Role: httpd templating updates
This commit is contained in:
parent
217591d525
commit
9280faab4f
@ -1,2 +1,69 @@
|
|||||||
---
|
---
|
||||||
httpd_php: true
|
httpd_php: true
|
||||||
|
httpd_tls_site_root: /srv/roundcube/roundcubemail-{{ roundcube_version }}/public_html
|
||||||
|
httpd_optional_enabled_modules:
|
||||||
|
- deflate
|
||||||
|
- expires
|
||||||
|
- headers
|
||||||
|
httpd_tls_vhost_raw: |
|
||||||
|
<IfModule mod_rewrite.c>
|
||||||
|
Options +SymLinksIfOwnerMatch
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteRule ^favicon\.ico$ skins/elastic/images/favicon.ico
|
||||||
|
|
||||||
|
# security rules:
|
||||||
|
# - deny access to files not containing a dot or starting with a dot
|
||||||
|
# in all locations except installer directory
|
||||||
|
RewriteRule ^(?!installer|\.well-known\/|[a-zA-Z0-9]{16})(\.?[^\.]+)$ - [F]
|
||||||
|
# - deny access to some locations
|
||||||
|
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|vendor|program\/(include|lib|localization|steps)) - [F]
|
||||||
|
# - deny access to some documentation files
|
||||||
|
RewriteRule /?(README.*|CHANGELOG.*|SECURITY.*|meta\.json|composer\..*|jsdeps.json)$ - [F]
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<IfModule mod_deflate.c>
|
||||||
|
SetOutputFilter DEFLATE
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
# prefer to brotli over gzip if brotli is available
|
||||||
|
<IfModule mod_brotli.c>
|
||||||
|
SetOutputFilter BROTLI_COMPRESS
|
||||||
|
# some assets have been compressed, so no need to do it again
|
||||||
|
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|web[pm]|woff2?)$ no-brotli
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<IfModule mod_expires.c>
|
||||||
|
ExpiresActive On
|
||||||
|
ExpiresDefault "access plus 1 month"
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
FileETag MTime Size
|
||||||
|
|
||||||
|
<IfModule mod_autoindex.c>
|
||||||
|
Options -Indexes
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
<IfModule mod_headers.c>
|
||||||
|
# Disable page indexing
|
||||||
|
Header set X-Robots-Tag "noindex, nofollow"
|
||||||
|
# replace 'merge' with 'append' for Apache < 2.2.9
|
||||||
|
#Header merge Cache-Control public env=!NO_CACHE
|
||||||
|
# Optional security headers
|
||||||
|
# Only provides increased security if the browser supports those features
|
||||||
|
# Be careful! Testing is required! They should be adjusted to your installation / user environment
|
||||||
|
# HSTS - HTTP Strict Transport Security
|
||||||
|
#Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
|
||||||
|
# HPKP - HTTP Public Key Pinning
|
||||||
|
# Only template - fill with your values
|
||||||
|
#Header always set Public-Key-Pins "max-age=3600; report-uri=\"\"; pin-sha256=\"\"; pin-sha256=\"\"" env=HTTPS
|
||||||
|
# X-Xss-Protection
|
||||||
|
# This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit).
|
||||||
|
#Header set X-XSS-Protection "1; mode=block"
|
||||||
|
# X-Frame-Options
|
||||||
|
# The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks
|
||||||
|
# Already set by php code! Do not activate both options
|
||||||
|
#Header set X-Frame-Options SAMEORIGIN
|
||||||
|
# X-Content-Type-Options
|
||||||
|
# It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
|
||||||
|
#Header set X-Content-Type-Options "nosniff"
|
||||||
|
</IfModule>
|
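Review bot: The deny rules in `httpd_tls_vhost_raw` sit inside `<IfModule mod_rewrite.c>`, but `rewrite` is not in the `httpd_optional_enabled_modules` list added here (only `deflate`, `expires`, `headers`), so on a host where mod_rewrite is not already enabled the whole block is skipped silently and none of the path restrictions apply; adding `- rewrite` to that list (and `- brotli` if the brotli section is meant to be live) makes the dependency explicit. These rules also look lifted from a per-directory `.htaccess`, where the matched path has no leading slash; in `<VirtualHost>` context the URL-path starts with `/`, so `^favicon\.ico$` cannot match and the negative lookahead in the dot-file rule never sees `installer` or `.well-known/` — the third rule already allows for this with `^/?`, and the other two probably need the same prefix, which a quick request against the rendered vhost would confirm. The `X-Content-Type-Options` and HSTS headers are carried over commented out; if that is deliberate, a one-line comment saying why would save the next reader from re-deriving it.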
@ -1,8 +1,25 @@
|
|||||||
|
httpd_pkgs:
|
||||||
|
- apache2
|
||||||
|
httpd_pkgs_plugins: []
|
||||||
|
|
||||||
httpd_site_name: 'default'
|
httpd_site_name: 'default'
|
||||||
httpd_site_root: '/var/www/html'
|
httpd_site_root: '/var/www/html'
|
||||||
|
httpd_default_enabled_modules:
|
||||||
|
- ssl
|
||||||
|
httpd_optional_enabled_modules: []
|
||||||
|
|
||||||
|
httpd_tls_certbot: true
|
||||||
|
httpd_tls_auto_redirect: true
|
||||||
|
httpd_tls_certbot_additonal_args: ''
|
||||||
|
httpd_tls_site_root:
|
||||||
|
|
||||||
|
httpd_tls_vhost_default: true
|
||||||
|
|
||||||
|
httpd_tls_vhost_raw: ''
|
||||||
|
|
||||||
httpd_php: false
|
httpd_php: false
|
||||||
httpd_php_version: 8.3
|
httpd_php_version: 8.3
|
||||||
|
httpd_php_socket: '/run/php/php{{ httpd_php_version }}-fpm.sock'
|
||||||
httpd_php_pkgs:
|
httpd_php_pkgs:
|
||||||
- php
|
- php
|
||||||
- php-fpm
|
- php-fpm
|
||||||
@ -13,4 +30,7 @@ httpd_php_pkgs:
|
|||||||
- php-mbstring
|
- php-mbstring
|
||||||
- php-xml
|
- php-xml
|
||||||
- php-zip
|
- php-zip
|
||||||
|
httpd_php_enabled_modules:
|
||||||
|
- proxy_fcgi
|
||||||
|
- setenvif
|
||||||
|
- php{{ httpd_php_version }}
|
||||||
|
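Review bot: `httpd_tls_site_root:` is added with no value, which YAML reads as null rather than an empty string, and `tls_vhost.conf.j2` uses it unconditionally for `DocumentRoot` and `<Directory>`; defaulting it to the plain site root, `httpd_tls_site_root: "{{ httpd_site_root }}"`, keeps the rendered vhost valid when a consumer does not override it. The new `httpd_tls_certbot_additonal_args` key carries a typo (`additonal`) that is now part of the role's variable interface and is repeated in `httpd_certbot_tls.yml`; renaming it to `httpd_tls_certbot_additional_args` is cheap now and costly once playbooks depend on it. `httpd_tls_auto_redirect: true` is also introduced here, but nothing visible in this commit reads it.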
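--- /dev/null
+++ b/ANSIBLE/roles/httpd/tasks/httpd_certbot_tls.yml
@@ -0,0 +1,20 @@
+---
+- name: Install Certbot and Apache plugin
+  ansible.builtin.apt:
+    name:
+      - certbot
+      - python3-certbot-apache
+    state: present
+- name: Ensure Apache is running and enabled
+  ansible.builtin.service:
+    name: apache2
+    state: started
+    enabled: true
+- name: Obtain Let's Encrypt certificate using certbot
+  ansible.builtin.command: >
+    certbot --apache -n --agree-tos --redirect
+    -d {{ httpd_site_name }}
+    --email {{ admin_email }} {{ httpd_tls_certbot_additonal_args }}
+  args:
+    creates: "/etc/letsencrypt/live/{{ httpd_site_name }}/fullchain.pem"
+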
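Review bot: `--redirect` is hard-coded on the certbot command even though the defaults gain `httpd_tls_auto_redirect`, so that variable cannot influence the run; `{{ '--redirect' if httpd_tls_auto_redirect else '--no-redirect' }}` in place of the literal flag would wire it up. Because `--apache --redirect` edits the HTTP vhost that `httpd_default_config.yml` renders from `vhost.conf.j2` on every run, the next run of the role will rewrite that file (and report `changed`), undoing certbot's redirect, while `httpd_vhost_tls.yml` disables the `-le-ssl` vhost certbot created — so the installer's edits are discarded either way. `certbot certonly --apache` (or `--webroot`) obtains the certificate without touching Apache configuration, with the redirect rendered from `httpd_tls_auto_redirect` inside `vhost.conf.j2` instead, which keeps the role idempotent. The 'Ensure Apache is running and enabled' task here duplicates the one appended to `httpd_install.yml` in this same commit, which `main.yml` always includes first, so this copy can go.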
@ -11,12 +11,21 @@
|
|||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: httpd/vhost.conf.j2
|
src: httpd/vhost.conf.j2
|
||||||
dest: "/etc/apache2/sites-available/{{ httpd_site_name }}.conf"
|
dest: "/etc/apache2/sites-available/{{ httpd_site_name }}.conf"
|
||||||
|
owner: www-data
|
||||||
|
group: www-data
|
||||||
|
mode: '0644'
|
||||||
notify: Reload Apache
|
notify: Reload Apache
|
||||||
|
|
||||||
- name: Enable site
|
- name: "Enable http site {{ httpd_site_name }}"
|
||||||
ansible.builtin.command: "a2ensite {{ httpd_site_name }}"
|
ansible.builtin.command: "a2ensite {{ httpd_site_name }}"
|
||||||
|
args:
|
||||||
|
creates: "/etc/apache2/sites-enabled/{{ httpd_site_name }}.conf"
|
||||||
notify: Reload Apache
|
notify: Reload Apache
|
||||||
|
|
||||||
- name: Enable SSL module
|
- name: Enable modules
|
||||||
ansible.builtin.command: a2enmod ssl
|
ansible.builtin.command: " a2enmod {{ item }}"
|
||||||
|
args:
|
||||||
|
creates: "/etc/apache2/mods-enabled/{{ item }}*"
|
||||||
|
loop: "{{ httpd_default_enabled_modules + httpd_optional_enabled_modules }}"
|
||||||
notify: Reload Apache
|
notify: Reload Apache
|
||||||
|
|
||||||
|
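Review bot: The vhost template task now sets `owner: www-data` / `group: www-data` on `/etc/apache2/sites-available/{{ httpd_site_name }}.conf`, which gives the unprivileged account the web server runs as write access to configuration that Apache loads as root; a compromised www-data process should never be able to rewrite the server's own config. Keep configuration under `/etc/apache2` at `owner: root`, `group: root`, `mode: '0644'` — the same applies to the `_tls.conf` template task in `httpd_vhost_tls.yml`. Separately, `" a2enmod {{ item }}"` carries a leading space inside the quotes; it is harmless to the command module's argument splitting but reads like a mistake.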
@ -1,17 +1,10 @@
|
|||||||
---
|
---
|
||||||
- name: Install Apache2
|
- name: Install Apache2 and plugins
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: apache2
|
name: "{{ httpd_pkgs + httpd_pkgs_plugins }}"
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
|
|
||||||
- name: Install Certbot and Apache plugin
|
|
||||||
ansible.builtin.apt:
|
|
||||||
name:
|
|
||||||
- certbot
|
|
||||||
- python3-certbot-apache
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Ensure site root exists
|
- name: Ensure site root exists
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ httpd_site_root }}"
|
path: "{{ httpd_site_root }}"
|
||||||
@ -20,3 +13,9 @@
|
|||||||
group: www-data
|
group: www-data
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
|
|
||||||
|
- name: Ensure Apache is running and enabled
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: apache2
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
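--- /dev/null
+++ b/ANSIBLE/roles/httpd/tasks/httpd_vhost_tls.yml
@@ -0,0 +1,19 @@
+---
+- name: "Disable Certbot autocreated {{ httpd_site_name }}-le-ssl"
+  ansible.builtin.command: "a2dissite {{ httpd_site_name }}-le-ssl"
+  args:
+    removes: "/etc/apache2/sites-enabled/{{ httpd_site_name }}-le-ssl.conf"
+  notify: Reload Apache
+- name: Create Apache TLS virtual host config
+  ansible.builtin.template:
+    src: httpd/tls_vhost.conf.j2
+    dest: "/etc/apache2/sites-available/{{ httpd_site_name }}_tls.conf"
+    owner: www-data
+    group: www-data
+    mode: '0644'
+  notify: Reload Apache
+- name: "Enable http site {{ httpd_site_name }}_tls"
+  ansible.builtin.command: "a2ensite {{ httpd_site_name }}_tls"
+  args:
+    creates: "/etc/apache2/sites-enabled/{{ httpd_site_name }}_tls.conf"
+  notify: Reload Apache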
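Review bot: The task name `"Enable http site {{ httpd_site_name }}_tls"` describes the TLS vhost as an http site, which is confusing in a file whose first task talks about the `-le-ssl` site; `"Enable TLS site {{ httpd_site_name }}_tls"` matches the `_tls` suffix and the file's purpose. The `a2dissite` task also only removes the enabled symlink, so certbot's generated `-le-ssl.conf` stays in `sites-available`; if that is intentional, a short comment saying the file is kept for certbot's bookkeeping would help the next reader.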
@ -4,21 +4,11 @@
|
|||||||
ansible.builtin.include_tasks: httpd_install.yml
|
ansible.builtin.include_tasks: httpd_install.yml
|
||||||
- name: Apache2 Default Config
|
- name: Apache2 Default Config
|
||||||
ansible.builtin.include_tasks: httpd_default_config.yml
|
ansible.builtin.include_tasks: httpd_default_config.yml
|
||||||
|
- name: Certbot TLS
|
||||||
- name: Ensure Apache is running and enabled
|
when: httpd_tls_certbot
|
||||||
ansible.builtin.service:
|
ansible.builtin.include_tasks: httpd_certbot_tls.yml
|
||||||
name: apache2
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
- name: Obtain Let's Encrypt certificate using certbot
|
|
||||||
ansible.builtin.command: >
|
|
||||||
certbot --apache -n --agree-tos --redirect
|
|
||||||
-d {{ httpd_site_name }}
|
|
||||||
--email {{ admin_email }}
|
|
||||||
args:
|
|
||||||
creates: "/etc/letsencrypt/live/{{ httpd_site_name }}/fullchain.pem"
|
|
||||||
|
|
||||||
- name: PHP Application
|
- name: PHP Application
|
||||||
when: httpd_php
|
when: httpd_php
|
||||||
ansible.builtin.include_tasks: php.yml
|
ansible.builtin.include_tasks: php.yml
|
||||||
|
- name: TLS Enabled Site
|
||||||
|
ansible.builtin.include_tasks: httpd_vhost_tls.yml
|
||||||
|
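Review bot: The new `TLS Enabled Site` include has no `when:`, so `httpd_vhost_tls.yml` runs even with `httpd_tls_certbot: false`, while the template it renders hard-codes `SSLCertificateFile`/`SSLCertificateKeyFile` under `/etc/letsencrypt/live/{{ httpd_site_name }}/` and includes `/etc/letsencrypt/options-ssl-apache.conf`; on a host where certbot never ran, enabling that site leaves Apache unable to pass configtest on the next reload. Either gate the include with `when: httpd_tls_certbot`, or introduce certificate/key path variables that default to the letsencrypt locations so a consumer bringing its own certificate can point the template elsewhere.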
@ -6,12 +6,12 @@
|
|||||||
update_cache: true
|
update_cache: true
|
||||||
- name: Enable Apache modules for PHP-FPM
|
- name: Enable Apache modules for PHP-FPM
|
||||||
ansible.builtin.command: a2enmod {{ item }}
|
ansible.builtin.command: a2enmod {{ item }}
|
||||||
loop:
|
args:
|
||||||
- proxy_fcgi
|
creates: "/etc/apache2/mods-enabled/{{ item }}*"
|
||||||
- setenvif
|
loop: "{{ httpd_php_enabled_modules }}"
|
||||||
- php{{ httpd_php_version }} # or php8.1 depending on your distro
|
|
||||||
notify: Reload Apache
|
notify: Reload Apache
|
||||||
ignore_errors: true # in case some modules aren't available
|
ignore_errors: true # in case some modules aren't available
|
||||||
|
register: httpd_php_modules_errors
|
||||||
|
|
||||||
- name: Ensure PHP-FPM service is running
|
- name: Ensure PHP-FPM service is running
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
@ -29,4 +29,3 @@
|
|||||||
mode: '0644'
|
mode: '0644'
|
||||||
notify: Restart PHP-FPM
|
notify: Restart PHP-FPM
|
||||||
|
|
||||||
|
|
||||||
|
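Review bot: `ignore_errors: true` on the `a2enmod` loop now also covers `proxy_fcgi` and `setenvif`, the two modules the FPM `SetHandler "proxy:unix:..."` in `tls_vhost.conf.j2` depends on; if enabling either fails the play continues and `.php` requests reach Apache without a proxy handler, a failure that should stop the run rather than be recorded in `httpd_php_modules_errors`, which nothing visible reads. If the intent is only to tolerate the `php{{ httpd_php_version }}` item (as the comment suggests), scope the tolerance to it: drop `ignore_errors` and add `failed_when: httpd_php_modules_errors.rc != 0 and item != ('php' ~ httpd_php_version)`. Note that `php{{ httpd_php_version }}` is the mod_php module; enabling it next to `proxy_fcgi` gives Apache two PHP handlers and, on Debian-family hosts, `a2enmod` typically refuses it while the event MPM is active, so it may be better left out of `httpd_php_enabled_modules` when PHP-FPM is the target.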
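--- /dev/null
+++ b/ANSIBLE/roles/httpd/templates/httpd/tls_vhost.conf.j2
@@ -0,0 +1,33 @@
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  # General vhost config
+  ServerName {{ httpd_site_name }}
+  DocumentRoot {{ httpd_tls_site_root }}
+  #TLS Config
+  SSLCertificateFile /etc/letsencrypt/live/{{ httpd_site_name }}/fullchain.pem
+  SSLCertificateKeyFile /etc/letsencrypt/live/{{ httpd_site_name }}/privkey.pem
+  Include /etc/letsencrypt/options-ssl-apache.conf
+  # Standardised Access & error Logging locations
+  ErrorLog ${APACHE_LOG_DIR}/{{ httpd_site_name }}_error.log
+  CustomLog ${APACHE_LOG_DIR}/{{ httpd_site_name }}_access.log combined
+{% if httpd_tls_vhost_default %}
+  <Directory {{ httpd_tls_site_root }} >
+    Options Indexes FollowSymLinks
+    AllowOverride All
+    Require all granted
+{% if httpd_php %}
+    <FilesMatch \.php$>
+      SetHandler "proxy:unix:{{ httpd_php_socket }}|fcgi://localhost/"
+    </FilesMatch>
+{% endif %}
+  </Directory>
+{% endif %}
+
+{% if httpd_tls_vhost_raw != '' %}
+
+{{ httpd_tls_vhost_raw }}
+
+{% endif %}
+
+</VirtualHost>
+</IfModule>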
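Review bot: `Options Indexes FollowSymLinks` in the `<Directory {{ httpd_tls_site_root }} >` block enables directory listings for the document root, and because `<Directory>` settings take precedence over vhost-level ones, the `Options -Indexes` that `httpd_tls_vhost_raw` may inject further down has no effect on that directory; `Options -Indexes +FollowSymLinks` is the safer default, with `Indexes` left to a consumer who needs it. `AllowOverride All` together with `Require all granted` is also broad for a role default that already renders rewrite rules into the vhost; `AllowOverride None` would be the tighter choice, but whether consumers still rely on `.htaccess` is not visible here, so at minimum a comment stating the choice would help. Quote the templated path, `<Directory "{{ httpd_tls_site_root }}">`, so a root containing a space does not break the directive, and drop the stray space before `>`.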
@ -3,7 +3,7 @@
|
|||||||
user = www-data
|
user = www-data
|
||||||
group = www-data
|
group = www-data
|
||||||
|
|
||||||
listen = /run/php/php{{ httpd_php_version }}-fpm.sock
|
listen = {{ httpd_php_socket }}
|
||||||
|
|
||||||
listen.owner = www-data
|
listen.owner = www-data
|
||||||
listen.group = www-data
|
listen.group = www-data
|
||||||
|