# Turgon37.apache2

Ansible Role Apache2

## Description

⚠️ Important: This role is designed specifically for my IT setup. While it aims to be general, it may not fit your needs perfectly. Please review its functionality carefully to ensure it can be securely installed on your servers.

This role sets up an Apache2 web server.
## Requirements

- Ansible version 2.4 or higher.
## Dependencies

If you're using the Zabbix monitoring profile, you'll also need the ansible-zabbix-agent role.
## OS Family

This role works with Debian.
## Features

Currently, this role can:
- Install Apache2
- Configure the main Apache server file
- Create virtual host configurations
- Manage enabled modules
- Override certain module configurations
- Monitor items for Zabbix
- Manage local facts
## Configuration

### Server

You can override the following variables stored in the defaults/main.yml file. To see the default values, please check that file.

| Name | Description |
|---|---|
| apache2__version | Version of Apache2 to install (must be available in the OS repositories), e.g. 2.4.25-3+deb9u5 |
| apache2__service_enabled | Boolean to enable the Apache service on boot and at runtime |
| apache2__service_restartable | If true, restart Apache automatically on configuration changes (set to false in production) |
| apache2__server_tokens | Set the verbosity of server tokens in error pages |
| apache2__server_signature | Option to display server signatures on error pages |
| apache2__trace_enable | Configure the HTTP TRACE method |
| apache2__ssl_ciphers | List of available SSL ciphers; only a recommended subset is configured by default |
| apache2__ssl_protocols | List of enabled SSL protocols; all except SSL 2/3 are enabled by default |
| apache2__ssl_honorciphers | Instruct the server to prefer its own cipher order |
| apache2__log_formats | Dictionary of available log formats in Apache |
| apache2__listen_http | List of port or host:port combinations to listen on for HTTP requests |
| apache2__listen_https | List of port or host:port combinations to listen on for HTTPS requests |

Note: currently the apache2__listen_http and apache2__listen_https directives must be filled in manually, because generating them automatically from the virtual hosts is too complex.
The following variables apply to the server and can be overridden for each virtual host:

| Name | Description |
|---|---|
| apache2__serveradmin | Optional email address of the administrator |
| apache2__allow_override_list | The AllowOverrideList directive |
| apache2__allow_override | The AllowOverride directive |
| apache2__options | The Options directive |
To configure enabled modules, declare module names in one of these lists:

- apache2__modules_enabled_global
- apache2__modules_enabled_group
- apache2__modules_enabled_host

By default, no modules are enabled, so Apache will not start until at least one MPM (multi-processing module) is enabled. Each entry in these lists is a module name. If a module has both a '.conf' and a '.load' file, both are included automatically. A template in the templates/modules.conf/(module name) directory replaces the existing configuration file of that module.
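The module rules above (a .load file must exist, a .conf file is picked up automatically when present, a role template replaces the shipped .conf, and at least one MPM is required) are easy to get wrong when assembling the three lists by hand. The following Python is an added illustration of those rules, not code from the role itself; the directory listings and the template set are constructed samples, and the ssl/socache_shmcb dependency is taken from the README's own example comment.

```python
# Added example: a dry run of the module-enabling rules described in the README.
# Not the role's own code; the listings below are constructed samples.

MODS_AVAILABLE = {  # constructed sample of /etc/apache2/mods-available
    "access_compat.load",
    "alias.conf", "alias.load",
    "deflate.conf", "deflate.load",
    "mpm_prefork.conf", "mpm_prefork.load",
    "mpm_event.conf", "mpm_event.load",
    "ssl.conf", "ssl.load",
    "socache_shmcb.load",
    "headers.load",
}

ROLE_TEMPLATES = {"ssl"}  # constructed sample of templates/modules.conf/<module>

# Dependency taken from the README example ("socache_shmcb: required by mod_ssl").
KNOWN_DEPENDENCIES = {"ssl": {"socache_shmcb"}}


def resolve_module_files(modules, available=MODS_AVAILABLE, templates=ROLE_TEMPLATES):
    """Return, per requested module, which .load and .conf source would be enabled.

    Rules: the .load file must exist in mods-available; a .conf file is included
    automatically when present; a template under templates/modules.conf/<name>
    replaces the shipped .conf.
    """
    plan = {}
    for name in modules:
        load = f"{name}.load"
        if load not in available:
            raise ValueError(f"module {name!r}: {load} not found in mods-available")
        if name in templates:
            conf = f"templates/modules.conf/{name}"
        elif f"{name}.conf" in available:
            conf = f"mods-available/{name}.conf"
        else:
            conf = None  # load-only module, nothing to configure
        plan[name] = {"load": f"mods-available/{load}", "conf": conf}
    return plan


def check_module_set(modules, dependencies=KNOWN_DEPENDENCIES):
    """Return the problems that would stop Apache from starting or a module from working."""
    problems = []
    mpms = [m for m in modules if m.startswith("mpm_")]
    if not mpms:
        problems.append("no MPM module enabled; Apache will not start")
    elif len(mpms) > 1:
        # Apache refuses to start when more than one MPM is loaded.
        problems.append(f"more than one MPM enabled: {', '.join(sorted(mpms))}")
    for mod, needed in dependencies.items():
        if mod in modules:
            for dep in sorted(needed - set(modules)):
                problems.append(f"{mod} requires {dep}, which is not enabled")
    return problems


if __name__ == "__main__":
    wanted = ["alias", "mpm_prefork", "ssl", "socache_shmcb", "headers"]
    for name, files in resolve_module_files(wanted).items():
        print(f"{name:14} load={files['load']} conf={files['conf']}")
    print("problems:", check_module_set(wanted) or "none")
```

Running the check against the combined global, group and host lists before a playbook run catches the "no MPM" case that otherwise only shows up as a failed service start.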
## Virtual Hosts

Each virtual host must be defined with a vhost block, placed in one of these lists:

- apache2__virtual_hosts_global
- apache2__virtual_hosts_group
- apache2__virtual_hosts_host

By default, each virtual host listens on '*' and the default port for its scheme: 443 when HTTPS is enabled, 80 otherwise.

Only a limited number of Apache directives and sections are implemented; you can find them in the [directives](templates/_directives.j2) and [sections](templates/_sections.j2) files. If a required directive is missing, use the extra_parameters item. For missing section types, you will need to fork the role and implement them.

Each vhost block is a dictionary keyed by the filename of the vhost configuration. Each vhost can have the following variables:
Name | Type | Description |
---|---|---|
hosts | string or array of strings | List of interfaces for the vhost to listen on |
hosts[] | string | If an item is a string, it's treated as "IP:PORT" |
hosts[].ip | string | If an item is a dict with 'ip' key, it's treated as "IP" |
hosts[].port | int | If an item is a dict with 'port', it's used as the listen port. Defaults to HTTP protocol if this key is missing |
server_name | string | The host for the vhost |
server_alias | string | Hostname alias |
server_admin | string | Optional administrator email address |
document_root | string | Path to the document root folder; will be created if missing |
document_root_user | string | Owner of the document root folder (if defined) |
document_root_group | string | Group of the document root folder (if defined) |
document_root_mode | string | Unix mode of the document root folder (if defined); ensure Apache has at least read access |
error_log | string | Path to the error log file; will be created in this directory |
error_log_user | string | Owner of the error log directory |
error_log_group | string | Group of the error log directory |
allow_override | string | The AllowOverride directive |
allow_override_list | string | The AllowOverrideList directive |
options | string | The Options directive |
headers | array | Array of Header directives |
files_match | array of dict | Contains FilesMatch definitions; each must be a dict with specific keys |
extra_parameters | array of string | Any extra Apache directives |
https | dict | Subkeys for https configuration |
https.enabled | boolean | True by default; can be used to disable https configurations, keeping other settings intact |
https.certificate_chain_file | string | Path to the certificate chain |
https.verify_client | string | Type of client certificate verification |
https.verify_client_depth | int | Maximum depth for client certificate verification |
https.ca_certificate_path | string | Path to the CA certificate directory |
https.ca_certificate_file | string | Path to the CA certificate file |
https.crl_path | string | Path to the CRL (Certificate Revocation List) folder |
https.crl_file | string | Path to the CRL file |
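The `hosts` rows above accept several shapes (a bare string, an "IP:PORT" string, a dict with `ip`, a dict with `ip` and `port`), and the port falls back to 443 or 80 depending on the scheme. The Python below is an added example, not the role's own code, that normalises a vhost's `hosts` entries to the addresses it will bind and then gathers them across vhosts into the values the `apache2__listen_http(s)` note says must be filled in by hand. The function names, the sample vhosts and the rule "a vhost is HTTPS when it has an `https` block whose `enabled` is not false" are assumptions made for this example.

```python
# Added example: normalise vhost 'hosts' entries following the README table.
# Not the role's own code; the sample vhosts are constructed from the README examples.

SAMPLE_VHOSTS = {  # constructed sample input
    "web-redirect": {"hosts": [{"ip": "10.0.0.1"}], "server_name": "www.example.net"},
    "proxy-https": {
        "hosts": [{"ip": "10.0.0.1"}, {"ip": "192.168.56.12"}],
        "https": {"certificate_file": "/etc/ssl/apache2/www.example.net.pem"},
    },
    "jeedom-http": {"hosts": ["10.0.0.1", "127.0.0.1:8080"]},
}


def vhost_uses_https(vhost):
    """Assumed rule: HTTPS when an 'https' dict is present and 'enabled' is not False."""
    https = vhost.get("https")
    return https is not None and bool(https.get("enabled", True))


def default_port(vhost):
    """Default port per the README: 443 for HTTPS, 80 otherwise."""
    return 443 if vhost_uses_https(vhost) else 80


def _check_port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_host_item(item, default):
    """Normalise one 'hosts' entry to an (address, port) pair."""
    if isinstance(item, str):
        # A bracketed IPv6 address ("[::1]"), a bare IPv4 address or '*' carries no port.
        if item.endswith("]") or ":" not in item:
            return item, default
        addr, _, port = item.rpartition(":")
        return addr, _check_port(port)
    if isinstance(item, dict):
        if "ip" not in item:
            raise ValueError(f"host entry {item!r} is missing the 'ip' key")
        return str(item["ip"]), _check_port(item.get("port", default))
    raise TypeError(f"unsupported host entry type: {type(item).__name__}")


def listen_addresses(vhost):
    """Return the ADDR:PORT strings a vhost binds; '*' when 'hosts' is absent."""
    hosts = vhost.get("hosts", "*")
    if isinstance(hosts, (str, dict)):
        hosts = [hosts]
    default = default_port(vhost)
    return [f"{addr}:{port}" for addr, port in (parse_host_item(h, default) for h in hosts)]


def collect_listen(vhosts):
    """Gather distinct listen addresses across vhosts, split by scheme.

    These are the values apache2__listen_http and apache2__listen_https need,
    which the README says are not derived automatically.
    """
    out = {"http": [], "https": []}
    for vhost in vhosts.values():
        key = "https" if vhost_uses_https(vhost) else "http"
        for addr in listen_addresses(vhost):
            if addr not in out[key]:
                out[key].append(addr)
    return out


if __name__ == "__main__":
    for name, vhost in SAMPLE_VHOSTS.items():
        print(f"{name}: {listen_addresses(vhost)}")
    print(collect_listen(SAMPLE_VHOSTS))
```

A port that is out of range or a dict entry without `ip` raises immediately, which is preferable to letting Apache fail at reload time with a less specific error.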
## Facts

By default, local facts are installed and expose the following variables:

- ansible_local.apache2.version_full
- ansible_local.apache2.version_major
## Example

### Playbook

Use it in a playbook like this:

```yaml
- hosts: all
  roles:
    - turgon37.apache2
```
### Inventory

Here are some example configurations:

#### Manually loaded Apache modules

```yaml
apache2__modules_enabled_group:
  - access_compat # Support for old deprecated directives
  - alias # Alias support
  - authn_core
  - authz_core
  - deflate # Gzip compression
  - dir # DirectoryIndex
  - env # SetEnv
  - headers # RequestHeader
  - mime
  - mpm_prefork
  - ssl # Handle SSL
  - socache_shmcb # Required by mod_ssl
```
#### Default Debian Virtual Host

```yaml
apache2__host_virtual_hosts:
  000-default:
    server_name: www.example.com
    server_admin: webmaster@localhost
    document_root: /var/www/html
    sections:
      - type: directory
        path: /var/www/html
        directives:
          - require: all granted
    error_log: '{{ apache2__log_directory }}/error.log'
    custom_log: '{{ apache2__log_directory }}/access.log combined'
```
#### Simple Permanent Redirect from HTTP to HTTPS

```yaml
apache2__host_virtual_hosts:
  web-redirect:
    hosts:
      - ip: "10.0.0.1"
    server_name: www.example.net
    server_alias: www2.example.net
    extra_parameters:
      - RedirectPermanent / https://www.example.net/
```
#### Proxy Pass from HTTPS to HTTP

```yaml
apache2__host_virtual_hosts:
  proxy-https:
    hosts:
      - ip: 10.0.0.1
      - ip: 192.168.56.12
    server_name: www.example.net
    server_alias: www2.example.net
    extra_parameters:
      - 'ProxyRequests Off'
      - 'ProxyPreserveHost On'
      - 'ProxyPass / http://localhost:3001/'
      # The reverse mapping must name the same backend URL as ProxyPass (plain HTTP here)
      - 'ProxyPassReverse / http://localhost:3001/'
    https:
      certificate_file: /etc/ssl/apache2/www.example.net.pem
      certificate_key_file: /etc/ssl/apache2/www.example.net.key
```
#### HTTP Virtual Host with Document Root and a PHP Application (Jeedom)

```yaml
apache2__host_virtual_hosts:
  jeedom-http: # vhost name assumed for this example; the original README omitted this key
    hosts:
      - 10.0.0.1
      - "127.0.0.1:443"
    server_name: jeedom.example.net
    document_root: '{{ jeedom__install_directory }}'
    document_root_user: '{{ apache2__service_user }}'
    document_root_group: '{{ apache2__service_user }}'
    error_log: '{{ jeedom__install_directory }}/log/http.error'
    error_log_user: '{{ apache2__service_user }}'
    error_log_group: '{{ apache2__service_user }}'
    sections:
      - type: directory
        path: '{{ jeedom__install_directory }}'
        directives:
          - allow_override: All
          - options: -Indexes -ExecCGI -FollowSymLinks
          - require: all granted
...
```
#### HTTPS Virtual Host with Document Root and a PHP Application (Jeedom)

```yaml
apache2__host_virtual_hosts:
  jeedom-https:
    hosts:
      - ip: 10.0.0.1
      - ip: 127.0.0.1
        port: 4343
    server_name: jeedom.example.net
    document_root: /var/www/html
    allow_override: All
    options: '-Indexes -ExecCGI -FollowSymLinks'
    headers:
      - set X-Content-Type-Options "nosniff"
      - always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
      - set X-XSS-Protection "1; mode=block"
      - unset X-Powered-By
...
```
## Installation

Install the role from Ansible Galaxy:

```
ansible-galaxy install Turgon37.apache2
```