forked from evolix/ansible-roles
Fix default web page
* split 80/443 * use modern authorization syntax * reorganize the VHost file
parent
34f6354a9e
commit
242c005f6d
|
@ -1,2 +1,2 @@
|
||||||
# Whitelisted IP addresses, add `Include ipaddr_whitelist.conf` to use it
|
# Whitelisted IP addresses, add `Include ipaddr_whitelist.conf` to use it
|
||||||
#Allow from 192.0.2.42
|
#Require ip 192.0.2.42
|
||||||
|
|
|
@ -103,7 +103,7 @@
|
||||||
- name: add IP addresses to private IP whitelist
|
- name: add IP addresses to private IP whitelist
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/apache2/private_ipaddr_whitelist.conf
|
dest: /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
line: "Allow from {{ item }}"
|
line: "Require ip {{ item }}"
|
||||||
state: present
|
state: present
|
||||||
with_items: "{{ apache_private_ipaddr_whitelist_present }}"
|
with_items: "{{ apache_private_ipaddr_whitelist_present }}"
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
|
@ -113,13 +113,20 @@
|
||||||
- name: remove IP addresses from private IP whitelist
|
- name: remove IP addresses from private IP whitelist
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/apache2/private_ipaddr_whitelist.conf
|
dest: /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
line: "Allow from {{ item }}"
|
line: "Require ip {{ item }}"
|
||||||
state: absent
|
state: absent
|
||||||
with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
|
with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
|
||||||
notify: reload apache
|
notify: reload apache
|
||||||
tags:
|
tags:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
|
- name: include private IP whitelist for server-status
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/apache2/mods-available/status.conf
|
||||||
|
line: " include /etc/apache2/private_ipaddr_whitelist.conf"
|
||||||
|
insertafter: 'SetHandler server-status'
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: Copy private_htpasswd
|
- name: Copy private_htpasswd
|
||||||
copy:
|
copy:
|
||||||
src: private_htpasswd
|
src: private_htpasswd
|
||||||
|
|
|
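Review bot: Entries already written to `/etc/apache2/private_ipaddr_whitelist.conf` in the old `Allow from <ip>` form are not migrated by the add/remove tasks. The `state: absent` task now matches only `Require ip {{ item }}`, so an address listed in `apache_private_ipaddr_whitelist_absent` that was added before this commit stays in the file. Whether a leftover `Allow from` line still grants access or breaks the reload depends on whether mod_access_compat is loaded, which the page does not show. Adding `regexp: '^(Allow from|Require ip) {{ item | regex_escape }}$'` to both tasks would rewrite legacy lines on add and delete either spelling on removal. Separately, the new server-status task edits `status.conf` without `notify: reload apache`, so its change only takes effect at a reload triggered by some other task.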
@ -1,36 +1,40 @@
|
||||||
<VirtualHost *:80 *:443>
|
<VirtualHost *:80>
|
||||||
ServerName {{ ansible_fqdn }}
|
ServerName {{ ansible_fqdn }}
|
||||||
ServerAdmin webmaster@localhost
|
ServerAdmin webmaster@localhost
|
||||||
|
|
||||||
|
RewriteEngine on
|
||||||
|
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
|
||||||
|
# RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
|
||||||
|
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
<VirtualHost *:443>
|
||||||
|
ServerName {{ ansible_fqdn }}
|
||||||
|
ServerAdmin webmaster@localhost
|
||||||
|
|
||||||
DocumentRoot /var/www/
|
DocumentRoot /var/www/
|
||||||
|
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLCertificateFile /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
SSLCertificateFile /etc/ssl/certs/{{ ansible_fqdn }}.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/private/{{ ansible_fqdn }}.key
|
SSLCertificateKeyFile /etc/ssl/private/{{ ansible_fqdn }}.key
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
# SSLProtocol all -SSLv2 -SSLv3
|
||||||
|
|
||||||
# Redirect to HTTPS, execpt for server-status, because Munin plugin
|
<Directory /var/www/>
|
||||||
# can't handle HTTPS! :(
|
Options +Indexes +FollowSymLinks +MultiViews
|
||||||
RewriteEngine on
|
|
||||||
RewriteCond %{HTTPS} !=on
|
|
||||||
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
|
|
||||||
RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
|
|
||||||
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
|
|
||||||
|
|
||||||
<Directory />
|
|
||||||
Options FollowSymLinks
|
|
||||||
AllowOverride None
|
AllowOverride None
|
||||||
Deny from all
|
|
||||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
<Directory /var/www/>
|
Alias /munin /var/cache/munin/www
|
||||||
Options Indexes FollowSymLinks MultiViews
|
<Directory /var/cache/munin/www/>
|
||||||
|
Options +Indexes +FollowSymLinks +MultiViews
|
||||||
AllowOverride None
|
AllowOverride None
|
||||||
|
|
||||||
|
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
<Location /munin_opcache.php>
|
<Location /munin_opcache.php>
|
||||||
Deny from all
|
|
||||||
Allow from 127.0.0.1
|
|
||||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
|
@ -41,11 +45,11 @@
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
ErrorDocument 403 {{ apache_default_redirect_url }}
|
ErrorDocument 403 {{ apache_default_redirect_url }}
|
||||||
|
|
||||||
CustomLog /var/log/apache2/access.log vhost_combined
|
CustomLog /var/log/apache2/access.log vhost_combined
|
||||||
ErrorLog /var/log/apache2/error.log
|
ErrorLog /var/log/apache2/error.log
|
||||||
LogLevel warn
|
LogLevel warn
|
||||||
|
|
||||||
Alias /munin /var/cache/munin/www
|
|
||||||
Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/
|
Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/
|
||||||
IncludeOptional /etc/apache2/conf-available/phpmyadmin*
|
IncludeOptional /etc/apache2/conf-available/phpmyadmin*
|
||||||
|
|
||||||
|
|
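Review bot: With `Deny from all` removed from the old `<Directory />` block and from `<Location /munin_opcache.php>`, the new `<Directory /var/www/>`, `<Directory /var/cache/munin/www/>` and `<Location /munin_opcache.php>` containers rely solely on `Include /etc/apache2/private_ipaddr_whitelist.conf` for access control. If that file holds no active `Require` line (the whitelist variable's default is not visible here), the containers carry no authorization directive of their own and fall back to whatever the global configuration grants, with directory indexes enabled. An explicit fallback such as `Require all denied` ahead of each `Include` would keep the default-deny behaviour; it should be verified with a request from a non-listed address, since it combines with the included `Require ip` lines as an implicit RequireAny. Separately, commenting out `SSLProtocol all -SSLv2 -SSLv3` leaves the protocol set to the server-wide default, which is worth confirming in the global SSL configuration.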