public_git
/
ansibleguy.infra_apache
mirror of https://github.com/ansibleguy/infra_apache.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
ansibleguy.infra_apache/defaults/main.yml

206 lines
6.4 KiB
YAML
Raw Blame History

---
# main switches
configure_anti_ddos: true # mod_evasive
configure_security: true # https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu
# default config => is overwritten by provided config
default_apache:
sites: {}
ipv6: false # IMPORTANT: at least one ipv6 address MUST BE defined on your system! else apache2 will fail to start
status_page:
state: 'present'
bind: '127.0.0.1'
port: 80
path: 'server-status'
log:
path: '/var/log/apache2'
per_site: true
syslog: true
syslog_host:
syslog_port: 514
syslog_max_size: '4KiB' # see: https://manpages.ubuntu.com/manpages/xenial/man1/logger.1.html
prefix_ue: 'apache_' # log prefix for http site
prefix_ssl: 'apache_' # log prefix for ssl site
user: 'www-data'
group: 'www-data'
settings:
# setting to be set in apache2.conf
ServerTokens: 'Prod'
ServerSignature: 'Off'
# additions to the main apache config
config: # see: https://httpd.apache.org/docs/2.4/mod/core.html
FileETag: 'None'
KeepAlive: 'On'
KeepAliveTimeout: 5
MaxKeepAliveRequests: 100
LimitRequestBody: 51200000 # 50MB => if you use file-uploads you might need to change this (0=unlimited, max=2147483647 [2GB])
LimitRequestFields: 50
LimitRequestFieldSize: 8190
LimitRequestLine: 8190
LimitXMLRequestBody: 1000000
TimeOut: 60
TraceEnable: 'off'
# ssl option => see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
SSLProtocol: 'ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3'
SSLCipherSuite: 'ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL'
SSLHonorCipherOrder: 'on'
SSLOptions: '+StrictRequire'
SSLSessionTickets: 'off'
SSLCompression: 'off'
headers: # https://htaccessbook.com/important-security-headers/ | https://geekflare.com/http-header-implementation/
# if first key does not include 'Header' => prepend 'Header set'
'Header always set Strict-Transport-Security': '"max-age=31536000; includeSubDomains; preload"'
'Referrer-Policy': '"same-origin"'
# 'Content-Security-Policy': "\"default-src 'self';\"" # disabled since it blocks too many common use-cases
'X-Frame-Options': 'SAMEORIGIN'
'X-Content-Type-Options': 'nosniff'
'X-Permitted-Cross-Domain-Policies': '"none"'
'X-XSS-Protection': '"1; mode=block"'
'Header always edit Set-Cookie ^(.*)$': '$1;HttpOnly;Secure;SameSite=None'
# 'Header set Permissions-Policy': '"none"'
# 'Header set Content-Security-Policy': '"default-src https:; font-src https:; img-src https:; script-src https:; style-src https:;"'
ssl: # see: https://github.com/ansibleguy/infra_certs
path: '/etc/apache2/ssl'
ca:
file: # can be used if you want to use an existing ca
cn: 'Apache CA Certificate'
org: 'AnsibleGuy'
ou:
country:
state:
locality:
email:
pwd: # it's highly recommended setting a passphrase!
modules:
present: ['ssl', 'headers', 'rewrite', 'http2']
absent: ['autoindex']
letsencrypt:
key_size: 4096
path: '/etc/letsencrypt'
renew_timer: 'Mon *-*-* 03:00:00'
verbosity: 'v'
email:
renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
security:
restricted_methods: ['GET', 'POST', 'HEAD']
APACHE_CONFIG: "{{ default_apache | combine(apache, recursive=true) }}"
APACHE_HC:
packages: ['systemd', 'apache2']
# site-specific config
default_site_config:
mode: 'serve'
state: 'present'
admin: 'apache@template.ansibleguy.net'
port_plain: 80
port_ssl: 443
listen: '*'
domain:
aliases: []
ip:
http_versions: [2, 1]
plain_site: true # if http site (only used for redirect to https) should be created
plain_redirect: 'preserve_domain' # keep hostname from plain request => any other value will set the redirect to the main-domain
config: {} # site-specific setting-value pairs
config_additions: [] # lines that will 1-to-1 be appended to the site-config
app_include: false
headers: {}
security: # https://www.nixpal.com/apache-httpd-hardening/
disable_root_index: true
disable_ssi_cgi: true
restrict_methods: true
redirect:
target: 'https://github.com/ansibleguy'
request_uri: false
serve:
path: '/var/www/html'
ssl: # see: https://github.com/ansibleguy/infra_certs
mode: 'selfsigned' # existing/selfsigned/ca/letsencrypt
# existing:
# We expect the certs to be placed in the role's 'files' directory named like the site
# Example: files/certs/ansibleguy.key and files/certs/ansibleguy.crt
# letsencrypt:
# Host needs to have a valid public dns record pointed at it
# Needs to be publicly reachable over port 80/tcp
cert:
name:
cn: 'Apache Certificate'
org: 'AnsibleGuy'
ou:
country:
state:
locality:
email:
crl_distribution: []
ca:
file: # can be used if you want to use an existing ca
cn:
org:
ou:
country:
state:
locality:
email:
pwd: # it's highly recommended setting a passphrase!
letsencrypt:
key_size:
email:
default_modules:
# <IfModule ${MOD}>
# </IfModule>
prefork: # see: https://httpd.apache.org/docs/2.4/mod/mpm_common.html
ifname: 'prefork.c'
settings:
StartServers: 5
MinSpareServers: 5
MaxSpareServers: 10
MaxRequestWorkers: 256
MaxConnectionsPerChild: 0
mod_evasive:
ifname: 'mod_evasive20.c'
settings:
DOSHashTableSize: 4096
DOSPageCount: 25
DOSSiteCount: 100
DOSPageInterval: 1
DOSSiteInterval: 1
DOSBlockingPeriod: 60
DOSLogDir: "{{ CONFIG.log.path }}"
# DOSSystemCommand:
# DOSEmailNotify: mail@yourdomain.com
DOSWhitelist: [
'127.0.0.*', '192.168.*.*', '10.*.*.*', '172.16.*.*', '172.17.*.*', '172.18.*.*', '172.19.*.*',
'172.20.*.*', '172.21.*.*', '172.22.*.*', '172.23.*.*', '172.24.*.*', '172.25.*.*', '172.26.*.*',
'172.27.*.*', '172.28.*.*', '172.29.*.*', '172.30.*.*', '172.31.*.*', '172.32.*.*',
]
APACHE_MODULES: "{{ default_modules | combine(modules, recursive=true) }}"
apache_config_graylist: [
'SSLEngine', 'SSLCertificateKeyFile', 'SSLCertificateFile', 'SSLCertificateChainFile', 'ErrorLog', 'CustomLog', 'ServerAdmin',
'ServerAlias', 'ServerName', 'Redirect'
]
force_removal: false
NONE_VALUES: [none, '', ' ']
Reference in New Issue View Git Blame Copy Permalink