authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/apache/templates/etc/httpd
initial commit
Diffstat (limited to 'roles/apache/templates/etc/httpd')
-rw-r--r--roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j28
-rw-r--r--roles/apache/templates/etc/httpd/conf.d/ssl.conf.j217
-rw-r--r--roles/apache/templates/etc/httpd/conf/httpd.conf.j298
3 files changed, 123 insertions, 0 deletions
diff --git a/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2 b/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2
new file mode 100644
index 0000000..60d092e
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2
@@ -0,0 +1,8 @@
+Alias /.well-known/acme-challenge/ {{ apache_letsencrypt_dir}}/.well-known/acme-challenge/
+ProxyPass /.well-known/acme-challenge/ !
+<Directory "{{ apache_letsencrypt_dir }}/.well-known/acme-challenge/">
+ Options None
+ AllowOverride None
+ ForceType text/plain
+ RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
+</Directory>
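Review bot: The `<Directory>` block for the ACME challenge path carries no `Require` directive, so access is inherited from the enclosing configuration; httpd.conf.j2 in this same commit sets `Require all denied` on `<Directory />`, which means the challenge files are only reachable if `{{ apache_letsencrypt_dir }}` happens to live under `{{ apache_public_dir }}` (not visible here). Adding `Require all granted` inside the block makes the HTTP-01 path work regardless of where the directory is placed, while `RedirectMatch 404` still restricts it to names shaped like a base64url token. The `[\w-]{43}` pattern matches the 32-byte base64url tokens Let's Encrypt issues; if another ACME CA is ever used, confirm its token length before relying on that 404. Minor: `{{ apache_letsencrypt_dir}}` on the `Alias` line is missing the space before `}}`; Jinja2 accepts it, but it is inconsistent with the `<Directory>` line.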
diff --git a/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2 b/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2
new file mode 100644
index 0000000..eb85a29
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2
@@ -0,0 +1,17 @@
+Listen 443 https
+
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+SSLCryptoDevice builtin
+
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLSessionTickets off
+
+# Stapling causes all kinds of hard-to-debug problems on Android clients!
+#SSLUseStapling On
+#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
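Review bot: The comment on `#SSLUseStapling On` records that stapling was disabled but not which failure was observed, which makes the decision hard to revisit. If the Android breakage was the widely reported case of mod_ssl stapling a cached OCSP responder error or a synthetic "tryLater" response, the usual remedy is to keep stapling on with `SSLStaplingReturnResponderErrors off` and `SSLStaplingFakeTryLater off` rather than turning it off; I would note that in the comment either way, e.g. `# Stapling disabled: mod_ssl stapled cached OCSP responder errors, breaking Android clients; revisit with SSLStaplingReturnResponderErrors off`. With stapling off, make sure the certificate request never asks for the OCSP Must-Staple extension, since such a certificate will hard-fail in browsers that enforce it. Session tickets are disabled and TLS is limited to 1.2+, which is consistent with a forward-secrecy-only cipher list.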
diff --git a/roles/apache/templates/etc/httpd/conf/httpd.conf.j2 b/roles/apache/templates/etc/httpd/conf/httpd.conf.j2
new file mode 100644
index 0000000..d34c4a9
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf/httpd.conf.j2
@@ -0,0 +1,98 @@
+ServerRoot "/etc/httpd"
+
+Listen 80
+
+Include conf.modules.d/*.conf
+
+User apache
+Group apache
+
+ServerAdmin root@localhost
+ServerName {{ ansible_fqdn }}
+
+ServerTokens Prod
+ServerSignature Off
+
+# default deny
+<Directory />
+ AllowOverride none
+ Require all denied
+</Directory>
+
+DocumentRoot "{{ apache_public_dir }}/html"
+
+KeepAlive On
+
+# relax access to content within {{ apache_public_dir }}.
+<Directory "{{ apache_public_dir }}">
+ AllowOverride None
+ Require all granted
+</Directory>
+
+# further relax access to the default document root:
+<Directory "{{ apache_public_dir }}/html">
+ Options FollowSymLinks
+
+ AllowOverride None
+
+ Require all granted
+</Directory>
+
+# serve index.html if a directory is requested
+<IfModule dir_module>
+ DirectoryIndex index.html
+</IfModule>
+
+# deny .htaccess, .htpasswd
+<Files ".ht*">
+ Require all denied
+</Files>
+
+ErrorLog "logs/error_log"
+
+LogLevel warn
+
+<IfModule log_config_module>
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+ <IfModule logio_module>
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+ </IfModule>
+
+ CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule alias_module>
+ ScriptAlias /cgi-bin/ "{{ apache_public_dir }}/cgi-bin/"
+
+</IfModule>
+
+<Directory "{{ apache_public_dir }}/cgi-bin">
+ AllowOverride None
+ Options None
+ Require all granted
+</Directory>
+
+<IfModule mime_module>
+ TypesConfig /etc/mime.types
+
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+ MIMEMagicFile conf/magic
+</IfModule>
+
+EnableSendfile on
+
+AddOutputFilterByType DEFLATE {{ apache_gzip_types | join(" ") }}
+
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf
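Review bot: The document-root `<Directory "{{ apache_public_dir }}/html">` block sets `Options FollowSymLinks`, which lets httpd serve anything a symlink in that tree points at, including files outside the web root, if any process that can write there is ever compromised; unless the symlink traversal is needed, `Options SymLinksIfOwnerMatch` (or `Options None`) is the safer default, at the cost of an extra lstat per path component. The `.shtml` `AddOutputFilter INCLUDES` lines are effectively inert because no `<Directory>` block enables `Options Includes`, so either drop them or add a comment saying SSI is intentionally not enabled. `AddOutputFilterByType DEFLATE {{ apache_gzip_types | join(" ") }}` will produce an invalid directive if the list variable is empty, and if it includes `text/html` for dynamic responses that reflect attacker input alongside secrets (CSRF tokens, session identifiers), response compression exposes them to BREACH-style attacks; worth a comment on the variable's intended contents. The `ScriptAlias /cgi-bin/` block with `Require all granted` is live attack surface only if something is actually deployed there; if nothing is, removing it is cheaper than keeping an executable directory around.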