Fix default web page

* split 80/443
* use modern authorization syntax
* reorganize the VHost file

apache/files/private_ipaddr_whitelist.conf

@@ -1,2 +1,2 @@
 # Whitelisted IP addresses, add `Include ipaddr_whitelist.conf` to use it
-#Allow from 192.0.2.42
+#Require ip 192.0.2.42

apache/tasks/main.yml

@@ -103,7 +103,7 @@
 - name: add IP addresses to private IP whitelist
   lineinfile:
     dest: /etc/apache2/private_ipaddr_whitelist.conf
-    line: "Allow from {{ item }}"
+    line: "Require ip {{ item }}"
     state: present
   with_items: "{{ apache_private_ipaddr_whitelist_present }}"
   notify: reload apache
@@ -113,13 +113,20 @@
 - name: remove IP addresses from private IP whitelist
   lineinfile:
     dest: /etc/apache2/private_ipaddr_whitelist.conf
-    line: "Allow from {{ item }}"
+    line: "Require ip {{ item }}"
     state: absent
   with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
   notify: reload apache
   tags:
   - apache
 
+- name: include private IP whitelist for server-status
+  lineinfile:
+    dest: /etc/apache2/mods-available/status.conf
+    line: "        include /etc/apache2/private_ipaddr_whitelist.conf"
+    insertafter: 'SetHandler server-status'
+    state: present
+
 - name: Copy private_htpasswd
   copy:
     src: private_htpasswd

apache/templates/evolinux-default.conf.j2

@@ -1,36 +1,40 @@
-<VirtualHost *:80 *:443>
+<VirtualHost *:80>
     ServerName {{ ansible_fqdn }}
     ServerAdmin webmaster@localhost
+
+    RewriteEngine on
+    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
+    # RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
+    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ ansible_fqdn }}
+    ServerAdmin webmaster@localhost
+
     DocumentRoot /var/www/
 
     SSLEngine on
     SSLCertificateFile    /etc/ssl/certs/{{ ansible_fqdn }}.crt
     SSLCertificateKeyFile /etc/ssl/private/{{ ansible_fqdn }}.key
-    SSLProtocol all -SSLv2 -SSLv3
+    # SSLProtocol all -SSLv2 -SSLv3
 
-    # Redirect to HTTPS, execpt for server-status, because Munin plugin
+    <Directory /var/www/>
-    # can't handle HTTPS! :(
+        Options +Indexes +FollowSymLinks +MultiViews
-    RewriteEngine on
-    RewriteCond %{HTTPS} !=on
-    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
-    RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
-    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
-
-    <Directory />
-        Options FollowSymLinks
         AllowOverride None
-        Deny from all
+
         Include /etc/apache2/private_ipaddr_whitelist.conf
     </Directory>
 
-    <Directory /var/www/>
+    Alias /munin /var/cache/munin/www
-        Options Indexes FollowSymLinks MultiViews
+    <Directory /var/cache/munin/www/>
+        Options +Indexes +FollowSymLinks +MultiViews
         AllowOverride None
+
+        Include /etc/apache2/private_ipaddr_whitelist.conf
     </Directory>
 
     <Location /munin_opcache.php>
-        Deny from all
-        Allow from 127.0.0.1
         Include /etc/apache2/private_ipaddr_whitelist.conf
     </Location>
 
@@ -41,11 +45,11 @@
     </Directory>
 
     ErrorDocument 403 {{ apache_default_redirect_url }}
+
     CustomLog /var/log/apache2/access.log vhost_combined
     ErrorLog /var/log/apache2/error.log
     LogLevel warn
 
-    Alias /munin /var/cache/munin/www
     Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/
     IncludeOptional /etc/apache2/conf-available/phpmyadmin*