From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
roles/apache_vhost/defaults/main.yml | 14 +++
roles/apache_vhost/meta/main.yml | 2 +
roles/apache_vhost/tasks/main.yml | 18 +++
.../templates/etc/httpd/conf.d/vhost.conf.j2 | 135 +++++++++++++++++++++
roles/apache_vhost/vars/main.yml | 26 ++++
5 files changed, 195 insertions(+)
create mode 100644 roles/apache_vhost/defaults/main.yml
create mode 100644 roles/apache_vhost/meta/main.yml
create mode 100644 roles/apache_vhost/tasks/main.yml
create mode 100644 roles/apache_vhost/templates/etc/httpd/conf.d/vhost.conf.j2
create mode 100644 roles/apache_vhost/vars/main.yml
(limited to 'roles/apache_vhost')
diff --git a/roles/apache_vhost/defaults/main.yml b/roles/apache_vhost/defaults/main.yml
new file mode 100644
index 0000000..c9bc05c
--- /dev/null
+++ b/roles/apache_vhost/defaults/main.yml
@@ -0,0 +1,14 @@
+apache_server_name: '{{ ansible_fqdn }}'
+apache_server_aliases: '{{ [] if apache_letsencrypt else cnames }}'
+
+apache_default_vhost: no
+apache_autoindex: no
+
+apache_letsencrypt: no
+apache_use_ssl: yes
+apache_use_http2: yes
+apache_redirect_to_https: yes
+
+apache_ldap_servers: '{{ freeipa_hosts }}'
+
+apache_config: ''
diff --git a/roles/apache_vhost/meta/main.yml b/roles/apache_vhost/meta/main.yml
new file mode 100644
index 0000000..98821ae
--- /dev/null
+++ b/roles/apache_vhost/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: apache
diff --git a/roles/apache_vhost/tasks/main.yml b/roles/apache_vhost/tasks/main.yml
new file mode 100644
index 0000000..ebe6fe6
--- /dev/null
+++ b/roles/apache_vhost/tasks/main.yml
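Review bot: `apache_server_aliases` falls back to `cnames`, which nothing in this role defines, so a host that does not carry that variable fails at the first use of the list (the `certificate_sans` expression in tasks/main.yml) with an undefined-variable error instead of a clear message; presumably `cnames` is meant to come from inventory, so guard it with `apache_server_aliases: '{{ [] if apache_letsencrypt else (cnames | default([])) }}'` or state the requirement in the role's documentation. The `yes`/`no` flags are YAML 1.1 truthy values that Ansible accepts but yamllint's `truthy` rule flags; `true`/`false` here (and for `certificate_use_apache` and `lstrip_blocks` in tasks/main.yml) is the portable spelling.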
@@ -0,0 +1,18 @@
+- name: request https certificate
+ include_role:
+ name: '{{ "certbot" if apache_letsencrypt else "getcert_request" }}'
+ vars:
+ certificate_sans: '{{ [apache_server_name] + apache_server_aliases }}'
+ certificate_path: '{{ apache_certificate_path }}'
+ certificate_key_path: '{{ apache_certificate_key_path }}'
+ certificate_use_apache: yes
+ certificate_hook: systemctl reload httpd
+ when: apache_use_ssl
+
+- name: generate vhost configuration
+ template:
+ src: etc/httpd/conf.d/vhost.conf.j2
+ dest: /etc/httpd/conf.d/vhost-{{ '000-default' if apache_default_vhost else (apache_config_name | default(apache_server_name)) }}.conf
+ mode: 0640
+ lstrip_blocks: yes
+ notify: reload apache
diff --git a/roles/apache_vhost/templates/etc/httpd/conf.d/vhost.conf.j2 b/roles/apache_vhost/templates/etc/httpd/conf.d/vhost.conf.j2
new file mode 100644
index 0000000..a925372
--- /dev/null
+++ b/roles/apache_vhost/templates/etc/httpd/conf.d/vhost.conf.j2
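Review bot: The `dest` of the template task interpolates `apache_config_name` or `apache_server_name` straight into a path under /etc/httpd/conf.d, so a value containing `/` or `..` would place the vhost file outside that directory; these are operator-supplied variables, so this is a misconfiguration risk rather than an attack surface, but an `assert` that the name matches a hostname pattern (or a `basename` filter on it) would make the failure explicit. `mode: 0640` is an unquoted octal literal that YAML 1.1 parsers read as the integer 416; Ansible handles the leading-zero form, but `mode: "0640"` removes the dependence on that parser behaviour. The restrictive mode is appropriate, since the rendered file can carry the LDAP bind password from vars/main.yml if `apache_config` is composed from `apache_ldap_config`.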
@@ -0,0 +1,135 @@
+{% if apache_use_ssl and apache_redirect_to_https %}
+
+ ServerName {{ apache_server_name }}
+ {% for alias in apache_server_aliases %}
+ ServerAlias {{ alias }}
+ {% endfor %}
+
+ ErrorLog "logs/{{ apache_server_name }}.error_log"
+ CustomLog "logs/{{ apache_server_name }}.access_log" combined
+
+ Protocols {% if apache_use_http2 %}h2c {% endif %}http/1.1
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_URI} !^\/\.well-known\/acme-challenge\/.*$
+ RewriteRule (.*) https://%{HTTP_HOST}$1 [R=permanent,L]
+
+
+{% else %}
+
+{% if apache_canonical_hostname is defined and (apache_server_aliases | length > 0) %}
+
+ {% for alias in ([apache_server_name] + apache_server_aliases) | reject('equalto', apache_canonical_hostname) | list %}
+ {% if loop.first %}
+ ServerName {{ alias }}
+ {% else %}
+ ServerAlias {{ alias }}
+ {% endif %}
+ {% endfor %}
+
+ ErrorLog "logs/{{ apache_server_name }}.error_log"
+ CustomLog "logs/{{ apache_server_name }}.access_log" combined
+
+ Protocols {% if apache_use_http2 %}h2c {% endif %}http/1.1
+
+ RedirectMatch Permanent ^(?!/\.well-known/acme-challenge/).* http://{{ apache_canonical_hostname }}/$0
+
+{% endif %}
+
+
+ {% if apache_document_root is defined %}
+ DocumentRoot "{{ apache_document_root }}"
+ {% endif %}
+
+ {% if apache_canonical_hostname is defined %}
+ ServerName {{ apache_canonical_hostname }}
+ {% else %}
+ ServerName {{ apache_server_name }}
+ {% for alias in apache_server_aliases %}
+ ServerAlias {{ alias }}
+ {% endfor %}
+ {% endif %}
+
+ ErrorLog "logs/{{ apache_server_name }}.error_log"
+ CustomLog "logs/{{ apache_server_name }}.access_log" combined
+
+ Protocols {% if apache_use_http2 %}h2c {% endif %}http/1.1
+
+ {% if apache_document_root is defined and not apache_config is search('') %}
+
+ Options +FollowSymLinks
+ AllowOverride None
+ Require all granted
+ {% if apache_autoindex %}
+ Options +Indexes
+ {% endif %}
+
+ {% endif %}
+
+ {{ apache_config }}
+
+{% endif %}
+
+{% if apache_use_ssl %}
+
+{% if apache_canonical_hostname is defined and (apache_server_aliases | length > 0) %}
+
+ {% for alias in ([apache_server_name] + apache_server_aliases) | reject('equalto', apache_canonical_hostname) | list %}
+ {% if loop.first %}
+ ServerName {{ alias }}
+ {% else %}
+ ServerAlias {{ alias }}
+ {% endif %}
+ {% endfor %}
+
+ ErrorLog "logs/{{ apache_server_name }}.error_log"
+ CustomLog "logs/{{ apache_server_name }}.access_log" combined
+
+ Protocols {% if apache_use_http2 %}h2 {% endif %}http/1.1
+
+ SSLEngine on
+ SSLCertificateFile {{ apache_certificate_path }}
+ SSLCertificateKeyFile {{ apache_certificate_key_path }}
+ Header always set Strict-Transport-Security "max-age=63072000"
+
+ Redirect permanent / https://{{ apache_canonical_hostname }}/
+
+{% endif %}
+
+
+ {% if apache_document_root is defined %}
+ DocumentRoot "{{ apache_document_root }}"
+ {% endif %}
+ {% if apache_canonical_hostname is defined %}
+ ServerName {{ apache_canonical_hostname }}
+ {% else %}
+ ServerName {{ apache_server_name }}
+ {% for alias in apache_server_aliases %}
+ ServerAlias {{ alias }}
+ {% endfor %}
+ {% endif %}
+
+ ErrorLog "logs/{{ apache_server_name }}.error_log"
+ CustomLog "logs/{{ apache_server_name }}.access_log" combined
+
+ Protocols {% if apache_use_http2 %}h2 {% endif %}http/1.1
+
+ SSLEngine on
+ SSLCertificateFile {{ apache_certificate_path }}
+ SSLCertificateKeyFile {{ apache_certificate_key_path }}
+ Header always set Strict-Transport-Security "max-age=63072000"
+
+ {% if apache_document_root is defined and not apache_config is search('') %}
+
+ Options +FollowSymLinks
+ AllowOverride None
+ Require all granted
+ {% if apache_autoindex %}
+ Options +Indexes
+ {% endif %}
+
+ {% endif %}
+
+ {{ apache_config }}
+
+{% endif %}
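Review bot: The HTTP-to-HTTPS rewrite near the top of the hunk redirects to `https://%{HTTP_HOST}$1`, which copies the client-supplied Host header into the Location response; for a named vhost Apache only routes requests whose Host matches its ServerName/ServerAlias, but when this file is rendered as the `000-default` vhost it receives every unmatched Host and that line becomes an open redirect to whatever host the client names. Pinning the default vhost to the configured name while keeping alias handling elsewhere is a one-line change: `RewriteRule (.*) https://{% if apache_default_vhost %}{{ apache_server_name }}{% else %}%{HTTP_HOST}{% endif %}$1 [R=permanent,L]`. The VirtualHost and Directory container lines, and the argument of the `search('')` test, appear blank in this rendering of the hunk, so their contents could not be reviewed here.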
@@ -0,0 +1,26 @@
+apache_certificate_path: /etc/pki/tls/certs/httpd-{{ apache_server_name }}.pem
+apache_certificate_key_path: /etc/pki/tls/private/httpd-{{ apache_server_name }}.key
+
+apache_ldap_url: "ldaps://{{ freeipa_hosts | join(' ') }}/{{ freeipa_user_basedn }}"
+apache_ldap_creds: |
+ AuthLDAPBindDN uid={{ apache_sysaccount_username }},{{ freeipa_sysaccount_basedn }}
+ AuthLDAPBindPassword {{ apache_sysaccount_password }}
+apache_ldap_config: |
+ AuthLDAPUrl "{{ apache_ldap_url }}?uid"
+ {{ apache_ldap_creds }}
+
+apache_gssapi_session_config: |
+ GssapiUseSessions On
+ Session On
+ SessionCookieName gssapi_session path=/;httponly;secure;samesite=strict
+ GssapiSessionKey file:{{ apache_gssapi_session_key }}
+
+apache_proxy_vhost_config: |
+ ProxyPreserveHost On
+ ProxyRequests Off
+apache_proxy_header_config: |
+ RequestHeader set X-Forwarded-Proto "https"
+ RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+apache_proxy_config: |
+ {{ apache_proxy_vhost_config }}
+ {{ apache_proxy_header_config }}
-- cgit
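Review bot: `apache_ldap_url` joins `freeipa_hosts` directly, so the `apache_ldap_servers` default declared in defaults/main.yml is never consulted and overriding it has no effect; build the URL from the role variable instead, `apache_ldap_url: "ldaps://{{ apache_ldap_servers | join(' ') }}/{{ freeipa_user_basedn }}"`. `apache_ldap_creds` places `apache_sysaccount_password` in a plain-text directive that ends up in the rendered vhost file; the 0640 mode set in tasks/main.yml protects it on disk, but a run with `--diff` or a `debug` of the rendered config would print the password, so the template task is a candidate for `no_log: true` when the LDAP snippet is in use. Keeping these in vars/ rather than defaults/ also gives them role-vars precedence, which suits derived values like the URL but means a play cannot override the certificate paths without `-e`.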