
Support IP whitelists with php{syscheck,myadmin,pgadmin}_http_auth

Emmanuel Bouthenot 3 years ago
parent
commit
3c98cd09ac

+ 3 - 0
roles/webserver/defaults/main.yml

@@ -40,6 +40,7 @@ phpsyscheck_vhostip: Null
 phpsyscheck_vhostport: Null
 phpsyscheck_ssl: False
 phpsyscheck_http_auth: False
+phpsyscheck_http_whitelist_ip: []
 
 php_config:
   date.timezone: 'Europe/Paris'
@@ -62,12 +63,14 @@ phpmyadmin_vhostip: Null
 phpmyadmin_vhostport: Null
 phpmyadmin_ssl: False
 phpmyadmin_http_auth: False
+phpmyadmin_http_whitelist_ip: []
 
 with_phppgadmin: False
 phppgadmin_vhostname: 'pga.localhost'
 phppgadmin_vhostip: Null
 phppgadmin_vhostport: 80
 phppgadmin_http_auth: False
+phppgadmin_http_whitelist_ip: []
 
 http_auth_admin_password: Null
 http_auth_user_name: Null
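Review bot: The three new `*_http_whitelist_ip` defaults are undocumented, and the templates in this commit only consult them inside the `*_http_auth` conditional, so a whitelist set while `*_http_auth` is `False` is silently ignored. A comment above each new key would make the contract visible, e.g. `# Client addresses (Apache `Require ip` / nginx `allow` syntax) that reach the admin UI without basic auth; only honoured when *_http_auth is true`. The `_ip` suffix on a list-valued variable also reads as a single address; `_ips` or `_whitelist` would match the `[]` default better, though renaming is a wider change than this commit.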

+ 6 - 1
roles/webserver/templates/apache2/pga_vhost.j2

@@ -15,7 +15,12 @@
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phppgadmin_http_whitelist_ip|length > 0 %}
+            Require ip {{ phppgadmin_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
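Review bot: The new `<RequireAny>` block lets any address in the list skip basic auth entirely, and `Require ip` matches the TCP peer address unless mod_remoteip is configured, so listing a reverse proxy or load balancer here would open the admin UI to every client behind it; nothing in the template or defaults records that. A comment above the block such as `# addresses below bypass basic auth; peer address is used unless mod_remoteip rewrites it` would make the trade-off explicit. The same block and the same caveat appear in both hunks of pma_vhost.j2 and sys_vhost.j2. The enclosing `<Location>` and `{% if phppgadmin_http_auth %}` start above the hunk. Minor: the doubled space in `join(' ')  }}` is harmless but inconsistent.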
 

+ 12 - 2
roles/webserver/templates/apache2/pma_vhost.j2

@@ -20,7 +20,12 @@
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phpmyadmin_http_whitelist_ip|length > 0 %}
+            Require ip {{ phpmyadmin_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
 
@@ -70,7 +75,12 @@
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phpmyadmin_http_whitelist_ip|length > 0 %}
+            Require ip {{ phpmyadmin_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
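Review bot: The `<RequireAny>` stanza is pasted verbatim into both hunks of this file and again into pga_vhost.j2 and sys_vhost.j2, differing only in the variable name, so a later change to the authz rule must be repeated five times. A small Jinja macro taking the whitelist as a parameter would keep one copy; each `<Location>` would then contain only `{{ http_auth_require(phpmyadmin_http_whitelist_ip) }}`. The enclosing `<Location>` blocks start outside both hunks.
```jinja
{% macro http_auth_require(whitelist) -%}
        <RequireAny>
{% if whitelist|length > 0 %}
            Require ip {{ whitelist | join(' ') }}
{% endif %}
            Require valid-user
        </RequireAny>
{%- endmacro %}
{# … unchanged: vhost header and AuthType/AuthName/AuthUserFile lines … #}
        {{ http_auth_require(phpmyadmin_http_whitelist_ip) }}
```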
 

+ 14 - 6
roles/webserver/templates/apache2/sys_vhost.j2

@@ -20,15 +20,19 @@
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phpsyscheck_http_whitelist_ip|length > 0 %}
+            Require ip {{ phpsyscheck_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
 
     <Directory /etc/phpsyscheck>
         Options None
         AllowOverride None
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
 
 {% if with_fpm|bool %}
@@ -59,15 +63,19 @@
         AuthType basic
         AuthName "Restricted Access"
         AuthUserFile /etc/apache2/auth_admin
-        Require valid-user
+        <RequireAny>
+{% if phpsyscheck_http_whitelist_ip|length > 0 %}
+            Require ip {{ phpsyscheck_http_whitelist_ip | join(' ')  }}
+{% endif %}
+            Require valid-user
+        </RequireAny>
     </Location>
 {% endif %}
 
     <Directory /etc/phpsyscheck>
         Options None
         AllowOverride None
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
 
     <IfModule php7_module>
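Review bot: The replacement of `Order allow,deny` / `Allow from all` with `Require all granted` in both `<Directory /etc/phpsyscheck>` blocks is a mod_access_compat to mod_authz_core migration unrelated to the IP whitelist feature in the title; it belongs in its own commit so the authz change is reviewable on its own. It is the right directive for Apache 2.4, but if any `Order`/`Allow` directives remain elsewhere in this or the other vhost templates (not visible here), the file would mix the two authorization models, which is confusing to audit. The `<Directory>` and the second `<Location>` blocks open above the hunks.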

+ 7 - 0
roles/webserver/templates/nginx/pga_vhost.j2

@@ -19,6 +19,13 @@ server {
 {% if phppgadmin_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phppgadmin_http_whitelist_ip|length > 0 %}
+{% for ip in phppgadmin_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     client_max_body_size 128m;
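Review bot: With `satisfy any`, a client matching one of the `allow` lines reaches the admin UI without basic auth, and nginx evaluates `allow`/`deny` against `$remote_addr`, which behind a proxy is the proxy's address unless `set_real_ip_from`/`real_ip_header` are configured; the template does not record that. A comment above the `{% for %}` loop such as `# listed addresses skip basic auth; remote_addr is the peer unless realip is set up` would make it explicit. Keeping `satisfy any` inside the whitelist conditional is correct, since the directive has no reason to exist without access rules. The same block appears in both hunks of nginx/pma_vhost.j2 and nginx/sys_vhost.j2; the enclosing `server {` block starts above the hunk.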

+ 14 - 0
roles/webserver/templates/nginx/pma_vhost.j2

@@ -30,6 +30,13 @@ server {
 {% if phpmyadmin_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phpmyadmin_http_whitelist_ip|length > 0 %}
+{% for ip in phpmyadmin_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     client_max_body_size 128m;
@@ -64,6 +71,13 @@ server {
 {% if phpmyadmin_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phpmyadmin_http_whitelist_ip|length > 0 %}
+{% for ip in phpmyadmin_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     client_max_body_size 128m;

+ 14 - 0
roles/webserver/templates/nginx/sys_vhost.j2

@@ -30,6 +30,13 @@ server {
 {% if phpsyscheck_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phpsyscheck_http_whitelist_ip|length > 0 %}
+{% for ip in phpsyscheck_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     location ~ \.php(/|$) {
@@ -56,6 +63,13 @@ server {
 {% if phpsyscheck_http_auth %}
     auth_basic "Restricted Access";
     auth_basic_user_file /etc/nginx/auth_admin;
+{% if phpsyscheck_http_whitelist_ip|length > 0 %}
+{% for ip in phpsyscheck_http_whitelist_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+    satisfy any;
+{% endif %}
 {% endif %}
 
     location ~ \.php(/|$) {