ansible-roles/apache/templates/evolinux-default.conf.j2

<VirtualHost *:80>
    ServerName {{ ansible_fqdn }}
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/

    RewriteEngine on
    # Redirect to HTTPS, execpt for munin, because some plugins
    # can't handle HTTPS! :(
    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
    RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]

    <Location /munin_opcache.php>
        Require ip 127.0.0.1
    </Location>

</VirtualHost>

<VirtualHost *:443>
    ServerName {{ ansible_fqdn }}
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/

    SSLEngine on
    SSLCertificateFile    {{ apache_evolinux_default_ssl_cert }}
    SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}

    # We override these 2 Directory directives setted in apache2.conf.
    # We want no access except from allowed IP address.
    <Directory />
        Options -Indexes
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>
    <Directory /var/www/>
        Options -Indexes
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    # Munin. We need to set Directory directive as Alias take precedence.
    Alias /munin /var/cache/munin/www
    <Directory /var/cache/munin/>
        Options -Indexes
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>
    <Directory /usr/lib/munin/cgi/>
        Options -Indexes
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    # Munin cgi
    # Ensure we can run (fast)cgi scripts
    ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
    <Location /munin-cgi/munin-cgi-graph>
        Options +ExecCGI
        <IfModule mod_fcgid.c>
            SetHandler fcgid-script
        </IfModule>
        <IfModule mod_fastcgi.c>
            SetHandler fastcgi-script
        </IfModule>
        <IfModule !mod_fastcgi.c>
            <IfModule !mod_fcgid.c>
                SetHandler cgi-script
            </IfModule>
        </IfModule>
        Allow from all
    </Location>

    # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory /usr/lib/cgi-bin>
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    CustomLog /var/log/apache2/access.log vhost_combined
    ErrorLog /var/log/apache2/error.log
    LogLevel warn

    Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/
    IncludeOptional /etc/apache2/conf-available/phpmyadmin*

    <Files ~ "\.(inc|bak)$">
        Require all denied
    </Files>

</VirtualHost>