Goal: use Ansible to put password-protected (HTTP Basic auth) access control on Apache on a managed host
Basic structure:
##Basic structure of the project directory
[root@contral practice]# tree .
.
├── ansible.cfg ##Ansible configuration for this directory
├── files ##files pushed to the Apache host
│ ├── htpasswd ##user / password-hash file for Basic auth
│ └── httpd.conf ##Apache configuration file
├── inventory ##managed host inventory
├── vars ##vaulted variables
│ └── secret.yml ##holds the test user's password (ansible-vault encrypted)
└── webser_pa.yml ##main playbook
2 directories, 6 files
Content design:
Managed host inventory:
##Only a single host is listed, to keep other factors from interfering and make debugging easier
[web]
servera.linux.com
Configuration file:
##ansible.cfg: point Ansible at the inventory in this directory
[defaults]
inventory = ./inventory
Main playbook:
##Main playbook content
---
- name: Install Apache and secret
  hosts: all
  vars:
    firewall_pak: firewalld
    firewall_srv: firewalld
    web_pak: httpd
    web_srv: httpd
    web_root: /var/www/html/index.html
    ssl_pkg: mod_ssl
    httpdconf_srv: files/httpd.conf
    httpdconf_dest: /etc/httpd/conf/httpd.conf
    secrets_dir: /etc/httpd ##no trailing slash, otherwise secrets_dest expands to /etc/httpd//htpasswd
    secrets_srv: files/htpasswd
    secrets_dest: "{{ secrets_dir }}/htpasswd"
  tasks:
    - name: Install packages ##packages needed for Apache with password protection (mod_ssl for https)
      yum:
        name:
          - "{{ firewall_pak }}"
          - "{{ web_pak }}"
          - "{{ ssl_pkg }}"
        state: latest
    - name: Configure service ##deploy the Apache config that contains the <Directory> auth block shown below
      copy:
        src: "{{ httpdconf_srv }}"
        dest: "{{ httpdconf_dest }}"
        owner: root
        group: root
        mode: "0644"
    - name: Create secrets directory ##directory that holds the password file
      file:
        path: "{{ secrets_dir }}"
        state: directory
        owner: apache
        group: apache
        mode: "0500"
      ##caveat: with secrets_dir = /etc/httpd this makes the apache user the owner of Apache's whole config directory; an owner can always chmod its own directory, so a compromised worker could add or remove entries there. Outside a lab keep /etc/httpd root-owned and use a dedicated subdirectory (for example /etc/httpd/secrets, root:apache) for the password file only.
    - name: Create htpasswd ##deploy the user / password-hash file, readable by apache only
      copy:
        src: "{{ secrets_srv }}"
        dest: "{{ secrets_dest }}"
        owner: apache
        group: apache
        mode: "0400"
    - name: Create index.html ##default page: FQDN and IPv4 addresses of the host
      copy:
        content: "{{ ansible_facts['fqdn'] }}({{ ansible_facts['all_ipv4_addresses'] }})\n"
        dest: "{{ web_root }}"
    - name: Configure firewalld service ##start and enable the firewall
      service:
        name: "{{ firewall_srv }}"
        state: started
        enabled: true
    - name: Firewalld permits http and https ##the test play below connects over http and mod_ssl serves https, so open both (the original opened only https)
      firewalld:
        service: "{{ item }}"
        state: enabled
        immediate: true
        permanent: true
      loop:
        - http
        - https
    - name: Configure apache ##start and enable Apache
      service:
        name: "{{ web_srv }}"
        state: started
        enabled: true
- name: Test apache ##test Apache from the control host
  hosts: localhost
  become: no
  vars:
    web_user: admin ##user that logs in to the protected site (vars must be a mapping, not a list)
  vars_files:
    - vars/secret.yml ##vaulted file that defines web_pass for that user
  tasks:
    - name: Connect to apache
      uri:
        url: http://servera.linux.com ##Basic auth sends the password base64-encoded, not encrypted; use https:// outside a lab
        validate_certs: no ##no effect for an http:// URL; for https:// keep certificate validation on unless the lab CA is not trusted
        force_basic_auth: yes ##send the Authorization header up front instead of waiting for the 401 challenge
        user: "{{ web_user }}"
        password: "{{ web_pass }}"
        return_content: yes ##return the page body
        status_code: 200 ##anything else (for example 401 on a bad password) fails the task
      register: auth_test
    - debug:
        var: auth_test.content
...
Create the vaulted file that holds the password the test will use:
##The file is created with ansible-vault so the password is never stored on disk in clear text
[root@contral practice]# ansible-vault create vars/secret.yml
New Vault password:
Confirm New Vault password:
##View the password file
[root@contral practice]# ansible-vault view vars/secret.yml
Vault password:
web_pass: linux ##stored as a key/value pair; must be the same password that was hashed into files/htpasswd
Hashing the user's password:
##Generate the file with the htpasswd tool from httpd-tools (done here on the managed host, but any host with the tool works), then copy it to the control host: htpasswd -cm htpasswd admin
##-c creates (and truncates) the file, so drop it when adding further users; -m selects the MD5-based $apr1$ scheme. For anything beyond a lab prefer htpasswd -B (bcrypt).
[root@contral practice]# cat files/htpasswd
admin:$apr1$mry.fxsj$T2p5LEjXesyxEBJ1.sb1M/
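The audit below is an added example, not code from the original post: it parses an htpasswd file and reports which hash scheme each entry uses, flagging the ones that are weak for an Internet-facing host (apr1 included). The sample file content is constructed; the admin line is the page's own entry, the other lines are made up to cover the formats htpasswd(1) can emit.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample htpasswd: the admin line is the page's own entry, the rest
# are made-up entries showing the other formats htpasswd(1) can emit.
SAMPLE_HTPASSWD = """\
admin:$apr1$mry.fxsj$T2p5LEjXesyxEBJ1.sb1M/
# comment lines and blank lines are ignored

ops:$2y$05$abcdefghijklmnopqrstuuZwJ1zKkjLdx9mdP2v7QZyQH5QxEAWMy
legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
old:5hLzb1sQiTUs.
plain:hunter2
"""

# scheme -> (description, acceptable for an Internet-facing host?)
SCHEMES = {
    "apr1": ("MD5-based apr1 (htpasswd -m, the default)", False),
    "bcrypt": ("bcrypt (htpasswd -B)", True),
    "sha1": ("unsalted SHA-1 (htpasswd -s)", False),
    "crypt": ("DES crypt(3) (htpasswd -d), 8-character password limit", False),
    "plain": ("plaintext (htpasswd -p)", False),
}


@dataclass
class Entry:
    user: str
    scheme: str
    weak: bool


def classify_hash(stored: str) -> str:
    """Identify the scheme of one htpasswd password field by its format."""
    if stored.startswith("$apr1$"):
        return "apr1"
    if re.match(r"^\$2[aby]\$\d\d\$", stored):
        return "bcrypt"
    if stored.startswith("{SHA}"):
        return "sha1"
    # crypt(3) output is exactly 13 chars of [./0-9A-Za-z]; a 13-char plaintext
    # password would be misclassified, which is inherent to the file format
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt"
    return "plain"


def parse_htpasswd(text: str) -> list[Entry]:
    """Parse user:hash lines, skipping blanks and comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash")
        user, stored = line.split(":", 1)
        scheme = classify_hash(stored)
        entries.append(Entry(user, scheme, not SCHEMES[scheme][1]))
    return entries


def weak_users(text: str) -> list[str]:
    """Names of users whose stored hash should be re-hashed with htpasswd -B."""
    return [e.user for e in parse_htpasswd(text) if e.weak]


if __name__ == "__main__":
    for e in parse_htpasswd(SAMPLE_HTPASSWD):
        print(f"{'WEAK' if e.weak else 'ok':<4} {e.user:<8} {SCHEMES[e.scheme][0]}")
```

Run against files/htpasswd before it is copied to the managed host; every user it lists as WEAK can be re-hashed in place with `htpasswd -B htpasswd <user>` (without -c, which would truncate the file).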
Configuring password-protected access in the Apache config:
##access control for the protected directory (excerpt of files/httpd.conf)
....
<Directory "/var/www/html">
    AuthUserFile /etc/httpd/htpasswd ##path of the password file deployed by the playbook (secrets_dest)
    AuthType Basic ##HTTP Basic authentication: the client sends user:password base64-encoded, so serve this over https (mod_ssl) outside a lab
    AuthName "Please input your name and passwd" ##realm shown in the login prompt
    Require user admin ##allow only the user admin
    Require valid-user ##allow any user in the file; several Require lines in one <Directory> are OR'ed (implicit RequireAny), so this line makes the one above redundant
......
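To show what the AuthType Basic block above and the uri task with force_basic_auth actually exchange on the wire, here is an added example that is not part of the original post: a minimal server that enforces an htpasswd-style user file, and a client that sends the Authorization header up front the way force_basic_auth does. It uses the {SHA} scheme (htpasswd -s) because that is computable with hashlib alone; checking Apache's default $apr1$ hashes needs an MD5-crypt implementation such as passlib. The user file, realm and credentials (admin/linux) are constructed to mirror the page.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def sha_entry(password: str) -> str:
    """htpasswd -s format: '{SHA}' + base64(sha1(password)). Unsalted; used
    here only because it needs nothing beyond the standard library."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed user file mirroring the page's admin user and web_pass.
USERS = {"admin": sha_entry("linux")}
REALM = "Please input your name and passwd"  # AuthName from httpd.conf


def basic_header(user: str, password: str) -> str:
    """Value of the Authorization header a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(header: str | None) -> str | None:
    """Server side: return the authenticated user name, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, sha_entry(password)):
        return None  # unknown user and wrong password get the same answer
    return user


class Handler(BaseHTTPRequestHandler):
    """Enforces Basic auth on every path, like the <Directory> block."""

    def do_GET(self) -> None:
        user = check_basic(self.headers.get("Authorization"))
        if user is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        body = f"hello {user}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # silence per-request logging
        pass


def fetch(url: str, user: str | None = None, password: str = "") -> tuple[int, str]:
    """Client side. With credentials the header is sent preemptively (what
    force_basic_auth: yes does); returns (status, body or challenge)."""
    req = urllib.request.Request(url)
    if user is not None:
        req.add_header("Authorization", basic_header(user, password))
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")


def run_demo() -> dict[str, tuple[int, str]]:
    """Start the server on an ephemeral loopback port and run three requests."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_address[1]}/"
    try:
        return {
            "anonymous": fetch(url),                    # 401 + challenge
            "admin_ok": fetch(url, "admin", "linux"),   # 200
            "admin_bad": fetch(url, "admin", "wrong"),  # 401
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, (status, text) in run_demo().items():
        print(f"{name}: {status} {text.strip()}")
```

The anonymous request gets a 401 with a WWW-Authenticate challenge carrying the realm from AuthName; a client without force_basic_auth would only send credentials after seeing that challenge, which costs one extra round trip and is why the uri task sets it. The header itself is only base64, which is why the AuthType Basic caveat about https matters.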
Run it interactively and check the result:
##test run
[root@contral practice]# ansible-playbook --vault-id @prompt webser_pa.yml
Vault password (default): ###enter the vault password for vars/secret.yml
PLAY [Install Apache and secret] ******************************************************
TASK [Gathering Facts] ****************************************************************
ok: [servera.linux.com]
TASK [Install packages] ***************************************************************
changed: [servera.linux.com]
TASK [Configure service] **************************************************************
changed: [servera.linux.com]
......
......
TASK [debug] **************************************************************************
ok: [localhost] => {
"auth_test.content": "servera.********.com([u'172.25.254.200', u'192.168.122.1'])\n"
} ###the page body fetched with admin's credentials; a 401 would have failed the task because of status_code: 200
Summary of the approach: first write the configuration file and the host inventory, which settle which host is managed and as whom; then write the main playbook; finally write the files and variables the playbook references (the vaulted password, the htpasswd file, the httpd.conf) instead of hard-coding those values in the playbook, which would make the playbook harder to write and maintain later.