Merge branch 'apache-fix-default-vhost' into unstable

Jérémy Lecour 2017-07-19 14:02:52 +02:00 committed by Jérémy Lecour
commit 515460ee0a


@ -2,10 +2,19 @@
ServerName {{ ansible_fqdn }} ServerName {{ ansible_fqdn }}
ServerAdmin webmaster@localhost ServerAdmin webmaster@localhost
DocumentRoot /var/www/
RewriteEngine on RewriteEngine on
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] # Redirect to HTTPS, execpt for munin, because some plugins
# RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] # can't handle HTTPS! :(
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
<Location /munin_opcache.php>
Require ip 127.0.0.1
</Location>
</VirtualHost> </VirtualHost>
<VirtualHost *:443> <VirtualHost *:443>
@ -17,32 +26,39 @@
SSLEngine on SSLEngine on
SSLCertificateFile {{ apache_evolinux_default_ssl_cert }} SSLCertificateFile {{ apache_evolinux_default_ssl_cert }}
SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }} SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}
# SSLProtocol all -SSLv2 -SSLv3
<Directory /var/www/> # We override these 2 Directory directives setted in apache2.conf.
Options +Indexes +FollowSymLinks +MultiViews # We want no access except from allowed IP address.
AllowOverride None <Directory />
Options -Indexes
Require all denied
Include /etc/apache2/private_ipaddr_whitelist.conf
</Directory>
<Directory /var/www/>
Options -Indexes
Require all denied Require all denied
Include /etc/apache2/private_ipaddr_whitelist.conf Include /etc/apache2/private_ipaddr_whitelist.conf
</Directory> </Directory>
# Munin. We need to set Directory directive as Alias take precedence.
Alias /munin /var/cache/munin/www Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www/> <Directory /var/cache/munin/>
Options +Indexes +FollowSymLinks +MultiViews Options -Indexes
AllowOverride None Require all denied
Include /etc/apache2/private_ipaddr_whitelist.conf
</Directory>
<Directory /usr/lib/munin/cgi/>
Options -Indexes
Require all denied
Include /etc/apache2/private_ipaddr_whitelist.conf Include /etc/apache2/private_ipaddr_whitelist.conf
</Directory> </Directory>
<Location /munin_opcache.php> # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
Include /etc/apache2/private_ipaddr_whitelist.conf
</Location>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin"> <Directory /usr/lib/cgi-bin>
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all denied
Include /etc/apache2/private_ipaddr_whitelist.conf
</Directory> </Directory>
#ErrorDocument 403 {{ apache_default_redirect_url }} #ErrorDocument 403 {{ apache_default_redirect_url }}
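Review bot: In the port-80 redirect block, the two negated conditions appear to be joined with `[OR]`, which would make the pair true for every URI, since no path matches both patterns. `/server-status` and `/munin_opcache.php` would then be redirected to HTTPS like everything else, contrary to the comment above them. The flags are also written as two bracket groups, `[NC] [OR]`, whereas mod_rewrite expects a single comma-separated list, so the `OR` may be ignored or rejected depending on how Apache parses the line; the exception should not depend on that. Dropping the `OR` gives the intended AND: `RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]` followed by `RewriteCond %{REQUEST_URI} !^/munin_opcache\.php$ [NC]`. The page has lost its +/- markers, so which column is old and which is new is inferred from the layout.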