ansible-openappsec/README.md

# ! Disclaimer !
This is an example role for how I have setup OpenAppSec on multiple VMs using docker containers.  
It has many many many things stripped out and is very custom for my needs.

Dont copy it and think it will work at all out-of-the-box. It is just here to show how Ansible can be used to deploy the OpenAppSec containers and push the NGINX config per (sub)domain. Dehydrated is used for obtaining valid LetsEncrypt certificates but do require to be kickstarted using already existing certificates.

# Architecture
In my setup we have 2 firewalls (active/passive ha) forwarding incoming tcp connections from a VIP.
Then we have two active/passive ha loadbalancers (based on HAproxy), forwarding only tcp/80 and tcp/443 to any available WAF node based on a simple healthcheck.

The WAFs mount a NFS share for storing certificates. This share is also used for the LetsEncrypt http challenge.

Since the load on the WAFs can increase we can easily add more in the furture.
Now here is some OpenAI generated ASCII art based on my architectural description... :)

                Internet
            /             \
           |               |
       +-------+       +-------+
       |       |       |       |
       |  fw0  |---.---|  fw1  |  (Active/Passive HA)
       |       |  VIP  |       |
       +-------+   |   +-------+
                   |      
                   |       
       +-------+   |   +-------+
       |       |   |   |       |
       |  lb0  |---.---|  lb1  |  (Active/Passive HA)
       |       |  VIP  |       |
       +-------+   |   +-------+
                   |
                  / \
      +--------+       +--------+
      |        |       |        |
      |  waf0  |       |  waf1  |   ... (Active/Active HA)
      |        |       |        |
      +--------+       +--------+
                  \ /
                +-----+
                | nfs |
                +-----+

# Requirements
This Ansible playbook assumes the target hosts are prepared with the following:
 - Docker container runtime installed
 - `/mnt/certs` share is mounted
 - Ansible user has passwordless sudo
first commit 2024-02-06 07:48:13 +01:00			`# ! Disclaimer !`
			`This is an example role for how I have setup OpenAppSec on multiple VMs using docker containers.`
[readme] improve readibility 2024-02-06 07:54:13 +01:00			`It has many many many things stripped out and is very custom for my needs.`
first commit 2024-02-06 07:48:13 +01:00
			`Dont copy it and think it will work at all out-of-the-box. It is just here to show how Ansible can be used to deploy the OpenAppSec containers and push the NGINX config per (sub)domain. Dehydrated is used for obtaining valid LetsEncrypt certificates but do require to be kickstarted using already existing certificates.`

			`# Architecture`
			`In my setup we have 2 firewalls (active/passive ha) forwarding incoming tcp connections from a VIP.`
			`Then we have two active/passive ha loadbalancers (based on HAproxy), forwarding only tcp/80 and tcp/443 to any available WAF node based on a simple healthcheck.`

[readme] improve readibility 2024-02-06 07:54:13 +01:00			`The WAFs mount a NFS share for storing certificates. This share is also used for the LetsEncrypt http challenge.`
first commit 2024-02-06 07:48:13 +01:00
			`Since the load on the WAFs can increase we can easily add more in the furture.`
			`Now here is some OpenAI generated ASCII art based on my architectural description... :)`

			`Internet`
			`/ \`
			`\| \|`
			`+-------+ +-------+`
			`\| \| \| \|`
			`\| fw0 \|---.---\| fw1 \| (Active/Passive HA)`
			`\| \| VIP \| \|`
			`+-------+ \| +-------+`
			`\|`
			`\|`
			`+-------+ \| +-------+`
			`\| \| \| \| \|`
			`\| lb0 \|---.---\| lb1 \| (Active/Passive HA)`
			`\| \| VIP \| \|`
			`+-------+ \| +-------+`
			`\|`
			`/ \`
			`+--------+ +--------+`
			`\| \| \| \|`
			`\| waf0 \| \| waf1 \| ... (Active/Active HA)`
			`\| \| \| \|`
			`+--------+ +--------+`
			`\ /`
			`+-----+`
			`\| nfs \|`
			`+-----+`

			`# Requirements`
			`This Ansible playbook assumes the target hosts are prepared with the following:`
			`- Docker container runtime installed`
[readme] fix typo 2024-02-06 07:54:47 +01:00			- `/mnt/certs` share is mounted
first commit 2024-02-06 07:48:13 +01:00			`- Ansible user has passwordless sudo`