Claude 1

2025-12-09 09:33:48 -06:00
parent 228174e541
commit 4f1e8d3add
55 changed files with 4345 additions and 0 deletions
--- a/sophos-xgs-ansible/roles/sophos_waf/defaults/main.yml
+++ b/sophos-xgs-ansible/roles/sophos_waf/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# Default WAF settings
+sophos_default_waf_mode: "prevention"
+sophos_default_waf_session_timeout: 1800
--- a/sophos-xgs-ansible/roles/sophos_waf/tasks/main.yml
+++ b/sophos-xgs-ansible/roles/sophos_waf/tasks/main.yml
@@ -0,0 +1,90 @@
+---
+# ============================================================================
+# Sophos WAF Role - Main Tasks
+# ============================================================================
+
+- name: Display WAF configuration overview
+  ansible.builtin.debug:
+    msg:
+      - "======================================"
+      - "Configuring Web Application Firewall"
+      - "======================================"
+      - "Firewall: {{ inventory_hostname }}"
+      - "Backends: {{ sophos_waf_backends | default([]) | length }}"
+      - "Policies: {{ sophos_waf_policies | default([]) | length }}"
+      - "Virtual Hosts: {{ sophos_waf_virtual_hosts | default([]) | length }}"
+      - "Exceptions: {{ sophos_waf_exceptions | default([]) | length }}"
+  tags: ['always']
+
+- name: Configure WAF backend servers
+  ansible.builtin.uri:
+    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
+    method: POST
+    validate_certs: "{{ sophos_validate_certs }}"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
+    body: "reqxml={{ lookup('template', 'waf_backend.json.j2') | urlencode }}"
+    status_code: [200, 201]
+    timeout: "{{ sophos_api_timeout }}"
+  loop: "{{ sophos_waf_backends | default([]) }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: sophos_waf_backends is defined and sophos_waf_backends | length > 0
+  no_log: "{{ sophos_no_log_sensitive }}"
+  tags: ['waf', 'backends']
+
+- name: Configure WAF protection policies
+  ansible.builtin.uri:
+    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
+    method: POST
+    validate_certs: "{{ sophos_validate_certs }}"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
+    body: "reqxml={{ lookup('template', 'waf_policy.json.j2') | urlencode }}"
+    status_code: [200, 201]
+    timeout: "{{ sophos_api_timeout }}"
+  loop: "{{ sophos_waf_policies | default([]) }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: sophos_waf_policies is defined and sophos_waf_policies | length > 0
+  no_log: "{{ sophos_no_log_sensitive }}"
+  tags: ['waf', 'policies']
+
+- name: Configure WAF virtual hosts
+  ansible.builtin.uri:
+    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
+    method: POST
+    validate_certs: "{{ sophos_validate_certs }}"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
+    body: "reqxml={{ lookup('template', 'waf_policy.json.j2') | urlencode }}"
+    status_code: [200, 201]
+    timeout: "{{ sophos_api_timeout }}"
+  loop: "{{ sophos_waf_virtual_hosts | default([]) }}"
+  loop_control:
+    label: "{{ item.name }} ({{ item.domain }})"
+  when: sophos_waf_virtual_hosts is defined and sophos_waf_virtual_hosts | length > 0
+  no_log: "{{ sophos_no_log_sensitive }}"
+  tags: ['waf', 'virtual-hosts']
+
+- name: Configure WAF exceptions
+  ansible.builtin.uri:
+    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
+    method: POST
+    validate_certs: "{{ sophos_validate_certs }}"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
+    body: "reqxml={{ lookup('template', 'waf_exception.json.j2') | urlencode }}"
+    status_code: [200, 201]
+    timeout: "{{ sophos_api_timeout }}"
+  loop: "{{ sophos_waf_exceptions | default([]) }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: sophos_waf_exceptions is defined and sophos_waf_exceptions | length > 0
+  no_log: "{{ sophos_no_log_sensitive }}"
+  tags: ['waf', 'exceptions']
+
+- name: WAF configuration completed
+  ansible.builtin.debug:
+    msg: "Web Application Firewall configured successfully"
+  tags: ['always']
--- a/sophos-xgs-ansible/roles/sophos_waf/templates/waf_backend.json.j2
+++ b/sophos-xgs-ansible/roles/sophos_waf/templates/waf_backend.json.j2
@@ -0,0 +1,15 @@
+<Request>
+  <Login>
+    <Username>{{ sophos_api_username }}</Username>
+    <Password>{{ sophos_api_password }}</Password>
+  </Login>
+  <Set operation="add">
+    <WebServer>
+      <Name>{{ item.name }}</Name>
+      <Host>{{ item.host }}</Host>
+      <Port>{{ item.port }}</Port>
+      <Protocol>{{ item.protocol | upper }}</Protocol>
+      <HealthCheck>{{ 'Enable' if item.health_check | default(true) else 'Disable' }}</HealthCheck>
+    </WebServer>
+  </Set>
+</Request>
--- a/sophos-xgs-ansible/roles/sophos_waf/templates/waf_exception.json.j2
+++ b/sophos-xgs-ansible/roles/sophos_waf/templates/waf_exception.json.j2
@@ -0,0 +1,24 @@
+<Request>
+  <Login>
+    <Username>{{ sophos_api_username }}</Username>
+    <Password>{{ sophos_api_password }}</Password>
+  </Login>
+  <Set operation="add">
+    <WebException>
+      <Name>{{ item.name }}</Name>
+      <VirtualHost>{{ item.virtual_host }}</VirtualHost>
+      <Path>{{ item.path }}</Path>
+      <SkipRules>
+        {% for rule in item.skip_rules %}
+        <Rule>{{ rule }}</Rule>
+        {% endfor %}
+      </SkipRules>
+      <SourceNetworks>
+        {% for network in item.source_networks %}
+        <Network>{{ network }}</Network>
+        {% endfor %}
+      </SourceNetworks>
+      <Comment>{{ item.comment | default('') }}</Comment>
+    </WebException>
+  </Set>
+</Request>
--- a/sophos-xgs-ansible/roles/sophos_waf/templates/waf_policy.json.j2
+++ b/sophos-xgs-ansible/roles/sophos_waf/templates/waf_policy.json.j2
@@ -0,0 +1,31 @@
+<Request>
+  <Login>
+    <Username>{{ sophos_api_username }}</Username>
+    <Password>{{ sophos_api_password }}</Password>
+  </Login>
+  <Set operation="add">
+    <WebPolicy>
+      <Name>{{ item.name }}</Name>
+      <Domain>{{ item.domain }}</Domain>
+      <ListeningIP>{{ item.listening_ip }}</ListeningIP>
+      <ListeningPort>{{ item.listening_port }}</ListeningPort>
+      <Protocol>{{ item.protocol | upper }}</Protocol>
+      {% if item.ssl_certificate is defined %}
+      <SSLCertificate>{{ item.ssl_certificate }}</SSLCertificate>
+      {% endif %}
+      <BackendServers>
+        {% for backend in item.backend_servers %}
+        <Server>{{ backend }}</Server>
+        {% endfor %}
+      </BackendServers>
+      <LoadBalancing>{{ item.load_balancing | default('round-robin') }}</LoadBalancing>
+      <ProtectionPolicy>{{ item.protection_policy }}</ProtectionPolicy>
+      <SessionTimeout>{{ item.session_timeout | default(1800) }}</SessionTimeout>
+      <HSTS>{{ 'Enable' if item.enable_hsts | default(false) else 'Disable' }}</HSTS>
+      <Compression>{{ 'Enable' if item.enable_compression | default(false) else 'Disable' }}</Compression>
+      {% if item.websocket_support is defined %}
+      <WebSocketSupport>{{ 'Enable' if item.websocket_support else 'Disable' }}</WebSocketSupport>
+      {% endif %}
+    </WebPolicy>
+  </Set>
+</Request>