From b0e6b7ed5a5ca1660cbffa1cd3e809ef2523225f Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Tue, 29 Dec 2015 16:46:39 -0600
Subject: [PATCH 1/6] Always run apt-get update inside Docker containers.
---
tests/Dockerfile.ubuntu-12.04 | 1 +
tests/Dockerfile.ubuntu-14.04 | 1 +
2 files changed, 2 insertions(+)
diff --git a/tests/Dockerfile.ubuntu-12.04 b/tests/Dockerfile.ubuntu-12.04
index 40be740..d0c130c 100644
--- a/tests/Dockerfile.ubuntu-12.04
+++ b/tests/Dockerfile.ubuntu-12.04
@@ -1,4 +1,5 @@
FROM ubuntu:12.04
+RUN apt-get update
# Install Ansible
RUN apt-get install -y software-properties-common python-software-properties git
diff --git a/tests/Dockerfile.ubuntu-14.04 b/tests/Dockerfile.ubuntu-14.04
index 1475a46..ca33287 100644
--- a/tests/Dockerfile.ubuntu-14.04
+++ b/tests/Dockerfile.ubuntu-14.04
@@ -1,4 +1,5 @@
FROM ubuntu:14.04
+RUN apt-get update
# Install Ansible
RUN apt-get install -y software-properties-common git
From 2f9c001145a12255432eda38fa29f107f25ef25b Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Sat, 2 Jan 2016 22:25:49 -0600
Subject: [PATCH 2/6] Fixes #28: Allow for virtualhost without documentroot.
---
templates/vhosts-2.2.conf.j2 | 2 ++
templates/vhosts-2.4.conf.j2 | 2 ++
2 files changed, 4 insertions(+)
diff --git a/templates/vhosts-2.2.conf.j2 b/templates/vhosts-2.2.conf.j2
index 3368d65..6fd67aa 100644
--- a/templates/vhosts-2.2.conf.j2
+++ b/templates/vhosts-2.2.conf.j2
@@ -7,7 +7,9 @@
{% if vhost.serveralias is defined %}
ServerAlias {{ vhost.serveralias }}
{% endif %}
+{% if vhost.documentroot is defined %}
DocumentRoot {{ vhost.documentroot }}
+{% endif %}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
diff --git a/templates/vhosts-2.4.conf.j2 b/templates/vhosts-2.4.conf.j2
index 3151a59..602cf3f 100644
--- a/templates/vhosts-2.4.conf.j2
+++ b/templates/vhosts-2.4.conf.j2
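Review bot: Putting `RUN apt-get update` in its own layer ahead of `RUN apt-get install …` in tests/Dockerfile.ubuntu-12.04 bakes the package index into a cached layer, so a later rebuild that only edits the install line reuses the stale index and can fail on moved packages or install outdated ones. The usual form is a single instruction, `RUN apt-get update && apt-get install -y software-properties-common python-software-properties git`, so the two always run together. The same applies to the tests/Dockerfile.ubuntu-14.04 hunk below. These are test images only, so the impact is build reproducibility rather than the deployed role.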
@@ -7,7 +7,9 @@
{% if vhost.serveralias is defined %}
ServerAlias {{ vhost.serveralias }}
{% endif %}
+{% if vhost.documentroot is defined %}
DocumentRoot {{ vhost.documentroot }}
+{% endif %}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
From 554c74730ccf45fd0f76ad10b62f5c44fa684c0d Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Sat, 2 Jan 2016 22:46:25 -0600
Subject: [PATCH 3/6] Actually fixes #28: Allow for virtualhost without documentroot.
---
templates/vhosts-2.2.conf.j2 | 6 ++++++
templates/vhosts-2.4.conf.j2 | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/templates/vhosts-2.2.conf.j2 b/templates/vhosts-2.2.conf.j2
index 6fd67aa..4f922f4 100644
--- a/templates/vhosts-2.2.conf.j2
+++ b/templates/vhosts-2.2.conf.j2
@@ -14,12 +14,14 @@
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
+{% if vhost.documentroot is defined %}
AllowOverride All
Options -Indexes FollowSymLinks
Order allow,deny
Allow from all
+{% endif %}
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters }}
{% endif %}
@@ -34,7 +36,9 @@
{% if vhost.serveralias is defined %}
ServerAlias {{ vhost.serveralias }}
{% endif %}
+{% if vhost.documentroot is defined %}
DocumentRoot {{ vhost.documentroot }}
+{% endif %}
SSLEngine on
SSLCipherSuite {{ apache_ssl_cipher_suite }}
@@ -49,12 +53,14 @@
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
+{% if vhost.documentroot is defined %}
AllowOverride All
Options -Indexes FollowSymLinks
Order allow,deny
Allow from all
+{% endif %}
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters }}
{% endif %}
diff --git a/templates/vhosts-2.4.conf.j2 b/templates/vhosts-2.4.conf.j2
index 602cf3f..fe1b3b8 100644
--- a/templates/vhosts-2.4.conf.j2
+++ b/templates/vhosts-2.4.conf.j2
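Review bot: Skipping the DocumentRoot and Directory block when `vhost.documentroot` is undefined does not leave the vhost with nothing to serve: as far as I recall Apache's documented inheritance, a VirtualHost that sets no DocumentRoot takes the main server's (typically the distro's default docroot), and that directory's access rules then apply to this vhost, which may not be what a user who deliberately omitted documentroot expects. That is worth stating next to the new guard in templates/vhosts-2.2.conf.j2, e.g. `{# No documentroot: the vhost inherits the main server's DocumentRoot; use extra_parameters (Redirect/ProxyPass) to define what it serves. #}`, and in the README entry for apache_vhosts. The same guard is repeated in the other two hunks of this file and in the three hunks of templates/vhosts-2.4.conf.j2; a small Jinja macro, or one `{% set has_docroot = vhost.documentroot is defined %}` per loop iteration, would keep the six copies from drifting.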
@@ -14,11 +14,13 @@
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
+{% if vhost.documentroot is defined %}
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
+{% endif %}
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters }}
{% endif %}
@@ -33,7 +35,9 @@
{% if vhost.serveralias is defined %}
ServerAlias {{ vhost.serveralias }}
{% endif %}
+{% if vhost.documentroot is defined %}
DocumentRoot {{ vhost.documentroot }}
+{% endif %}
SSLEngine on
SSLCipherSuite {{ apache_ssl_cipher_suite }}
@@ -49,11 +53,13 @@
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
+{% if vhost.documentroot is defined %}
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
+{% endif %}
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters }}
{% endif %}
From 49f6feb4d90e83f65908d21f22209ef81c3a59cb Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Thu, 14 Jan 2016 21:04:09 -0600
Subject: [PATCH 4/6] Add notes about using geerlingguy.apache-php-fpm role with this role.
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index cd4ade4..f173879 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@ An Ansible Role that installs Apache 2.x on RHEL/CentOS and Debian/Ubuntu.
If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.
+If you are using Apache with PHP, I recommend using the `geerlingguy.php` role to install PHP, and you can either use mod_php (by adding the proper package, e.g. `libapache2-mod-php5` for Ubuntu, to `php_packages`), or by also using `geerlingguy.apache-php-fpm` to connect Apache to PHP via FPM. See that role's README for more info.
+
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
From 097ddd2eb46c2cd74142a1bf519486e15f4408ea Mon Sep 17 00:00:00 2001
From: Andreas Wolf
Date: Sat, 16 Jan 2016 16:55:07 +0100
Subject: [PATCH 5/6] Only create vHosts if certificate exists
---
README.md | 4 ++++
defaults/main.yml | 2 ++
tasks/configure-Debian.yml | 5 +++++
tasks/configure-RedHat.yml | 5 +++++
templates/vhosts-2.4.conf.j2 | 2 ++
5 files changed, 18 insertions(+)
diff --git a/README.md b/README.md
index f173879..d9bf1b9 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,10 @@ The list of packages to be installed. This defaults to a set of platform-specifi
Set initial Apache daemon state to be enforced when this role is run. This should generally remain `started`, but you can set it to `stopped` if you need to fix the Apache config during a playbook run or otherwise would not like Apache started at the time this role is run.
+ apache_ignore_missing_ssl_certificate: true
+
+Create SSL vHosts regardless of whether their certificate exists or not. It might be handy to set this to `false` if you e.g. use Let’s encrypt, which triggers certificate generation with a running webserver. You might need to run your playbook multiple times to really get all SSL vHosts going if another part of your playbook takes care of certificate generation. (but OTOH Apache won’t complain about missing certificates anymore).
+
## Dependencies
None.
diff --git a/defaults/main.yml b/defaults/main.yml
index d827d1a..84f95a3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -28,6 +28,8 @@ apache_vhosts_ssl: []
# # Optional.
# certificate_chain_file: "/path/to/certificate_chain.crt"
+apache_ignore_missing_ssl_certificate: true
+
apache_ssl_protocol: "All -SSLv2 -SSLv3"
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
diff --git a/tasks/configure-Debian.yml b/tasks/configure-Debian.yml
index b39e191..8a3abfe 100644
--- a/tasks/configure-Debian.yml
+++ b/tasks/configure-Debian.yml
@@ -23,6 +23,11 @@
with_items: apache_mods_disabled
notify: restart apache
+- name: Check whether certificates defined in vhosts exist.
+ stat: path={{ item.certificate_file }}
+ register: apache_ssl_certificates
+ with_items: apache_vhosts_ssl
+
- name: Add apache vhosts configuration.
template:
src: "vhosts-{{ apache_vhosts_version }}.conf.j2"
diff --git a/tasks/configure-RedHat.yml b/tasks/configure-RedHat.yml
index 695a9cf..3df9692 100644
--- a/tasks/configure-RedHat.yml
+++ b/tasks/configure-RedHat.yml
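Review bot: The new stat task in tasks/configure-Debian.yml checks only `item.certificate_file`, so a vhost whose certificate is present but whose `certificate_key_file` is still missing is rendered anyway and Apache then refuses to start on the absent key, which is the failure the new variable is meant to avoid; a second stat over the key paths (or one loop over both paths per vhost) registered next to this one would close that gap. `stat: path={{ item.certificate_file }}` uses the key=value shorthand while the neighbouring template task uses block YAML, and the shorthand splits on whitespace, so a path containing a space fails; `stat:` / `  path: "{{ item.certificate_file }}"` avoids both. The stat module also checksums the file by default, which an existence check does not need; `get_checksum: false` keeps the task cheap. The same task appears verbatim in the tasks/configure-RedHat.yml hunk; a shared tasks file included from both would stop the two copies drifting apart.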
@@ -8,6 +8,11 @@
with_items: apache_ports_configuration_items
notify: restart apache
+- name: Check whether certificates defined in vhosts exist.
+ stat: path={{ item.certificate_file }}
+ register: apache_ssl_certificates
+ with_items: apache_vhosts_ssl
+
- name: Add apache vhosts configuration.
template:
src: "vhosts-{{ apache_vhosts_version }}.conf.j2"
diff --git a/templates/vhosts-2.4.conf.j2 b/templates/vhosts-2.4.conf.j2
index fe1b3b8..c120fc2 100644
--- a/templates/vhosts-2.4.conf.j2
+++ b/templates/vhosts-2.4.conf.j2
@@ -30,6 +30,7 @@
{# Set up SSL VirtualHosts #}
{% for vhost in apache_vhosts_ssl %}
+{% if apache_ignore_missing_ssl_certificate or apache_ssl_certificates.results[loop.index0].stat.exists %}
ServerName {{ vhost.servername }}
{% if vhost.serveralias is defined %}
@@ -65,4 +66,5 @@
{% endif %}
+{% endif %}
{% endfor %}
From 4e1dc8434aab847b8755c9f31d423d5ca2d83d81 Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Mon, 18 Jan 2016 10:40:40 -0600
Subject: [PATCH 6/6] PR #69: Adjust the wording for new variable.
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d9bf1b9..a505193 100644
--- a/README.md
+++ b/README.md
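Review bot: The certificate guard is added only to templates/vhosts-2.4.conf.j2, so when the task files render `vhosts-{{ apache_vhosts_version }}.conf.j2` with the 2.2 template, `apache_ignore_missing_ssl_certificate: false` is silently ignored while the README documents the variable without qualification; either port the same `{% if %}`/`{% endif %}` pair to templates/vhosts-2.2.conf.j2 or say in the README that it applies to the 2.4 template only. The condition also ties the template to the stat task by position, `apache_ssl_certificates.results[loop.index0]`, which only holds because both iterate `apache_vhosts_ssl` in the same order; a comment saying so would stop a future filter or reorder on the stat loop from quietly pairing the wrong result with a vhost, e.g. `{# results[] is positional: the stat task in tasks/configure-*.yml loops over apache_vhosts_ssl in this same order #}`. The matching `{% endif %}` is in the second hunk of this file (`@@ -65,4 +66,5 @@`).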
@@ -94,7 +94,7 @@ Set initial Apache daemon state to be enforced when this role is run. This shoul
apache_ignore_missing_ssl_certificate: true
-Create SSL vHosts regardless of whether their certificate exists or not. It might be handy to set this to `false` if you e.g. use Let’s encrypt, which triggers certificate generation with a running webserver. You might need to run your playbook multiple times to really get all SSL vHosts going if another part of your playbook takes care of certificate generation. (but OTOH Apache won’t complain about missing certificates anymore).
+If you would like to only create SSL vhosts when the vhost certificate is present (e.g. when using Let’s Encrypt), set `apache_ignore_missing_ssl_certificate` to `false`. When doing this, you might need to run your playbook more than once so all the vhosts are configured (if another part of the playbook generates the SSL certificates).
## Dependencies