# {{ ansible_managed }}


BufferedLogs Off
TraceEnable Off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 512
KeepAliveTimeout 15

# Configuration MPM Event
ServerLimit              64
ThreadsPerChild          32
AsyncRequestWorkerFactor 2
MaxRequestWorkers        2048
MaxRequestsPerChild      16384
GracefulShutdownTimeout  2


# Supprime les informations version
ServerTokens ProductOnly
ServerSignature Off
SecServerSignature ";-)"


# Configuration headers
Header unset X-Powered-By
Header unset X-AspNet-Version
Header unset Server
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=16070400"

# Configuration Modsecurity par défaut pour l'analyse des requêtes
SecResponseBodyAccess Off
SecRequestBodyLimit 104857600
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction ProcessPartial

# Macros
<Macro Empty>
</Macro>

<Macro OpenAccessPolicy>
  Require all granted
</Macro>

<Macro InternalAccessPolicy>
  Require ip 10.0.0.0/8
  Require ip 172.16.0.0/12
  Require ip 192.168.0.0/16
</Macro>

<Macro LDAPUserAccessPolicy>
    Authname "Acces reserve aux utilisateurs disposant d'un compte valide (annuaire)"
    Authtype Basic
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative on
    AuthLDAPBindDN {{ reverse_proxy_ldap_bind_dn }}
    AuthLDAPBindPassword {{ reverse_proxy_ldap_bind_password }}
    AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }}
    Require valid-user
</Macro>

<Macro LDAPAdminAccessPolicy>
    Authname "Acces reserve aux administrateurs (annuaire)"
    Authtype Basic
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative on
    AuthLDAPBindDN {{ reverse_proxy_ldap_bind_dn }}
    AuthLDAPBindPassword {{ reverse_proxy_ldap_bind_password }}
    AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }}
    Require valid-user
    Require ldap-user {{ reverse_proxy_ldap_admins }}
</Macro>


<Macro BlockCrawlerIndexing>
  Header set X-Robots-Tag "noindex, nofollow"
  ProxyPass /robots.txt !
  RewriteEngine On
  RewriteRule ^/robots\.txt$ /rp_ressources/robots_disabled.txt [L]
</Macro>

<Macro AllowCrawlerIndexing>
  Header set X-Robots-Tag "all"
  ProxyPass /robots.txt !
  RewriteEngine On
  RewriteRule  ^/robots\.txt$ /rp_ressources/robots_enabled.txt [L]
</Macro>


<Macro ErrorDocumentPages>
  ProxyErrorOverride On
  ErrorDocument 400 /rp_ressources/400.html
  ErrorDocument 401 /rp_ressources/401.html
  ErrorDocument 403 /rp_ressources/403.html
  ErrorDocument 404 /rp_ressources/404.html
  ErrorDocument 500 /rp_ressources/500.html
  ErrorDocument 502 /rp_ressources/502.html
  ErrorDocument 503 /rp_ressources/503.html
  ErrorDocument 504 /rp_ressources/504.html
  ErrorDocument {{ reverse_proxy_http_modsecurity_error_code }} /rp_ressources/{{ reverse_proxy_http_modsecurity_error_code }}.html
</Macro>


<Macro CheckMaintenancePage $vhostFQDN>
  RewriteEngine On

  <Location "/rp_maintenance/auth/">
    Use LDAPAdminAccessPolicy
  </Location>

  # Si on est en maintenance
  <If "-f %{DOCUMENT_ROOT} . '/rp_maintenance/$vhostFQDN.html'">
    RewriteCond %{REMOTE_ADDR} !127.0.0.1
    RewriteCond %{REQUEST_URI} !^/rp_ressources/*
    RewriteCond %{REQUEST_URI} !^/rp_maintenance/*
    RewriteCond %{HTTP_COOKIE} !rp_acces_maintenance=([^;]+)
    RewriteRule ^.*$ %{DOCUMENT_ROOT}/rp_maintenance/$vhostFQDN.html
    Header Set Cache-Control "no-store"
  </If>
</Macro>


# Configuration de la fonction reverse proxy
<Macro ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf>
  # Definition du virtualhost
  ServerName $vhostFQDN
  DocumentRoot "/var/www/html"

  # Niveau de log souhaite
  LogLevel $logPolicy
  ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log
  CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined

  # Politique vis a vis des moteurs de recherche
  Use $indexingConf

  # Configuration de l'accessibilite du virtualhost (public, interne, restreint)
  <Location />
      Use $accessPolicy
  </Location>
  # On autorise quand même l'accès a .well-known pour letsencrypt
  <Location /.well-known>
      Use OpenAccessPolicy
  </Location>
  ProxyRequests Off
  ProxyVia Off
  ProxyPreserveHost On
  ProxyPass /rp_ressources !
  ProxyPass /rp_maintenance !
  ProxyPass /balancer-manager !
  ProxyPass / $protoDest://$urlDest/
  ProxyPassReverse / $protoDest://$vhostFQDN/
  # Configuration du chemin vers la page de status du load balancer
  <Location "/balancer-manager">
      SecRuleEngine off
      SetHandler balancer-manager
      Use InternalAccessPolicy
  </Location>
  # Configuration du chemin vers les ressources reverse proxy
  <Location "/rp_ressources">
      SecRuleEngine off
      Use OpenAccessPolicy
  </Location>
  # Definition des pages d'erreur
  Use ErrorDocumentPages 
  # Gestion de la page de maintenance
  Use CheckMaintenancePage $vhostFQDN
</Macro>


# Redirige un domaine http vers https
<Macro vhost_redirect_http-https $domain>
  <VirtualHost *:80>
    ServerName $domain
    Redirect permanent / https://$domain/
  </VirtualHost>
</Macro>


# Redirige un domaine http vers n'importe qu'elle autre adresse http où https
<Macro vhost_redirect_http_generic $domainSource $domainDest $accessPolicy>
  <VirtualHost *:80>
    ServerName $domainSource
    Redirect permanent / $domainDest/

    #Restriction configuration
    <Location />
        Use $accessPolicy
        Use ErrorDocumentPages
    </Location>
  </VirtualHost>
</Macro>




<Macro vhost_HTTPS_Generic $vhostFQDN $cert $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus>
Use vhost_redirect_http-https $vhostFQDN

<Perl>
    if ( $cert eq "LE" )
    {
        print "------- Utilisation d'un certificat LetsEncrypt pour $vhostFQDN -------\n";
        $MDomain{"$vhostFQDN"} = {
          MDCertificateAgreement => 'accepted',
          MDContactEmail => '{{ reverse_proxy_default_serveradmin_email }}',
          MDStapling             => 'on',
        };
    }
</Perl>

<VirtualHost *:443>
    <Perl>
        $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n";
    </Perl>

    Use ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf

    SSLEngine on
    # Inclusion de la configuration de certificat spécifique (wildcard ou autre)
    <Perl>
        if ( $cert ne "LE" )
        {
            my $dir=$ENV{"$vhostFQDN"};
            my $config_file="$dir/../../certs-conf/cert_$cert.conf";
            print "------- Utilisation de la configuration certificat $config_file pour $vhostFQDN -------\n";
            push @Include, "$config_file";
        }
    </Perl>

    # Inclusion de la configuration additionnelle
    <Perl>
        my $dir=$ENV{"$vhostFQDN"};
        my $config_file="$dir/1_vhost_additional.conf";
        if( -f $config_file)
        {
            $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
            push @Include, "$config_file";
        }
    </Perl>

    <If "'$protoDest' == 'http'">
        RequestHeader set X-Forwarded-Proto "https"
    </If>

    # Gestion mod_security et inclusion des exceptions
    <IfModule mod_security2.c>
        SecRuleEngine $modsecurityStatus
        <Perl>
            my $dir=$ENV{"$vhostFQDN"};
            my $config_file="$dir/2_mds_exclusion.conf";
            if( -f $config_file)
            {
                $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
                push @Include, "$config_file";
            }
        </Perl>
    </IfModule>

    <Perl>
        $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n";
    </Perl>

</VirtualHost>
</Macro>




<Macro vhost_HTTP_Generic $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus>

<VirtualHost *:80>
    <Perl>
        $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n";
    </Perl>

    Use ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf

    # Inclusion de la configuration additionnelle
    <Perl>
        my $dir=$ENV{"$vhostFQDN"};
        my $config_file="$dir/1_vhost_additional.conf";
        if( -f $config_file)
        {
            $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
            push @Include, "$config_file";
        }
    </Perl>

    <If "'$protoDest' == 'https'">
        RequestHeader set X-Forwarded-Proto "http"
    </If>

    # Gestion mod_security et inclusion des exceptions
    <IfModule mod_security2.c>
        SecRuleEngine $modsecurityStatus
        <Perl>
            my $dir=$ENV{"$vhostFQDN"};
            my $config_file="$dir/2_mds_exclusion.conf";
            if( -f $config_file)
            {
                $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
                push @Include, "$config_file";
            }
        </Perl>
    </IfModule>

    <Perl>
        $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n";
    </Perl>

</VirtualHost>
</Macro>




# Virtualhosts techniques

# Fait en sorte que si fqdn demandé ne correspond a aucun connu apache ne serve pas le 1er
<VirtualHost *:80>
    Redirect / https://www.libretic.fr/error
</VirtualHost>


# Permet l'acces a des pages d'info apache
ExtendedStatus on
Listen 9090 http
<VirtualHost *:9090>
    ServerName localhost
    DocumentRoot /var/www/html/
    <Location /server-info>
        SetHandler server-info
        Use InternalAccessPolicy
        Require host localhost
    </Location> 
    <Location /status>
        SetHandler server-status
        Use InternalAccessPolicy
        Require host localhost
    </Location>
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/monitoring-page-error.log
    CustomLog ${APACHE_LOG_DIR}/monitoring-page-access.log combined
</VirtualHost>



# Perl scan vhosts.d
PerlSetEnv VHOSTS_DIR /etc/apache2/vhosts.d
PerlSetEnv VHOST_DEFAULT_FILE 0_vhost.conf
PerlSetEnv PERL_CONF_DEBUG 1

PerlSetVar StatusOptionsAll On
PerlSetVar StatusDeparseOptions "-p -sC"

<Perl>
    $Apache2::Server::SaveConfig = 1
</Perl>

<Perl>
    my $VHOSTS_REGEX='^\s*Use\s+vhost.+?\s+(.+?)\s+?';
    my @vhosts_sub_dirs=`find $ENV{'VHOSTS_DIR'} -mindepth 1 -maxdepth 1 -type d`;
    $ENV{'PERL_CONF_DEBUG'} and print "------ Pre-Traitement ------\n";
    for my $subdir (@vhosts_sub_dirs)
    {
        chomp $subdir;
        my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}";
        open my $vhost_file, "<", $config_file or die;
        while(my $line = <$vhost_file>)
        {
            if(my @matches = $line =~ /$VHOSTS_REGEX/)
            {    
                my $vhost_name=${matches[0]};
                $ENV{'PERL_CONF_DEBUG'} and  print "Identification du vhost: $vhost_name\n";
                push @PerlSetEnv, ["$vhost_name" => "$subdir"];
            }
        }
        close $config_file;
    }
    $ENV{'PERL_CONF_DEBUG'} and print "----------------------------\n";
</Perl>

<Perl>
    use Apache2::PerlSections ( );
    $ENV{'PERL_CONF_DEBUG'} and print "------ Chargement des vhosts ------\n";
    foreach my $key (keys %ENV) { 
        my $subdir=$ENV{$key};
        my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}";
        if(  -f $config_file  )
        {
            $ENV{'PERL_CONF_DEBUG'} and  print "Ajout du vhost: $key\n";
            push @Include, "$config_file";
        }
     }
    $ENV{'PERL_CONF_DEBUG'} and print "-----------------------------------\n";
     print STDERR Apache::PerlSections->dump( );
</Perl>