From 37172332242967cf211f16c179c2a69135aa9b52 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 8 Apr 2018 13:12:39 +0200 Subject: [PATCH] add shared apache config --- base.yml | 4 +- email.yml | 2 +- roles/apache/files/acme-challenge.conf | 7 + .../apache/files/other-vhosts-access-log.conf | 4 + roles/apache/files/php5.conf | 17 ++ roles/apache/files/security.conf | 65 ++++++++ roles/apache/files/ssl.conf | 156 ++++++++++++++++++ roles/apache/handlers/main.yml | 2 + roles/apache/tasks/main.yml | 36 ++++ roles/apache/templates/000-default.conf | 8 + web.yml | 3 + 11 files changed, 301 insertions(+), 3 deletions(-) create mode 100644 roles/apache/files/acme-challenge.conf create mode 100644 roles/apache/files/other-vhosts-access-log.conf create mode 100644 roles/apache/files/php5.conf create mode 100644 roles/apache/files/security.conf create mode 100644 roles/apache/files/ssl.conf create mode 100644 roles/apache/handlers/main.yml create mode 100644 roles/apache/tasks/main.yml create mode 100644 roles/apache/templates/000-default.conf create mode 100644 web.yml diff --git a/base.yml b/base.yml index face9a3..031a720 100644 --- a/base.yml +++ b/base.yml @@ -16,8 +16,8 @@ apt: name=exim4-base,rpcbind state=absent autoremove=yes - name: install needrestart (from backports) apt: name=needrestart state=latest default_release={{ansible_distribution_release}}-backports - - name: install aptitude, rsync, git - apt: name=aptitude,rsync,git state=latest + - name: install some basic tools + apt: name=aptitude,rsync,git,curl,apt-transport-https state=latest # server-scripts - name: clone server-scripts git repository git: diff --git a/email.yml b/email.yml index 91f02f9..fe289b5 100644 --- a/email.yml +++ b/email.yml @@ -1,4 +1,4 @@ -- hosts: all:!base_only +- hosts: email roles: - postfix - journalwatch diff --git a/roles/apache/files/acme-challenge.conf b/roles/apache/files/acme-challenge.conf new file mode 100644 index 0000000..ff1c051 --- /dev/null +++ b/roles/apache/files/acme-challenge.conf @@ -0,0 +1,7 @@ +Alias /.well-known/acme-challenge/ /srv/acme-challenge/ + + + ForceType text/plain + AllowOverride none + Require all granted + diff --git a/roles/apache/files/other-vhosts-access-log.conf b/roles/apache/files/other-vhosts-access-log.conf new file mode 100644 index 0000000..284c0cd --- /dev/null +++ b/roles/apache/files/other-vhosts-access-log.conf @@ -0,0 +1,4 @@ +# Define an access log for VirtualHosts that don't define their own logfile +#CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/apache/files/php5.conf b/roles/apache/files/php5.conf new file mode 100644 index 0000000..8b6e856 --- /dev/null +++ b/roles/apache/files/php5.conf @@ -0,0 +1,17 @@ +# FCGID-Config +# PHP should not terminate itself, let FCGID do that +FcgidInitialEnv PHP_FCGI_MAX_REQUESTS 1000 +FcgidMaxRequestsPerProcess 500 +FcgidMaxProcesses 16 +# Allow requests up to 8MB +FcgidMaxRequestLen 8388608 + + +# macro to allow executing PHP scripts + + Options +ExecCGI + FcgidWrapper $wrapper .php + + SetHandler fcgid-script + + diff --git a/roles/apache/files/security.conf b/roles/apache/files/security.conf new file mode 100644 index 0000000..adefdd8 --- /dev/null +++ b/roles/apache/files/security.conf @@ -0,0 +1,65 @@ +# Block access to some directories that are allowed per default + + Require all denied + + +# Changing the following options will not really affect the security of the +# server, but might make attacks slightly more difficult in some cases. + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minimal | Minor | Major | Prod +# where Full conveys the most information, and Prod the least. +#ServerTokens Minimal +ServerTokens Minor +#ServerTokens Full + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +ServerSignature Off +#ServerSignature On + +# +# Allow TRACE method +# +# Set to "extended" to also reflect the request body (only for testing and +# diagnostic purposes). +# +# Set to one of: On | Off | extended +TraceEnable Off +#TraceEnable On + +# +# Forbid access to version control directories +# +# If you use version control systems in your document root, you should +# probably deny access to their directories. For example, for subversion: +# +# +# Require all denied +# + +# +# Setting this header will prevent MSIE from interpreting files as something +# else than declared by the content type in the HTTP headers. +# Requires mod_headers to be enabled. +# +Header set X-Content-Type-Options: "nosniff" + +# +# Setting this header will prevent other sites from embedding pages from this +# site as frames. This defends against clickjacking attacks. +# Requires mod_headers to be enabled. +# +Header set X-Frame-Options: "sameorigin" + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/roles/apache/files/ssl.conf b/roles/apache/files/ssl.conf new file mode 100644 index 0000000..bb80746 --- /dev/null +++ b/roles/apache/files/ssl.conf @@ -0,0 +1,156 @@ +# SSL OCSP stapling +#SSLStaplingCache shmcb:/var/cache/apache2/ssl_stapling_cache(256000) +#SSLUseStapling on + +# Redirects + + + ServerName $domain + Redirect permanent / https://$domain/ + + + + +# SSL Macros + + # Use HTTP Strict Transport Security to force client to use secure connections only + Header unset Strict-Transport-Security + Header set Strict-Transport-Security "max-age=864000" + # Make sure we load everything via HTTPS + Header set Content-Security-Policy "upgrade-insecure-requests" + + ######################################################### + # SSL configuration below ############################### + ######################################################### + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # configure SSL ciphers and protocols + SSLProtocol All -SSLv2 -SSLv3 + # TODO: Once OpenSSL supports GCM with more than just AES, revisit this + # NOTE: The reason we support non-FS ciphers is stupid middleboxes like the one used by Frauenhofer in SB, that don't support FS + SSLCipherSuite 'kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:AESGCM:ALL:!3DES:!EXPORT:!LOW:!MEDIUM:!aNULL:!eNULL' + SSLHonorCipherOrder on + + # Certificate, DH parameters and key + SSLCertificateFile /etc/ssl/mycerts/$cert.crt+dh + SSLCertificateKeyFile /etc/ssl/private/$cert.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. + SSLCertificateChainFile /etc/ssl/mycerts/$cert.chain + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # Client Authentication (Type): + # Client certificate verification type and depth. Types are + # none, optional, require and optional_no_ca. Depth is a + # number which specifies how deeply to verify the certificate + # issuer chain before deciding the certificate is not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + # Access Control: + # With SSLRequire you can do per-directory access control based + # on arbitrary complex boolean expressions containing server + # variable checks and other lookup directives. The syntax is a + # mixture between C and Perl. See the mod_ssl documentation + # for more details. + # + #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + # + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even + # under a "Satisfy any" situation, i.e. when it applies access is denied + # and no other module can change it. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + # + # SSLOptions +StdEnvVars + # + # + # SSLOptions +StdEnvVars + # + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates + # the SSL/TLS standard but is needed for some brain-dead browsers. Use + # this when you receive I/O errors because of the standard approach where + # mod_ssl sends the close notify alert. + # o ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation + # works correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + #BrowserMatch "MSIE [2-6]" \ + # nokeepalive ssl-unclean-shutdown \ + # downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + #BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml new file mode 100644 index 0000000..26b58ed --- /dev/null +++ b/roles/apache/handlers/main.yml @@ -0,0 +1,2 @@ +- name: apache + service: name=apache2 state=restarted enabled=yes diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml new file mode 100644 index 0000000..9b6c82e --- /dev/null +++ b/roles/apache/tasks/main.yml @@ -0,0 +1,36 @@ +- name: install apache + apt: name=apache2 state=latest +- name: enable apache + service: name=apache2 enabled=yes +# config +- name: enable modules + apache2_module: + state: present + name: "{{ item }}" + loop: + - headers + - ssl + - macro + notify: apache +- name: install shared config files + copy: + dest: /etc/apache2/conf-available/{{ item }} + src: files/{{ item }} + loop: + - ssl.conf + - acme-challenge.conf + - php5.conf + - security.conf + - other-vhosts-access-log.conf + notify: apache +- name: enable config files + command: a2enconf {{ item }} + args: + creates: /etc/apache2/conf-enabled/{{ item }}.conf + loop: + - ssl +- name: install default site + template: + dest: /etc/apache2/sites-available/000-default.conf + src: templates/000-default.conf + notify: apache diff --git a/roles/apache/templates/000-default.conf b/roles/apache/templates/000-default.conf new file mode 100644 index 0000000..8865a0a --- /dev/null +++ b/roles/apache/templates/000-default.conf @@ -0,0 +1,8 @@ +# redirect all undefined virtual hosts to {{ apache.default_host }} + + Redirect temp / https://{{ apache.default_host }}/ + + + Use SSL letsencrypt/live + Redirect temp / https://{{ apache.default_host }}/ + diff --git a/web.yml b/web.yml new file mode 100644 index 0000000..a7a85fd --- /dev/null +++ b/web.yml @@ -0,0 +1,3 @@ +- hosts: apache + roles: + - apache -- 2.30.2