---

# default config => is overwritten by provided config
defaults_apache:
  sites: {}

  ipv6: false  # IMPORTANT: at least one ipv6 address MUST BE defined on your system! else apache2 will fail to start

  status_page:
    state: 'present'
    bind: '127.0.0.1'
    port: 8888
    path: 'server-status'

  log:
    path: '/var/log/apache2'
    per_site: true
    syslog: true
    syslog_host:
    syslog_port: 514
    syslog_max_size: '4KiB'  # see: https://manpages.ubuntu.com/manpages/xenial/man1/logger.1.html
    prefix_ue: 'apache_'  # log prefix for http site
    prefix_ssl: 'apache_'  # log prefix for ssl site

  user: 'www-data'
  group: 'www-data'

  settings:
    # setting to be set in apache2.conf
    ServerTokens: 'Prod'
    ServerSignature: 'Off'

  # additions to the main apache config
  config:  # see: https://httpd.apache.org/docs/2.4/mod/core.html
    FileETag: 'None'
    KeepAlive: 'On'
    KeepAliveTimeout: 5
    MaxKeepAliveRequests: 100
    LimitRequestBody: 51200000  # 50MB => if you use file-uploads you might need to change this (0=unlimited, max=2147483647 [2GB])
    LimitRequestFields: 50
    LimitRequestFieldSize: 8190
    LimitRequestLine: 8190
    LimitXMLRequestBody: 1000000
    TimeOut: 60
    TraceEnable: 'off'
    # ssl option => see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
    SSLProtocol: 'ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3'
    SSLCipherSuite: 'ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL'
    SSLHonorCipherOrder: 'on'
    SSLOptions: '+StrictRequire'
    SSLSessionTickets: 'off'
    SSLCompression: 'off'

  headers:  # https://htaccessbook.com/important-security-headers/ | https://geekflare.com/http-header-implementation/
    # if first key does not include 'Header' => prepend 'Header set'
    'Header always set Strict-Transport-Security': '"max-age=31536000; includeSubDomains; preload"'
    'Referrer-Policy': '"same-origin"'
    # 'Content-Security-Policy': "\"default-src 'self';\""  # disabled since it blocks too many common use-cases
    'X-Frame-Options': 'SAMEORIGIN'
    'X-Content-Type-Options': 'nosniff'
    'X-Permitted-Cross-Domain-Policies': '"none"'
    'Header always edit Set-Cookie ^(.*)$': '$1;HttpOnly;Secure;SameSite=None'
    # 'Header set Permissions-Policy': '"none"'
    # 'Header set Content-Security-Policy': '"default-src https:; font-src https:; img-src https:; script-src https:; style-src https:;"'

  ssl:  # see: https://github.com/O-X-L/ansible-role-certs
    path: '/etc/apache2/ssl'
    ca:
      file:  # can be used if you want to use an existing ca
      cn: 'Apache CA Certificate'
      org: 'AnsibleGuy'
      ou:
      country:
      state:
      locality:
      email:
      pwd:  # it's highly recommended setting a passphrase!

  modules:
    present: ['ssl', 'headers', 'rewrite', 'http2']
    absent: ['autoindex']

  letsencrypt:
    key_size: 4096
    path: '/etc/letsencrypt'
    renew_timer: 'Mon *-*-* 03:00:00'
    verbosity: 'v'
    email:
    renew: false  # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise

  security:
    restricted_methods: ['GET', 'POST', 'HEAD']
    dangerous_methods: ['TRACE', 'CONNECT']

debug: false