public_git
/
ansibleguy.infra_apache
mirror of https://github.com/ansibleguy/infra_apache.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

updated readme layout

This commit is contained in:
AnsibleGuy 2024-06-02 12:30:22 +02:00
parent 2d13301250
commit 11bcfd178d
No known key found for this signature in database
GPG Key ID: 52984C069F5AD3CD
1 changed files with 79 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
README.md
View File

@ -33,80 +33,7 @@ ansible-galaxy install ansibleguy.infra_apache --roles-path ./roles
ansible-galaxy install -r requirements.yml
```
## Functionality
* **Package installation**
* Ansible dependencies (_minimal_)
* Apache2
* **Configuration**
* Support for multiple sites/servers
* Two **config-modes**:
* serve (_default_)
* redirect
* Support for specific configurations using the 'config' and 'config_additions' parameters
* **Default config**:
* Disabled: <TLS1.2, unsecure ciphers, autoindex, servertokens/-signature, ServerSideIncludes, CGI
* Security headers: HSTS, X-Frame, Referrer-Policy, Content-Type nosniff, X-Domain-Policy, XXS-Protection
* Limits to prevent DDoS
* Using a Self-Signed certificate
* Modules: +ssl, +http2, headers, rewrite; -autoindex
* HTTP2 enabled with fallback to HTTP1.1
* IPv6 support disabled (*at least one ipv6 address MUST EXIST*)
* **SSL modes** (_for more info see: [CERT ROLE](https://github.com/ansibleguy/infra_certs)_)
* **selfsigned** => Generate self-signed ones
* **ca** => Generate a minimal Certificate Authority and certificate signed by it
* **letsencrypt** => Uses the LetsEncrypt certbot
* **existing** => Copy certificate files or use existing ones
* **Default opt-ins**:
* restricting methods to POST/GET/HEAD
* status-page listener on localhost
* Logging to syslog
* http2
* **Default opt-outs**:
* Include the config file 'sites-available/site_{{ site_name }}_app.conf' for advanced usage
Options to provide module config will be added in the future!<br>
Also some basic mods will get a pre-config added. (_prefork, evasive_)
## Info
* **Note:** Most of the role's functionality can be opted in or out.
For all available options - see the default-config located in the main/site defaults-file!
* **Note:** this role currently only supports debian-based systems
* **Note:** This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection.
* **Note:** If you want any requested domain to get handled by a site/server you need to add a **wildcard** '*' as alias!<br>
BUT: You still have to provide a main domain!
* **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!
* **Info:** To disable default settings and headers => just set their value to: ''
* **Info:** For LetsEncrypt renewal to work, you must allow outgoing connections to:
80/tcp, 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (_debug mode_) and r3.o.lencr.org
----
## Usage
@ -172,3 +99,81 @@ To debug errors - you can set the 'debug' variable at runtime:
```bash
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
```
----
## Functionality
* **Package installation**
* Ansible dependencies (_minimal_)
* Apache2
* **Configuration**
* Support for multiple sites/servers
* Two **config-modes**:
* serve (_default_)
* redirect
* Support for specific configurations using the 'config' and 'config_additions' parameters
* **Default config**:
* Disabled: <TLS1.2, unsecure ciphers, autoindex, servertokens/-signature, ServerSideIncludes, CGI
* Security headers: HSTS, X-Frame, Referrer-Policy, Content-Type nosniff, X-Domain-Policy, XXS-Protection
* Limits to prevent DDoS
* Using a Self-Signed certificate
* Modules: +ssl, +http2, headers, rewrite; -autoindex
* HTTP2 enabled with fallback to HTTP1.1
* IPv6 support disabled (*at least one ipv6 address MUST EXIST*)
* **SSL modes** (_for more info see: [CERT ROLE](https://github.com/ansibleguy/infra_certs)_)
* **selfsigned** => Generate self-signed ones
* **ca** => Generate a minimal Certificate Authority and certificate signed by it
* **letsencrypt** => Uses the LetsEncrypt certbot
* **existing** => Copy certificate files or use existing ones
* **Default opt-ins**:
* restricting methods to POST/GET/HEAD
* status-page listener on localhost
* Logging to syslog
* http2
* **Default opt-outs**:
* Include the config file 'sites-available/site_{{ site_name }}_app.conf' for advanced usage
Options to provide module config will be added in the future!<br>
Also some basic mods will get a pre-config added. (_prefork, evasive_)
----
## Info
* **Note:** Most of the role's functionality can be opted in or out.
For all available options - see the default-config located in the main/site defaults-file!
* **Note:** this role currently only supports debian-based systems
* **Note:** This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection.
* **Note:** If you want any requested domain to get handled by a site/server you need to add a **wildcard** '*' as alias!<br>
BUT: You still have to provide a main domain!
* **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!
* **Info:** To disable default settings and headers => just set their value to: ''
* **Info:** For LetsEncrypt renewal to work, you must allow outgoing connections to:
80/tcp, 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (_debug mode_) and r3.o.lencr.org