diff --git a/configure_ufw.yml b/configure_ufw.yml index 2d00d2fdc477566a3c09af6ff10fab943fd2f36e..f74ede57ea2e4c3cc22ddb1a964f5af72a9d11aa 100644 --- a/configure_ufw.yml +++ b/configure_ufw.yml @@ -3,43 +3,32 @@ become: true hosts: all tasks: - # setup ufw ssh rules - - name: allow ssh access from uni-hamburg ip range + # setup ufw ssh exception/limiting rules + - name: allow ssh access from specified ip ranges ufw: rule: allow app: OpenSSH - from_ip: 134.100.0.0/16 - - - name: allow ssh access from internal ip range a) - ufw: - rule: allow - app: OpenSSH - from_ip: 192.168.0.0/16 - - - name: allow ssh access from internal ip range b) - ufw: - rule: allow - app: OpenSSH - from_ip: 172.16.0.0/12 + from_ip: "{{ item }}" + with_items: "{{ ufw_ssh_allowed_from }}" - name: rate limiting ssh access ufw: rule: limit app: OpenSSH - # setup nginx web server rule + # setup nginx web server exception rule - name: allow access of nginx webserver from everywhere ufw: rule: allow name: Nginx Full - # set default rules + # set default deny rules - name: deny any other incoming traffic by default ufw: state: enabled default: deny direction: incoming - + # set default allow rule for outgoing, FIXME: do it more granulary (only http/https) - name: allow any outgoing traffic by default ufw: state: enabled diff --git a/group_vars/otree_servers.yml.example b/group_vars/otree_servers.yml.example index 225b0ca69810ccceadc80e3a102b951bdc03b480..be821da2c81082ceae7306d7eb6be96eac97b9f9 100644 --- a/group_vars/otree_servers.yml.example +++ b/group_vars/otree_servers.yml.example @@ -53,3 +53,6 @@ otree_users: ssl_certificate_path: "/etc/ssl/certs/{{ otree_domain }}.crt" ssl_certificate_key_path: "/etc/ssl/private/{{ otree_domain }}.key" +ufw_ssh_allowed_from: + - "192.168.0.0/16" + - "172.16.0.0/12"
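Review bot: The new `with_items: "{{ ufw_ssh_allowed_from }}"` on the "allow ssh access from specified ip ranges" task has no fallback, so a host whose group_vars do not define `ufw_ssh_allowed_from` should, as far as I can tell, abort the play with an undefined-variable error rather than simply add no exception rules; since the only definition this commit adds lives in a `.yml.example` file, that is the likely state of a fresh checkout. A guarded loop such as `loop: "{{ ufw_ssh_allowed_from | default([]) }}"` keeps the task a no-op in that case, which is safe here because the following `rule: limit` / `app: OpenSSH` task still admits SSH from any source (rate-limited) and the `default: deny` task only closes other incoming traffic. It would also help to say that in the comment, e.g. `# ranges listed in ufw_ssh_allowed_from bypass the SSH rate limit below; all other sources are still allowed but limited`, since "exception/limiting rules" alone does not make clear that the list is an exemption rather than an allow-list. Note that the previously hard-coded `134.100.0.0/16` entry is not carried into the new variable, so clients from that range will now be rate-limited after this change.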
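Review bot: The new `ufw_ssh_allowed_from` list in the example group_vars carries no comment, so an operator copying the file cannot tell whether it is an SSH allow-list or, as configure_ufw.yml actually uses it, the set of ranges exempted from the `rule: limit` on OpenSSH. Suggest a comment above the key along the lines of `# CIDR ranges exempted from the SSH rate limit (see configure_ufw.yml); SSH from other sources remains allowed but limited` and a reminder that site-specific public ranges (the old hard-coded 134.100.0.0/16 entry is not in this example) must be added here by the operator. Keeping the values quoted, as they are, is correct for CIDR strings.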