From 49f6feb4d90e83f65908d21f22209ef81c3a59cb Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Thu, 14 Jan 2016 21:04:09 -0600
Subject: [PATCH 1/3] Add notes about using geerlingguy.apache-php-fpm role with this role.
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index cd4ade4..f173879 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,8 @@ An Ansible Role that installs Apache 2.x on RHEL/CentOS and Debian/Ubuntu.
 If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.
+If you are using Apache with PHP, I recommend using the `geerlingguy.php` role to install PHP, and you can either use mod_php (by adding the proper package, e.g. `libapache2-mod-php5` for Ubuntu, to `php_packages`), or by also using `geerlingguy.apache-php-fpm` to connect Apache to PHP via FPM. See that role's README for more info.
+
 ## Role Variables
 Available variables are listed below, along with default values (see `defaults/main.yml`):
From 097ddd2eb46c2cd74142a1bf519486e15f4408ea Mon Sep 17 00:00:00 2001
From: Andreas Wolf
Date: Sat, 16 Jan 2016 16:55:07 +0100
Subject: [PATCH 2/3] Only create vHosts if certificate exists
---
 README.md | 4 ++++
 defaults/main.yml | 2 ++
 tasks/configure-Debian.yml | 5 +++++
 tasks/configure-RedHat.yml | 5 +++++
 templates/vhosts-2.4.conf.j2 | 2 ++
 5 files changed, 18 insertions(+)
diff --git a/README.md b/README.md
index f173879..d9bf1b9 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,10 @@ The list of packages to be installed. This defaults to a set of platform-specifi
 Set initial Apache daemon state to be enforced when this role is run. This should generally remain `started`, but you can set it to `stopped` if you need to fix the Apache config during a playbook run or otherwise would not like Apache started at the time this role is run.
+ apache_ignore_missing_ssl_certificate: true
+
+Create SSL vHosts regardless of whether their certificate exists or not. It might be handy to set this to `false` if you e.g. use Let’s encrypt, which triggers certificate generation with a running webserver. You might need to run your playbook multiple times to really get all SSL vHosts going if another part of your playbook takes care of certificate generation. (but OTOH Apache won’t complain about missing certificates anymore).
+
 ## Dependencies
 None.
diff --git a/defaults/main.yml b/defaults/main.yml
index d827d1a..84f95a3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -28,6 +28,8 @@ apache_vhosts_ssl: []
 # # Optional.
 # certificate_chain_file: "/path/to/certificate_chain.crt"
+apache_ignore_missing_ssl_certificate: true
+
 apache_ssl_protocol: "All -SSLv2 -SSLv3"
 apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
diff --git a/tasks/configure-Debian.yml b/tasks/configure-Debian.yml
index b39e191..8a3abfe 100644
--- a/tasks/configure-Debian.yml
+++ b/tasks/configure-Debian.yml
@@ -23,6 +23,11 @@
 with_items: apache_mods_disabled
 notify: restart apache
+- name: Check whether certificates defined in vhosts exist.
+ stat: path={{ item.certificate_file }}
+ register: apache_ssl_certificates
+ with_items: apache_vhosts_ssl
+
 - name: Add apache vhosts configuration.
 template:
 src: "vhosts-{{ apache_vhosts_version }}.conf.j2"
diff --git a/tasks/configure-RedHat.yml b/tasks/configure-RedHat.yml
index 695a9cf..3df9692 100644
--- a/tasks/configure-RedHat.yml
+++ b/tasks/configure-RedHat.yml
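Review bot: `apache_ignore_missing_ssl_certificate: true` is added to defaults/main.yml without a comment, and its name is a negation that makes the effect of each value easy to misread (true means "render the vhost anyway"). I would put a short comment above it in the style of the surrounding stanza: `# When true, SSL vhosts are rendered even if their certificate_file does not exist yet; set to false to skip such vhosts until the certificate is in place.` Defaulting to true preserves the previous behaviour, which is reasonable for a role whose README says the user supplies the certificates, but a consumer who flips it to false should know from the comment that a skipped vhost is simply omitted from the rendered config rather than reported, since the template change adds only an `{% if %}`/`{% endif %}` pair with no else branch.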
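Review bot: The new stat task only examines `item.certificate_file`, so a vhost whose certificate exists but whose `certificate_key_file` (or optional `certificate_chain_file`) is still missing is rendered anyway, and Apache will refuse to start on the resulting config, which is exactly the partially-provisioned state this option is meant to survive. I would stat the key file as well and require both to exist, and switch `stat: path={{ item.certificate_file }}` to the native YAML form used by the neighbouring `template:` task, since the key=value shorthand splits on whitespace and leaves the Jinja expression unquoted. As far as I recall the stat module does not follow symlinks by default, so a dangling link (typical of a certbot `live/` directory) would report `exists: true`; `follow: true` makes the check match what Apache will actually open. The template condition would then become `{% if apache_ignore_missing_ssl_certificate or (apache_ssl_certificates.results[loop.index0].stat.exists and apache_ssl_certificate_keys.results[loop.index0].stat.exists) %}`.
```yaml
- name: Check whether certificates defined in vhosts exist.
  stat:
    path: "{{ item.certificate_file }}"
    follow: true
  register: apache_ssl_certificates
  with_items: apache_vhosts_ssl

- name: Check whether certificate keys defined in vhosts exist.
  stat:
    path: "{{ item.certificate_key_file }}"
    follow: true
  register: apache_ssl_certificate_keys
  with_items: apache_vhosts_ssl

# … unchanged: Add apache vhosts configuration task …
```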
@@ -8,6 +8,11 @@
 with_items: apache_ports_configuration_items
 notify: restart apache
+- name: Check whether certificates defined in vhosts exist.
+ stat: path={{ item.certificate_file }}
+ register: apache_ssl_certificates
+ with_items: apache_vhosts_ssl
+
 - name: Add apache vhosts configuration.
 template:
 src: "vhosts-{{ apache_vhosts_version }}.conf.j2"
diff --git a/templates/vhosts-2.4.conf.j2 b/templates/vhosts-2.4.conf.j2
index fe1b3b8..c120fc2 100644
--- a/templates/vhosts-2.4.conf.j2
+++ b/templates/vhosts-2.4.conf.j2
@@ -30,6 +30,7 @@
 {# Set up SSL VirtualHosts #}
 {% for vhost in apache_vhosts_ssl %}
+{% if apache_ignore_missing_ssl_certificate or apache_ssl_certificates.results[loop.index0].stat.exists %}
 ServerName {{ vhost.servername }}
 {% if vhost.serveralias is defined %}
@@ -65,4 +66,5 @@
 {% endif %}
+{% endif %}
 {% endfor %}
From 4e1dc8434aab847b8755c9f31d423d5ca2d83d81 Mon Sep 17 00:00:00 2001
From: Jeff Geerling
Date: Mon, 18 Jan 2016 10:40:40 -0600
Subject: [PATCH 3/3] PR #69: Adjust the wording for new variable.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d9bf1b9..a505193 100644
--- a/README.md
+++ b/README.md
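Review bot: This stat task is byte-for-byte the one added to tasks/configure-Debian.yml in the same commit, and nothing in it is OS-specific (it only reads `apache_vhosts_ssl` and registers `apache_ssl_certificates`), so the two copies will drift the first time one is touched. I would keep a single copy in the task list that dispatches to these per-OS files (presumably tasks/main.yml, which is outside this patch), before the OS-specific include, or at least in a small tasks/ssl-certificates.yml included from both. The same gap as in the Debian copy applies here: only `certificate_file` is checked, so a vhost with a present certificate but an absent `certificate_key_file` is still rendered and will keep Apache from starting. The `Add apache vhosts configuration.` task that consumes the register continues outside the hunk.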
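Review bot: The guard is added only to vhosts-2.4.conf.j2, but the task that renders it selects `vhosts-{{ apache_vhosts_version }}.conf.j2`, so on a host set to another version (presumably a vhosts-2.2.conf.j2 exists given the parameterised name; it is not touched by this patch) `apache_ignore_missing_ssl_certificate: false` silently does nothing, and the README does not say so. Either mirror the `{% if %}`/`{% endif %}` pair in the other template or state the 2.4-only limitation next to the variable in the README. The condition also depends on `apache_ssl_certificates.results` being in the same order as `apache_vhosts_ssl`, which as far as I know holds for a `with_items` register but deserves a line of Jinja comment above the `{% if %}`: `{# Skip this vhost when its certificate is absent, unless apache_ignore_missing_ssl_certificate is set; results are indexed in apache_vhosts_ssl order. #}`. The `{% for %}` loop this guards continues past the hunk and is closed by the second hunk below.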
@@ -94,7 +94,7 @@ Set initial Apache daemon state to be enforced when this role is run. This shoul
 apache_ignore_missing_ssl_certificate: true
-Create SSL vHosts regardless of whether their certificate exists or not. It might be handy to set this to `false` if you e.g. use Let’s encrypt, which triggers certificate generation with a running webserver. You might need to run your playbook multiple times to really get all SSL vHosts going if another part of your playbook takes care of certificate generation. (but OTOH Apache won’t complain about missing certificates anymore).
+If you would like to only create SSL vhosts when the vhost certificate is present (e.g. when using Let’s Encrypt), set `apache_ignore_missing_ssl_certificate` to `false`. When doing this, you might need to run your playbook more than once so all the vhosts are configured (if another part of the playbook generates the SSL certificates).
 ## Dependencies