run': '/run',
'sbin': '/usr/sbin',
'share': '/usr/share',
},
@@ -18,6 +19,7 @@
'lib': '/usr/local/lib',
'libexec': '/usr/local/libexec',
'man': '/usr/local/share/man',
+ 'run': '/var/run',
'sbin': '/usr/local/sbin',
'share': '/usr/local/share',
},
diff --git a/pillar/paas/docker/dwellers/orbeon.sls b/pillar/paas/docker/dwellers/orbeon.sls
--- a/pillar/paas/docker/dwellers/orbeon.sls
+++ b/pillar/paas/docker/dwellers/orbeon.sls
@@ -41,3 +41,11 @@
apps:
- nasqueron-join
- nasqueron-requests
+
+anubis_instances:
+ orbeon:
+ socket: /run/anubis/orbeon.sock
+ metrics_socket: /run/anubis/orbeon-metrics.sock
+ target:
+ service: orbeon
+ container: nasqueron_forms
diff --git a/roles/paas-docker/anubis/account.sls b/roles/paas-docker/anubis/account.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/account.sls
@@ -0,0 +1,49 @@
+# -------------------------------------------------------------
+# Salt — Anubis
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs with context %}
+
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
+
+# -------------------------------------------------------------
+# User and group
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+anubis_group:
+ group.present:
+ - name: anubis
+ - gid: 9019
+
+anubis_user:
+ user.present:
+ - name: anubis
+ - uid: 9019
+ - shell: /sbin/nologin
+ - groups:
+ - anubis
+ - system: True
+ - require:
+ - group: anubis_group
+
+# -------------------------------------------------------------
+# /run directory
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.run }}/anubis:
+ file.directory:
+ - user: anubis
+
+{% if has_selinux %}
+anubis_run_policy:
+ selinux.fcontext_policy_present:
+ - name: {{ dirs.run }}/anubis
+ - sel_type: httpd_var_run_t
+
+anubis_run_policy_applied:
+ selinux.fcontext_policy_applied:
+ - name: {{ dirs.run }}/anubis
+{% endif %}
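Review bot: `{{ dirs.run }}/anubis` is created with file.directory on a path that map.jinja maps to /run or /var/run, normally a tmpfs emptied at boot, so after a reboot the directory is gone until the next highstate and the anubis@*.service units from config.sls cannot bind their sockets. Declaring it on the systemd side survives reboots: add `RuntimeDirectory=anubis` and `RuntimeDirectoryPreserve=yes` to anubis.service (the preserve flag matters if more than one instance shares the directory, as the `/run/anubis/<instance>.sock` layout in the orbeon pillar suggests), or ship a tmpfiles.d entry such as `d {{ dirs.run }}/anubis 0750 anubis web -` (constructed example). The state also sets only `user`; since nginx (httpd_t) has to reach the socket files, set `group` and `mode` explicitly rather than inheriting the minion's umask. The SELinux fcontext below is an exact-path entry, so I would expect it to label the directory only; if the socket files inside also need httpd_var_run_t for the new nginx.te rule to apply, the spec should be `{{ dirs.run }}/anubis(/.*)?` — worth confirming with restorecon after a deploy.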
diff --git a/roles/paas-docker/anubis/config.sls b/roles/paas-docker/anubis/config.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/config.sls
@@ -0,0 +1,69 @@
+# -------------------------------------------------------------
+# Salt — Anubis (WAF/Reverse Proxy)
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs with context %}
+
+# -------------------------------------------------------------
+# Global configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/anubis/private.key:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/private.key
+ - template: jinja
+ - context:
+ key: {{ salt["credentials.get_password"]("anubis/" + grains["id"]) }}
+ - user: anubis
+ - group: anubis
+ - mode: 400
+ - makedirs: True
+
+{{ dirs.etc }}/anubis/policies.yaml:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/policies.yaml
+ - user: root
+ - group: anubis
+ - mode: 644
+ - makedirs: True
+
+# -------------------------------------------------------------
+# Per-instance configuration and service
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% for instance, config in salt["pillar.get"]("anubis_instances", {}).items() %}
+
+{{ dirs.etc }}/anubis/{{ instance }}/instance.env:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/instance.env
+ - template: jinja
+ - context:
+ instance: {{ instance }}
+ config: {{ config }}
+ port: {{ pillar["docker_containers"][config.target.service][config.target.container]["app_port"] }}
+ - user: root
+ - group: anubis
+ - mode: 644
+ - makedirs: True
+
+# e.g. systemctl status anubis@devcentral
+
+/etc/systemd/system/anubis@{{ instance }}.service:
+ file.managed:
+ - source: salt://roles/paas-docker/anubis/files/anubis.service
+ - template: jinja
+ - context:
+ instance: {{ instance }}
+
+anubis@{{ instance }}:
+ service.running:
+ - enable: True
+ - watch:
+ - file: {{ dirs.etc }}/anubis/{{ instance }}/instance.env
+ - file: {{ dirs.etc }}/anubis/policies.yaml
+ - file: {{ dirs.etc }}/anubis/private.key
+
+{% endfor %}
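Review bot: The `{{ dirs.etc }}/anubis/private.key` state leaves the key material visible in state output: file.managed reports a content diff whenever the file changes (show_changes defaults to True), and that diff lands in the minion log, the master job cache and the terminal of whoever runs the highstate. Add `- show_changes: False` to that state. The key still passes through the rendered SLS via `context: key:`, so tools that dump the compiled state will show it, but the diff is the loudest channel and is cheap to close. Separately, `config: {{ config }}` injects the Python repr of the pillar dict into YAML; that happens to parse for simple string values, but `config: {{ config | json }}` is the robust form and avoids surprises with nested or non-string values.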
diff --git a/roles/paas-docker/anubis/files/anubis.service b/roles/paas-docker/anubis/files/anubis.service
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/anubis.service
@@ -0,0 +1,29 @@
+# -------------------------------------------------------------
+# Anubis — {{ instance }}
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/anubis/files/anubis.service
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+[Unit]
+Description=Anubis Web AI Firewall - {{ instance }}
+After=network.target
+
+[Service]
+Type=simple
+User=anubis
+Group=web
+ExecStart=/usr/bin/anubis
+Restart=always
+EnvironmentFile=/etc/anubis/{{ instance }}/instance.env
+
+[Install]
+WantedBy=multi-user.target
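Review bot: `EnvironmentFile=/etc/anubis/{{ instance }}/instance.env` hard-codes /etc, while config.sls writes that file to `{{ dirs.etc }}/anubis/{{ instance }}/instance.env`; map.jinja carries two layouts (/usr and /usr/local prefixes), so on a host where dirs.etc is not /etc the unit points at a file that is never written and the service fails to start. The same split is in instance.env: `ED25519_PRIVATE_KEY_HEX_FILE=/etc/anubis/private.key` versus `{{ dirs.etc }}/anubis/private.key`, and the `POLICY_FNAME` default `/usr/local/etc/anubis/policies.yaml` versus the managed `{{ dirs.etc }}/anubis/policies.yaml`. Pass the directory in from config.sls (`etc: {{ dirs.etc }}` in both template contexts) and use `{{ etc }}/anubis/...` in those three places so a single source decides the path. While here, the unit fronts public traffic with no sandboxing at all; `NoNewPrivileges=yes` and `PrivateTmp=yes` are cheap, behaviour-neutral additions for a process that only needs its env file, key and socket directory.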
diff --git a/roles/paas-docker/anubis/files/instance.env b/roles/paas-docker/anubis/files/instance.env
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/instance.env
@@ -0,0 +1,22 @@
+# -------------------------------------------------------------
+# Anubis — Instance configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/anubis/files/instance.env
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+TARGET=http://127.0.0.1:{{ port }}
+BIND={{ config.socket }}
+BIND_NETWORK=unix
+POLICY_FNAME={{ config.policies_file | default("/usr/local/etc/anubis/policies.yaml") }}
+METRICS_BIND={{ config.metrics_socket }}
+METRICS_BIND_NETWORK=unix
+ED25519_PRIVATE_KEY_HEX_FILE=/etc/anubis/private.key
diff --git a/roles/paas-docker/anubis/files/policies.yaml b/roles/paas-docker/anubis/files/policies.yaml
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/policies.yaml
@@ -0,0 +1,133 @@
+# -------------------------------------------------------------
+# Anubis — Bot policies
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-docker/anubis/files/policies.yaml
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# Anubis botPolicies.yaml
+# Reconiciliated with P390
+
+bots:
+ - import: (data)/bots/_deny-pathological.yaml
+ - import: (data)/bots/aggressive-brazilian-scrapers.yaml
+ - import: (data)/meta/ai-block-aggressive.yaml
+ - import: (data)/crawlers/_allow-good.yaml
+ - import: (data)/clients/x-firefox-ai.yaml
+ - import: (data)/common/keep-internet-working.yaml
+
+ - name: low-load-average
+ action: WEIGH
+ expression: load_15m <= 2.0
+ weight:
+ adjust: -10
+
+ - name: realistic-browser-catchall
+ expression:
+ all:
+ - '"User-Agent" in headers'
+ - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
+ - '"Accept" in headers'
+ - '"Sec-Fetch-Dest" in headers'
+ - '"Sec-Fetch-Mode" in headers'
+ - '"Sec-Fetch-Site" in headers'
+ - '"Accept-Encoding" in headers'
+ - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
+ - '"Accept-Language" in headers'
+ action: WEIGH
+ weight:
+ adjust: -10
+
+ - name: upgrade-insecure-requests
+ expression: '"Upgrade-Insecure-Requests" in headers'
+ action: WEIGH
+ weight:
+ adjust: -2
+
+ - name: chrome-is-proper
+ expression:
+ all:
+ - userAgent.contains("Chrome")
+ - '"Sec-Ch-Ua" in headers'
+ - 'headers["Sec-Ch-Ua"].contains("Chromium")'
+ - '"Sec-Ch-Ua-Mobile" in headers'
+ - '"Sec-Ch-Ua-Platform" in headers'
+ action: WEIGH
+ weight:
+ adjust: -5
+
+ - name: should-have-accept
+ expression: '!("Accept" in headers)'
+ action: WEIGH
+ weight:
+ adjust: 5
+
+ - name: generic-browser
+ user_agent_regex: >-
+ Mozilla|Opera
+ action: WEIGH
+ weight:
+ adjust: 10
+
+dnsbl: false
+
+status_codes:
+ CHALLENGE: 200
+ DENY: 200
+
+store:
+ backend: memory
+ parameters: {}
+
+thresholds:
+ - name: minimal-suspicion
+ expression: weight <= 0
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 4
+
+ - name: mild-suspicion
+ expression:
+ all:
+ - weight > 0
+ - weight < 10
+ action: CHALLENGE
+ challenge:
+ algorithm: metarefresh
+ difficulty: 1
+
+ - name: moderate-suspicion
+ expression:
+ all:
+ - weight >= 10
+ - weight < 20
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 2
+
+ - name: mild-proof-of-work
+ expression:
+ all:
+ - weight >= 20
+ - weight < 30
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 4
+
+ - name: extreme-suspicion
+ expression: weight >= 30
+ action: CHALLENGE
+ challenge:
+ algorithm: fast
+ difficulty: 6
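Review bot: The `minimal-suspicion` threshold (`weight <= 0`) issues a `fast` challenge at difficulty 4, which is heavier than what `mild-suspicion` (metarefresh, difficulty 1) and `moderate-suspicion` (fast, difficulty 2) apply to more suspicious clients and equal to `mild-proof-of-work`, so the best-behaved browsers — the ones pushed negative by `realistic-browser-catchall` and `low-load-average` — get the second-hardest proof of work in the file. If that is intentional (never serving DevCentral without a challenge, for instance) a comment above the threshold would spare the next reader the same double-take; otherwise `action: ALLOW` or the lowest difficulty is what the ordering of the other thresholds leads one to expect there. The header comment `# Reconiciliated with P390` reads as a typo for `Reconciled`.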
diff --git a/roles/paas-docker/anubis/files/private.key b/roles/paas-docker/anubis/files/private.key
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/files/private.key
@@ -0,0 +1 @@
+{{ key }}
diff --git a/roles/paas-docker/anubis/init.sls b/roles/paas-docker/anubis/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/init.sls
@@ -0,0 +1,11 @@
+# -------------------------------------------------------------
+# Salt — Anubis
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .account
+ - .software
+ - .config
diff --git a/roles/paas-docker/anubis/software.sls b/roles/paas-docker/anubis/software.sls
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/anubis/software.sls
@@ -0,0 +1,9 @@
+# -------------------------------------------------------------
+# Salt — Anubis
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+anubis:
+ pkg.installed
diff --git a/roles/paas-docker/init.sls b/roles/paas-docker/init.sls
--- a/roles/paas-docker/init.sls
+++ b/roles/paas-docker/init.sls
@@ -17,6 +17,7 @@
- .systemd-timers
- .wwwroot-502
- .wwwroot-content
+ - .anubis
- .nginx
- .monitoring
- .wrappers
diff --git a/roles/paas-docker/nginx/files/selinux/nginx.te b/roles/paas-docker/nginx/files/selinux/nginx.te
--- a/roles/paas-docker/nginx/files/selinux/nginx.te
+++ b/roles/paas-docker/nginx/files/selinux/nginx.te
@@ -15,11 +15,13 @@
# and will be lost if the state is redeployed.
# </auto-generated>
-policy_module(nginx, 1.0)
+policy_module(nginx, 1.1)
require {
type httpd_t;
+ type httpd_var_run_t;
type container_file_t;
+ type unconfined_service_t;
}
#============= httpd_t ==============
@@ -28,3 +30,7 @@
allow httpd_t container_file_t:lnk_file read;
allow httpd_t container_file_t:file read;
+
+# Allow to connect to UNIX sockets
+allow httpd_t httpd_var_run_t:sock_file write;
+allow httpd_t unconfined_service_t:unix_stream_socket connectto;
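Review bot: `allow httpd_t unconfined_service_t:unix_stream_socket connectto;` lets nginx connect to the stream socket of every unconfined service on the host, not only anubis; the rule is that broad because anubis is started by systemd with no domain of its own and so runs as unconfined_service_t. A dedicated type for the anubis process would let the rule name the actual peer; until one exists, record the scope next to the rule, e.g. `# anubis has no policy module yet and runs as unconfined_service_t; this rule therefore covers every unconfined service socket`. The `sock_file write` rule on httpd_var_run_t only applies if the socket files actually carry that label, which the exact-path fcontext in account.sls guarantees for the directory but not necessarily for files created inside it — worth checking with `ls -Z` on the socket directory after the first deploy.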
D3908: Deploy Anubis for DevCentral