# Apache2 Role

Ansible role to install apache2 sites on the target server.

**Tested:**
* Debian 11

## Functionality

* **Package installation**
  * Ansible dependencies (_minimal_)
  * Apache2

* **Configuration**
  * Support for multiple sites/servers
  * Two **config-modes**:
    * serve (_default_)
    * redirect

  * **Default config**:
    * Disabled: TLS < 1.2, insecure ciphers, autoindex, servertokens/-signature, ServerSideIncludes, CGI
    * Security headers: HSTS, X-Frame, Referrer-Policy, Content-Type nosniff, X-Domain-Policy, XSS-Protection
    * Limits to prevent DDoS
    * Logging to syslog
    * Using a Self-Signed certificate
    * Modules: +ssl, headers, rewrite; -autoindex

  * **SSL modes** (_for more info see: [CERT ROLE](https://github.com/ansibleguy/infra_certs)_)
    * **selfsigned** => Generate self-signed ones
    * **ca** => Generate a minimal Certificate Authority and certificate signed by it
    * **letsencrypt** => Uses the LetsEncrypt certbot
    * **existing** => Copy certificate files or use existing ones

  * **Default opt-ins**:
    * restricting methods to POST/GET/HEAD

  * **Default opt-outs**:
    * Include the config file 'site_{{ site_name }}_app.conf' for advanced usage

Options to provide module config will be added in the future!<br>
Also some basic mods will get a pre-config added. (_prefork, evasive_)

## Info

* **Note:** Most of this functionality can be opted in or out using the main defaults file and variables!

* **Note:** This role currently only supports Debian-based systems.

* **Note:** This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection.

* **Note:** If you want all domain-names to get 'caught' by a site/server you need to add an asterisk '*' as alias or domain!<br>
  This will also be done automatically if no domain is supplied.

## Requirements

* Community collection and certificate role: ```ansible-galaxy install -r requirements.yml```

## Usage

### Config

Define the apache dictionary as needed!

```yaml
apache:
  headers:
    mySuperCustom: 'headerContent'

  modules:
    present: ['evasive']

  guys_statics:
    mode: 'serve'
    domain: 'static.guy.net'
    serve:
      path: '/var/www/static'

    ssl:
      mode: 'ca'  # create minimal ca with signed server-certificate

    config:
      KeepAliveTimeout: 10

  git_stuff:
    mode: 'redirect'
    domain: 'ansibleguy.net'
    aliases: ['www.ansibleguy.net']
    redirect:
      target: 'https://github.com/ansibleguy'

    ssl:
      mode: 'letsencrypt'

    letsencrypt:
      email: 'apache@template.ansibleguy.net'
```

### Execution

Run the playbook:
```bash
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml
```

There are also some useful **tags** available:
* base => only configure basics; sites will not be touched
* sites
* config => configuration (base and instances)
* certs
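
A post-deployment check for the **Default config** hardening listed above, as an added example that is not part of this role's code: it audits a response head (for instance the output of `curl -sI`) for the security headers and for a version leak in `Server`. The mapping from the README's shorthand to the real header names, the accepted values, and both sample responses are assumptions made for this example.

```python
import re

def hsts_max_age(value):
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return int(m.group(1)) if m else 0

# Real header names assumed to correspond to the README's shorthand list.
EXPECTED = {
    "strict-transport-security": lambda v: hsts_max_age(v) > 0,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-permitted-cross-domain-policies": lambda v: bool(v),
    "x-xss-protection": lambda v: bool(v),
}

def parse_headers(raw):
    """Parse a raw HTTP response head into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return sorted findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    findings = []
    for name, ok in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif not ok(headers[name]):
            findings.append(f"weak value: {name}: {headers[name]}")
    # With servertokens/-signature disabled, Server carries no version or OS.
    server = headers.get("server", "")
    if re.search(r"\d|\(", server):
        findings.append(f"version leak: server: {server}")
    return sorted(findings)

# Constructed samples, not captured from a real host.
HARDENED = ("HTTP/1.1 200 OK\nServer: Apache\n"
            "Strict-Transport-Security: max-age=31536000\nX-Frame-Options: SAMEORIGIN\n"
            "Referrer-Policy: same-origin\nX-Content-Type-Options: nosniff\n"
            "X-Permitted-Cross-Domain-Policies: none\nX-XSS-Protection: 1; mode=block\n")
STOCK = "HTTP/1.1 200 OK\nServer: Apache/2.4.56 (Debian)\nX-Content-Type-Options: sniff\n"

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("stock", STOCK)):
        print(label, audit(sample) or "ok")
```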