Ansible role that allows for quickly deploying a redirector to an existing server with mod_rewrite proxy rules.

Supports Debian and Ubuntu; tested on DigitalOcean and Azure.

See threat.tevora.com/automating-redirector-deployment-with-ansible for a blog post walking through redirectors, Ansible, and a deep dive on this role.

To get started, clone this repo, install Ansible, and place this repo in your roles folder. See the sample playbook below for an example of how to build your redirector instance config.

Instance Playbook Sample provision_redirector_example.yml

- hosts: EnigmaticEmu
  gather_facts: False
  user: root
  pre_tasks:
  - name: Install python for Ansible
    raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
    changed_when: False
  - setup: # aka gather_facts 
  tasks: 
  - include_role:
      name: redirectors
    vars:
      le_email: 'threat@tevora.com'
      hop_dir: hops/empire_hop
      vhosts: [
        {
          servername: 'fakeamazon.com',
          http_port: 80,
          https_port: 443,
          c2filters: [
            {
              rewritefilter: '^/orders/track/?$',
              host: '123.124.125.126'
            }
          ],
          configs: [ 
            'RewriteRule !\.php$ https://www.amazon.com/%{REQUEST_URI} [L,R=302]'
          ]
        },
        {
          servername: 'fakegoogle.com',
          http_port: 80,
          https_port: 443,
          config_files: [
            "redirectors.txt",
            "apache_tweaks.conf"
          ],
        }
      ] 

Breakdown of the example:

We formatted this config mostly in JSON (YAML is a superset of JSON), but you can format it however you like as long as it matches up.

Notice that the config defines multiple vhosts, and each one can use one or more methods (c2filters, configs, and config_files in the example above) of specifying what it injects into the configuration templates.

The reason we create one configuration file per vhost is that Let's Encrypt, specifically the certbot-apache component, does not support more than one vhost per config file. Because of this, we will be provisioning multiple configuration files to the server.

Running the Playbook

To run the role, create your playbook in the form of the example we covered and run ansible-playbook -i <your_hosts_file> <your_playbook>. Ensure that this role is in the roles directory in the same path as your playbook, and that your hop and/or config files are placed correctly. Your directory layout should look like:

├── my_playbook.yml
├── files
│   └── empire_hop
│       └── news
│           └── login.php
└── roles
    ├── redirectors
    │   ├── files
    │   ├── handlers
    │   │   └── main.yaml
    │   ├── meta
    │   ├── tasks
    │   │   ├── apache.yml
    │   │   ├── letsencrypt.yml
    │   │   └── main.yml
    │   ├── templates
    │   │   ├── apache_sslvhost.conf.j2
    │   │   └── apache_vhost.conf.j2
    │   └── vars