Merge pull request #7 from sitewards/ad-hoc-harden-tls

AD-HOC refactor (*): Add support for apache
sitewards · Feb 19, 2018 · b607eb1 · b607eb1
2 parents 9199c52 + db6864e
commit b607eb1
Show file tree

Hide file tree

Showing 10 changed files with 122 additions and 35 deletions.
diff --git a/.arclint b/.arclint
@@ -0,0 +1,10 @@
+{
+  "linters": {
+    "yamllint": {
+      "type": "script-and-regex",
+      "include": "(\\.(yaml|yml)$)",
+      "script-and-regex.script": "sh -c '/usr/bin/yamllint -f parsable \"$0\" || true'",
+      "script-and-regex.regex": "/^(?P<file>[A-z0-9-_\\.\\/]+):(?P<line>[0-9]+):(?P<char>[0-9]+):\\s\\[(?P<severity>[a-z]+)\\]\\s(?P<message>.*)$/m"
+    }
+  }
+}
diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,12 @@
+---
+
+extends: default
+
+rules:
+  line-length:
+    max: 120
+  comments-indentation: disable
+  braces:
+    max-spaces-inside: 1
+
+
diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
 # Ansible Prometheus exposition role
 
-This is the Ansible Prometheus NGINX exposition role. It's designed for consumption by playbooks, not for consumption by
-itself. It adds additional configuration that allows the exporters to be exposed on a public interface with the NGINX
-webserver
+This is the Ansible Prometheus reverse proxy exposition role. It's designed for consumption by playbooks, not for
+consumption by itself. It adds additional configuration that allows the exporters to be exposed on a public interface
+with the nginx or apache webservers
 
 ## Justification
 
@@ -18,6 +18,23 @@ data prevents unauthorized access.
 
 - Internet Access
 
+### Integrations
+
+This has been tested with the following additional roles:
+
+- geerlingguy.nginx
+- geerlingguy.apache
+
+It is not guaranteed to work with anything else.
+
+### Apache
+
+The module requires the following extensions to be enabled:
+
+- proxy
+- proxy_http
+- proxy_http2
+
 ## Warnings
 
 The way this works is to bind to a public interface, on the same port that the node exporter is listening to on the
@@ -34,9 +51,9 @@ There are two ways to install this role:
 ```bash
 $ cd path/to/playbook/root
 $ cat >> requirements.yaml <<EOF
-- src: "https://github.com/sitewards/ansible-role-nginx-prometheus-proxy"
+- src: "https://github.com/sitewards/ansible-role-prometheus-proxy"
   version: "master" # <----- Update this to a stable version
-  name: "sitewards.nginx-prometheus-proxy"
+  name: "sitewards.prometheus-proxy"
 EOF
 $ ansible-galaxy install -r requirements.yaml
 ```
@@ -46,7 +63,7 @@ $ ansible-galaxy install -r requirements.yaml
 ```
 $ cd path/to/playbook/root
 $ mkdir roles/
-$ git submodule add https://github.com/sitewards/ansible-role-nginx-prometheus-proxy.git  roles/sitewards.nginx-prometheus-proxy
+$ git submodule add https://github.com/sitewards/ansible-role-prometheus-proxy.git  roles/sitewards.prometheus-proxy
 ```
 
 ## Usage
@@ -69,7 +86,7 @@ Add the reference for the role:
 # ...
 become_user: "root"
 roles
-  - "sitewards.nginx-prometheus-proxy"
+  - "sitewards.prometheus-proxy"
 ```
 
 This should work!

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,24 +1,34 @@
 ---
+## The webserver that will expose the metrics. Currently supported:
+##  - NGINX
+##  - Apache
+## (Required)
+# prometheus_proxy_webserver:
+
 ## The addresses of the exporters, such that they can be reversed proxied by the webserver
-nginx_prometheus_proxy_exporters: []
+prometheus_proxy_exporters: []
 ## The name of the exporter.
 # - name: "node-exporter"
 ## The port the exporter operators on
 #   port: 9100
 
 ## A series of usernames and passwords that will be used by the webserver as basic auth
-nginx_prometheus_proxy_users: []
+prometheus_proxy_users: []
 # - user: "monitoring"
 #   password: "testpassword"
 
-nginx_prometheus_proxy_htaccess_path: "/etc/nginx/nginx_prometheus_proxy.htaccess"
+## The path to the password file for the proxy
+prometheus_proxy_htaccess_path: "/etc/prometheus_proxy/prometheus-proxy.htaccess"
 
-## A server name which will be used in the nginx configuration,
-## please be advised that by default we use "_" and that is a dirty trick to achieve catch-all behavior,
-## see http://nginx.org/en/docs/http/server_names.html 
-nginx_prometheus_proxy_server_name: "_"
+## The user/group that should own the file
+prometheus_proxy_htaccess_owner: "www-data"
+prometheus_proxy_htaccess_group: "www-data"
 
 ## If TLS should be enabled for the connection, enable it by supplying an appropriate TLS certificate and key
 ## (Optional)
 # nginx_prometheus_tls_certificate_path: ""
 # nginx_prometheus_tls_certificate_key_path: ""
+
+## The prompt that basic authentication will supply
+## (Required)
+prometheus_proxy_authentication_prompt: "Please supply a valid username / password"
diff --git a/meta/main.yml b/meta/main.yml
@@ -3,11 +3,11 @@ dependencies: []
 
 galaxy_info:
   author: "sitewards"
-  description: "Exposes difened ports to prometheus data collector through nginx proxy"
+  description: "Exposes difened ports to prometheus data collector through reverse proxy"
   company: "Sitewards GmbH"
   license: "proprietary"
   min_ansible_version: 2.3
   platforms:
     - name: Ubuntu
       versions:
-      - 16.04
+        - 16.04
diff --git a/tasks/exposition.yml b/tasks/exposition.yml
@@ -1,21 +1,20 @@
 ---
-## Debguging
-- name: "Show me teh ip addresses"
-  debug:
-    var: ansible_all_ipv4_addresses
+- name: "Create the dir for htaccess"
+  file:
+    path: "{{ prometheus_proxy_htaccess_path | dirname }}"
+    state: "directory"
+    mode: "u=rx,g=rx,o="
+    owner: "{{ prometheus_proxy_htaccess_owner }}"
+    group: "{{ prometheus_proxy_htaccess_owner }}"
 
 - name: "Create the .htaccess file"
   htpasswd:
-    path: "{{ nginx_prometheus_proxy_htaccess_path }}"
+    path: "{{ prometheus_proxy_htaccess_path }}"
     name: "{{ item.user }}"
     password: "{{ item.password }}"
-  with_items: "{{ nginx_prometheus_proxy_users }}"
+    mode: "u=r,g=r,o="
+    owner: "{{ prometheus_proxy_htaccess_owner }}"
+    group: "{{ prometheus_proxy_htaccess_owner }}"
+  with_items: "{{ prometheus_proxy_users }}"
 
-# Exposes the exporters via the webserver, in a password protected way.
-- name: "Create the vhosts"
-  template:
-    src: "etc/nginx/sites-enabled/template.conf"
-    dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf"
-  with_items: "{{ nginx_prometheus_proxy_exporters }}"
-  ## This comes from the upstream geerlingguy.nginx task
-  notify: "reload nginx"
+- include: "proxies/{{ prometheus_proxy_webserver|lower }}.yml"
diff --git a/tasks/proxies/apache.yml b/tasks/proxies/apache.yml
@@ -0,0 +1,9 @@
+---
+# Exposes the exporters via the webserver, in a password protected way.
+- name: "Create the vhosts"
+  template:
+    src: "etc/apache2/sites-enabled/template.conf"
+    dest: "/etc/apache2/sites-enabled/{{ item.name }}.conf"
+  with_items: "{{ prometheus_proxy_exporters }}"
+  ## This comes from the upstream geerlingguy.apache task
+  notify: "restart apache"
diff --git a/tasks/proxies/nginx.yml b/tasks/proxies/nginx.yml
@@ -0,0 +1,9 @@
+---
+# Exposes the exporters via the webserver, in a password protected way.
+- name: "Create the vhosts"
+  template:
+    src: "etc/nginx/sites-enabled/template.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf"
+  with_items: "{{ prometheus_proxy_exporters }}"
+  ## This comes from the upstream geerlingguy.nginx task
+  notify: "reload nginx"
diff --git a/templates/etc/apache2/sites-enabled/template.conf b/templates/etc/apache2/sites-enabled/template.conf
@@ -0,0 +1,19 @@
+{{ ansible_managed | comment }}
+
+{% for ip in ansible_all_ipv4_addresses %}
+Listen {{ ip }}:{{ item.port }}
+
+<VirtualHost {{ ip }}:{{ item.port }}>
+    ProxyPreserveHost On
+
+    <Location "/">
+        AuthType Basic
+        AuthName "{{ prometheus_proxy_authentication_prompt }}"
+        AuthUserFile {{ prometheus_proxy_htaccess_path }}
+        Require valid-user
+
+        ProxyPass http://localhost:{{ item.port }}/
+    </Location>
+
+</VirtualHost>
+{% endfor %}
diff --git a/templates/etc/nginx/sites-enabled/template.conf b/templates/etc/nginx/sites-enabled/template.conf
@@ -1,10 +1,12 @@
+{{ ansible_managed | comment }}
+
 server {
-    # This isn't going to work as it's going to bind to localhosts
     {% for ip in ansible_all_ipv4_addresses %}
-    listen {{ ip }}:{{ item.port }}{% if nginx_prometheus_tls_certificate_path is defined %}    ssl http2{% endif %};
+    listen {{ ip }}:{{ item.port }}{% if nginx_prometheus_tls_certificate_path is defined %} ssl http2{% endif %};
     {% endfor %}
 
-    server_name {{ nginx_prometheus_proxy_server_name }};
+    ## We use "_" as a dirty trick to achieve catch-all behavior. See http://nginx.org/en/docs/http/server_names.html
+    server_name _;
 
     {% if nginx_prometheus_tls_certificate_path is defined %}
     ssl_certificate {{ nginx_prometheus_tls_certificate_path }};
@@ -16,8 +18,8 @@ server {
 
     location / {
         # Prevent unathorized access to this site
-        auth_basic           "Please supply a valid username / password";
-        auth_basic_user_file {{ nginx_prometheus_proxy_htaccess_path }};
+        auth_basic           "{{ prometheus_proxy_authentication_prompt }}";
+        auth_basic_user_file {{ prometheus_proxy_htaccess_path }};
 
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;