update scan

.gitignore

@@ -3,4 +3,6 @@ scaleway/
 .vagrant/
 ressources
 SecLists/
-scan/
+scan/
+dirsearch/
+reports/

scan.yml

@@ -1,6 +1,6 @@
 ---
 - name: Scan
-  hosts: localhost
+  hosts: tower
   become: true
   gather_facts: false
   vars: 
@@ -15,7 +15,8 @@
               37653135666331633532653436656461396131623736353962643632316135633562346631313036
               6137356332636431643830666461333862613835336631333037
   # 163.172.0.0/24
-    target_network: 163.172.80.0/28
+  # 163.172.80.0/28 
+    target_network: 163.172.80.139
     ansible_user: stephane 
     ansible_password: stephane 
     ansible_become_password: stephane
@@ -33,8 +34,17 @@
 # # @author Stéphane Gratias (2021).
 #
 
-  pre_tasks:
 
+  # roles:
+  #   - { role: geerlingguy.pip, tags: pip }
+  tasks:
+
+
+  - name: Update repositories and install packages needed
+    ansible.builtin.apt:
+      name: masscan
+      update_cache: true
+    # delegate_to: localhost
 
 
   - ansible.builtin.git:
@@ -45,19 +55,23 @@
     delegate_to: localhost
 
 
-  # - ansible.builtin.git:
-  #     repo: https://github.com/danielmiessler/SecLists.git
-  #     dest: "{{ playbook_dir }}/SecLists"
-  #     single_branch: yes
-  #     force: true
-  #   delegate_to: localhost
+  - ansible.builtin.git:
+      repo: https://github.com/maurosoria/dirsearch.git
+      dest: "{{ playbook_dir }}/dirsearch"
+      single_branch: yes
+      force: true
+    delegate_to: localhost
+
+  - name: Install specified python requirements
+    ansible.builtin.pip:
+      requirements: "{{ playbook_dir }}/dirsearch/requirements.txt"
 
   # apt install masscan
   - ansible.builtin.command:
       cmd: "masscan {{ target_network }} -p443"
     become: true
     register: scan_output
-    delegate_to: localhost
+
 
   - debug:
       msg: "{{ item }}"
@@ -90,18 +104,16 @@
 
   # apt install masscan
   - ansible.builtin.command:
-      cmd: " dirsearch -u https://{{ item.item.split('on')[-1].strip() }} -i 200 -t 100"
+      cmd: "python3 {{ playbook_dir }}/dirsearch/dirsearch.py -u https://{{ item.item.split('on')[-1].strip() }} -i 200 -t 100"
     become: true
     loop: "{{ cert.results }}"
+    # vars:
+    #   ansible_command_timeout: 500
     ignore_errors: true
     register: fuff
-    delegate_to: localhost
 
 #ffuf -w SecLists/Discovery/Web-Content/directory-list-1.0.txt -u https://dstrn.if.ua/FUZZ
 
-  # - debug:
-  #     msg: "{{ item }}"
-  #   loop: "{{ cert.results }}"
   #   # loop: "{{ scan443.stdout_lines }}"
   #   #   - "{{ cert.not_after }}"
   #   #   - "{{ ansible_date_time.iso8601_basic }}"
@@ -122,23 +134,27 @@
     delegate_to: localhost
 
 
-  - debug:
-      msg: "{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1] }}"
-    loop: "{{ fuff.results }}"
-    # when: item.stdout_lines is search('200 -')
-    # loop: "{{ scan443.stdout_lines }}"
-    #   - "{{ cert.not_after }}"
-    #   - "{{ ansible_date_time.iso8601_basic }}"
-    tags: test
-    ignore_errors: true
-    delegate_to: localhost
+  # - debug:
+  #     msg: "{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1] }}"
+  #   loop: "{{ fuff.results }}"
+  #   # when: item.stdout_lines is search('200 -')
+  #   # loop: "{{ scan443.stdout_lines }}"
+  #   #   - "{{ cert.not_after }}"
+  #   #   - "{{ ansible_date_time.iso8601_basic }}"
+  #   tags: test
+  #   ignore_errors: true
+  #   delegate_to: localhost
 
-  - name: Copy a "sudoers" file on the remote machine for editing
+
+
+  - debug:
+      msg: "{{ fuff }}"
+
+  - name: Copy 
     ansible.builtin.copy:
-      src: "{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1] }}"
-      dest: "{{ playbook_dir }}/scan/{{ item.stdout.split('\n\nError Log')[0].split('Output File: ')[-1].split('/')[-2] }}"
+      src: "{{ playbook_dir }}/reports"
+      dest: "{{ playbook_dir }}/scan/"
       remote_src: yes
-    loop: "{{ fuff.results }}"
     delegate_to: localhost
 
 

swarm.yml

@@ -203,8 +203,6 @@
                 secrets:
                   - wildcard-jingoh-private.crt
                   - wildcard-jingoh-private.key
-                labels:
-                  - "io.portainer.accesscontrol.public"
                 deploy:
                   mode: replicated
                   replicas: 1
@@ -231,7 +229,8 @@
                     - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
                     - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
                     - "traefik.http.middlewares.privatevpn.ipwhitelist.sourcerange=100.96.0.0/16"
-                    # - "traefik.http.routers.dashboard.middlewares=privatevpn"
+                    - "io.portainer.accesscontrol.public"
+                    - "traefik.http.routers.dashboard.middlewares=privatevpn"
               agent:
                 image: portainer/agent:latest
                 environment:
@@ -261,14 +260,13 @@
                 networks:
                   - public
                   - agent_network
-                labels:
-                  - "io.portainer.accesscontrol.public"
                 deploy:
                   mode: replicated
                   replicas: 1
                   placement:
                     constraints: [node.role == manager]
                   labels:
+                  - "io.portainer.accesscontrol.public"
                   # Frontend
                   - "traefik.enable=true"
                   - "traefik.docker.network=public"
@@ -287,10 +285,9 @@
                   - "traefik.http.routers.edge.middlewares=privatevpn"
               whoami:
                 image: "traefik/whoami"
-                labels:
-                  - "io.portainer.accesscontrol.public"
                 deploy:
                   labels:
+                    - "io.portainer.accesscontrol.public"
                     - "traefik.enable=true"
                     - "traefik.docker.network=public"
                     - "traefik.http.routers.whoami.rule=Host(`whoamitest.jingoh.private`)"
@@ -301,6 +298,34 @@
                 networks:
                   - public
 
+              # forward-auth:
+              #   image: thomseddon/traefik-forward-auth:2.2.0
+              #   environment:
+              #   # env_file: ./appdata/dex/traefik-auth-conf.env
+              #   container_name: forward-auth
+              #   volumes:
+              #   # - ./config.ini:/config.ini:ro
+              #   - ./appdata/dex/traefik-auth-conf.env:/config.ini:ro
+              #   # - /var/data/config/traefik-forward-auth/config.ini:/config.ini:ro
+              #   networks:
+              #     t2_proxy:
+              #       ipv4_address: 192.168.90.193
+              #   labels:
+              #     # traefikv2
+              #     - "traefik.enable=true"
+              #     - "traefik.docker.network=t2_proxy"
+              #     - "traefik.http.routers.auth.rule=Host(`auth.jingoh.fr`)"
+              #     - "traefik.http.routers.auth.entrypoints=https"
+              #     - "traefik.http.routers.auth.tls=true"
+              #     # - "traefik.http.routers.auth.tls.domains[0].main=jingoh.fr"
+              #     # - "traefik.http.routers.auth.tls.domains[0].sans=*.jingoh.fr"        
+              #     - "traefik.http.routers.auth.tls.certresolver=letsencrypt-resolver"
+              #     - "traefik.http.routers.auth.service=auth@docker"
+              #     - "traefik.http.services.auth.loadbalancer.server.port=4181"
+              #     - "traefik.http.middlewares.forward-auth.forwardauth.address=http://forward-auth:4181"
+              #     - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
+              #     - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
+
             networks:
               public:
                 external: true
@@ -325,6 +350,7 @@
 
       run_once: true
       when: inventory_hostname in groups['docker_swarm_manager']
+      tags: deploy
 
 #  docker network create -d overlay agent_network
 #  docker network create -d overlay public