juju4.harden_apache
Apache Webserver Hardening Ansible Role
This is an Ansible role designed to enhance the security of the Apache2 webserver.
Requirements & Dependencies
Ansible
Tested on the following versions:
- 2.1
- 2.2 (required for LetsEncrypt module)
- 2.3
- 2.4
If you want to use the role with Ansible versions older than 2.2, comment out the LetsEncrypt tasks in tasks/apache-ssl.yml.
Operating Systems
This works on:
- Ubuntu 14.04 (Apache 2.4.7), 16.04 (2.4.18)
- CentOS 7 (2.4.6)
Example Playbook
To use this role, include it in your playbook like this:
- hosts: all
  roles:
    - juju4.harden_apache
Variables
You need to configure Apache Single-Sign-On (SSO) with Active Directory via Kerberos. This role does not set up anything on the Windows side, so review it carefully before using it in production.
Continuous Integration
This role includes a basic test on Travis (for GitHub) and more advanced tests with Kitchen and a Vagrantfile (test/vagrant). The default Kitchen config (.kitchen.yml) uses LXD, while .kitchen.vagrant.yml uses Vagrant/VirtualBox.
Ensure all necessary roles are present, and then you can test this role with:
$ gem install kitchen-ansible kitchen-lxd_cli kitchen-sync kitchen-vagrant
$ cd /path/to/roles/juju4.harden_apache
$ kitchen verify
$ kitchen login
$ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify
or
$ pip install molecule docker
$ molecule test
$ MOLECULE_DISTRO=ubuntu:20.04 molecule test --destroy=never
or
$ cd /path/to/roles/juju4.harden_apache/test/vagrant
$ vagrant up
$ vagrant ssh
Troubleshooting & Known Issues
To check AD SSO with Kerberos:
$ kinit <account>@LOCAL.DOMAIN
$ klist
$ kvno HTTP/<hostname@LOCAL.DOMAIN>
$ kinit -k -t /etc/apache2/krb5.keytab HTTP/<hostname@LOCAL.DOMAIN>
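As an added example (not part of the role), a POSIX shell script that takes the check above one step further: it compares the kvno the KDC reports for the HTTP service principal with the kvno entries stored in the Apache keytab, since a stale keytab after an AD password rotation is a common reason the kinit -k step fails. The realm, principal and keytab path are placeholders to adjust for your site.

```shell
#!/bin/sh
# Cross-check the KDC's key version number (kvno) for the HTTP service
# principal against the kvno entries in the Apache keytab.
# Placeholders (assumed, adjust for your site): realm, principal, keytab path.
REALM="${REALM:-LOCAL.DOMAIN}"
SPN="${SPN:-HTTP/web.local.domain@$REALM}"
KEYTAB="${KEYTAB:-/etc/apache2/krb5.keytab}"

# Pull the number out of `kvno` output read on stdin, e.g.
#   HTTP/web.local.domain@LOCAL.DOMAIN: kvno = 3
kdc_kvno_from_output() {
  sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print every kvno stored for principal $1, reading `klist -k` output on stdin:
#   KVNO Principal
#   ---- ----------
#      3 HTTP/web.local.domain@LOCAL.DOMAIN
keytab_kvnos_for() {
  awk -v spn="$1" '$2 == spn { print $1 }'
}

# Succeed only if KDC kvno $1 is one of the newline-separated keytab kvnos $2
kvno_matches() {
  printf '%s\n' "$2" | grep -qx "$1"
}

# Full check against the live KDC and keytab; needs a valid TGT (kinit first)
check_sso() {
  kdc=$(kvno "$SPN" 2>/dev/null | kdc_kvno_from_output)
  [ -n "$kdc" ] || { echo "kvno lookup failed for $SPN (run kinit first?)"; return 2; }
  kt=$(klist -k "$KEYTAB" | keytab_kvnos_for "$SPN")
  [ -n "$kt" ] || { echo "$SPN not found in $KEYTAB"; return 3; }
  if kvno_matches "$kdc" "$kt"; then
    echo "OK: KDC kvno $kdc is present in $KEYTAB"
  else
    echo "MISMATCH: KDC kvno $kdc, keytab has $(printf '%s' "$kt" | tr '\n' ' ')"
    return 1
  fi
}

# Only contact the KDC when explicitly asked, so the functions can be sourced
if [ -n "$RUN_SSO_CHECK" ]; then check_sso; fi
```

Run it as RUN_SSO_CHECK=1 sh check_sso.sh after a successful kinit; a MISMATCH means the keytab must be regenerated on the AD side.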
Extras
If you want to alert users with old browsers, consider these projects for warning messages: browser-update.org or outdatedbrowser.com.
On CentOS 8 Stream, GitHub CI might fail with:
ERROR! couldn't resolve module/action 'openssl_privatekey'.
The role works fine when run manually.
License
BSD 2-clause