author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/apache/templates/etc/httpd | |
download | selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip |
initial commit
Diffstat (limited to 'roles/apache/templates/etc/httpd')
-rw-r--r-- | roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2 | 8 | ||||
-rw-r--r-- | roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2 | 17 | ||||
-rw-r--r-- | roles/apache/templates/etc/httpd/conf/httpd.conf.j2 | 98 |
3 files changed, 123 insertions, 0 deletions
diff --git a/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2 b/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2
new file mode 100644
index 0000000..60d092e
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2
@@ -0,0 +1,8 @@
+Alias /.well-known/acme-challenge/ {{ apache_letsencrypt_dir}}/.well-known/acme-challenge/
+ProxyPass /.well-known/acme-challenge/ !
+<Directory "{{ apache_letsencrypt_dir }}/.well-known/acme-challenge/">
+ Options None
+ AllowOverride None
+ ForceType text/plain
+ RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
+</Directory>
diff --git a/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2 b/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2
new file mode 100644
index 0000000..eb85a29
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2
@@ -0,0 +1,17 @@
+Listen 443 https
+
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+SSLCryptoDevice builtin
+
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLSessionTickets off
+
+# Stapling causes all kinds of hard-to-debug problems on Android clients!
+#SSLUseStapling On
+#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
diff --git a/roles/apache/templates/etc/httpd/conf/httpd.conf.j2 b/roles/apache/templates/etc/httpd/conf/httpd.conf.j2
new file mode 100644
index 0000000..d34c4a9
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf/httpd.conf.j2
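Review bot: The `<Directory>` block for the challenge path sets no authorization directive, while the `httpd.conf.j2` in this same commit defaults `<Directory />` to `Require all denied`; unless `{{ apache_letsencrypt_dir }}` happens to sit under a directory that already grants access, HTTP-01 validation requests will be answered with 403. Add `Require all granted` next to `AllowOverride None` so that exactly this one path is opened and nothing else. The Alias on the first line writes `{{ apache_letsencrypt_dir}}` without the closing space while the Directory line uses `{{ apache_letsencrypt_dir }}`; Jinja renders both, but the inconsistency is worth fixing in the same place.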
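Review bot: The comment above the two commented-out stapling lines records a symptom but not the trade-off, so a later maintainer cannot tell whether turning stapling back on is safe or what the cost of leaving it off is. With stapling off, every client either performs its own OCSP lookup or skips revocation checking entirely, and the Android breakage this kind of comment usually refers to is often attributed to the server stapling responder errors rather than to stapling itself. I would extend the comment to something like `# Stapling disabled: Android clients choke on stapled responder errors; if re-enabled, also set SSLStaplingReturnResponderErrors off and SSLStaplingFakeTryLater off` so the decision is documented rather than just disabled. The protocol and cipher lines are otherwise sound for this file: TLS 1.0/1.1 excluded, AEAD-only suites, session tickets off.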
@@ -0,0 +1,98 @@
+ServerRoot "/etc/httpd"
+
+Listen 80
+
+Include conf.modules.d/*.conf
+
+User apache
+Group apache
+
+ServerAdmin root@localhost
+ServerName {{ ansible_fqdn }}
+
+ServerTokens Prod
+ServerSignature Off
+
+# default deny
+<Directory />
+ AllowOverride none
+ Require all denied
+</Directory>
+
+DocumentRoot "{{ apache_public_dir }}/html"
+
+KeepAlive On
+
+# relax access to content within {{ apache_public_dir }}.
+<Directory "{{ apache_public_dir }}">
+ AllowOverride None
+ Require all granted
+</Directory>
+
+# further relax access to the default document root:
+<Directory "{{ apache_public_dir }}/html">
+ Options FollowSymLinks
+
+ AllowOverride None
+
+ Require all granted
+</Directory>
+
+# serve index.html if a directory is requested
+<IfModule dir_module>
+ DirectoryIndex index.html
+</IfModule>
+
+# deny .htaccess, .htpasswd
+<Files ".ht*">
+ Require all denied
+</Files>
+
+ErrorLog "logs/error_log"
+
+LogLevel warn
+
+<IfModule log_config_module>
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+ <IfModule logio_module>
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+ </IfModule>
+
+ CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule alias_module>
+ ScriptAlias /cgi-bin/ "{{ apache_public_dir }}/cgi-bin/"
+
+</IfModule>
+
+<Directory "{{ apache_public_dir }}/cgi-bin">
+ AllowOverride None
+ Options None
+ Require all granted
+</Directory>
+
+<IfModule mime_module>
+ TypesConfig /etc/mime.types
+
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+ MIMEMagicFile conf/magic
+</IfModule>
+
+EnableSendfile on
+
+AddOutputFilterByType DEFLATE {{ apache_gzip_types | join(" ") }}
+
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf |
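Review bot: `AddOutputFilterByType DEFLATE {{ apache_gzip_types | join(" ") }}` renders to a directive with no MIME-type arguments when the list variable is empty, and httpd refuses to start on that (the directive requires at least two arguments); wrap it as `{% if apache_gzip_types %}` / the directive / `{% endif %}`, or give the variable a non-empty default in the role. `AddOutputFilter INCLUDES .shtml` in the mime_module block is inert as written, because no `<Directory>` in this hunk sets `Options Includes`, so `.shtml` files would be served raw as text/html; either drop the two `.shtml` lines or, if SSI is wanted, enable `Options IncludesNOEXEC` on that one directory only. The `ScriptAlias /cgi-bin/` plus `Require all granted` on the cgi-bin directory keeps a CGI execution path open even though nothing on this page deploys scripts there; if the role ships no CGI, removing the alias block and its Directory section shrinks the attack surface. The html directory's `Options FollowSymLinks` follows any symlink placed under the docroot; `SymLinksIfOwnerMatch` would be the stricter choice if content is written by an account other than the one owning the tree.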