From 9f0b8896734f976bc201306e13f763e41a56d3e7 Mon Sep 17 00:00:00 2001
From: AnsibleGuy
Date: Thu, 11 Aug 2022 02:11:32 +0200
Subject: [PATCH] re-organized defaults and site-config, added debugging option
---
 README.md | 5 +
 defaults/main/0_hardcoded.yml | 11 ++
 defaults/{main.yml => main/1_main.yml} | 79 +-------
 defaults/main/2_site.yml | 66 +++++++
 tasks/debian/add_site.yml | 16 ++
 tasks/debian/main.yml | 20 +-
 .../apache2/sites-available/inc/site_http.j2 | 30 +++
 .../sites-available/inc/site_http_log.j2 | 15 ++
 .../apache2/sites-available/inc/site_https.j2 | 60 ++++++
 .../sites-available/inc/site_https_config.j2 | 32 +++
 .../sites-available/inc/site_https_headers.j2 | 32 +++
 .../sites-available/inc/site_https_log.j2 | 15 ++
 .../sites-available/inc/site_https_ssl.j2 | 10 +
 .../etc/apache2/sites-available/site.conf.j2 | 184 +----------------
 14 files changed, 313 insertions(+), 262 deletions(-)
 create mode 100644 defaults/main/0_hardcoded.yml
 rename defaults/{main.yml => main/1_main.yml} (60%)
 create mode 100644 defaults/main/2_site.yml
 create mode 100644 templates/etc/apache2/sites-available/inc/site_http.j2
 create mode 100644 templates/etc/apache2/sites-available/inc/site_http_log.j2
 create mode 100644 templates/etc/apache2/sites-available/inc/site_https.j2
 create mode 100644 templates/etc/apache2/sites-available/inc/site_https_config.j2
 create mode 100644 templates/etc/apache2/sites-available/inc/site_https_headers.j2
 create mode 100644 templates/etc/apache2/sites-available/inc/site_https_log.j2
 create mode 100644 templates/etc/apache2/sites-available/inc/site_https_ssl.j2
diff --git a/README.md b/README.md
index 41c315a..11d9162 100644
--- a/README.md
+++ b/README.md
@@ -138,3 +138,8 @@ There are also some useful **tags** available:
 * sites
 * config => configuration (base and instances)
 * certs
+
+To debug errors - you can set the 'debug' variable at runtime:
+```bash
+ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
+```
diff --git a/defaults/main/0_hardcoded.yml b/defaults/main/0_hardcoded.yml new file mode 100644 index 0000000..989c4e2 --- /dev/null +++ b/defaults/main/0_hardcoded.yml @@ -0,0 +1,11 @@ +--- + +APACHE_HC: + packages: ['systemd', 'apache2'] + config_graylist: [ + 'SSLEngine', 'SSLCertificateKeyFile', 'SSLCertificateFile', 'SSLCertificateChainFile', 'ErrorLog', 'CustomLog', 'ServerAdmin', + 'ServerAlias', 'ServerName', 'Redirect' + ] + +force_removal: false +NONE_VALUES: [none, '', ' '] diff --git a/defaults/main.yml b/defaults/main/1_main.yml similarity index 60% rename from defaults/main.yml rename to defaults/main/1_main.yml index b424232..e6e2030 100644 --- a/defaults/main.yml +++ b/defaults/main/1_main.yml @@ -1,7 +1,7 @@ --- # default config => is overwritten by provided config -default_apache: +defaults_apache: sites: {} ipv6: false # IMPORTANT: at least one ipv6 address MUST BE defined on your system! else apache2 will fail to start 
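Review bot: In `NONE_VALUES: [none, '', ' ']` the plain scalar `none` is not a YAML null — if I read PyYAML's resolver correctly it only maps `~`, `null`/`Null`/`NULL` and an empty value to null — so this entry is the string 'none', and a config or header value a user leaves empty in their YAML (Python `None`) passes the `value not in NONE_VALUES` checks in site_https_config.j2 and site_https_headers.j2 and is rendered as the literal text `None` in the vhost. Keep the string form for people who literally write `none`, but add a real null next to it: `NONE_VALUES: [null, none, '', ' ']`. A one-line comment above `config_graylist` stating why those directives are reserved for the role (SSL, logging, naming and redirects are rendered by the templates) would also help the next maintainer.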
@@ -92,79 +92,4 @@ default_apache: security: restricted_methods: ['GET', 'POST', 'HEAD'] -APACHE_CONFIG: "{{ default_apache | combine(apache, recursive=true) }}" - -APACHE_HC: - packages: ['systemd', 'apache2'] - -# site-specific config -default_site_config: - mode: 'serve' - state: 'present' - admin: 'apache@template.ansibleguy.net' - port_plain: 80 - port_ssl: 443 - listen: '*' - domain: - aliases: [] - ip: - http_versions: [2, 1] - plain_site: true # if http site (only used for redirect to https) should be created - plain_redirect: 'preserve_domain' # keep hostname from plain request => any other value will set the redirect to the main-domain - - config: {} # site-specific setting-value pairs - config_additions: [] # lines that will 1-to-1 be appended to the site-config - app_include: false - headers: {} - - security: # https://www.nixpal.com/apache-httpd-hardening/ - disable_root_index: true - disable_ssi_cgi: true - restrict_methods: true - - redirect: - target: 'https://github.com/ansibleguy' - request_uri: false - - serve: - path: '/var/www/html' - - ssl: # see: https://github.com/ansibleguy/infra_certs - mode: 'ca' # existing/selfsigned/ca/letsencrypt - # existing: - # We expect the certs to be placed in the role's 'files' directory named like the site - # Example: files/certs/ansibleguy.key and files/certs/ansibleguy.crt - # letsencrypt: - # Host needs to have a valid public dns record pointed at it - # Needs to be publicly reachable over port 80/tcp - cert: - name: - cn: 'Apache Certificate' - org: 'AnsibleGuy' - ou: - country: - state: - locality: - email: - crl_distribution: [] - ca: - file: # can be used if you want to use an existing ca - cn: - org: - ou: - country: - state: - locality: - email: - pwd: # it's highly recommended setting a passphrase! 
- - letsencrypt: - key_size: - email: - -apache_config_graylist: [ - 'SSLEngine', 'SSLCertificateKeyFile', 'SSLCertificateFile', 'SSLCertificateChainFile', 'ErrorLog', 'CustomLog', 'ServerAdmin', - 'ServerAlias', 'ServerName', 'Redirect' -] -force_removal: false -NONE_VALUES: [none, '', ' '] +APACHE_CONFIG: "{{ defaults_apache | combine(apache, recursive=true) }}" diff --git a/defaults/main/2_site.yml b/defaults/main/2_site.yml new file mode 100644 index 0000000..4f85ee4 --- /dev/null +++ b/defaults/main/2_site.yml 
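Review bot: `APACHE_CONFIG: "{{ defaults_apache | combine(apache, recursive=true) }}"` still fails with an undefined-variable error when a play includes the role without defining `apache` at all, even though `defaults_apache.sites: {}` suggests the role can run with no user config. If `apache` is meant to be mandatory, an explicit `assert` task with a clear message is friendlier than the templating error; otherwise `combine(apache | default({}), recursive=true)` keeps the documented defaults. The rename from `default_apache` to `defaults_apache` is a visible variable change, so it deserves a line in the README or changelog for anyone who referenced the old name.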
@@ -0,0 +1,66 @@ +--- + +# site-specific config +defaults_site: + mode: 'serve' + state: 'present' + admin: 'apache@template.ansibleguy.net' + port_plain: 80 + port_ssl: 443 + listen: '*' + domain: + aliases: [] + ip: + http_versions: [2, 1] + plain_site: true # if http site (only used for redirect to https) should be created + plain_redirect: 'preserve_domain' # keep hostname from plain request => any other value will set the redirect to the main-domain + + config: {} # site-specific setting-value pairs + config_additions: [] # lines that will 1-to-1 be appended to the site-config + app_include: false + headers: {} + + security: # https://www.nixpal.com/apache-httpd-hardening/ + disable_root_index: true + disable_ssi_cgi: true + restrict_methods: true + + redirect: + target: 'https://github.com/ansibleguy' + request_uri: false + + serve: + path: '/var/www/html' + + ssl: # see: https://github.com/ansibleguy/infra_certs + mode: 'ca' # existing/selfsigned/ca/letsencrypt + # existing: + # We expect the certs to be placed in the role's 'files' directory named like the site + # Example: files/certs/ansibleguy.key and files/certs/ansibleguy.crt + # letsencrypt: + # Host needs to have a valid public dns record pointed at it + # Needs to be publicly reachable over port 80/tcp + cert: + name: + cn: 'Apache Certificate' + org: 'AnsibleGuy' + ou: + country: + state: + locality: + email: + crl_distribution: [] + ca: + file: # can be used if you want to use an existing ca + cn: + org: + ou: + country: + state: + locality: + email: + pwd: # it's highly recommended setting a passphrase! + + letsencrypt: + key_size: + email: diff --git a/tasks/debian/add_site.yml b/tasks/debian/add_site.yml index 4607b4c..f51741b 100644 --- a/tasks/debian/add_site.yml +++ b/tasks/debian/add_site.yml 
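Review bot: `redirect.target: 'https://github.com/ansibleguy'` is a surprising default: a site that sets `mode: 'redirect'` and forgets its own target silently sends all traffic for that domain to the author's GitHub profile, because site_https.j2 renders `Redirect permanent / {{ site.redirect.target }}` straight from this value. I'd default it to null (`target:`) and extend the existing "Checking config" fail-task in add_site.yml to reject `mode == 'redirect'` with an empty target, so a typo fails the run instead of going live. The bare-null keys (`domain:`, `ip:`, `ou:`, `pwd:` …) are a deliberate Ansible convention here, but a `# empty value = unset` comment at the top of the file would make that explicit for readers and yamllint users.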
@@ -1,5 +1,21 @@ --- +# todo: option for security.txt + +- name: "Apache | Debian | Site '{{ name }}' | Showing debug info - user provided config" + ansible.builtin.debug: + var: site_item.value + when: + - debug is defined + - debug + +- name: "Apache | Debian | Site '{{ name }}' | Showing debug info - running config" + ansible.builtin.debug: + var: site + when: + - debug is defined + - debug + - name: "Apache | Debian | Site '{{ name }}' | Checking config" ansible.builtin.fail: msg: "The required site-configuration was not provided! diff --git a/tasks/debian/main.yml b/tasks/debian/main.yml index 058e883..2e5a2c5 100644 --- a/tasks/debian/main.yml +++ b/tasks/debian/main.yml @@ -1,5 +1,19 @@ --- +- name: Apache | Debian | Showing debug info - user provided config + ansible.builtin.debug: + var: apache + when: + - debug is defined + - debug + +- name: Apache | Debian | Showing debug info - running config + ansible.builtin.debug: + var: APACHE_CONFIG + when: + - debug is defined + - debug + - name: Apache | Debian | Install apache ansible.builtin.apt: name: "{{ APACHE_HC.packages }}" @@ -71,7 +85,7 @@ name: ansibleguy.infra_certs when: site.ssl.mode == 'letsencrypt' vars: - site: "{{ default_site_config | combine(site_item.value, recursive=true) }}" + site: "{{ defaults_site | combine(site_item.value, recursive=true) }}" name: "{{ site_item.key | safe_key }}" certs: mode: 'le_certbot' @@ -112,7 +126,7 @@ ansible.builtin.include_tasks: rm_site.yml when: site.state != 'present' vars: - site: "{{ default_site_config | combine(site_item.value, recursive=true) }}" + site: "{{ defaults_site | combine(site_item.value, recursive=true) }}" name: "{{ site_item.key | safe_key }}" path: "{{ site.serve.path }}" loop_control: 
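Review bot: The two new debug tasks print `site_item.value` and the merged `site` dict, which carries `ssl.ca.pwd` (the CA passphrase) and whatever else the user put under `ssl`; with `debug` enabled that secret lands in console output and any log aggregator fed by it. The same applies to the `apache` / `APACHE_CONFIG` tasks added at the top of tasks/debian/main.yml, since sites and their `ssl` blocks live under `apache.sites`. I'd print a redacted copy instead, e.g. `msg: "{{ site | combine({'ssl': {'ca': {'pwd': '***'}}}, recursive=true) }}"`, and do the same for the user-provided-config tasks. The condition is also loose: `-e debug=yes` as documented in the README passes a string, and `when: debug` is true for any non-empty string including `debug=no`; `when: debug | default(false) | bool` replaces both list items and covers the undefined case.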
@@ -137,7 +151,7 @@ ansible.builtin.include_tasks: add_site.yml when: site.state == 'present' vars: - site: "{{ default_site_config | combine(site_item.value, recursive=true) }}" + site: "{{ defaults_site | combine(site_item.value, recursive=true) }}" name: "{{ site_item.key | safe_key }}" path: "{{ site.serve.path }}" loop_control: diff --git a/templates/etc/apache2/sites-available/inc/site_http.j2 b/templates/etc/apache2/sites-available/inc/site_http.j2 new file mode 100644 index 0000000..6545234 --- /dev/null +++ b/templates/etc/apache2/sites-available/inc/site_http.j2 @@ -0,0 +1,30 @@ + +{% if site.plain_site %} +# http listener + + ServerName {{ site.domain }} + +{% if site.aliases | length > 0 %} + ServerAlias {% for name in site.aliases %} {{ name }} {% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %} +{% endif %} + ServerAdmin {{ site.admin }} + + # http versions + Protocols {% if 2 in site.http_versions %}h2c {% endif %}{% if 1 in site.http_versions or 2 not in site.http_versions %}http/1.1{% endif %} + +{% include "inc/site_http_log.j2" %} + + RewriteEngine On +{% if site.ssl.mode != 'letsencrypt' %} + # welcome letsencrypt bots + RewriteCond %{REQUEST_URI} !^\/\.well-known\/acme-challenge\/.*$ +{% endif %} + # redirect all to secure connection +{% if site.plain_redirect == 'preserve_domain' %} + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} +{% else %} + RewriteRule ^ https://{{ site.domain }}%{REQUEST_URI} +{% endif %} + + +{% endif %} diff --git a/templates/etc/apache2/sites-available/inc/site_http_log.j2 b/templates/etc/apache2/sites-available/inc/site_http_log.j2 new file mode 100644 index 0000000..23987c4 --- /dev/null +++ b/templates/etc/apache2/sites-available/inc/site_http_log.j2 
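Review bot: The new ACME exemption is guarded by `{% if site.ssl.mode != 'letsencrypt' %}`, which looks inverted: the `RewriteCond %{REQUEST_URI} !^\/\.well-known\/acme-challenge\/.*$` exists so the http-01 challenge is not bounced to HTTPS, and that only matters when the site's certificate actually comes from Let's Encrypt, whereas a site in `ca`/`selfsigned` mode has nothing to serve under that path and the exemption needlessly leaves a plain-HTTP route open. Unless the `le_certbot` flow in main.yml handles the challenge on its own, this should read `{% if site.ssl.mode == 'letsencrypt' %}`. Separately, `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}` has no flags, so httpd issues a 302 and keeps evaluating the rule set; `[R=301,L]` gives the permanent redirect this block intends — pre-existing, but this is the moment it becomes a shared include. Because `preserve_domain` echoes the client's `Host` header into the Location target, make sure this vhost is not the catch-all/first vhost, or add a `RewriteCond %{HTTP_HOST}` check against the site's ServerName and aliases, so an arbitrary Host value cannot turn the redirect into one to a foreign host.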
@@ -0,0 +1,15 @@ + + # log config +{% if APACHE_CONFIG.log.syslog and APACHE_CONFIG.log.syslog_host is not none %} + ErrorLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.error -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" + CustomLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.info -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" combined +{% elif APACHE_CONFIG.log.syslog %} + ErrorLog "| /usr/bin/logger -p local1.error -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" + CustomLog "| /usr/bin/logger -p local1.info -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" combined +{% elif APACHE_CONFIG.log.per_site %} + ErrorLog {{ APACHE_CONFIG.log.path }}/{{ name }}_error.log + CustomLog {{ APACHE_CONFIG.log.path }}/{{ name }}_access.log combined +{% else %} + ErrorLog {{ APACHE_CONFIG.log.path }}/error.log + CustomLog {{ APACHE_CONFIG.log.path }}/access.log combined +{% endif %} diff --git a/templates/etc/apache2/sites-available/inc/site_https.j2 b/templates/etc/apache2/sites-available/inc/site_https.j2 new file mode 100644 index 0000000..7dd3d6c --- /dev/null +++ b/templates/etc/apache2/sites-available/inc/site_https.j2 
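Review bot: The piped loggers are written as `ErrorLog "| /usr/bin/logger -n {{ … }} …"`; with a single `|` httpd starts the command through the shell, so the interpolated `syslog_host`, `syslog_port`, `prefix_ue` and `name` are shell-parsed and a value with a space or metacharacter silently changes the command. These are operator-supplied values, so the risk is low, but `"|| /usr/bin/logger …"` (double pipe) starts the program without a shell at no cost — if I remember the piped-log documentation correctly this is supported throughout 2.4. The first branch checks `syslog_host is not none` but not `syslog_port`; if the port can be left unset in `defaults_apache.log` (not visible in this patch), `-P None` is rendered. The same block appears in site_https_log.j2 later in this patch (with `prefix_ssl`), so both files should get the change.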
@@ -0,0 +1,60 @@ + +# https listener + + ServerName {{ site.domain }} + +{% if site.aliases | length > 0 %} + ServerAlias {% for alias in site.aliases %} {{ alias }} {% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %} +{% endif %} + + ServerAdmin {{ site.admin }} + + # http versions + Protocols {% if 2 in site.http_versions %}h2 {% endif %}{% if 1 in site.http_versions or 2 not in site.http_versions %}http/1.1{% endif %} + +{% include "inc/site_https_log.j2" %} +{% include "inc/site_https_ssl.j2" %} +{% include "inc/site_https_config.j2" %} +{% include "inc/site_https_headers.j2" %} + +{% if site.mode == 'redirect' %} + # redirect-mode config + Redirect permanent / {{ site.redirect.target }} +{% if site.redirect.request_uri %} + RedirectMatch permanent ^/(.*)$ {{ site.redirect.target }}/$1 +{% else %} + RedirectMatch permanent ^/(.*)$ {{ site.redirect.target }} +{% endif %} + +{% elif site.mode == 'serve' %} + # serve-mode config + DocumentRoot {{ site.serve.path }} + + # mode-specific security config + +{% if site.security.disable_ssi_cgi %} + Options -FollowSymLinks -ExecCGI -Includes + AllowOverride None +{% endif %} +{% if site.security.disable_root_index %} + Options -Indexes +{% endif %} + Require all granted + + + +{% endif %} + +{% if site.config_additions | length > 0 %} + # additional lines +{% endif %} +{% for line in site.config_additions %} + {{ line }} +{% endfor %} + +{% if site.app_include %} + # additional application config include + IncludeOptional /etc/apache2/sites-available/site_{{ name }}_app.conf +{% endif %} + + diff --git a/templates/etc/apache2/sites-available/inc/site_https_config.j2 b/templates/etc/apache2/sites-available/inc/site_https_config.j2 new file mode 100644 index 0000000..26b318a --- /dev/null +++ b/templates/etc/apache2/sites-available/inc/site_https_config.j2 
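Review bot: In the redirect-mode block, `Redirect permanent / {{ site.redirect.target }}` already matches every request path (mod_alias does prefix matching and, as far as I recall, the first matching directive wins), so the `RedirectMatch permanent ^/(.*)$ …` line that implements `site.redirect.request_uri` is never reached, and the plain `Redirect` appends the remainder of the path to a target without a trailing slash (`/foo` → `…/ansibleguyfoo`). Dropping the `Redirect` line and keeping only the two `RedirectMatch` variants would make `request_uri` effective. Inherited from the old site.conf.j2, but the move into an include is a good moment to fix it and to add a `# only one of these applies; RedirectMatch keeps or strips the request path` comment.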
@@ -0,0 +1,32 @@ + +{% if APACHE_CONFIG.config | length > 0 %} + # global config +{% for setting, value in APACHE_CONFIG.config.items() %} +{% if setting not in APACHE_HC.config_graylist and value not in NONE_VALUES %} + {{ setting }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if site.config | length > 0 %} + # site-specific config +{% for setting, value in site.config.items() %} +{% if setting not in APACHE_HC.config_graylist and value not in NONE_VALUES %} + {{ setting }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + + # security config +{% if site.security.restrict_methods %} + + RewriteEngine On + RewriteCond %{REQUEST_METHOD} ^(?!{% for method in APACHE_CONFIG.security.restricted_methods %}{{ method }}{% if not loop.last %}|{% endif %}{% endfor %}) + RewriteRule .* - [F] + + + + Require all denied + + +{% endif %} diff --git a/templates/etc/apache2/sites-available/inc/site_https_headers.j2 b/templates/etc/apache2/sites-available/inc/site_https_headers.j2 new file mode 100644 index 0000000..84eab2e --- /dev/null +++ b/templates/etc/apache2/sites-available/inc/site_https_headers.j2 @@ -0,0 +1,32 @@ + +{% if APACHE_CONFIG.headers | length > 0 %} + # global headers + +{% for header, value in APACHE_CONFIG.headers.items() %} +{% if header not in site.headers and value not in NONE_VALUES %} +{% if 'Header' in header %} + {{ header }} {{ value }} +{% else %} + Header set {{ header }} {{ value }} +{% endif %} +{% endif %} +{% endfor %} + + +{% endif %} + +{% if site.headers | length > 0 %} + # site-specific headers + +{% for header, value in site.headers.items() %} +{% if value not in NONE_VALUES %} +{% if 'Header' in header %} + {{ header }} {{ value }} +{% else %} + Header set {{ header }} {{ value }} +{% endif %} +{% endif %} +{% endfor %} + + +{% endif %} diff --git a/templates/etc/apache2/sites-available/inc/site_https_log.j2 b/templates/etc/apache2/sites-available/inc/site_https_log.j2 new file mode 100644 index 0000000..522ce70 
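Review bot: The graylist check `setting not in APACHE_HC.config_graylist` is case-sensitive while Apache directive names are not, so `sslengine: off` or `ERRORLOG …` in `site.config` (or `APACHE_CONFIG.config`) slips past the list that is meant to keep SSL, logging, ServerName and Redirect under the role's control. Comparing in lower case in both loops closes that: `{% if setting | lower not in APACHE_HC.config_graylist | map('lower') | list and value not in NONE_VALUES %}`. A short comment above the first loop, `{# directives in the graylist are rendered by the role and must not be overridden here #}`, would document the intent.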
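Review bot: Both loops emit `Header set {{ header }} {{ value }}`, and `Header set` uses the default `onsuccess` table, which if I remember mod_headers correctly is applied only to 2xx responses — so security headers such as `Strict-Transport-Security` or `Content-Security-Policy` would be missing on error pages and redirects. For the plain-key form I'd render `Header always set {{ header }} {{ value }}`; users who need the success-only behaviour can still pass the raw `Header …` form, which the `'Header' in header` branch already emits verbatim. That substring test also fires for any key merely containing the word (e.g. `X-Header-Foo`) and passes it through unchanged; `{% if header.startswith('Header') %}` is the narrower check.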
--- /dev/null +++ b/templates/etc/apache2/sites-available/inc/site_https_log.j2 @@ -0,0 +1,15 @@ + + # log config +{% if APACHE_CONFIG.log.syslog and APACHE_CONFIG.log.syslog_host is not none %} + ErrorLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.error -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" + CustomLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.info -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" combined +{% elif APACHE_CONFIG.log.syslog %} + ErrorLog "| /usr/bin/logger -p local1.error -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" + CustomLog "| /usr/bin/logger -p local1.info -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" combined +{% elif APACHE_CONFIG.log.per_site %} + ErrorLog {{ APACHE_CONFIG.log.path }}/{{ name }}_error.log + CustomLog {{ APACHE_CONFIG.log.path }}/{{ name }}_access.log combined +{% else %} + ErrorLog {{ APACHE_CONFIG.log.path }}/error.log + CustomLog {{ APACHE_CONFIG.log.path }}/access.log combined +{% endif %} diff --git a/templates/etc/apache2/sites-available/inc/site_https_ssl.j2 b/templates/etc/apache2/sites-available/inc/site_https_ssl.j2 new file mode 100644 index 0000000..eab4113 --- /dev/null +++ b/templates/etc/apache2/sites-available/inc/site_https_ssl.j2 @@ -0,0 +1,10 @@ + + # ssl config + + SSLEngine on + SSLCertificateKeyFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}.key + SSLCertificateFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}.crt +{% if site.ssl.mode != 'selfsigned' %} + SSLCertificateChainFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}{% if site.ssl.mode == 'letsencrypt' %}.fullchain{% else %}.chain{% endif %}.crt +{% endif %} + diff --git a/templates/etc/apache2/sites-available/site.conf.j2 b/templates/etc/apache2/sites-available/site.conf.j2 index ad63b27..118c623 100644 --- a/templates/etc/apache2/sites-available/site.conf.j2 +++ b/templates/etc/apache2/sites-available/site.conf.j2 
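Review bot: `SSLCertificateChainFile` has been deprecated since httpd 2.4.8, where `SSLCertificateFile` accepts a file holding the leaf followed by the intermediates; in `letsencrypt` mode pointing `SSLCertificateFile` at the `.fullchain.crt` file and dropping the chain directive would be the current form, and for `ca` mode the same can be done by concatenating the `.chain.crt` material. Not a functional bug, but if the directive stays, a `# SSLCertificateChainFile is deprecated since 2.4.8; kept for compatibility with the infra_certs file layout` comment explains the choice to the next reader. The enclosing block's open/close tags are not visible in this rendering, so I cannot confirm where these lines sit in the vhost.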
@@ -1,187 +1,7 @@ # {{ ansible_managed }} # ansibleguy.infra_apache -{% if site.plain_site %} -# http listener - - ServerName {{ site.domain }} - -{% if site.aliases | length > 0 %} - ServerAlias {% for name in site.aliases %} {{ name }} {% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %} -{% endif %} - ServerAdmin {{ site.admin }} - - # log config -{% if APACHE_CONFIG.log.syslog and APACHE_CONFIG.log.syslog_host is not none %} - ErrorLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.error -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" - CustomLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.info -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" combined -{% elif APACHE_CONFIG.log.syslog %} - ErrorLog "| /usr/bin/logger -p local1.error -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" - CustomLog "| /usr/bin/logger -p local1.info -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" combined -{% elif APACHE_CONFIG.log.per_site %} - ErrorLog {{ APACHE_CONFIG.log.path }}/{{ name }}_error.log - CustomLog {{ APACHE_CONFIG.log.path }}/{{ name }}_access.log combined -{% else %} - ErrorLog {{ APACHE_CONFIG.log.path }}/error.log - CustomLog {{ APACHE_CONFIG.log.path }}/access.log combined -{% endif %} - - # http versions - Protocols {% if 2 in site.http_versions %}h2c {% endif %}{% if 1 in site.http_versions or 2 not in site.http_versions %}http/1.1{% endif %} - - # redirect all to secure connection - RewriteEngine On -{% if site.plain_redirect == 'preserve_domain' %} - RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} -{% else %} - RewriteRule ^ https://{{ site.domain }}%{REQUEST_URI} -{% endif %} - - -{% endif %} - -# https listener - - ServerName {{ site.domain }} - -{% if site.aliases | length > 0 %} - ServerAlias {% for alias in site.aliases %} {{ alias }} {% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %} -{% endif %} - - 
ServerAdmin {{ site.admin }} - - # log config -{% if APACHE_CONFIG.log.syslog and APACHE_CONFIG.log.syslog_host is not none %} - ErrorLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.error -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" - CustomLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.info -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" combined -{% elif APACHE_CONFIG.log.syslog %} - ErrorLog "| /usr/bin/logger -p local1.error -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" - CustomLog "| /usr/bin/logger -p local1.info -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" combined -{% elif APACHE_CONFIG.log.per_site %} - ErrorLog {{ APACHE_CONFIG.log.path }}/{{ name }}_error.log - CustomLog {{ APACHE_CONFIG.log.path }}/{{ name }}_access.log combined -{% else %} - ErrorLog {{ APACHE_CONFIG.log.path }}/error.log - CustomLog {{ APACHE_CONFIG.log.path }}/access.log combined -{% endif %} - - # http versions - Protocols {% if 2 in site.http_versions %}h2 {% endif %}{% if 1 in site.http_versions or 2 not in site.http_versions %}http/1.1{% endif %} - - # ssl config - - SSLEngine on - SSLCertificateKeyFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}.key - SSLCertificateFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}.crt -{% if site.ssl.mode != 'selfsigned' %} - SSLCertificateChainFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}{% if site.ssl.mode == 'letsencrypt' %}.fullchain{% else %}.chain{% endif %}.crt -{% endif %} - - -{% if APACHE_CONFIG.config | length > 0 %} - # global config -{% for setting, value in APACHE_CONFIG.config.items() %} -{% if setting not in apache_config_graylist and value not in NONE_VALUES %} - {{ setting }} {{ value }} -{% endif %} -{% endfor %} -{% endif %} - -{% if site.config | length > 0 %} - # site-specific config -{% for setting, value in site.config.items() %} -{% if setting not in apache_config_graylist and value not in 
NONE_VALUES %} - {{ setting }} {{ value }} -{% endif %} -{% endfor %} -{% endif %} - -{% if APACHE_CONFIG.headers | length > 0 %} - # global headers - -{% for header, value in APACHE_CONFIG.headers.items() %} -{% if header not in site.headers and value not in NONE_VALUES %} -{% if 'Header' in header %} - {{ header }} {{ value }} -{% else %} - Header set {{ header }} {{ value }} -{% endif %} -{% endif %} -{% endfor %} - - -{% endif %} - -{% if site.headers | length > 0 %} - # site-specific headers - -{% for header, value in site.headers.items() %} -{% if value not in NONE_VALUES %} -{% if 'Header' in header %} - {{ header }} {{ value }} -{% else %} - Header set {{ header }} {{ value }} -{% endif %} -{% endif %} -{% endfor %} - - -{% endif %} - - # security config -{% if site.security.restrict_methods %} - - RewriteEngine On - RewriteCond %{REQUEST_METHOD} ^(?!{% for method in APACHE_CONFIG.security.restricted_methods %}{{ method }}{% if not loop.last %}|{% endif %}{% endfor %}) - RewriteRule .* - [F] - - - - Require all denied - - -{% endif %} - -{% if site.mode == 'redirect' %} - # redirect-mode config - Redirect permanent / {{ site.redirect.target }} -{% if site.redirect.request_uri %} - RedirectMatch permanent ^/(.*)$ {{ site.redirect.target }}/$1 -{% else %} - RedirectMatch permanent ^/(.*)$ {{ site.redirect.target }} -{% endif %} - -{% elif site.mode == 'serve' %} - # serve-mode config - DocumentRoot {{ site.serve.path }} - - # mode-specific security config - -{% if site.security.disable_ssi_cgi %} - Options -FollowSymLinks -ExecCGI -Includes - AllowOverride None -{% endif %} -{% if site.security.disable_root_index %} - Options -Indexes -{% endif %} - Require all granted - - - -{% endif %} - -{% if site.config_additions | length > 0 %} - # additional lines -{% endif %} -{% for line in site.config_additions %} - {{ line }} -{% endfor %} - -{% if site.app_include %} - # additional application config include - IncludeOptional /etc/apache2/sites-available/site_{{ 
name }}_app.conf -{% endif %} - - +{% include "inc/site_http.j2" %} +{% include "inc/site_https.j2" %} ServerName {{ site.domain }}