96 lines
3.2 KiB
YAML
96 lines
3.2 KiB
YAML
---
|
|
|
|
# default config => is overwritten by provided config
|
|
defaults_apache:
|
|
sites: {}
|
|
|
|
ipv6: false # IMPORTANT: at least one ipv6 address MUST BE defined on your system! else apache2 will fail to start
|
|
|
|
status_page:
|
|
state: 'present'
|
|
bind: '127.0.0.1'
|
|
port: 8888
|
|
path: 'server-status'
|
|
|
|
log:
|
|
path: '/var/log/apache2'
|
|
per_site: true
|
|
syslog: true
|
|
syslog_host:
|
|
syslog_port: 514
|
|
syslog_max_size: '4KiB' # see: https://manpages.ubuntu.com/manpages/xenial/man1/logger.1.html
|
|
prefix_ue: 'apache_' # log prefix for http site
|
|
prefix_ssl: 'apache_' # log prefix for ssl site
|
|
|
|
user: 'www-data'
|
|
group: 'www-data'
|
|
|
|
settings:
|
|
# setting to be set in apache2.conf
|
|
ServerTokens: 'Prod'
|
|
ServerSignature: 'Off'
|
|
|
|
# additions to the main apache config
|
|
config: # see: https://httpd.apache.org/docs/2.4/mod/core.html
|
|
FileETag: 'None'
|
|
KeepAlive: 'On'
|
|
KeepAliveTimeout: 5
|
|
MaxKeepAliveRequests: 100
|
|
LimitRequestBody: 51200000 # 50MB => if you use file-uploads you might need to change this (0=unlimited, max=2147483647 [2GB])
|
|
LimitRequestFields: 50
|
|
LimitRequestFieldSize: 8190
|
|
LimitRequestLine: 8190
|
|
LimitXMLRequestBody: 1000000
|
|
TimeOut: 60
|
|
TraceEnable: 'off'
|
|
# ssl option => see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
|
|
SSLProtocol: 'ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3'
|
|
SSLCipherSuite: 'ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL'
|
|
SSLHonorCipherOrder: 'on'
|
|
SSLOptions: '+StrictRequire'
|
|
SSLSessionTickets: 'off'
|
|
SSLCompression: 'off'
|
|
|
|
headers: # https://htaccessbook.com/important-security-headers/ | https://geekflare.com/http-header-implementation/
|
|
# if first key does not include 'Header' => prepend 'Header set'
|
|
'Header always set Strict-Transport-Security': '"max-age=31536000; includeSubDomains; preload"'
|
|
'Referrer-Policy': '"same-origin"'
|
|
# 'Content-Security-Policy': "\"default-src 'self';\"" # disabled since it blocks too many common use-cases
|
|
'X-Frame-Options': 'SAMEORIGIN'
|
|
'X-Content-Type-Options': 'nosniff'
|
|
'X-Permitted-Cross-Domain-Policies': '"none"'
|
|
'X-XSS-Protection': '"1; mode=block"'
|
|
'Header always edit Set-Cookie ^(.*)$': '$1;HttpOnly;Secure;SameSite=None'
|
|
# 'Header set Permissions-Policy': '"none"'
|
|
# 'Header set Content-Security-Policy': '"default-src https:; font-src https:; img-src https:; script-src https:; style-src https:;"'
|
|
|
|
ssl: # see: https://github.com/ansibleguy/infra_certs
|
|
path: '/etc/apache2/ssl'
|
|
ca:
|
|
file: # can be used if you want to use an existing ca
|
|
cn: 'Apache CA Certificate'
|
|
org: 'AnsibleGuy'
|
|
ou:
|
|
country:
|
|
state:
|
|
locality:
|
|
email:
|
|
pwd: # it's highly recommended setting a passphrase!
|
|
|
|
modules:
|
|
present: ['ssl', 'headers', 'rewrite', 'http2']
|
|
absent: ['autoindex']
|
|
|
|
letsencrypt:
|
|
key_size: 4096
|
|
path: '/etc/letsencrypt'
|
|
renew_timer: 'Mon *-*-* 03:00:00'
|
|
verbosity: 'v'
|
|
email:
|
|
renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
|
|
|
|
security:
|
|
restricted_methods: ['GET', 'POST', 'HEAD']
|
|
|
|
debug: false
|