mirror of
https://github.com/geerlingguy/ansible-role-apache
synced 2025-01-03 00:30:18 +01:00
Issue #17: SSL Support.
This commit is contained in:
parent
a0e4fe4c6e
commit
8abd97bb32
4 changed files with 110 additions and 13 deletions
31
README.md
@ -6,7 +6,7 @@ An Ansible Role that installs Apache 2.x on RHEL/CentOS and Debian/Ubuntu.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
None.
|
If you are using SSL/TLS, you will need to provide your own certificate and key files. You can generate a self-signed certificate with a command like `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt`.
|
||||||
|
|
||||||
## Role Variables
|
## Role Variables
|
||||||
|
|
||||||
|
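Review bot: the self-signed certificate command added to Requirements uses `-nodes`, so `example.key` is written to disk unencrypted; the paragraph should say that the key file must be owned by root with restrictive permissions (the templates pass it straight to `SSLCertificateKeyFile`) and that a self-signed certificate is for development only, with a CA-issued certificate plus `certificate_chain_file` for anything reachable by real clients.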
@ -17,8 +17,9 @@ Available variables are listed below, along with default values (see `defaults/m
|
||||||
The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role).
|
The repository to use when installing Apache (only used on RHEL/CentOS systems). If you'd like later versions of Apache than are available in the OS's core repositories, use a repository like EPEL (which can be installed with the `geerlingguy.repo-epel` role).
|
||||||
|
|
||||||
apache_listen_port: 80
|
apache_listen_port: 80
|
||||||
|
apache_listen_port_ssl: 443
|
||||||
|
|
||||||
The port on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80.
|
The ports on which apache should be listening. Useful if you have another service (like a reverse proxy) listening on port 80 or 443 and need to change the defaults.
|
||||||
|
|
||||||
apache_create_vhosts: true
|
apache_create_vhosts: true
|
||||||
|
|
||||||
|
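Review bot: `apache_listen_port_ssl: 443` is documented here, but none of the four files in this commit renders a `Listen {{ apache_listen_port_ssl }}` directive, so the SSL vhosts only work where the distribution's mod_ssl configuration already listens on 443; either state that dependency in the README or have the role render the Listen directive. The rewritten sentence "The ports on which apache should be listening" should also say which variable controls which port.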
@ -30,10 +31,29 @@ If set to true, a vhosts file, managed by this role's variables (see below), wil
|
||||||
|
|
||||||
Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `serveradmin` (optional: the admin email address for this server), and `extra_parameters` (you can add whatever you'd like in here).
|
Add a set of properties per virtualhost, including `servername` (required), `documentroot` (required), `serveradmin` (optional: the admin email address for this server), and `extra_parameters` (you can add whatever you'd like in here).
|
||||||
|
|
||||||
Note that this role doesn't configure SSL support out of the box; you would need to add in additional tasks to listen on port 443 and add your own VirtualHost directives for SSL. This may be improved in the future :)
|
apache_vhosts_ssl: []
|
||||||
|
|
||||||
|
No SSL vhosts are configured by default, but you can add them using the same pattern as `apache_vhosts`, with a few additional directives, like the following example:
|
||||||
|
|
||||||
|
apache_vhosts_ssl:
|
||||||
|
- {
|
||||||
|
servername: "local.dev",
|
||||||
|
documentroot: "/var/www/html",
|
||||||
|
certificate_file: "/home/vagrant/example.crt",
|
||||||
|
certificate_key_file: "/home/vagrant/example.key",
|
||||||
|
certificate_chain_file: "/path/to/certificate_chain.crt"
|
||||||
|
}
|
||||||
|
|
||||||
|
Other SSL directives can be managed with other SSL-related role variables.
|
||||||
|
|
||||||
|
apache_ssl_protocol: "All -SSLv2 -SSLv3"
|
||||||
|
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
|
||||||
|
|
||||||
|
The SSL protocols and cipher suites that are used/allowed when clients make secure connections to your server. These are secure/sane defaults, but for maximum security, performand, and/or compatibility, you may need to adjust these settings.
|
||||||
|
|
||||||
apache_mods_enabled:
|
apache_mods_enabled:
|
||||||
- rewrite.load
|
- rewrite.load
|
||||||
|
- ssl.load
|
||||||
|
|
||||||
(Debian/Ubuntu ONLY) Which Apache mods to enable (these will be symlinked into the apporopriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.
|
(Debian/Ubuntu ONLY) Which Apache mods to enable (these will be symlinked into the apporopriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.
|
||||||
|
|
||||||
|
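Review bot: typo in the new cipher paragraph: "performand" should be "performance". The README example places the private key under `/home/vagrant/`, while `defaults/main.yml` in this same commit uses `/path/to/` placeholders; use the placeholders here too so nobody copies a key into a user home directory. It would also help to spell out that `apache_ssl_protocol: "All -SSLv2 -SSLv3"` still permits TLSv1 and TLSv1.1, and that stricter deployments can append `-TLSv1 -TLSv1.1` to the variable.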
@ -55,11 +75,6 @@ None.
|
||||||
apache_vhosts:
|
apache_vhosts:
|
||||||
- {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}
|
- {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}
|
||||||
|
|
||||||
On Debian/Ubuntu hosts, if you get the error `Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?`, You should add a task to make sure your apt_cache is up to date, like:
|
|
||||||
|
|
||||||
- name: Update apt cache if needed.
|
|
||||||
apt: update_cache=yes cache_valid_time=3600
|
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
MIT / BSD
|
MIT / BSD
|
||||||
|
|
|
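Review bot: the removal of the apt-cache troubleshooting note (the `Unable to fetch some archives ...` paragraph and its `apt: update_cache=yes cache_valid_time=3600` task) is unrelated to SSL support and leaves Debian/Ubuntu users without that guidance. If the role now refreshes the cache itself, say so in the README; otherwise keep the note or move the removal to its own commit.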
@ -2,9 +2,7 @@
|
||||||
apache_enablerepo: ""
|
apache_enablerepo: ""
|
||||||
|
|
||||||
apache_listen_port: 80
|
apache_listen_port: 80
|
||||||
|
apache_listen_port_ssl: 443
|
||||||
apache_mods_enabled:
|
|
||||||
- rewrite.load
|
|
||||||
|
|
||||||
apache_create_vhosts: true
|
apache_create_vhosts: true
|
||||||
|
|
||||||
|
@ -12,4 +10,22 @@ apache_vhosts:
|
||||||
# Additional properties: 'serveradmin, extra_parameters'.
|
# Additional properties: 'serveradmin, extra_parameters'.
|
||||||
- {servername: "local.dev", documentroot: "/var/www/html"}
|
- {servername: "local.dev", documentroot: "/var/www/html"}
|
||||||
|
|
||||||
|
apache_vhosts_ssl: []
|
||||||
|
# Additional properties: 'serveradmin, extra_parameters'.
|
||||||
|
# - {
|
||||||
|
# servername: "local.dev",
|
||||||
|
# documentroot: "/var/www/html",
|
||||||
|
# certificate_file: "/path/to/certificate.crt",
|
||||||
|
# certificate_key_file: "/path/to/certificate.key",
|
||||||
|
# # Optional.
|
||||||
|
# certificate_chain_file: "/path/to/certificate_chain.crt"
|
||||||
|
# }
|
||||||
|
|
||||||
|
apache_ssl_protocol: "All -SSLv2 -SSLv3"
|
||||||
|
apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
|
||||||
|
|
||||||
apache_vhosts_version: "2.2"
|
apache_vhosts_version: "2.2"
|
||||||
|
|
||||||
|
apache_mods_enabled:
|
||||||
|
- rewrite.load
|
||||||
|
- ssl.load
|
||||||
|
|
|
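Review bot: the comment copied above the `apache_vhosts_ssl` example, `# Additional properties: 'serveradmin, extra_parameters'.`, does not say that `certificate_file` and `certificate_key_file` are required while only `certificate_chain_file` is optional; the example marks only the chain file as `# Optional.`. Add a `# Required:` line listing `servername, documentroot, certificate_file, certificate_key_file` so a vhost is not rendered with an empty `SSLCertificateFile`.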
@ -1,11 +1,44 @@
|
||||||
|
|
||||||
DirectoryIndex index.php index.html
|
DirectoryIndex index.php index.html
|
||||||
|
|
||||||
{# Set up VirtualHosts - servername and documentroot are required. #}
|
{# Set up VirtualHosts #}
|
||||||
{% for vhost in apache_vhosts %}
|
{% for vhost in apache_vhosts %}
|
||||||
<VirtualHost *:{{ apache_listen_port }}>
|
<VirtualHost *:{{ apache_listen_port }}>
|
||||||
ServerName {{ vhost.servername }}
|
ServerName {{ vhost.servername }}
|
||||||
DocumentRoot {{ vhost.documentroot }}
|
DocumentRoot {{ vhost.documentroot }}
|
||||||
|
|
||||||
|
{% if vhost.serveradmin is defined %}
|
||||||
|
ServerAdmin {{ vhost.serveradmin }}
|
||||||
|
{% endif %}
|
||||||
|
<Directory "{{ vhost.documentroot }}">
|
||||||
|
AllowOverride All
|
||||||
|
Options -Indexes FollowSymLinks
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</Directory>
|
||||||
|
{% if vhost.extra_parameters is defined %}
|
||||||
|
{{ vhost.extra_parameters }}
|
||||||
|
{% endif %}
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{# Set up SSL VirtualHosts. #}
|
||||||
|
{% for vhost in apache_vhosts_ssl %}
|
||||||
|
<VirtualHost *:{{ apache_listen_port_ssl }}>
|
||||||
|
ServerName {{ vhost.servername }}
|
||||||
|
DocumentRoot {{ vhost.documentroot }}
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
SSLCipherSuite {{ apache_ssl_cipher_suite }}
|
||||||
|
SSLProtocol {{ apache_ssl_protocol }}
|
||||||
|
SSLHonorCipherOrder On
|
||||||
|
SSLCertificateFile {{ vhost.certificate_file }}
|
||||||
|
SSLCertificateKeyFile {{ vhost.certificate_key_file }}
|
||||||
|
{% if vhost.certificate_chain_file is defined %}
|
||||||
|
SSLCertificateChainFile {{ vhost.certificate_chain_file }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if vhost.serveradmin is defined %}
|
{% if vhost.serveradmin is defined %}
|
||||||
ServerAdmin {{ vhost.serveradmin }}
|
ServerAdmin {{ vhost.serveradmin }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
|
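Review bot: `Options -Indexes FollowSymLinks` in the new `<Directory>` block mixes a prefixed and an unprefixed option, which Apache rejects at startup ("Either all Options must start with + or -, or no Option may"); the 2.4 template in this same commit uses `Options -Indexes +FollowSymLinks`, and this one should match. The SSL block here also lacks the `SSLCompression off` line the 2.4 template has; the directive is available from 2.2.24 onwards, so add it or document that the 2.2 template leaves TLS compression at the server default.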
@ -1,11 +1,44 @@
|
||||||
|
|
||||||
DirectoryIndex index.php index.html
|
DirectoryIndex index.php index.html
|
||||||
|
|
||||||
{# Set up VirtualHosts - servername and documentroot are required. #}
|
{# Set up VirtualHosts #}
|
||||||
{% for vhost in apache_vhosts %}
|
{% for vhost in apache_vhosts %}
|
||||||
<VirtualHost *:{{ apache_listen_port }}>
|
<VirtualHost *:{{ apache_listen_port }}>
|
||||||
ServerName {{ vhost.servername }}
|
ServerName {{ vhost.servername }}
|
||||||
DocumentRoot {{ vhost.documentroot }}
|
DocumentRoot {{ vhost.documentroot }}
|
||||||
|
|
||||||
|
{% if vhost.serveradmin is defined %}
|
||||||
|
ServerAdmin {{ vhost.serveradmin }}
|
||||||
|
{% endif %}
|
||||||
|
<Directory "{{ vhost.documentroot }}">
|
||||||
|
AllowOverride All
|
||||||
|
Options -Indexes +FollowSymLinks
|
||||||
|
Require all granted
|
||||||
|
</Directory>
|
||||||
|
{% if vhost.extra_parameters is defined %}
|
||||||
|
{{ vhost.extra_parameters }}
|
||||||
|
{% endif %}
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{# Set up SSL VirtualHosts #}
|
||||||
|
{% for vhost in apache_vhosts_ssl %}
|
||||||
|
<VirtualHost *:{{ apache_listen_port_ssl }}>
|
||||||
|
ServerName {{ vhost.servername }}
|
||||||
|
DocumentRoot {{ vhost.documentroot }}
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
SSLCipherSuite {{ apache_ssl_cipher_suite }}
|
||||||
|
SSLProtocol {{ apache_ssl_protocol }}
|
||||||
|
SSLHonorCipherOrder On
|
||||||
|
SSLCompression off
|
||||||
|
SSLCertificateFile {{ vhost.certificate_file }}
|
||||||
|
SSLCertificateKeyFile {{ vhost.certificate_key_file }}
|
||||||
|
{% if vhost.certificate_chain_file is defined %}
|
||||||
|
SSLCertificateChainFile {{ vhost.certificate_chain_file }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if vhost.serveradmin is defined %}
|
{% if vhost.serveradmin is defined %}
|
||||||
ServerAdmin {{ vhost.serveradmin }}
|
ServerAdmin {{ vhost.serveradmin }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
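Review bot: `SSLCertificateChainFile` is deprecated from Apache 2.4.8, where the intermediate chain is instead appended to the file given to `SSLCertificateFile`; since this template targets 2.4, the README entry for `certificate_chain_file` should note that and that a combined certificate file works without it. `SSLCompression off` and `Require all granted` are the right choices for 2.4 here.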