188 lines
6.4 KiB
Django/Jinja
188 lines
6.4 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
# ansibleguy.infra_apache
|
|
|
|
{% if site.plain_site %}
|
|
# http listener
|
|
<VirtualHost {{ site.listen }}:{{ site.port_plain }}>
|
|
ServerName {{ site.domain }}
|
|
|
|
{% if site.aliases | length > 0 %}
|
|
ServerAlias {% for name in site.aliases %} {{ name }} {% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %}
|
|
{% endif %}
|
|
ServerAdmin {{ site.admin }}
|
|
|
|
# log config
|
|
{% if APACHE_CONFIG.log.syslog and APACHE_CONFIG.log.syslog_host is not none %}
|
|
ErrorLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.error -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}"
|
|
CustomLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.info -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" combined
|
|
{% elif APACHE_CONFIG.log.syslog %}
|
|
ErrorLog "| /usr/bin/logger -p local1.error -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}"
|
|
CustomLog "| /usr/bin/logger -p local1.info -t {{ APACHE_CONFIG.log.prefix_ue }}{{ name }}" combined
|
|
{% elif APACHE_CONFIG.log.per_site %}
|
|
ErrorLog {{ APACHE_CONFIG.log.path }}/{{ name }}_error.log
|
|
CustomLog {{ APACHE_CONFIG.log.path }}/{{ name }}_access.log combined
|
|
{% else %}
|
|
ErrorLog {{ APACHE_CONFIG.log.path }}/error.log
|
|
CustomLog {{ APACHE_CONFIG.log.path }}/access.log combined
|
|
{% endif %}
|
|
|
|
# http versions
|
|
Protocols {% if 2 in site.http_versions %}h2c {% endif %}{% if 1 in site.http_versions or 2 not in site.http_versions %}http/1.1{% endif %}
|
|
|
|
# redirect all to secure connection
|
|
RewriteEngine On
|
|
{% if site.plain_redirect == 'preserve_domain' %}
|
|
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
|
|
{% else %}
|
|
RewriteRule ^ https://{{ site.domain }}%{REQUEST_URI}
|
|
{% endif %}
|
|
|
|
</VirtualHost>
|
|
{% endif %}
|
|
|
|
# https listener
|
|
<VirtualHost {{ site.listen }}:{{ site.port_ssl }}>
|
|
ServerName {{ site.domain }}
|
|
|
|
{% if site.aliases | length > 0 %}
|
|
ServerAlias {% for alias in site.aliases %} {{ alias }} {% endfor %}{% if site.ip is not none %} {{ site.ip }}{% endif %}
|
|
{% endif %}
|
|
|
|
ServerAdmin {{ site.admin }}
|
|
|
|
# log config
|
|
{% if APACHE_CONFIG.log.syslog and APACHE_CONFIG.log.syslog_host is not none %}
|
|
ErrorLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.error -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}"
|
|
CustomLog "| /usr/bin/logger -n {{ APACHE_CONFIG.log.syslog_host }} -P {{ APACHE_CONFIG.log.syslog_port }} -p local1.info -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" combined
|
|
{% elif APACHE_CONFIG.log.syslog %}
|
|
ErrorLog "| /usr/bin/logger -p local1.error -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}"
|
|
CustomLog "| /usr/bin/logger -p local1.info -t {{ APACHE_CONFIG.log.prefix_ssl }}{{ name }}" combined
|
|
{% elif APACHE_CONFIG.log.per_site %}
|
|
ErrorLog {{ APACHE_CONFIG.log.path }}/{{ name }}_error.log
|
|
CustomLog {{ APACHE_CONFIG.log.path }}/{{ name }}_access.log combined
|
|
{% else %}
|
|
ErrorLog {{ APACHE_CONFIG.log.path }}/error.log
|
|
CustomLog {{ APACHE_CONFIG.log.path }}/access.log combined
|
|
{% endif %}
|
|
|
|
# http versions
|
|
Protocols {% if 2 in site.http_versions %}h2 {% endif %}{% if 1 in site.http_versions or 2 not in site.http_versions %}http/1.1{% endif %}
|
|
|
|
# ssl config
|
|
<IfModule mod_ssl.c>
|
|
SSLEngine on
|
|
SSLCertificateKeyFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}.key
|
|
SSLCertificateFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}.crt
|
|
{% if site.ssl.mode != 'selfsigned' %}
|
|
SSLCertificateChainFile {{ APACHE_CONFIG.ssl.path }}/{{ name }}{% if site.ssl.mode == 'letsencrypt' %}.fullchain{% else %}.chain{% endif %}.crt
|
|
{% endif %}
|
|
</IfModule>
|
|
|
|
{% if APACHE_CONFIG.config | length > 0 %}
|
|
# global config
|
|
{% for setting, value in APACHE_CONFIG.config.items() %}
|
|
{% if setting not in apache_config_graylist and value not in NONE_VALUES %}
|
|
{{ setting }} {{ value }}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if site.config | length > 0 %}
|
|
# site-specific config
|
|
{% for setting, value in site.config.items() %}
|
|
{% if setting not in apache_config_graylist and value not in NONE_VALUES %}
|
|
{{ setting }} {{ value }}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
|
|
{% if APACHE_CONFIG.headers | length > 0 %}
|
|
# global headers
|
|
<IfModule mod_headers.c>
|
|
{% for header, value in APACHE_CONFIG.headers.items() %}
|
|
{% if header not in site.headers and value not in NONE_VALUES %}
|
|
{% if 'Header' in header %}
|
|
{{ header }} {{ value }}
|
|
{% else %}
|
|
Header set {{ header }} {{ value }}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
|
|
</IfModule>
|
|
{% endif %}
|
|
|
|
{% if site.headers | length > 0 %}
|
|
# site-specific headers
|
|
<IfModule mod_headers.c>
|
|
{% for header, value in site.headers.items() %}
|
|
{% if value not in NONE_VALUES %}
|
|
{% if 'Header' in header %}
|
|
{{ header }} {{ value }}
|
|
{% else %}
|
|
Header set {{ header }} {{ value }}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
|
|
</IfModule>
|
|
{% endif %}
|
|
|
|
# security config
|
|
{% if site.security.restrict_methods %}
|
|
<IfModule mod_rewrite.c>
|
|
RewriteEngine On
|
|
RewriteCond %{REQUEST_METHOD} ^(?!{% for method in APACHE_CONFIG.security.restricted_methods %}{{ method }}{% if not loop.last %}|{% endif %}{% endfor %})
|
|
RewriteRule .* - [F]
|
|
</IfModule>
|
|
<Directory />
|
|
<LimitExcept {% for method in APACHE_CONFIG.security.restricted_methods %}{{ method }} {% endfor %}>
|
|
deny from all
|
|
</LimitExcept>
|
|
</Directory>
|
|
{% endif %}
|
|
|
|
{% if site.mode == 'redirect' %}
|
|
# redirect-mode config
|
|
Redirect permanent / {{ site.redirect.target }}
|
|
{% if site.redirect.request_uri %}
|
|
RedirectMatch permanent ^/(.*)$ {{ site.redirect.target }}/$1
|
|
{% else %}
|
|
RedirectMatch permanent ^/(.*)$ {{ site.redirect.target }}
|
|
{% endif %}
|
|
|
|
{% elif site.mode == 'serve' %}
|
|
# serve-mode config
|
|
DocumentRoot {{ site.serve.path }}
|
|
|
|
# mode-specific security config
|
|
<Directory {{ site.serve.path }}>
|
|
{% if site.security.disable_ssi_cgi %}
|
|
Options -FollowSymLinks -ExecCGI -Includes
|
|
AllowOverride None
|
|
{% endif %}
|
|
{% if site.security.disable_root_index %}
|
|
Options -Indexes
|
|
{% endif %}
|
|
Require all granted
|
|
</Directory>
|
|
|
|
|
|
{% endif %}
|
|
|
|
{% if site.config_additions | length > 0 %}
|
|
# additional lines
|
|
{% endif %}
|
|
{% for line in site.config_additions %}
|
|
{{ line }}
|
|
{% endfor %}
|
|
|
|
{% if site.app_include %}
|
|
# additional application config include
|
|
IncludeOptional /etc/apache2/sites-available/site_{{ name }}_app.conf
|
|
{% endif %}
|
|
|
|
</VirtualHost>
|
|
|
|
ServerName {{ site.domain }}
|