apache

Ansible Role: Apache Web Server

Build GPL License Donate

An Ansible Role that install, secure Apache Web Server on Ubuntu and EL (RHEL and derived Linux distributions)

Role Variables

The available variables are listed below, for all references see defaults/main.yml

apache_mpm

Define the mandatory mpm to use: event, prefork, worker

apache_extra_packages

Extra package for Apache (use mod_ssl on RHEL OS to use mod ssl)

apache_modules

List of Apache module to enable/disable

apache_modules:
  - name: rewrite
    state: present

apache_vhost_disable_default

Boolean value to disable default vhost (es. on Debian/Ubuntu '000-default.conf')

default: true

apache_vhost_disable_default: true

apache_listens

List of apache port to listen on.

Insert any valid value for Apache Listen option (see https://httpd.apache.org/docs/2.4/mod/mpm\_common.html#listen)

default: 80

apache_ssl_listens:
  - 80

apache_ssl_listens

List of apache port to listen as SSL on (default 443, for other port use trailing string "https")

Insert any valid value for Apache Listen option (see https://httpd.apache.org/docs/2.4/mod/mpm\_common.html#listen)

default: 443

apache_ssl_listens:
  - 443

apache_virtualhost

List of vhost where a vhost is a hash with this meanings:

  • state: if 'present' vhost must be created and enabled while 'absent' the vhost must be disabled and deleted
  • addr: value after virtualhost (), default to '*:80' ;
  • file_suffix: suffix to add to vhost's filename (ex. "-ssl" or "-port8080") to quickly recognize the "virtualhost" from the file name if "ServerName" is identical but enabled on a different port (example port 80 and 443)
  • ServerName: is the 'ServerName';
  • ServerAlias: is the 'ServerAlias';
  • DocumentRoot: is the 'DocumentRoot';
  • ServerAdmin: is the 'ServerAdmin';
  • Directory_DocumentRoot_default: if true (default) create a block like this (DocumentRoot: /var/www/html): (see below apache_virtualhost_def_directory_options, apache_virtualhost_def_directory_allowoverride) <Directory "/var/www/html"> Options FollowSymLinks AllowOverride All use **directory_options** and **directory_allowoverride** to override default value For ssl connections the following variables can be entered (**sslengine** must be 'on' to enable the others):
  • sslengine, sslprotocol, sslciphersuite, sslhonorcipherorder, sslsessiontickets, ssloptions, sslcertificatefile, sslcertificatekeyfile, sslcertificatechainfile
  • sslcertificatefile and sslcertificatekeyfile must exists or defalt to value of apache_virtualhost_def_sslcertificatefile and apache_virtualhost_def_sslcertificatekeyfile defined per OS
  • ErrorLog: is the 'ErrorLog' (def. {{ apache_log_dir }}/{ServerName}-errorlog);
  • CustomLog: is the 'CustomLog'(def. {{ apache_log_dir }}/{ServerName}-access:log);
  • Extra: a multiline string of extra options to add to the VirtualHost;
  • add_rewrite_rule_to_ssl: if true add the following rules (use ServerName: host.example.com)

    use must enable RewriteEngine in 'apache_modules'

    RewriteCond %{SERVER_NAME} =host.example.com RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

default: []

apache_virtualhost: []

apache_virtualhost_def_directory_options

Default value for Options in directory

default: apache_virtualhost_def_directory_options: FollowSymLinks

apache_virtualhost_def_directory_allowoverride

Default AllowOverride in directory

default: apache_virtualhost_def_directory_allowoverride: All

apache_virtualhost_def_sslprotocol

Default sslprotocol variable if non defined in apache_virtualhost

default: apache_virtualhost_def_sslprotocol: 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'

apache_virtualhost_def_sslciphersuite

Default sslciphersuite variable if non defined in apache_virtualhost

default: apache_virtualhost_def_sslciphersuite: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

apache_virtualhost_def_sslhonorcipherorder

Default sslhonorcipherorder variable if non defined in apache_virtualhost

default: apache_virtualhost_def_sslhonorcipherorder: 'off'

apache_virtualhost_def_sslsessiontickets

Default sslsessiontickets variable if non defined in apache_virtualhost

default: apache_virtualhost_def_sslsessiontickets: 'off'

apache_virtualhost_def_ssloptions

Default ssloptions variable if non defined in apache_virtualhost

default: apache_virtualhost_def_ssloptions: '+StrictRequire'

apache_servertokens

See Apache ServerTokens (https://httpd.apache.org/docs/2.4/mod/core.html#servertokens)

default: apache_servertokens: Prod

apache_serversignature

See Apache ServerSignature (https://httpd.apache.org/docs/2.4/mod/core.html#serversignature)

default: apache_serversignature: 'Off'

firewall

Bool to enable Apache firewall rules only for Ufw or Firewalld

default: firewall: false

firewall_force_install

If true install and active Ufw or Firewalld based on OS

default: firewall_force_install: false

firewall_ports

List of firewall rules where each rule use the keys: port, proto, from, to, interface, zone

default: firewall_ports: []

# Example for firewalld:
firewall_ports:
  - port: 80
    proto: tcp
    zone: public
  - port: 443
# Example for Ufw:
firewall_ports:
  - port: "80,443"
    proto: tcp

Example Playbook

Install with:

ansible-galaxy install eniocarboni.apache

Example 1: use default variables

---
- hosts: all
  become: true

  roles:
    - eniocarboni.apache

Example 2: with use of custom variables

---
- hosts: all
  become: true

  roles:
    - role: eniocarboni.apache
      apache_mpm: event
      apache_extra_packages:
        - mod_ssl
      apache_modules:
        - name: rewrite
          state: present
        - name: ssl
          state: present

Example 3: virtualhost

- hosts: all
  become: true

  roles:
    - role: eniocarboni.apache
      apache_virtualhost:
        - state: present
          addr: '*:80'
          ServerName: 'host.example.com'
          ServerAlias: 'myhost.example.com'
          DocumentRoot: '/var/www/html'
          ServerAdmin: '[email protected]'
          Directory_DocumentRoot_default: true
          add_rewrite_rule_to_ssl: false

License

GNU General Public License v3.0, see LICENSE file

Author Information

This role was created in 2023 by Enio Carboni

About

Configure Apache Web Server

Install
ansible-galaxy install eniocarboni/ec-ansible-apache-role
GitHub repository
License
gpl-3.0
Downloads
12