From 242c005f6d35d929a612e1710d2293558e7ae966 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 6 Jul 2017 14:51:40 +0200
Subject: [PATCH] Fix default web page

* split 80/443
* use modern authorization syntax
* reorganize the VHost file
---
 apache/files/private_ipaddr_whitelist.conf |  2 +-
 apache/tasks/main.yml                      | 11 ++++--
 apache/templates/evolinux-default.conf.j2  | 40 ++++++++++++----------
 3 files changed, 32 insertions(+), 21 deletions(-)

diff --git a/apache/files/private_ipaddr_whitelist.conf b/apache/files/private_ipaddr_whitelist.conf
index 34e7da20..6c42b58c 100644
--- a/apache/files/private_ipaddr_whitelist.conf
+++ b/apache/files/private_ipaddr_whitelist.conf
@@ -1,2 +1,2 @@
 # Whitelisted IP addresses, add `Include ipaddr_whitelist.conf` to use it
-#Allow from 192.0.2.42
+#Require ip 192.0.2.42
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml
index 78055141..a90a3144 100644
--- a/apache/tasks/main.yml
+++ b/apache/tasks/main.yml
@@ -103,7 +103,7 @@
 - name: add IP addresses to private IP whitelist
   lineinfile:
     dest: /etc/apache2/private_ipaddr_whitelist.conf
-    line: "Allow from {{ item }}"
+    line: "Require ip {{ item }}"
     state: present
   with_items: "{{ apache_private_ipaddr_whitelist_present }}"
   notify: reload apache
@@ -113,13 +113,20 @@
 - name: remove IP addresses from private IP whitelist
   lineinfile:
     dest: /etc/apache2/private_ipaddr_whitelist.conf
-    line: "Allow from {{ item }}"
+    line: "Require ip {{ item }}"
     state: absent
   with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
   notify: reload apache
   tags:
   - apache
+- name: include private IP whitelist for server-status
+  lineinfile:
+    dest: /etc/apache2/mods-available/status.conf
+    line: " include /etc/apache2/private_ipaddr_whitelist.conf"
+    insertafter: 'SetHandler server-status'
+    state: present
+
 - name: Copy private_htpasswd
   copy:
     src: private_htpasswd
diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2
index 3c56568a..744c4319 100644
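Review bot: Changing the literal on the `line:` of 'add IP addresses to private IP whitelist' to `Require ip {{ item }}` does not migrate the `Allow from …` lines that earlier runs of this role presumably wrote into /etc/apache2/private_ipaddr_whitelist.conf, and the 'remove' task in the next hunk only deletes the new form. A host upgraded in place therefore keeps mod_access_compat and mod_authz_core directives in one included file, a mix the Apache 2.4 documentation warns gives unexpected results, and a hard failure at reload if mod_access_compat is not loaded. Matching either form on both lineinfile calls makes the migration idempotent: `regexp: "^(Allow from|Require ip) {{ item | regex_escape() }}$"`, so the present task rewrites an old line in place and the absent task removes whichever form is there.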
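Review bot: The new 'include private IP whitelist for server-status' task edits /etc/apache2/mods-available/status.conf but, unlike the two whitelist tasks above it, carries neither `notify: reload apache` nor `tags:` / `  - apache`, so the added Include only becomes active when some other task happens to reload Apache, and a `--tags apache` run skips it entirely; add both as on the sibling tasks. The `insertafter: 'SetHandler server-status'` puts the Include inside the `<Location /server-status>` block, which on Debian presumably already holds `Require local`; because 2.4 ORs multiple `Require` directives by default this widens status access to every whitelisted address, which looks intended but deserves a comment on the task. Note also that lineinfile has no `create` here and fails outright if status.conf is missing, which is fine on a stock apache2 install but is not guarded.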
--- a/apache/templates/evolinux-default.conf.j2
+++ b/apache/templates/evolinux-default.conf.j2
@@ -1,36 +1,40 @@
-
+
     ServerName {{ ansible_fqdn }}
     ServerAdmin webmaster@localhost
+
+    RewriteEngine on
+    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
+    # RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
+    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
+
+
+    ServerName {{ ansible_fqdn }}
+    ServerAdmin webmaster@localhost
+
     DocumentRoot /var/www/
     SSLEngine on
     SSLCertificateFile /etc/ssl/certs/{{ ansible_fqdn }}.crt
     SSLCertificateKeyFile /etc/ssl/private/{{ ansible_fqdn }}.key
-    SSLProtocol all -SSLv2 -SSLv3
+    # SSLProtocol all -SSLv2 -SSLv3
-    # Redirect to HTTPS, execpt for server-status, because Munin plugin
-    # can't handle HTTPS! :(
-    RewriteEngine on
-    RewriteCond %{HTTPS} !=on
-    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
-    RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
-    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
-
-        Options FollowSymLinks
+
+        Options +Indexes +FollowSymLinks +MultiViews
         AllowOverride None
-        Deny from all
+        Include /etc/apache2/private_ipaddr_whitelist.conf
-
-        Options Indexes FollowSymLinks MultiViews
+    Alias /munin /var/cache/munin/www
+
+        Options +Indexes +FollowSymLinks +MultiViews
         AllowOverride None
+
+        Include /etc/apache2/private_ipaddr_whitelist.conf
-        Deny from all
-        Allow from 127.0.0.1
         Include /etc/apache2/private_ipaddr_whitelist.conf
@@ -41,11 +45,11 @@
     ErrorDocument 403 {{ apache_default_redirect_url }}
+
     CustomLog /var/log/apache2/access.log vhost_combined
     ErrorLog /var/log/apache2/error.log
     LogLevel warn
-    Alias /munin /var/cache/munin/www
     Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/
     IncludeOptional /etc/apache2/conf-available/phpmyadmin*
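Review bot: In the new `<Directory /var/www/>` section the only access control left is the `Include /etc/apache2/private_ipaddr_whitelist.conf` that replaces `Deny from all`, while `Options +Indexes` is switched on; the shipped whitelist file (first file of this patch) holds only a comment, so on a host with no whitelisted addresses the section contains no `Require` directive at all and authorization falls back to the global `<Directory /var/www/>`, which on stock Debian is `Require all granted` and would serve a directory listing of the DocumentRoot to anyone. Stating the default before the Include keeps the section closed whatever the list contains: `Require all denied` here, and `Require local` in the munin section, which also restores the `Allow from 127.0.0.1` the hunk drops without replacement (2.4 ORs multiple `Require` lines by default, so the whitelist still applies). Commenting out `SSLProtocol all -SSLv2 -SSLv3` likewise removes the only protocol restriction visible in this vhost; unless the global mods-available/ssl.conf is known to set it, keep the line. The enclosing `<VirtualHost *:443>` block continues past the hunk, and the VirtualHost/Directory tag lines are blank in this rendering of the diff, so the section boundaries are inferred.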