Issue #17: SSL Support.

2024-12-22 02:50:19 +01:00 · 2014-11-05 10:07:20 -06:00 · 2014-11-05 10:07:20 -06:00 · 8abd97bb32
commit 8abd97bb32
parent a0e4fe4c6e
4 changed files with 110 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -6,7 +6,7 @@ An Ansible Role that installs Apache 2.x on RHEL/CentOS and Debian/Ubuntu.

 ## Requirements

-None.
+If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.

 ## Role Variables

@ -17,8 +17,9 @@ Available variables are listed below, along with default values (see `defaults/m
 The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role).

    apache_listen_port: 80
+    apache_listen_port_ssl: 443

-The port on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80.
+The ports on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80 or 443 and need to change the defaults.

    apache_create_vhosts: true

@ -30,10 +31,29 @@ If set to true, a vhosts file, managed by this role's variables (see below), wil

 Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `serveradmin` (optional: the admin email address for this server), and `extra_parameters` (you can add whatever you'd like in here).

-Note that this role doesn't configure SSL support out of the box; you would need to add in additional tasks to listen on port 443 and add your own VirtualHost directives for SSL. This may be improved in the future :)
+    apache_vhosts_ssl: []
+
+No SSL vhosts are configured by default, but you can add them using the same pattern as `apache_vhosts`, with a few additional directives, like the following example:
+
+    apache_vhosts_ssl:
+      - {
+        servername: "local.dev",
+        documentroot: "/var/www/html",
+        certificate_file: "/home/vagrant/example.crt",
+        certificate_key_file: "/home/vagrant/example.key",
+        certificate_chain_file: "/path/to/certificate_chain.crt"
+      }
+
+Other SSL directives can be managed with other SSL-related role variables.
+
+    apache_ssl_protocol: "All -SSLv2 -SSLv3"
+    apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
+
+The SSL protocols and cipher suites that are used/allowed when clients make secure connections to your server. These are secure/sane defaults, but for maximum security, performand, and/or compatibility, you may need to adjust these settings.

    apache_mods_enabled:
      - rewrite.load
+      - ssl.load

 (Debian/Ubuntu ONLY) Which Apache mods to enable (these will be symlinked into the apporopriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.

@ -55,11 +75,6 @@ None.
    apache_vhosts:
      - {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}

-On Debian/Ubuntu hosts, if you get the error `Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?`, You should add a task to make sure your apt_cache is up to date, like:
-
-    - name: Update apt cache if needed.
-      apt: update_cache=yes cache_valid_time=3600
-
 ## License

 MIT / BSD
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -2,9 +2,7 @@
 apache_enablerepo: ""

 apache_listen_port: 80
-
-apache_mods_enabled:
-  - rewrite.load
+apache_listen_port_ssl: 443

 apache_create_vhosts: true

@ -12,4 +10,22 @@ apache_vhosts:
  # Additional properties: 'serveradmin, extra_parameters'.
  - {servername: "local.dev", documentroot: "/var/www/html"}

+apache_vhosts_ssl: []
+  # Additional properties: 'serveradmin, extra_parameters'.
+  # - {
+  #   servername: "local.dev",
+  #   documentroot: "/var/www/html",
+  #   certificate_file: "/path/to/certificate.crt",
+  #   certificate_key_file: "/path/to/certificate.key",
+  #   # Optional.
+  #   certificate_chain_file: "/path/to/certificate_chain.crt"
+  # }
+
+apache_ssl_protocol: "All -SSLv2 -SSLv3"
+apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
+
 apache_vhosts_version: "2.2"
+
+apache_mods_enabled:
+  - rewrite.load
+  - ssl.load
--- a/templates/vhosts-2.2.conf.j2
+++ b/templates/vhosts-2.2.conf.j2
@ -1,11 +1,44 @@

 DirectoryIndex index.php index.html

-{# Set up VirtualHosts - servername and documentroot are required. #}
+{# Set up VirtualHosts #}
 {% for vhost in apache_vhosts %}
 <VirtualHost *:{{ apache_listen_port }}>
  ServerName {{ vhost.servername }}
  DocumentRoot {{ vhost.documentroot }}
+
+{% if vhost.serveradmin is defined %}
+  ServerAdmin {{ vhost.serveradmin }}
+{% endif %}
+  <Directory "{{ vhost.documentroot }}">
+    AllowOverride All
+    Options -Indexes FollowSymLinks
+    Order allow,deny
+    Allow from all
+  </Directory>
+{% if vhost.extra_parameters is defined %}
+  {{ vhost.extra_parameters }}
+{% endif %}
+</VirtualHost>
+
+{% endfor %}
+
+{# Set up SSL VirtualHosts. #}
+{% for vhost in apache_vhosts_ssl %}
+<VirtualHost *:{{ apache_listen_port_ssl }}>
+  ServerName {{ vhost.servername }}
+  DocumentRoot {{ vhost.documentroot }}
+
+  SSLEngine on
+  SSLCipherSuite {{ apache_ssl_cipher_suite }}
+  SSLProtocol {{ apache_ssl_protocol }}
+  SSLHonorCipherOrder On
+  SSLCertificateFile {{ vhost.certificate_file }}
+  SSLCertificateKeyFile {{ vhost.certificate_key_file }}
+{% if vhost.certificate_chain_file is defined %}
+  SSLCertificateChainFile {{ vhost.certificate_chain_file }}
+{% endif %}
+
 {% if vhost.serveradmin is defined %}
  ServerAdmin {{ vhost.serveradmin }}
 {% endif %}
--- a/templates/vhosts-2.4.conf.j2
+++ b/templates/vhosts-2.4.conf.j2
@ -1,11 +1,44 @@

 DirectoryIndex index.php index.html

-{# Set up VirtualHosts - servername and documentroot are required. #}
+{# Set up VirtualHosts #}
 {% for vhost in apache_vhosts %}
 <VirtualHost *:{{ apache_listen_port }}>
  ServerName {{ vhost.servername }}
  DocumentRoot {{ vhost.documentroot }}
+
+{% if vhost.serveradmin is defined %}
+  ServerAdmin {{ vhost.serveradmin }}
+{% endif %}
+  <Directory "{{ vhost.documentroot }}">
+    AllowOverride All
+    Options -Indexes +FollowSymLinks
+    Require all granted
+  </Directory>
+{% if vhost.extra_parameters is defined %}
+  {{ vhost.extra_parameters }}
+{% endif %}
+</VirtualHost>
+
+{% endfor %}
+
+{# Set up SSL VirtualHosts #}
+{% for vhost in apache_vhosts_ssl %}
+<VirtualHost *:{{ apache_listen_port_ssl }}>
+  ServerName {{ vhost.servername }}
+  DocumentRoot {{ vhost.documentroot }}
+
+  SSLEngine on
+  SSLCipherSuite {{ apache_ssl_cipher_suite }}
+  SSLProtocol {{ apache_ssl_protocol }}
+  SSLHonorCipherOrder On
+  SSLCompression off
+  SSLCertificateFile {{ vhost.certificate_file }}
+  SSLCertificateKeyFile {{ vhost.certificate_key_file }}
+{% if vhost.certificate_chain_file is defined %}
+  SSLCertificateChainFile {{ vhost.certificate_chain_file }}
+{% endif %}
+
 {% if vhost.serveradmin is defined %}
  ServerAdmin {{ vhost.serveradmin }}
 {% endif %}