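---
# Demo play: two HTTP backends (red / green) behind a NetScaler content-switching
# vserver, with AppFw SQL-injection policies attached at two different points
# (lbvserver for green, csvserver for red).
#
# Connection parameters (nsip, nitro_user, nitro_pass, nitro_protocol,
# validate_certs) are passed explicitly only on the first task; the remaining
# tasks presumably rely on the collection's NETSCALER_* environment-variable
# fallback or on module_defaults defined elsewhere -- TODO confirm before reuse.
- name: Demo | Configure NetScaler WAF
  hosts: demo_netscalers
  gather_facts: false
  tasks:
    - name: Add SNIP to communicate with the servers
      delegate_to: localhost
      netscaler.adc.nsip:
        nsip: "{{ nsip }}"
        nitro_user: "{{ nitro_user }}"
        nitro_pass: "{{ new_password }}"
        nitro_protocol: "{{ nitro_protocol }}"
        validate_certs: "{{ validate_certs }}"
        state: present
        ipaddress: "{{ snip }}"
        netmask: "{{ snip_netmask }}"
        type: SNIP

    - name: Enable CS, LB, AppFw features
      delegate_to: localhost
      netscaler.adc.nsfeature:
        state: enabled
        feature:
          - CS
          - LB
          - AppFw

    - name: Add svc-red-server
      delegate_to: localhost
      netscaler.adc.service:
        state: present
        name: svc-red-server
        ipaddress: "{{ server1_ip }}"
        servicetype: HTTP
        port: 80

    - name: Add svc-green-server
      delegate_to: localhost
      netscaler.adc.service:
        state: present
        name: svc-green-server
        ipaddress: "{{ server2_ip }}"
        servicetype: HTTP
        port: 80

    # Enforcing profile: SQL-injection hits are both logged and blocked.
    - name: Add AppFw Profile for BLOCK+LOG SQL Injection
      delegate_to: localhost
      netscaler.adc.appfwprofile:
        state: present
        name: block_log_sql_injection_appfwprofile
        type:
          - HTML
        # No action configured for the start-URL check; only the SQL-injection
        # check below carries an action in this demo.
        starturlaction:
          - none
        sqlinjectionaction:
          - log
          - block

    - name: Add AppFw Policy to inspect traffic to green-server for SQL Injection
      delegate_to: localhost
      netscaler.adc.appfwpolicy:
        state: present
        name: block_log_sql_injection_appfwpolicy
        rule: "HTTP.REQ.URL.STARTSWITH(\"/green\")&&HTTP.REQ.URL.CONTAINS(\"aspx\")"
        profilename: block_log_sql_injection_appfwprofile

    # Detect-only profile: the task name and profile name promise "log", so
    # "block" is deliberately absent here -- this profile must not enforce,
    # otherwise the red and green backends behave identically in the demo.
    - name: Add AppFw Profile to LOG SQL Injection
      delegate_to: localhost
      netscaler.adc.appfwprofile:
        state: present
        name: log_sql_injection_appfwprofile
        type:
          - HTML
        starturlaction:
          - none
        sqlinjectionaction:
          - log

    - name: Add AppFw Policy to inspect traffic to red-server for SQL Injection
      delegate_to: localhost
      netscaler.adc.appfwpolicy:
        state: present
        name: log_sql_injection_appfwpolicy
        rule: "HTTP.REQ.URL.STARTSWITH(\"/red\")&&HTTP.REQ.URL.CONTAINS(\"aspx\")"
        profilename: log_sql_injection_appfwprofile

    - name: Add lb-red-server
      delegate_to: localhost
      netscaler.adc.lbvserver:
        state: present
        name: lb-red-server
        servicetype: HTTP
        lbvserver_service_binding:
          mode: desired  # desired | bind | unbind
          binding_members:
            - name: lb-red-server
              servicename: svc-red-server

    # The green lbvserver carries the enforcing AppFw policy directly; the red
    # one gets its (log-only) policy at the csvserver level further below.
    - name: Add lb-green-server
      delegate_to: localhost
      netscaler.adc.lbvserver:
        state: present
        name: lb-green-server
        servicetype: HTTP
        lbvserver_service_binding:
          mode: desired  # desired | bind | unbind
          binding_members:
            - name: lb-green-server
              servicename: svc-green-server
        lbvserver_appfwpolicy_binding:
          mode: desired  # desired | bind | unbind
          binding_members:
            - name: lb-green-server
              policyname: block_log_sql_injection_appfwpolicy
              priority: 100

    - name: Add csaction-red-server
      delegate_to: localhost
      netscaler.adc.csaction:
        state: present
        name: csaction-red-server
        targetlbvserver: lb-red-server

    - name: Add csaction-green-server
      delegate_to: localhost
      netscaler.adc.csaction:
        state: present
        name: csaction-green-server
        targetlbvserver: lb-green-server

    - name: Add cspolicy-red-server
      delegate_to: localhost
      netscaler.adc.cspolicy:
        state: present
        policyname: cspolicy-red-server
        rule: "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/red\")"
        action: csaction-red-server

    - name: Add cspolicy-green-server
      delegate_to: localhost
      netscaler.adc.cspolicy:
        state: present
        policyname: cspolicy-green-server
        rule: "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/green\")"
        action: csaction-green-server

    - name: Add CS Vserver to direct traffic to red-server or green-server
      delegate_to: localhost
      netscaler.adc.csvserver:
        state: present
        name: demo-csvserver
        servicetype: HTTP
        ipv46: "{{ vip_ip }}"
        port: 80
        # NetScaler evaluates the lower priority number first.
        csvserver_cspolicy_binding:
          mode: desired  # desired | bind | unbind
          binding_members:
            - name: demo-csvserver
              policyname: cspolicy-red-server
              priority: 100
            - name: demo-csvserver
              policyname: cspolicy-green-server
              priority: 110
        csvserver_appfwpolicy_binding:
          mode: desired  # desired | bind | unbind
          binding_members:
            - name: demo-csvserver
              policyname: log_sql_injection_appfwpolicy
              priority: 20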