Issue #17: SSL Support.

This commit is contained in:
Jeff Geerling 2014-11-05 10:07:20 -06:00
parent a0e4fe4c6e
commit 8abd97bb32
4 changed files with 110 additions and 13 deletions

@ -6,7 +6,7 @@ An Ansible Role that installs Apache 2.x on RHEL/CentOS and Debian/Ubuntu.
## Requirements ## Requirements
None. If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.
## Role Variables ## Role Variables
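Review bot: the `-nodes` flag in the suggested `openssl req` command writes `example.key` unencrypted, so this Requirements paragraph should also say where the key belongs (a root-owned path that is not world-readable) before pointing `certificate_key_file` at it, and should state that a self-signed certificate is for development only, since clients will not trust it unless told to.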
@ -17,8 +17,9 @@ Available variables are listed below, along with default values (see `defaults/m
The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role). The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role).
apache_listen_port: 80 apache_listen_port: 80
apache_listen_port_ssl: 443
The port on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80. The ports on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80 or 443 and need to change the defaults.
apache_create_vhosts: true apache_create_vhosts: true
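Review bot: the reworded text says users may "need to change the defaults", but `apache_listen_port_ssl` is only consumed by the `<VirtualHost *:{{ apache_listen_port_ssl }}>` openers in the two templates; none of the four changed files adds a matching `Listen {{ apache_listen_port_ssl }}` directive, so a value other than 443 produces a vhost on a port Apache has not been told to listen on. Either template a `Listen` line for the SSL port alongside the vhosts, or say in the README that the port must also be opened in the server's listen configuration.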
@ -30,10 +31,29 @@ If set to true, a vhosts file, managed by this role's variables (see below), wil
Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `serveradmin` (optional: the admin email address for this server), and `extra_parameters` (you can add whatever you'd like in here). Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `serveradmin` (optional: the admin email address for this server), and `extra_parameters` (you can add whatever you'd like in here).
Note that this role doesn't configure SSL support out of the box; you would need to add in additional tasks to listen on port 443 and add your own VirtualHost directives for SSL. This may be improved in the future :) apache_vhosts_ssl: []
No SSL vhosts are configured by default, but you can add them using the same pattern as `apache_vhosts`, with a few additional directives, like the following example:
apache_vhosts_ssl:
- {
servername: "local.dev",
documentroot: "/var/www/html",
certificate_file: "/home/vagrant/example.crt",
certificate_key_file: "/home/vagrant/example.key",
certificate_chain_file: "/path/to/certificate_chain.crt"
}
Other SSL directives can be managed with other SSL-related role variables.
apache_ssl_protocol: "All -SSLv2 -SSLv3"
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
The SSL protocols and cipher suites that are used/allowed when clients make secure connections to your server. These are secure/sane defaults, but for maximum security, performand, and/or compatibility, you may need to adjust these settings.
apache_mods_enabled: apache_mods_enabled:
- rewrite.load - rewrite.load
- ssl.load
(Debian/Ubuntu ONLY) Which Apache mods to enable (these will be symlinked into the apporopriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods. (Debian/Ubuntu ONLY) Which Apache mods to enable (these will be symlinked into the apporopriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.
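Review bot: `ssl.load` is added under a setting marked `(Debian/Ubuntu ONLY)`, and nothing in the four changed files installs or enables mod_ssl on RHEL/CentOS, so either the README should say SSL vhosts currently work on Debian/Ubuntu only, or the role needs a task that installs `mod_ssl` on the RHEL side. Smaller points in the same paragraph: "performand" should read "performance"; the example puts the certificate and key under `/home/vagrant/`, which is a poor model for a private key (a root-owned path outside any user's home would be a better example); and the typo "apporopriate" in the unchanged line below could be fixed while this section is being edited.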
@ -55,11 +75,6 @@ None.
apache_vhosts: apache_vhosts:
- {servername: "example.com", documentroot: "/var/www/vhosts/example_com"} - {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}
On Debian/Ubuntu hosts, if you get the error `Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?`, You should add a task to make sure your apt_cache is up to date, like:
- name: Update apt cache if needed.
apt: update_cache=yes cache_valid_time=3600
## License ## License
MIT / BSD MIT / BSD
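Review bot: the removed paragraph about `Unable to fetch some archives` and the `apt: update_cache=yes cache_valid_time=3600` task has nothing to do with SSL support, and the commit message does not mention it; if the role now refreshes the apt cache itself, say so in the README (and in the commit message), otherwise keep the troubleshooting note.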

@ -2,9 +2,7 @@
apache_enablerepo: "" apache_enablerepo: ""
apache_listen_port: 80 apache_listen_port: 80
apache_listen_port_ssl: 443
apache_mods_enabled:
- rewrite.load
apache_create_vhosts: true apache_create_vhosts: true
@ -12,4 +10,22 @@ apache_vhosts:
# Additional properties: 'serveradmin, extra_parameters'. # Additional properties: 'serveradmin, extra_parameters'.
- {servername: "local.dev", documentroot: "/var/www/html"} - {servername: "local.dev", documentroot: "/var/www/html"}
apache_vhosts_ssl: []
# Additional properties: 'serveradmin, extra_parameters'.
# - {
# servername: "local.dev",
# documentroot: "/var/www/html",
# certificate_file: "/path/to/certificate.crt",
# certificate_key_file: "/path/to/certificate.key",
# # Optional.
# certificate_chain_file: "/path/to/certificate_chain.crt"
# }
apache_ssl_protocol: "All -SSLv2 -SSLv3"
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
apache_vhosts_version: "2.2" apache_vhosts_version: "2.2"
apache_mods_enabled:
- rewrite.load
- ssl.load
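Review bot: `ssl.load` is now enabled by default on every Debian/Ubuntu host even when `apache_vhosts_ssl` is empty, so mod_ssl is loaded on servers that serve nothing over TLS; consider adding it only when `apache_vhosts_ssl` is non-empty, or document the behaviour. Two consequences of the new defaults are also worth stating next to them: `SSLProtocol "All -SSLv2 -SSLv3"` still permits TLSv1.0 and TLSv1.1 (a compatibility choice users should know they can tighten), and `AES256+EECDH:AES256+EDH` admits no RSA key exchange and no AES-128 suites, so older clients are refused outright rather than negotiated down; the README's hint that these "may need" adjusting should spell out both.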

@ -1,11 +1,44 @@
DirectoryIndex index.php index.html DirectoryIndex index.php index.html
{# Set up VirtualHosts - servername and documentroot are required. #} {# Set up VirtualHosts #}
{% for vhost in apache_vhosts %} {% for vhost in apache_vhosts %}
<VirtualHost *:{{ apache_listen_port }}> <VirtualHost *:{{ apache_listen_port }}>
ServerName {{ vhost.servername }} ServerName {{ vhost.servername }}
DocumentRoot {{ vhost.documentroot }} DocumentRoot {{ vhost.documentroot }}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
<Directory "{{ vhost.documentroot }}">
AllowOverride All
Options -Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters }}
{% endif %}
</VirtualHost>
{% endfor %}
{# Set up SSL VirtualHosts. #}
{% for vhost in apache_vhosts_ssl %}
<VirtualHost *:{{ apache_listen_port_ssl }}>
ServerName {{ vhost.servername }}
DocumentRoot {{ vhost.documentroot }}
SSLEngine on
SSLCipherSuite {{ apache_ssl_cipher_suite }}
SSLProtocol {{ apache_ssl_protocol }}
SSLHonorCipherOrder On
SSLCertificateFile {{ vhost.certificate_file }}
SSLCertificateKeyFile {{ vhost.certificate_key_file }}
{% if vhost.certificate_chain_file is defined %}
SSLCertificateChainFile {{ vhost.certificate_chain_file }}
{% endif %}
{% if vhost.serveradmin is defined %} {% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }} ServerAdmin {{ vhost.serveradmin }}
{% endif %} {% endif %}
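Review bot: `Options -Indexes FollowSymLinks` in the new `<Directory>` block mixes a prefixed option with an unprefixed one, which Apache rejects at config test time ("Either all Options must start with + or -, or no Option may") and so breaks every vhost rendered from this 2.2 template; use `Options -Indexes +FollowSymLinks` as the 2.4 template in this commit does. Separately, the new comment `{# Set up VirtualHosts #}` drops the note that `servername` and `documentroot` are required, which was useful to anyone editing the template.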

@ -1,11 +1,44 @@
DirectoryIndex index.php index.html DirectoryIndex index.php index.html
{# Set up VirtualHosts - servername and documentroot are required. #} {# Set up VirtualHosts #}
{% for vhost in apache_vhosts %} {% for vhost in apache_vhosts %}
<VirtualHost *:{{ apache_listen_port }}> <VirtualHost *:{{ apache_listen_port }}>
ServerName {{ vhost.servername }} ServerName {{ vhost.servername }}
DocumentRoot {{ vhost.documentroot }} DocumentRoot {{ vhost.documentroot }}
{% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }}
{% endif %}
<Directory "{{ vhost.documentroot }}">
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
</Directory>
{% if vhost.extra_parameters is defined %}
{{ vhost.extra_parameters }}
{% endif %}
</VirtualHost>
{% endfor %}
{# Set up SSL VirtualHosts #}
{% for vhost in apache_vhosts_ssl %}
<VirtualHost *:{{ apache_listen_port_ssl }}>
ServerName {{ vhost.servername }}
DocumentRoot {{ vhost.documentroot }}
SSLEngine on
SSLCipherSuite {{ apache_ssl_cipher_suite }}
SSLProtocol {{ apache_ssl_protocol }}
SSLHonorCipherOrder On
SSLCompression off
SSLCertificateFile {{ vhost.certificate_file }}
SSLCertificateKeyFile {{ vhost.certificate_key_file }}
{% if vhost.certificate_chain_file is defined %}
SSLCertificateChainFile {{ vhost.certificate_chain_file }}
{% endif %}
{% if vhost.serveradmin is defined %} {% if vhost.serveradmin is defined %}
ServerAdmin {{ vhost.serveradmin }} ServerAdmin {{ vhost.serveradmin }}
{% endif %} {% endif %}
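Review bot: the SSL loop re-states `ServerName`, `DocumentRoot` and the `ServerAdmin` conditional of the plain loop; a Jinja macro for the shared vhost body would keep the two from drifting, and the two templates in this commit already differ in `Options` syntax and in the presence of `SSLCompression off`. Also, `AllowOverride All` is hard-coded in the new `<Directory>` block, which lets any `.htaccess` under the document root override server configuration; a role variable (defaulting to the current value to preserve behaviour) would let operators set `None` on hosts where that is not wanted. `SSLCompression off` is the right call here; if the 2.2 template omits it because the directive is unavailable on older 2.2 releases, a comment saying so would save the next reader the question.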