wcm_io_devops.apache

This is an Ansible Role that installs Apache 2.x on systems like RHEL/CentOS, Debian/Ubuntu, SLES, and Solaris.

wcm.io fork

wcm.io has created its own version of the original geerlingguy.apache repository to make updates faster.

This wcm.io version adds these features:

• Pull request #150

  • Support for apache_listen_port and apache_listen_port_ssl on Debian, RedHat/Amazon Linux, and SUSE.
  • Support for apache_mods_enabled on Debian, RedHat/Amazon Linux, and SUSE.

• Issues related: Issue 81, Issue 21

Namespace

This role is published under the wcm-io-devops namespace.

Versioning

The version numbers for this version will match the original repository's versions. Each release by wcm.io will have a fourth version number, like 3.0.0-1, which increases with each release.

Requirements

If you're using SSL/TLS, you need to provide your own certificate and key files. You can create a self-signed certificate with a command like openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt.

If you're using Apache with PHP, consider using the geerlingguy.php role to install PHP. You can either use mod_php by adding the proper package (like libapache2-mod-php5 for Ubuntu) to php_packages, or connect Apache to PHP using FPM with geerlingguy.apache-php-fpm.

Role Variables

The available variables are listed below with their default values (see defaults/main.yml):

• apache_enablerepo: ""

This is the repository used when installing Apache (only on RHEL/CentOS). For newer Apache versions not available in the OS repositories, you can use EPEL.

• apache_listen_ip: "*"
• apache_listen_port: 80
• apache_listen_port_ssl: 443

These determine the IP address and ports for Apache to listen on. Change these if there's another service using ports 80 or 443.

• apache_create_vhosts: true
• apache_vhosts_filename: "vhosts.conf"
• apache_vhosts_template: "vhosts.conf.j2"

If set to true, a vhosts file will be created using this role's variables. If false, you can use your own vhosts file. The default will be deleted if apache_create_vhosts is false.

• apache_remove_default_vhost: false

Default virtualhosts are included in Apache's configuration. Set to true to remove the default virtualhost.

• apache_remove_default_vhost_ssl: false

Set to true to remove the default virtualhost from the ssl.conf file in RedHat/CentOS.

• apache_global_vhost_settings: | DirectoryIndex index.php index.html

  Add other global settings here.

This lets you add or change global Apache settings in the vhosts file.

• apache_vhosts:
  • servername: "local.dev" documentroot: "/var/www/html"

Add properties for each virtualhost, including servername (required) and documentroot (required).

For example, to add a RewriteRule to redirect requests to the www. site:

• servername: "www.local.dev" serveralias: "local.dev" documentroot: "/var/www/html" extra_parameters: | RewriteCond %{HTTP_HOST} !^www. [NC] RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

• apache_vhosts_ssl: []

SSL vhosts are not set up by default, but you can add them like normal vhosts.

• apache_ssl_protocol: "All -SSLv2 -SSLv3"
• apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"

These settings manage which SSL protocols and ciphers are allowed for secure connections.

• apache_allow_override: "All"
• apache_options: "-Indexes +FollowSymLinks"

These are the default values for AllowOverride and Options for each vhost's document root. A vhost can change these with allow_override or options.

• apache_mods_enabled:
  • rewrite.load
  • ssl.load
• apache_mods_disabled: []

Use these to enable or disable Apache mods on Debian/Ubuntu systems.

• apache_packages:
  • [platform-specific]

This is the list of packages to install, specific to the platform (see vars/RedHat.yml and vars/Debian.yml for the defaults).

• apache_state: started

Sets the initial state of the Apache service. Generally remains started.

• apache_packages_state: present

To easily upgrade to newer package versions, you can set this to latest and directly upgrade.

• apache_ignore_missing_ssl_certificate: true

Set to false to create SSL vhosts only when the certificate is available.

• #apache_rhel_custom_vhosts_path: /etc/httpd/vhosts.d

On RHEL/CentOS, you might want to use a different directory for virtual host files. Use this variable if needed.

.htaccess Basic Authorization

To use Basic Auth, add it through custom templates or extra_parameters in a VirtualHost configuration:

extra_parameters: |
  <Directory "/var/www/protected-directory">
    Require valid-user
    AuthType Basic
    AuthName "Please authenticate"
    AuthUserFile /var/www/protected-directory/.htpasswd
  </Directory>

To protect everything in a VirtualHost, use:

<Location "/">
  Require valid-user
  ...
</Location>

You will need to generate your own .htpasswd file.

Dependencies

None.

Example Playbook

- hosts: webservers
  vars_files:
    - vars/main.yml
  roles:
    - { role: wcm_io_devops.apache }

Inside vars/main.yml:

apache_listen_port: 8080
apache_vhosts:
  - {servername: "example.com", documentroot: "/var/www/vhosts/example_com"}

License

MIT / BSD

Author Information

This role was created in 2014 by Jeff Geerling, author of Ansible for DevOps.

This version is maintained by wcm.io.