George Boobyer's blog
Using Ansible to protect against 'Connection attempts using mod_proxy'
I regularly encounter issues arising from server security reviews, log reviews and the like that provide good examples of how Ansible can be used to respond to a problem.
One such example is making sure that none of your servers can be used as a proxy.
In our case we use Ansible to provision our servers and monitor their configuration, and we have a set of playbooks that secure them and set up security applications and firewalls to ensure they are not vulnerable.
A common setup is to secure your servers with iptables and Fail2ban and use Logwatch to monitor your logs for common signs of unwanted activity. You should review these reports regularly and respond to any unusual activity; in most cases the activity should already be protected against.
But if you are using a utility like Logwatch to keep an eye on activity on your servers, you may occasionally see an entry such as:
Connection attempts using mod_proxy: 1.164.40.29 -> mx3.mail2000.com.tw:25: 1 Time(s)
This indicates that someone is scanning your server to see whether they can use it as a proxy to connect to a mail server or some other service. This is definitely not wanted, and it is worth checking that you are not vulnerable to this.
By default, Apache has ProxyRequests set to Off and does not install with the proxy modules enabled, but it is worth checking that this is actually the case.
To do so by hand would involve something like the following:
- Visit every server and check that the relevant modules are disabled.
- Limit use of the CONNECT verb to ensure that such connections are denied.
That is time consuming, and you would need to repeat it regularly to ensure that the modules are not enabled later on.
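The two manual checks above can be run from one place as a read-only audit play. The play below is an added example and is not code from the original post: it lists the loaded modules with `apache2ctl -M`, fails the host for any module from the post's `apache_mods_disabled` list that is loaded, and then greps the configuration tree for `ProxyRequests On`. The `apache2ctl` command and the `/etc/apache2` path are the Debian/Ubuntu defaults and are assumptions for other distros (CentOS uses `apachectl` and `/etc/httpd`).

```yaml
---
# Added example (not the post's own code): read-only audit of the proxy
# module state and the ProxyRequests directive across all web servers.
# apache2ctl and /etc/apache2 are Debian/Ubuntu assumptions.
- hosts: webservers
  become: yes
  vars:
    apache_mods_disabled:
      - proxy
      - proxy_ftp
      - proxy_http
      - proxy_connect
  tasks:
    - name: Apache | List loaded modules
      command: apache2ctl -M
      register: loaded_mods
      changed_when: false          # reporting only, never a "change"

    - name: Apache | Report any proxy module that is loaded
      fail:
        msg: "{{ item }}_module is loaded on {{ inventory_hostname }}"
      when: (item ~ '_module') in loaded_mods.stdout
      with_items: "{{ apache_mods_disabled }}"
      ignore_errors: yes           # keep auditing; the play summary still shows the hit

    - name: Apache | Look for ProxyRequests On anywhere in the config tree
      shell: grep -rEil '^[[:space:]]*ProxyRequests[[:space:]]+On' /etc/apache2 || true
      register: proxy_requests_on
      changed_when: false

    - name: Apache | Report files that turn ProxyRequests on
      fail:
        msg: "ProxyRequests On found in: {{ proxy_requests_on.stdout_lines | join(', ') }}"
      when: proxy_requests_on.stdout != ''
```

Because every task sets `changed_when: false` and nothing writes to the host, the play is safe to run against production on a schedule; a failed host in the summary is the signal that the enforcing tasks described next are needed there.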
So using Ansible we can do the following:
- Provide a list of modules we always want to see disabled on a server and create a task that will ensure they are disabled.
- Provide a default configuration file for the server that limits use of the CONNECT verb, and create a task that puts it in the correct place and restarts the web server. Note that the examples will need adapting for some distros (e.g. CentOS) and require a handler for the Apache restart. In most cases these would be additions to your existing playbook for controlling your web servers.
Doing it this way:
- Documents the change to your build spec
- Applies the measure to all servers
- Maintains the state of the measure
- Enables you to extend how you respond to the issue
So we create a variable list (apache_mods_disabled) containing all of the modules we want to be sure are disabled.

```yaml
---
- hosts: webservers
  vars:
    apache_mods_disabled:
      - proxy
      - proxy_ftp
      - proxy_http
      - proxy_connect
```
We then use this list in a task that disables the modules if they are enabled (and does nothing if they are already disabled).
```yaml
- name: Apache | Disable Apache Mods
  apache2_module: state=absent name={{ item }}
  # quoted Jinja form; a bare variable name in with_items is deprecated
  with_items: "{{ apache_mods_disabled }}"
  notify: restart apache
```
We also create a small configuration file to limit the CONNECT verb and place that in the conf.d folder (read by Apache on restart):

```apache
# {{ ansible_managed }}
<Location />
  <Limit CONNECT>
    Order deny,allow
    Deny from all
  </Limit>
</Location>
```

and place it on the server using the template module:

```yaml
- name: Apache | Limit Connect verb
  template: src=apache_conf_connect.j2 dest=/etc/apache2/conf.d/proxy_connect.conf
  notify: restart apache
```
Each of these tasks will notify a handler to restart Apache if needed.
Typically you would simply add the variables and tasks to your existing playbooks.
You can then be confident that the protection measure is in place on all of your web servers and that this state is maintained.
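Put together as one self-contained play, with the restart handler the post says is required and a RedHat-family branch for the distro adaptation it mentions, the enforcing side looks like the following. This is an added example, not the post's gist: the `apache_service` and `apache_conf_dir` variable names are my own, and the `/etc/httpd/conf.modules.d/00-proxy.conf` path is assumed to be where a CentOS 7 httpd package declares its proxy LoadModule lines. The `apache_conf_connect.j2` template is the file shown above.

```yaml
---
# Added example (not the post's own code): variables, enforcing tasks and
# the restart handler in one play. apache_service / apache_conf_dir and the
# RedHat conf.modules.d path are assumptions for illustration.
- hosts: webservers
  become: yes
  vars:
    # proxy is listed last because the other three depend on it
    apache_mods_disabled:
      - proxy_ftp
      - proxy_http
      - proxy_connect
      - proxy
    # Debian/Ubuntu defaults; switched for RedHat-family hosts below
    apache_service: apache2
    apache_conf_dir: /etc/apache2/conf.d
  tasks:
    - name: Apache | Use httpd names on RedHat-family hosts
      set_fact:
        apache_service: httpd
        apache_conf_dir: /etc/httpd/conf.d
      when: ansible_os_family == "RedHat"

    - name: Apache | Disable Apache Mods (Debian family, via a2dismod)
      apache2_module:
        name: "{{ item }}"
        state: absent
      with_items: "{{ apache_mods_disabled }}"
      when: ansible_os_family == "Debian"
      notify: restart apache

    - name: Apache | Comment out proxy LoadModule lines (RedHat family)
      # no a2dismod here: modules are plain LoadModule lines in conf.modules.d
      replace:
        path: /etc/httpd/conf.modules.d/00-proxy.conf
        regexp: '^(\s*LoadModule\s+{{ item }}_module\s)'
        replace: '#\1'
      with_items: "{{ apache_mods_disabled }}"
      when: ansible_os_family == "RedHat"
      notify: restart apache

    - name: Apache | Limit Connect verb
      template:
        src: apache_conf_connect.j2
        dest: "{{ apache_conf_dir }}/proxy_connect.conf"
        owner: root
        group: root
        mode: '0644'
      notify: restart apache

  handlers:
    - name: restart apache
      service:
        name: "{{ apache_service }}"
        state: restarted
```

Two points worth noting when adapting this. Every task is idempotent, so a second run reports no changes and the handler does not fire, which is what makes the play suitable for a scheduled run that maintains the state. And on Apache 2.4 the `Order deny,allow` / `Deny from all` pair in the template only works when mod_access_compat is loaded; the native 2.4 form of the same rule inside `<Limit CONNECT>` is `Require all denied`.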
See a full Gist here: