wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-06 15:13:56 +02:00
Code Issues Projects Releases Wiki Activity

remove the proxy role #440 (#457)

Browse source 
* remove the proxy role #440

* Separate facts. Make roles more independent from each other

move openssl to local tasks

move unneeded tasks
This commit is contained in:
Jack Ivanov 2017-04-21 00:00:17 +02:00 committed by Dan Guido
parent 019d729fe6
commit a7b06058cb
22 changed files with 53 additions and 2707 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -15,7 +15,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC
* Supports only IKEv2 with strong crypto: AES-GCM, SHA2, and P-256
* Generates Apple profiles to auto-configure iOS and macOS devices
* Includes a helper script to add and remove users
* Blocks ads with a local DNS resolver and HTTP proxy (optional)
* Blocks ads with a local DNS resolver (optional)
* Sets up limited SSH users for tunneling traffic (optional)
* Based on current versions of Ubuntu and strongSwan
* Installs to DigitalOcean, Amazon EC2, Microsoft Azure, Google Compute Engine, or your own server
@ -79,7 +79,7 @@ You can now setup clients to connect it, e.g. your iPhone or laptop. Proceed to
"\"# Config files and certificates are in the ./configs/ directory. #\"",
"\"# Go to https://whoer.net/ after connecting #\"",
"\"# and ensure that all your traffic passes through the VPN. #\"",
"\"# Local DNS resolver and Proxy IP address: 172.16.0.1 #\"",
"\"# Local DNS resolver 172.16.0.1 #\"",
"\"# The p12 and SSH keys password is XXXXXXXX #\"",
"\"#----------------------------------------------------------------------#\"",
```
@ -180,9 +180,9 @@ Use the example command below to start an SSH tunnel by replacing `user` and `ip
To SSH into the Algo server for administrative purposes you can use the example command below by replacing `ip` with your own:
`ssh ubuntu@ip -i ~/.ssh/algo.pem`
If you find yourself regularly logging into Algo then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
`ssh-add ~/.ssh/algo > /dev/null 2>&1`

4
config.cfg
View file

@ -28,7 +28,7 @@ dns_servers:
- 2001:4860:4860::8888
- 2001:4860:4860::8844
# IP address for the proxy and the local dns resolver
# IP address for the local dns resolver
local_service_ip: 172.16.0.1
pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
@ -45,7 +45,7 @@ congrats:
"# Config files and certificates are in the ./configs/ directory. #"
"# Go to https://whoer.net/ after connecting #"
"# and ensure that all your traffic passes through the VPN. #"
"# Local DNS resolver and Proxy IP address: {{ local_service_ip }} #"
"# Local DNS resolver {{ local_service_ip }} #"
p12_pass: |
"# The p12 and SSH keys password is {{ easyrsa_p12_export_password }} #"
ca_key_pass: |

5
deploy.yml
View file

@ -41,13 +41,8 @@
include: playbooks/common.yml
tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'local', 'pre' ]
- set_fact:
cloud_deployment: true
tags: ['cloud']
roles:
- { role: security, tags: [ 'security' ] }
- { role: proxy, tags: [ 'proxy', 'adblock' ] }
- { role: dns_adblocking, tags: ['dns', 'adblock' ] }
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
- { role: vpn, tags: [ 'vpn' ] }

4
docs/setup-roles.md
View file

@ -17,10 +17,6 @@
* Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied
* Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
* Enhances SSH with modern ciphers and seccomp, and restricts access to old or unwanted features like X11 forwarding and SFTP
* **Proxy-based Adblocking and Compression**
* Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset
* Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy
* Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
* **DNS-based Adblocking**
* Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
* Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations

7
playbooks/common.yml
View file

@ -12,9 +12,4 @@
include: freebsd.yml
when: '"FreeBSD" in OS.stdout'
- name: Ensure the algo ssh key exist on the server
authorized_key:
user: "{{ ansible_ssh_user }}"
state: present
key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
tags: [ 'cloud' ]
- include: facts/main.yml

42
playbooks/facts/main.yml Normal file
View file

@ -0,0 +1,42 @@
---
- name: Gather Facts
setup:
- name: Ensure the algo ssh key exist on the server
authorized_key:
user: "{{ ansible_ssh_user }}"
state: present
key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
tags: [ 'cloud' ]
- name: Enable IPv6
set_fact:
ipv6_support: true
when: ansible_default_ipv6.gateway is defined
- name: Set facts if the deployment in a cloud
set_fact:
cloud_deployment: true
tags: ['cloud']
- name: Generate password for the CA key
local_action:
module: shell
openssl rand -hex 16
become: no
register: CA_password
- name: Define password facts
set_fact:
easyrsa_p12_export_password: "{{ p12_export_password|default((ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0]) }}"
easyrsa_CA_password: "{{ CA_password.stdout }}"
- name: Define the commonName
set_fact:
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Change the algorithm to RSA
set_fact:
algo_params: "rsa:2048"
when: Win10_Enabled is defined and Win10_Enabled == "Y"

3
roles/dns_adblocking/tasks/main.yml
View file

@ -1,5 +1,4 @@
- name: Gather Facts
setup:
---
- name: Dnsmasq installed
package: name=dnsmasq

12
roles/proxy/handlers/main.yml
View file

@ -1,12 +0,0 @@
- name: restart privoxy
service: name=privoxy state=restarted
- name: daemon-reload
shell: systemctl daemon-reload
- name: restart apparmor
service: name=apparmor state=restarted
- name: restart apache2
service: name=apache2 state=restarted

5
roles/proxy/meta/main.yml
View file

@ -1,5 +0,0 @@
---
dependencies:
- { role: common, tags: common }
- { role: vpn, tags: vpn }

115
roles/proxy/tasks/main.yml
View file

@ -1,115 +0,0 @@
- name: Gather Facts
setup:
- name: Privoxy installed
apt: name=privoxy state=latest
- name: Privoxy configured
template: src="{{ item.src }}" dest="{{ item.dest }}"
with_items:
- { src: privoxy_config.j2, dest: /etc/privoxy/config }
- { src: default.filter.j2, dest: /etc/privoxy/default.filter }
notify:
- restart privoxy
- name: Privoxy profile for apparmor configured
template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
when: apparmor_enabled is defined and apparmor_enabled == true
notify:
- restart privoxy
- name: Enforce the privoxy AppArmor policy
shell: aa-enforce usr.sbin.privoxy
when: apparmor_enabled is defined and apparmor_enabled == true
tags: ['apparmor']
- name: Ensure that the privoxy service directory exist
file: path=/etc/systemd/system/privoxy.service.d/ state=directory mode=0755 owner=root group=root
- name: Setup the cgroup limitations for the privoxy daemon
template: src=privoxy_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/privoxy.service.d/100-CustomLimitations.conf
notify:
- daemon-reload
- restart privoxy
- meta: flush_handlers
- name: Privoxy enabled and started
service: name=privoxy state=started enabled=yes
# PageSpeed
- name: Apache installed
apt: name=apache2 state=latest
- name: PageSpeed installed for x86_64
apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb
when: ansible_architecture == "x86_64"
- name: PageSpeed installed for i386
apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_i386.deb
when: ansible_architecture != "x86_64"
- name: PageSpeed configured
template: src=pagespeed.conf.j2 dest=/etc/apache2/mods-available/pagespeed.conf
notify:
- restart apache2
- name: Modules enabled
apache2_module: state=present name="{{ item }}"
with_items:
- proxy_http
- pagespeed
- cache
- proxy_connect
- proxy_html
- rewrite
notify:
- restart apache2
- name: VirtualHost configured for the PageSpeed module
template: src=000-default.conf.j2 dest=/etc/apache2/sites-enabled/000-default.conf
notify:
- restart apache2
- name: Apache ports configured
template: src=ports.conf.j2 dest=/etc/apache2/ports.conf
notify:
- restart apache2
- name: Ensure that the apache2 service directory exist
file: path=/etc/systemd/system/apache2.service.d/ state=directory mode=0755 owner=root group=root
- name: Setup the cgroup limitations for the apache2 daemon
template: src=apache2_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/apache2.service.d/100-CustomLimitations.conf
notify:
- daemon-reload
- restart apache2
- meta: flush_handlers
- name: Set facts for mobileconfigs
set_fact:
proxy_enabled: true
- name: Register p12 PayloadContent
shell: >
cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
register: PayloadContent
with_items: "{{ users }}"
- name: Register CA PayloadContent
shell: >
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
register: PayloadContentCA
- name: Build the mobileconfigs
template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}_proxy.mobileconfig mode=0600
with_together:
- "{{ users }}"
- "{{ PayloadContent.results }}"
no_log: True
- name: Fetch users mobileconfig
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}_proxy.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}_proxy.mobileconfig flat=yes
with_items: "{{ users }}"

11
roles/proxy/templates/000-default.conf.j2
View file

@ -1,11 +0,0 @@
<VirtualHost *:*>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [NC,P]
ProxyPass / http://$1
ProxyPassReverse / http://$1
ProxyPreserveHost On
</VirtualHost>

4
roles/proxy/templates/apache2_100-CustomLimitations.conf.j2
View file

@ -1,4 +0,0 @@
[Service]
MemoryLimit=134217728
CPUAccounting=true
CPUQuota=15%

0
roles/proxy/templates/default.filter.j2
View file

369
roles/proxy/templates/pagespeed.conf.j2
View file

@ -1,369 +0,0 @@
<IfModule pagespeed_module>
# Turn on mod_pagespeed. To completely disable mod_pagespeed, you
# can set this to "off".
ModPagespeed on
# We want VHosts to inherit global configuration.
# If this is not included, they'll be independent (except for inherently
# global options), at least for backwards compatibility.
ModPagespeedInheritVHostConfig on
# Direct Apache to send all HTML output to the mod_pagespeed
# output handler.
AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html
# If you want mod_pagespeed process XHTML as well, please uncomment this
# line.
# AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER application/xhtml+xml
# The ModPagespeedFileCachePath directory must exist and be writable
# by the apache user (as specified by the User directive).
ModPagespeedFileCachePath "/var/cache/mod_pagespeed/"
# LogDir is needed to store various logs, including the statistics log
# required for the console.
ModPagespeedLogDir "/var/log/pagespeed"
# The locations of SSL Certificates is distribution-dependent.
ModPagespeedSslCertDirectory "/etc/ssl/certs"
# If you want, you can use one or more memcached servers as the store for
# the mod_pagespeed cache.
# ModPagespeedMemcachedServers localhost:11211
# A portion of the cache can be kept in memory only, to reduce load on disk
# (or memcached) from many small files.
# ModPagespeedCreateSharedMemoryMetadataCache "/var/cache/mod_pagespeed/" 51200
# Override the mod_pagespeed 'rewrite level'. The default level
# "CoreFilters" uses a set of rewrite filters that are generally
# safe for most web pages. Most sites should not need to change
# this value and can instead fine-tune the configuration using the
# ModPagespeedDisableFilters and ModPagespeedEnableFilters
# directives, below. Valid values for ModPagespeedRewriteLevel are
# PassThrough, CoreFilters and TestingCoreFilters.
#
ModPagespeedRewriteLevel CoreFilters
ModPagespeedEnableFilters combine_heads
ModPagespeedEnableFilters combine_javascript
ModPagespeedEnableFilters convert_jpeg_to_webp
ModPagespeedEnableFilters convert_png_to_jpeg
ModPagespeedEnableFilters inline_preview_images
ModPagespeedEnableFilters make_google_analytics_async
ModPagespeedEnableFilters move_css_above_scripts
ModPagespeedEnableFilters move_css_to_head
ModPagespeedEnableFilters resize_mobile_images
ModPagespeedEnableFilters sprite_images
ModPagespeedEnableFilters defer_iframe
ModPagespeedEnableFilters defer_javascript
ModPagespeedEnableFilters lazyload_images
# Explicitly disables specific filters. This is useful in
# conjunction with ModPagespeedRewriteLevel. For instance, if one
# of the filters in the CoreFilters needs to be disabled for a
# site, that filter can be added to
# ModPagespeedDisableFilters. This directive contains a
# comma-separated list of filter names, and can be repeated.
#
# ModPagespeedDisableFilters rewrite_images
# Explicitly enables specific filters. This is useful in
# conjunction with ModPagespeedRewriteLevel. For instance, filters
# not included in the CoreFilters may be enabled using this
# directive. This directive contains a comma-separated list of
# filter names, and can be repeated.
#
# ModPagespeedEnableFilters rewrite_javascript,rewrite_css
# ModPagespeedEnableFilters collapse_whitespace,elide_attributes
# Explicitly forbids the enabling of specific filters using either query
# parameters or request headers. This is useful, for example, when we do
# not want the filter to run for performance or security reasons. This
# directive contains a comma-separated list of filter names, and can be
# repeated.
#
# ModPagespeedForbidFilters rewrite_images
# How long mod_pagespeed will wait to return an optimized resource
# (per flush window) on first request before giving up and returning the
# original (unoptimized) resource. After this deadline is exceeded the
# original resource is returned and the optimization is pushed to the
# background to be completed for future requests. Increasing this value will
# increase page latency, but might reduce load time (for instance on a
# bandwidth-constrained link where it's worth waiting for image
# compression to complete). If the value is less than or equal to zero
# mod_pagespeed will wait indefinitely for the rewrite to complete before
# returning.
#
# ModPagespeedRewriteDeadlinePerFlushMs 10
# ModPagespeedDomain
# authorizes rewriting of JS, CSS, and Image files found in this
# domain. By default only resources with the same origin as the
# HTML file are rewritten. For example:
#
ModPagespeedDomain *
#
# This will allow resources found on http://cdn.myhost.com to be
# rewritten in addition to those in the same domain as the HTML.
#
# Other domain-related directives (like ModPagespeedMapRewriteDomain
# and ModPagespeedMapOriginDomain) can also authorize domains.
#
# Wildcards (* and ?) are allowed in the domain specification. Be
# careful when using them as if you rewrite domains that do not
# send you traffic, then the site receiving the traffic will not
# know how to serve the rewritten content.
# If you use downstream caches such as varnish or proxy_cache for caching
# HTML, you can configure pagespeed to work with these caches correctly
# using the following directives. Note that the values for
# ModPagespeedDownstreamCachePurgeLocationPrefix and
# ModPagespeedDownstreamCacheRebeaconingKey are deliberately left empty here
# in order to force the webmaster to choose appropriate value for these.
#
# ModPagespeedDownstreamCachePurgeLocationPrefix
# ModPagespeedDownstreamCachePurgeMethod PURGE
# ModPagespeedDownstreamCacheRewrittenPercentageThreshold 95
# ModPagespeedDownstreamCacheRebeaconingKey
# Other defaults (cache sizes and thresholds):
#
# ModPagespeedFileCacheSizeKb 102400
# ModPagespeedFileCacheCleanIntervalMs 3600000
# ModPagespeedLRUCacheKbPerProcess 1024
# ModPagespeedLRUCacheByteLimit 16384
# ModPagespeedCssFlattenMaxBytes 102400
# ModPagespeedCssInlineMaxBytes 2048
# ModPagespeedCssImageInlineMaxBytes 0
# ModPagespeedImageInlineMaxBytes 3072
# ModPagespeedJsInlineMaxBytes 2048
# ModPagespeedCssOutlineMinBytes 3000
# ModPagespeedJsOutlineMinBytes 3000
# ModPagespeedMaxCombinedCssBytes -1
# ModPagespeedMaxCombinedJsBytes 92160
# Limit the number of inodes in the file cache. Set to 0 for no limit.
# The default value if this parameter is not specified is 0 (no limit).
ModPagespeedFileCacheInodeLimit 500000
# Bound the number of images that can be rewritten at any one time; this
# avoids overloading the CPU. Set this to 0 to remove the bound.
#
# ModPagespeedImageMaxRewritesAtOnce 8
# You can also customize the number of threads per Apache process
# mod_pagespeed will use to do resource optimization. Plain
# "rewrite threads" are used to do short, latency-sensitive work,
# while "expensive rewrite threads" are used for actual optimization
# work that's more computationally expensive. If you live these unset,
# or use values <= 0 the defaults will be used, which is 1 for both
# values when using non-threaded MPMs (e.g. prefork) and 4 for both
# on threaded MPMs (e.g. worker and event). These settings can only
# be changed globally, and not per virtual host.
#
# ModPagespeedNumRewriteThreads 4
# ModPagespeedNumExpensiveRewriteThreads 4
# Randomly drop rewrites (*) to increase the chance of optimizing
# frequently fetched resources and decrease the chance of optimizing
# infrequently fetched resources. This can reduce CPU load. The default
# value of this parameter is 0 (no drops). 90 means that a resourced
# fetched once has a 10% probability of being optimized while a resource
# that is fetched 50 times has a 99.65% probability of being optimized.
#
# (*) Currently only CSS files and images are randomly dropped. Images
# within CSS files are not randomly dropped.
#
# ModPagespeedRewriteRandomDropPercentage 90
# Many filters modify the URLs of resources in HTML files. This is typically
# harmless but pages whose JavaScript expects to read or modify the original
# URLs may break. The following parameters prevent filters from modifying
# URLs of their respective types.
#
# ModPagespeedJsPreserveURLs on
# ModPagespeedImagePreserveURLs on
# ModPagespeedCssPreserveURLs on
# When PreserveURLs is on, it is still possible to enable browser-specific
# optimizations (for example, webp images can be served to browsers that
# will accept them). They'll be served with Vary: Accept or Vary:
# User-Agent headers as appropriate. Note that this may require configuring
# reverse proxy caches such as varnish to handle these headers properly.
#
# ModPagespeedFilters in_place_optimize_for_browser
# Internet Explorer has difficulty caching resources with Vary: headers.
# They will either be uncached (older IE) or require revalidation. See:
# http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/vary-header-prevents-caching-in-ie.aspx
# As a result we serve them as Cache-Control: private instead by default.
# If you are using a reverse proxy or CDN configured to cache content with
# the Vary: Accept header you should turn this setting off.
#
# ModPagespeedPrivateNotVaryForIE on
# Settings for image optimization:
#
# Lossy image recompression quality (0 to 100, -1 just strips metadata):
# ModPagespeedImageRecompressionQuality 85
#
# Jpeg recompression quality (0 to 100, -1 uses ImageRecompressionQuality):
# ModPagespeedJpegRecompressionQuality -1
# ModPagespeedJpegRecompressionQualityForSmallScreens 70
ModPagespeedJpegRecompressionQuality 75
#
# WebP recompression quality (0 to 100, -1 uses ImageRecompressionQuality):
# ModPagespeedWebpRecompressionQuality 80
# ModPagespeedWebpRecompressionQualityForSmallScreens 70
#
# Timeout for conversions to WebP format, in
# milliseconds. Negative values mean no timeout is applied. The
# default value is -1:
# ModPagespeedWebpTimeoutMs 5000
#
# Percent of original image size below which optimized images are retained:
# ModPagespeedImageLimitOptimizedPercent 100
#
# Percent of original image area below which image resizing will be
# attempted:
# ModPagespeedImageLimitResizeAreaPercent 100
# Settings for inline preview images
#
# Setting this to n restricts preview images to the first n images found on
# the page. The default of -1 means preview images can appear anywhere on
# the page (if those images appear above the fold).
# ModPagespeedMaxInlinedPreviewImagesIndex -1
# Sets the minimum size in bytes of any image for which a low quality image
# is generated.
# ModPagespeedMinImageSizeLowResolutionBytes 3072
# The maximum URL size is generally limited to about 2k characters
# due to IE: See http://support.microsoft.com/kb/208427/EN-US.
# Apache servers by default impose a further limitation of about
# 250 characters per URL segment (text between slashes).
# mod_pagespeed circumvents this limitation, but if you employ
# proxy servers in your path you may need to re-impose it by
# overriding the setting here. The default setting is 1024
# characters.
#
# ModPagespeedMaxSegmentLength 250
# Uncomment this if you want to prevent mod_pagespeed from combining files
# (e.g. CSS files) across paths
#
# ModPagespeedCombineAcrossPaths off
# Renaming JavaScript URLs can sometimes break them. With this
# option enabled, mod_pagespeed uses a simple heuristic to decide
# not to rename JavaScript that it thinks is introspective.
#
# You can uncomment this to let mod_pagespeed rename all JS files.
#
# ModPagespeedAvoidRenamingIntrospectiveJavaScript off
# Certain common JavaScript libraries are available from Google, which acts
# as a CDN and allows you to benefit from browser caching if a new visitor
# to your site previously visited another site that makes use of the same
# libraries as you do. Enable the following filter to turn on this feature.
#
# ModPagespeedEnableFilters canonicalize_javascript_libraries
# The following line configures a library that is recognized by
# canonicalize_javascript_libraries. This will have no effect unless you
# enable this filter (generally by uncommenting the last line in the
# previous stanza). The format is:
# ModPagespeedLibrary bytes md5 canonical_url
# Where bytes and md5 are with respect to the *minified* JS; use
# js_minify --print_size_and_hash to obtain this data.
# Note that we can register multiple hashes for the same canonical url;
# we do this if there are versions available that have already been minified
# with more sophisticated tools.
#
# Additional library configuration can be found in
# pagespeed_libraries.conf included in the distribution. You should add
# new entries here, though, so that file can be automatically upgraded.
# ModPagespeedLibrary 43 1o978_K0_LNE5_ystNklf http://www.modpagespeed.com/rewrite_javascript.js
# Explicitly tell mod_pagespeed to load some resources from disk.
# This will speed up load time and update frequency.
#
# This should only be used for static resources which do not need
# specific headers set or other processing by Apache.
#
# Both URL and filesystem path should specify directories and
# filesystem path must be absolute (for now).
#
# ModPagespeedLoadFromFile "http://example.com/static/" "/var/www/static/"
# Enables server-side instrumentation and statistics. If this rewriter is
# enabled, then each rewritten HTML page will have instrumentation javascript
# added that sends latency beacons to /mod_pagespeed_beacon. These
# statistics can be accessed at /mod_pagespeed_statistics. You must also
# enable the mod_pagespeed_statistics and mod_pagespeed_beacon handlers
# below.
#
# ModPagespeedEnableFilters add_instrumentation
# The add_instrumentation filter sends a beacon after the page onload
# handler is called. The user might navigate to a new URL before this. If
# you enable the following directive, the beacon is sent as part of an
# onbeforeunload handler, for pages where navigation happens before the
# onload event.
#
# ModPagespeedReportUnloadTime on
# Uncomment the following line so that ModPagespeed will not cache or
# rewrite resources with Vary: in the header, e.g. Vary: User-Agent.
# Note that ModPagespeed always respects Vary: headers on html content.
# ModPagespeedRespectVary on
# Uncomment the following line if you want to disable statistics entirely.
#
# ModPagespeedStatistics off
# These handlers are central entry-points into the admin pages.
# By default, pagespeed_admin and pagespeed_global_admin present
# the same data, and differ only when
# ModPagespeedUsePerVHostStatistics is enabled. In that case,
# /pagespeed_global_admin sees aggregated data across all vhosts,
# and the /pagespeed_admin sees data only for a particular vhost.
#
# You may insert other "Allow from" lines to add hosts you want to
# allow to look at generated statistics. Another possibility is
# to comment out the "Order" and "Allow" options from the config
# file, to allow any client that can reach your server to access
# and change server state, such as statistics, caches, and
# messages. This might be appropriate in an experimental setup.
<Location /pagespeed_admin>
Order allow,deny
Allow from localhost
Allow from 127.0.0.1
SetHandler pagespeed_admin
</Location>
<Location /pagespeed_global_admin>
Order allow,deny
Allow from localhost
Allow from 127.0.0.1
SetHandler pagespeed_global_admin
</Location>
# Enable logging of mod_pagespeed statistics, needed for the console.
ModPagespeedStatisticsLogging on
# Page /mod_pagespeed_message lets you view the latest messages from
# mod_pagespeed, regardless of log-level in your httpd.conf
# ModPagespeedMessageBufferSize is the maximum number of bytes you would
# like to dump to your /mod_pagespeed_message page at one time,
# its default value is 100k bytes.
# Set it to 0 if you want to disable this feature.
ModPagespeedMessageBufferSize 100000
</IfModule>

13
roles/proxy/templates/ports.conf.j2
View file

@ -1,13 +0,0 @@
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen {{ local_service_ip }}:8080
<IfModule ssl_module>
Listen {{ local_service_ip }}:443
</IfModule>
<IfModule mod_gnutls.c>
Listen {{ local_service_ip }}:443
</IfModule>

4
roles/proxy/templates/privoxy_100-CustomLimitations.conf.j2
View file

@ -1,4 +0,0 @@
[Service]
MemoryLimit=33554432
CPUAccounting=true
CPUQuota=15%

2107
roles/proxy/templates/privoxy_config.j2
View file

File diff suppressed because it is too large Load diff

15
roles/proxy/templates/usr.sbin.privoxy.j2
View file

@ -1,15 +0,0 @@
#include <tunables/global>
/usr/sbin/privoxy {
#include <abstractions/apache2-common>
#include <abstractions/base>
capability setgid,
capability setuid,
/etc/privoxy/* r,
/etc/privoxy/templates/* r,
/run/privoxy.pid w,
/var/log/privoxy/logfile w,
}

2
roles/security/tasks/main.yml
View file

@ -1,3 +1,5 @@
---
- name: Install tools
apt: name="{{ item }}" state=latest
with_items:

3
roles/ssh_tunneling/tasks/main.yml
View file

@ -1,8 +1,5 @@
---
- set_fact:
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Ensure that the sshd_config file has desired options
blockinfile:
dest: /etc/ssh/sshd_config

23
roles/vpn/tasks/main.yml
View file

@ -1,25 +1,4 @@
- name: Gather Facts
setup:
- name: Enable IPv6
set_fact:
ipv6_support: true
when: ansible_default_ipv6.gateway is defined
- name: Generate password for the CA key
shell: >
openssl rand -hex 16
register: CA_password
- set_fact:
easyrsa_p12_export_password: "{{ p12_export_password|default((ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0]) }}"
easyrsa_CA_password: "{{ CA_password.stdout }}"
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Change the algorithm to RSA
set_fact:
algo_params: "rsa:2048"
when: Win10_Enabled is defined and Win10_Enabled == "Y"
---
- name: Ensure that the strongswan group exist
group: name=strongswan state=present

4
users.yml
View file

@ -40,10 +40,6 @@
- name: Common pre-tasks
include: playbooks/common.yml
- set_fact:
IP_subject_alt_name: "{{ IP_subject }}"
easyrsa_p12_export_password: "{{ p12_export_password|default((ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0]) }}"
roles:
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }