vahubert.apache

Ansible Role: Apache 2.x


This Ansible Role installs Apache 2.x on RHEL/CentOS, Debian/Ubuntu, SLES, and Solaris.

Requirements

If you need to use SSL/TLS, you will have to provide your own certificate and key files. You can create a self-signed certificate using a command like: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt.

If you're using Apache with PHP, it's a good idea to use the geerlingguy.php role for PHP installation. You can set it up with mod_php (by including a proper package, like libapache2-mod-php5 for Ubuntu, in php_packages), or use geerlingguy.apache-php-fpm to connect Apache to PHP through FPM. Check that role's README for details.

Role Variables

Here are the available variables along with their default values (see defaults/main.yml):

  • apache_enablerepo: ""

This is the repository used to install Apache (only used on RHEL/CentOS). If you want newer versions than those in your OS's repositories, you can use a repository like EPEL (which can be added with the geerlingguy.repo-epel role).

  • apache_listen_ip: "*"
  • apache_listen_port: 80
  • apache_listen_port_ssl: 443

These settings define the IP address and ports that Apache listens to. This is helpful if another service uses port 80 or 443 and you need to change the defaults.

  • apache_create_vhosts: true
  • apache_vhosts_filename: "vhosts.conf"
  • apache_vhosts_template: "vhosts.conf.j2"

Setting this to true creates a vhosts file using this role's variables. Setting it to false lets you use your own vhosts file. You can also provide your own template if needed.

  • apache_remove_default_vhost: false

On Debian/Ubuntu, a default virtual host is included. Set this to true to remove it.

  • apache_global_vhost_settings: |
      DirectoryIndex index.php index.html
      # Add other global settings on new lines.

You can set or change global Apache settings in the provided vhosts file if apache_create_vhosts is true. By default, it sets the DirectoryIndex.

  • apache_vhosts:

Add properties for each virtual host, which must include servername (required) and documentroot (required). Other properties like serveradmin, serveralias, and extra_parameters are optional.

Example using extra_parameters to redirect all requests to the www. site:

  - servername: "www.local.dev"
    serveralias: "local.dev"
    documentroot: "/var/www/html"
    extra_parameters: |
      RewriteCond %{HTTP_HOST} !^www\. [NC]
      RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The | indicates that the following lines are part of a block and will preserve line breaks.

  • apache_vhosts_ssl: []

No SSL virtual hosts are set up by default, but you can add them similarly to apache_vhosts, with some extra settings.

Example:

apache_vhosts_ssl:
  - servername: "local.dev"
    documentroot: "/var/www/html"
    certificate_file: "/home/vagrant/example.crt"
    certificate_key_file: "/home/vagrant/example.key"
    certificate_chain_file: "/path/to/certificate_chain.crt"
    extra_parameters: |
      RewriteCond %{HTTP_HOST} !^www\. [NC]
      RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Other SSL settings can be managed with related role variables.

  • apache_ssl_protocol: "All -SSLv2 -SSLv3"
  • apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"

These settings determine which SSL protocols and ciphers are acceptable for secure connections.
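
The default protocol string removes only SSLv2 and SSLv3, so TLS 1.0 and TLS 1.1 remain enabled. A vars file that narrows this, shown here as an added example rather than the role's own defaults; the cipher selection, the HTTP-to-HTTPS vhost and the HSTS header are assumptions to adapt to your clients:

```yaml
# vars/main.yml: added example, not the role's defaults.

# Role default "All -SSLv2 -SSLv3" still negotiates TLSv1 and TLSv1.1.
# Assumes Apache 2.4 built against OpenSSL 1.0.1 or later.
apache_ssl_protocol: "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"

# Forward-secret AES-GCM suites only (constructed selection; clients
# without GCM support will fail the handshake).
apache_ssl_cipher_suite: "EECDH+AESGCM:EDH+AESGCM"

# Debian/Ubuntu only: keep the role's two default modules and add
# mod_headers for the HSTS header below.
apache_mods_enabled:
  - rewrite.load
  - ssl.load
  - headers.load

# The plain-HTTP vhost exists only to send clients to HTTPS.
apache_vhosts:
  - servername: "local.dev"
    documentroot: "/var/www/html"
    extra_parameters: |
      RewriteEngine On
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

apache_vhosts_ssl:
  - servername: "local.dev"
    documentroot: "/var/www/html"
    certificate_file: "/home/vagrant/example.crt"
    certificate_key_file: "/home/vagrant/example.key"
    extra_parameters: |
      # Tell browsers to keep using HTTPS for one year.
      Header always set Strict-Transport-Security "max-age=31536000"
```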

  • apache_allow_override: "All"
  • apache_options: "-Indexes +FollowSymLinks"

These are the default values for AllowOverride and Options for each virtual host's documentroot. Specific vhosts can change these values.

  • apache_mods_enabled:

    • rewrite.load
    • ssl.load
  • apache_mods_disabled: []

For Debian/Ubuntu ONLY, specify which Apache modules to enable or disable. Check the mods-available directory in your Apache configuration to see what is available.

  • apache_packages:

This is a list of packages to install, which automatically defaults to platform-specific packages for RedHat or Debian systems.

  • apache_state: started

This sets the initial state of the Apache service. It is usually set to started but can be set to stopped if configuration changes are needed without starting the server.

  • apache_packages_state: present

If you have additional repositories enabled, you can set this to latest to upgrade to a different Apache version.

  • apache_ignore_missing_ssl_certificate: true

If you want to create SSL virtual hosts only when their certificates are available (e.g., with Let’s Encrypt), set this to false. You might need to run your playbook multiple times for all virtual hosts to be configured.

Basic Authorization with .htaccess

For Basic Auth, you can set it up using a custom template or add extra_parameters in a VirtualHost configuration like this:

extra_parameters: |
  <Directory "/var/www/password-protected-directory">
    Require valid-user
    AuthType Basic
    AuthName "Please authenticate"
    AuthUserFile /var/www/password-protected-directory/.htpasswd
  </Directory>

To protect everything in a VirtualHost, use a Location block:

<Location "/">
  Require valid-user
  ....
</Location>

You'll need to create/upload your own .htpasswd file through your playbook.
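
Creating the .htpasswd file through the playbook, as an added example that is not part of the role's README: the credential file sits outside the documentroot, the protected directory is served only from an SSL vhost so Basic Auth credentials are not sent in cleartext, and the file is written with the community.general.htpasswd module. The /etc/apache2/htpasswd path, the private directory, the deploy user, the vault_deploy_password variable and the www-data group (Debian/Ubuntu) are assumptions.

```yaml
# Added example playbook, not from the role. Paths, user name and the
# vault variable are hypothetical.
- hosts: webservers
  become: true
  vars:
    apache_vhosts_ssl:
      - servername: "local.dev"
        documentroot: "/var/www/html"
        certificate_file: "/home/vagrant/example.crt"
        certificate_key_file: "/home/vagrant/example.key"
        extra_parameters: |
          <Directory "/var/www/html/private">
            AuthType Basic
            AuthName "Please authenticate"
            # Credential file lives outside any documentroot.
            AuthUserFile /etc/apache2/htpasswd
            Require valid-user
          </Directory>
  roles:
    - { role: geerlingguy.apache }
  tasks:
    # Runs after the role, so the www-data group already exists.
    # The module needs the passlib Python library on the managed host.
    - name: Create the Basic Auth user
      community.general.htpasswd:
        path: /etc/apache2/htpasswd
        name: deploy
        password: "{{ vault_deploy_password }}"  # keep in Ansible Vault
        owner: root
        group: www-data
        mode: "0640"
      no_log: true  # keep the password out of task output
```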

Dependencies

None.

Example Playbook

- hosts: webservers
  vars_files:
    - vars/main.yml
  roles:
    - { role: geerlingguy.apache }

Inside vars/main.yml:

apache_listen_port: 8080
apache_vhosts:
  - {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}

License

MIT / BSD

Author Information

This role was created in 2014 by Jeff Geerling, author of Ansible for DevOps.

Install
ansible-galaxy install vahubert.apache