ansible-roles/apache/templates/evolinux-default.conf.j2

<VirtualHost *:80>
    ServerName {{ ansible_fqdn }}
    #ServerAlias {{ ansible_fqdn }}

    DocumentRoot /var/www/

    <Directory />
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>
    <Directory /var/www/>
        Options -Indexes
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    # Munin. We need to set Directory directive as Alias take precedence.
    Alias /munin /var/cache/munin/www
    <Directory /var/cache/munin/>
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>
    <Directory /usr/lib/munin/cgi/>
        Options -Indexes
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin>
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    CustomLog /var/log/apache2/access.log vhost_combined
    ErrorLog /var/log/apache2/error.log
    LogLevel warn

    <IfModule mod_ssl.c>
    RewriteEngine on
    # Redirect to HTTPS, execpt for munin, because some plugins
    # can't handle HTTPS! :(
    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
    RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
    </IfModule>

    <Location /munin_opcache.php>
        Require ip 127.0.0.1
    </Location>
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName {{ ansible_fqdn }}
    #ServerAlias {{ ansible_fqdn }}

    DocumentRoot /var/www/

    <Directory />
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>
    <Directory /var/www/>
        Options -Indexes
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    SSLEngine on
    SSLCertificateFile    {{ apache_evolinux_default_ssl_cert }}
    SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}

    # We override these 2 Directory directives setted in apache2.conf.
    # We want no access except from allowed IP address.
    <Directory />
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    # Munin. We need to set Directory directive as Alias take precedence.
    Alias /munin /var/cache/munin/www
    <Directory /var/cache/munin/>
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>
    <Directory /usr/lib/munin/cgi/>
        Options -Indexes
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin>
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    CustomLog /var/log/apache2/access.log vhost_combined
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
</VirtualHost>
</IfModule>
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00			`<VirtualHost *:80>`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`ServerName {{ ansible_fqdn }}`
Review of role Apache, sync with https://wiki.evolix.org/HowtoApache 2017-07-22 22:40:31 +02:00			`#ServerAlias {{ ansible_fqdn }}`
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`DocumentRoot /var/www/`

Review of role Apache, sync with https://wiki.evolix.org/HowtoApache 2017-07-22 22:40:31 +02:00			`<Directory />`
			`Include /etc/apache2/private_ipaddr_whitelist.conf`
			`</Directory>`
			`<Directory /var/www/>`
			`Options -Indexes`
			`Require all denied`
			`Include /etc/apache2/private_ipaddr_whitelist.conf`
			`</Directory>`

			`# Munin. We need to set Directory directive as Alias take precedence.`
			`Alias /munin /var/cache/munin/www`
			`<Directory /var/cache/munin/>`
			`Require all denied`
			`Include /etc/apache2/private_ipaddr_whitelist.conf`
			`</Directory>`
			`<Directory /usr/lib/munin/cgi/>`
			`Options -Indexes`
			`Require all denied`
			`Include /etc/apache2/private_ipaddr_whitelist.conf`
			`</Directory>`

			`# For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.`
			`ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/`
			`<Directory /usr/lib/cgi-bin>`
			`Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch`
			`Require all denied`
			`Include /etc/apache2/private_ipaddr_whitelist.conf`
			`</Directory>`

			`CustomLog /var/log/apache2/access.log vhost_combined`
			`ErrorLog /var/log/apache2/error.log`
			`LogLevel warn`

			`<IfModule mod_ssl.c>`
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00			`RewriteEngine on`
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`# Redirect to HTTPS, execpt for munin, because some plugins`
			`# can't handle HTTPS! :(`
			`RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]`
			`RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]`
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00			`RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]`
Review of role Apache, sync with https://wiki.evolix.org/HowtoApache 2017-07-22 22:40:31 +02:00			`</IfModule>`
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00
			`<Location /munin_opcache.php>`
			`Require ip 127.0.0.1`
			`</Location>`
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00			`</VirtualHost>`

Review of role Apache, sync with https://wiki.evolix.org/HowtoApache 2017-07-22 22:40:31 +02:00			`<IfModule mod_ssl.c>`
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00			`<VirtualHost *:443>`
			`ServerName {{ ansible_fqdn }}`
Review of role Apache, sync with https://wiki.evolix.org/HowtoApache 2017-07-22 22:40:31 +02:00			`#ServerAlias {{ ansible_fqdn }}`
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`DocumentRoot /var/www/`

Review of role Apache, sync with https://wiki.evolix.org/HowtoApache 2017-07-22 22:40:31 +02:00			`<Directory />`
			`Include /etc/apache2/private_ipaddr_whitelist.conf`
			`</Directory>`
			`<Directory /var/www/>`
			`Options -Indexes`
			`Require all denied`
			`Include /etc/apache2/private_ipaddr_whitelist.conf`
			`</Directory>`

Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`SSLEngine on`
apache: use snakeoil cert by default 2017-07-13 16:44:39 +02:00			`SSLCertificateFile {{ apache_evolinux_default_ssl_cert }}`
			`SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`# We override these 2 Directory directives setted in apache2.conf.`
			`# We want no access except from allowed IP address.`
			`<Directory />`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`Include /etc/apache2/private_ipaddr_whitelist.conf`
			`</Directory>`

A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`# Munin. We need to set Directory directive as Alias take precedence.`
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00			`Alias /munin /var/cache/munin/www`
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`<Directory /var/cache/munin/>`
			`Require all denied`
Fix default web page * split 80/443 * use modern authorization syntax * reorganize the VHost file 2017-07-06 14:51:40 +02:00			`Include /etc/apache2/private_ipaddr_whitelist.conf`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`</Directory>`
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`<Directory /usr/lib/munin/cgi/>`
			`Options -Indexes`
			`Require all denied`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`Include /etc/apache2/private_ipaddr_whitelist.conf`
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`</Directory>`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`# For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/`
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`<Directory /usr/lib/cgi-bin>`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch`
A better default vhost for Apache. This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias. 2017-07-18 17:05:47 +02:00			`Require all denied`
			`Include /etc/apache2/private_ipaddr_whitelist.conf`
Squash: conventions, evolinux, etc-git… 2016-11-07 14:00:57 +01:00			`</Directory>`

			`CustomLog /var/log/apache2/access.log vhost_combined`
			`ErrorLog /var/log/apache2/error.log`
			`LogLevel warn`
			`</VirtualHost>`
Review of role Apache, sync with https://wiki.evolix.org/HowtoApache 2017-07-22 22:40:31 +02:00			`</IfModule>`