Add support for securing web interface with SSL

README.md

@@ -51,6 +51,9 @@ Role Variables
 * `monit_webinterface_enabled`: Enable monit web interface. Defaults to `true`.
 * `monit_webinterface_bind`: IP address to bind web interface. Defaults to `0.0.0.0` (listen for external requests).
 * `monit_webinterface_port`: Port for web interface. Defaults to `2812`.
+* `monit_webinterface_ssl_enabled`: Enable SSL for monit web interface. Defaults to `false`.
+* `monit_webinterface_ssl_pemfile`: Path to the cerficate in PEM format (required when SSL is enabled for web interface). If you are using Lets Encrypt for generating the certificate, concatenate the ca chain and private key using  `cat /etc/letsencrypt/live/YOUR_DOMAIN/{privkey,fullchain}.pem  > /etc/monit/cert.pem`.
+* `monit_webinterface_ssl_selfsigned`: Allow/reject self signed certificate. Defaults to `reject`.
 * `monit_webinterface_rw_group`: Define group of users allowed to read and write on web interface. It is only applied when defined and is empty by default.
 * `monit_webinterface_r_group`: Define group of users allowed to read on web interface. It is only applied when defined and is empty by default.
 * `monit_webinterface_acl_rules`: List of ACL rules for the web interface, such as "localhost" or "hauk:password". It is only applied when defined and is empty by default. You should probably define at least one for the httpd service to start.

defaults/main.yml

@@ -14,3 +14,7 @@ monit_mailserver_port: 25
 monit_webinterface_enabled: true
 monit_webinterface_bind: 0.0.0.0
 monit_webinterface_port: 2812
+
+monit_webinterface_ssl_enabled: false
+monit_webinterface_ssl_pemfile: ''
+monit_webinterface_ssl_selfsigned: 'reject'

tasks/certificate.yml

@@ -0,0 +1,20 @@
+---
+- name: certificate - ensure directory exists for local self-signed TLS cert
+  file:
+    path: "{{ monit_webinterface_ssl_pemfile | dirname }}"
+    state: directory
+
+- name: certificate - generate certificate
+  shell: >
+    openssl req -new -x509 -days 365 -nodes
+    -out {{ monit_webinterface_ssl_pemfile }}
+    -keyout {{ monit_webinterface_ssl_pemfile }}
+    -subj "/C=XX/ST=YY/L=ZZ/O=Acme Corporation/OU=IT Department/CN={{ ansible_fqdn }}"
+
+- name: certificate - generate dhparams
+  shell: "openssl dhparam -2 2048 >> {{ monit_webinterface_ssl_pemfile }}"
+
+- name: certificate - change file permission
+  file:
+    path: "{{ monit_webinterface_ssl_pemfile }}"
+    mode: '0600'

tasks/config.yml

@@ -10,7 +10,7 @@
 
 - name: create lib folder
   file: path="{{ monit_lib_folder }}" state=directory mode=0600
-  
+
 - name: config - Setup monitrc
   template:
     src: monitrc.j2
@@ -21,13 +21,7 @@
   notify: restart monit
 
 - name: config - Setup webinterface
-  template:
-    src: webinterface.j2
-    dest: "{{ monit_includes }}/webinterface"
-    owner: root
-    group: root
-    mode: 0644
-  notify: restart monit
+  include: web.yml
 
 - name: config - Setup mail alerts
   template:

tasks/web.yml

@@ -1,4 +1,14 @@
 ---
+- name: web - check monit certificate exists
+  stat:
+    path: "{{ monit_webinterface_ssl_pemfile }}"
+  register: stat_result
+  when: monit_webinterface_ssl_enabled and monit_webinterface_ssl_pemfile != ''
+
+- name: web - create self signed certificate
+  include: certificate.yml
+  when: stat_result is defined and stat_result.stat.exists == False
+
 - name: web - Setup webinterface
   template:
     src: webinterface.j2

templates/webinterface.j2

@@ -8,6 +8,12 @@ set httpd
     allow {{ rule }}
 {% endfor %}
 {% endif %}
+{%if monit_webinterface_ssl_enabled and monit_webinterface_ssl_pemfile != '' %}
+    with ssl {
+       pemfile: {{ monit_webinterface_ssl_pemfile }}
+       selfsigned: {{ monit_webinterface_ssl_selfsigned }}
+    }
+{% endif %}
 {% if monit_webinterface_rw_group is defined %}
     allow @{{ monit_webinterface_rw_group }}
 {% endif %}