Update to 2021-12-01 19:13

roles/httpd_common/defaults/main.yml

@@ -0,0 +1,67 @@
+---
+httpd_ports: ['80']
+httpd_src_ip:
+  - 0.0.0.0/0
+httpd_user: apache
+httpd_group: apache
+httpd_modules:
+  - unixd
+  - access_compat
+  - alias
+  - allowmethods
+  - auth_basic
+  - authn_core
+  - authn_file
+  - authz_core
+  - authz_host
+  - authz_user
+  - authnz_pam
+  - autoindex
+  - deflate
+  - dir
+  - env
+  - expires
+  - filter
+  - headers
+  - log_config
+  - logio
+  - mime_magic
+  - mime
+  - include
+  - remoteip
+  - rewrite
+  - setenvif
+  - systemd
+  - status
+  - negotiation
+  - fcgid
+  - proxy
+  - proxy_fcgi
+  - proxy_http
+  - proxy_wstunnel
+# Optional extra module to load
+# httpd_modules_extras: []
+httpd_mpm: prefork
+httpd_primary_domain: 'firewall-services.com'
+httpd_log_format: 'combined_virtual'
+httpd_status_ip:
+  - '127.0.0.1'
+
+httpd_proxy_timeout: 90
+
+httpd_ansible_vhosts: []
+httpd_ansible_directories: []
+httpd_custom_conf: |
+  # Custom config directives here
+
+httpd_htpasswd: []
+# httpd_htpasswd:
+#   - path: /etc/httpd/conf/customers.htpasswd
+#     users:
+#       - login: client1
+#         password: s3crEt.
+
+# The default vhost will have the name of the server in the inventory.
+# But you can overwrite it with this var
+# httpd_default_vhost: 
+...

roles/httpd_common/files/index_maintenance.html

@@ -0,0 +1 @@
+Maintenance en cours...

roles/httpd_common/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- include: ../common/handlers/main.yml
+
+- name: reload httpd
+  service: name=httpd state=reloaded
+
+- name: restart httpd
+  service: name=httpd state=restarted
+...

roles/httpd_common/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: mkdir

roles/httpd_common/tasks/filebeat.yml

@@ -0,0 +1,5 @@
+---
+- name: Deploy filebeat module
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_modules.d/httpd.yml
+  tags: web,log
+

roles/httpd_common/tasks/main.yml

@@ -0,0 +1,164 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+  tags: web
+
+- name: Install packages
+  yum: name={{ httpd_common_packages }}
+  tags: web
+
+- name: List httpd ports
+  set_fact: httpd_ports={{ httpd_ports + (httpd_ansible_vhosts | selectattr('port','defined') | map(attribute='port') | list) | unique }}
+  tags: [firewall,web]
+  
+- name: Allow httpd to bind on ports
+  seport: ports={{ httpd_ports | join(',') }} proto=tcp setype=http_port_t state=present
+  when: ansible_selinux.status == 'enabled'
+  tags: web
+
+- name: Creates default root directory
+  file: path={{ item }} state=directory mode=755
+  with_items:
+    - /var/www/html/default
+    - /var/www/html/default/cgi-bin
+    - /var/www/html/downtime
+    - /etc/httpd/ansible_conf.d
+    - /etc/httpd/custom_conf.d
+    - /etc/httpd/ansible_conf.modules.d
+  tags: web
+
+- name: Deploy an empty default index for the catch all vhost
+  copy: src=index_default.html dest=/var/www/html/default/index.html
+  tags: web
+
+- name: Deploy the maintenance page
+  copy: src=index_maintenance.html dest=/var/www/html/default/maintenance.html
+  tags: web
+
+- name: Remove obsolete configuration files
+  file: path={{ item }} state=absent
+  with_items:
+    - /etc/httpd/ansible_conf.d/10-welcome.conf
+  tags: web
+
+- name: Deploy mpm configuration
+  template: src=10-mpm.conf.j2 dest=/etc/httpd/ansible_conf.modules.d/10-mpm.conf
+  notify: restart httpd
+  tags: [conf,web]
+
+- name: Deploy main httpd configuration
+  template: src={{ item.src }} dest={{ item.dest }}
+  with_items:
+    - src: httpd.conf.j2
+      dest: /etc/httpd/conf/httpd.conf
+    - src: common_env.inc.j2
+      dest: /etc/httpd/ansible_conf.d/common_env.inc
+    - src: autoindex.conf.j2
+      dest: /etc/httpd/ansible_conf.d/10-autoindex.conf
+    - src: status.conf.j2
+      dest: /etc/httpd/ansible_conf.d/10-status.conf
+    - src: errors.conf.j2
+      dest: /etc/httpd/ansible_conf.d/10-errors.conf
+    - src: vhost_default.conf.j2
+      dest: /etc/httpd/ansible_conf.d/20-vhost_default.conf
+    - src: 00-base_mod.conf.j2
+      dest: /etc/httpd/ansible_conf.modules.d/00-base_mod.conf
+    - src: 20-cgi.conf.j2
+      dest: /etc/httpd/ansible_conf.modules.d/20-cgi.conf
+  notify: reload httpd
+  tags: [conf,web]
+
+- name: Check if common config templates are present
+  stat: path=/etc/httpd/ansible_conf.d/{{ item }}
+  with_items:
+    - common_perf.inc
+    - common_filter.inc
+    - common_force_ssl.inc
+    - common_letsencrypt.inc
+    - common_cache.inc
+    - common_mod_security2.inc
+  register: common_files
+  tags: [conf,web]
+
+- name: Deploy dummy config files if needed
+  copy: content="# Dummy config file. Use httpd_front / letsencrypt roles to get the real config" dest=/etc/httpd/ansible_conf.d/{{ item.item }}
+  when: not item.stat.exists
+  with_items: "{{ common_files.results }}"
+  notify: reload httpd
+  tags: [conf,web]
+
+- name: Deploy ansible vhosts configuration
+  template: src=vhost_ansible.conf.j2 dest=/etc/httpd/ansible_conf.d/30-vhost_ansible.conf
+  notify: reload httpd
+  tags: [conf,web]
+
+- name: Create ansible directories
+  file: path={{ item.path }} state=directory
+  with_items: "{{ httpd_ansible_directories }}"
+  tags: [conf,web]
+
+- name: Deploy ansible directories configuration
+  template: src=dir_ansible.conf.j2 dest=/etc/httpd/ansible_conf.d/10-dir_ansible.conf
+  notify: reload httpd
+  tags: [conf,web]
+
+- name: Deploy custom global configuration
+  copy: content={{ httpd_custom_conf }} dest=/etc/httpd/ansible_conf.d/10-custom_ansible.conf
+  notify: reload httpd
+  tags: [conf,web]
+
+- name: Configure log rotation
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/httpd
+  tags: [conf,web]
+
+- name: Remove old iptables rule
+  iptables_raw:
+    name: httpd_port
+    state: absent
+  when: iptables_manage | default(True)
+  tags: [firewall,web]
+
+- name: Handle HTTP ports
+  iptables_raw:
+    name: httpd_ports
+    state: "{{ (httpd_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ httpd_ports | join(',') }} -s {{ httpd_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: [firewall,web]
+
+- name: Start and enable the service
+  service: name=httpd state=started enabled=yes
+  tags: web
+
+- name: Allow network connections in SELinux
+  seboolean: name={{ item }} state=yes persistent=yes
+  with_items:
+    - httpd_can_connect_ldap
+    - httpd_unified
+    - httpd_can_network_connect
+    - httpd_mod_auth_pam
+  when: ansible_selinux.status == 'enabled'
+  tags: web
+
+- name: Create or update htpasswd files
+  htpasswd:
+    path: "{{ item[0].path }}"
+    name: "{{ item[1].login }}"
+    password: "{{ item[1].pass | default(omit) }}"
+    owner: root
+    group: "{{ httpd_user }}"
+    mode: 0640
+    state: "{{ (item[1].state | default('present')) }}"
+  with_subelements:
+    - "{{ httpd_htpasswd }}"
+    - users
+  tags: web
+
+- include: filebeat.yml
+...

roles/httpd_common/templates/00-base_mod.conf.j2

@@ -0,0 +1,6 @@
+{% for module in httpd_modules %}
+LoadModule {{ module }}_module modules/mod_{{ module }}.so
+{% endfor %}
+{% for module in httpd_modules_extras | default([]) %}
+LoadModule {{ module }}_module modules/mod_{{ module }}.so
+{% endfor %}

roles/httpd_common/templates/10-mpm.conf.j2

@@ -0,0 +1 @@
+LoadModule mpm_{{ httpd_mpm }}_module modules/mod_mpm_{{ httpd_mpm }}.so

roles/httpd_common/templates/20-cgi.conf.j2

@@ -0,0 +1,5 @@
+{% if httpd_mpm == 'prefork' %}
+LoadModule cgi_module modules/mod_cgi.so
+{% else %}
+LoadModule cgid_module modules/mod_cgid.so
+{% endif %}

roles/httpd_common/templates/autoindex.conf.j2

@@ -0,0 +1,45 @@
+IndexOptions FancyIndexing HTMLTable VersionSort
+Alias /icons/ "/usr/share/httpd/icons/"
+
+<Directory "/usr/share/httpd/icons">
+    Options Indexes MultiViews FollowSymlinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif /core
+AddIcon /icons/bomb.gif */core.*
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+DefaultIcon /icons/unknown.gif
+
+ReadmeName README.html
+HeaderName HEADER.html
+
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

roles/httpd_common/templates/common_env.inc.j2

@@ -0,0 +1,7 @@
+# Determine which protocol to use
+RewriteRule   .*         -      [E=HTTP:http]
+RewriteCond   %{HTTPS}   =on
+RewriteRule   .*         -      [E=HTTP:https]
+{% if httpd_log_format == 'combined_virtual_backend' %}
+SetEnvIf X-Forwarded-Proto https HTTPS=on
+{% endif %}

roles/httpd_common/templates/dir_ansible.conf.j2

@@ -0,0 +1,34 @@
+
+# {{ ansible_managed }}
+
+{% for dir in httpd_ansible_directories | default([]) %}
+  <Directory {{ dir.path }}>
+{% if dir.full_config is defined %}
+{{ dir.full_config | indent(4, true) }}
+{% else %}
+{% if dir.custom_pre is defined %}
+{{ dir.custom_pre | indent(4, true) }}
+{% endif %}
+    AllowOverride {{ dir.allow_override | default('All') }}
+{% if dir.options is defined %}
+    Options {{ dir.options | join(' ') }}
+{% endif %}
+{% if dir.allowed_ip is not defined or dir.allowed_ip == 'all' %}
+    Require all granted
+{% elif dir.allowed_ip == 'none' %}
+    Require all denied
+{% else %}
+    Require ip {{ dir.allowed_ip | join(' ') }}
+{% endif %}
+{% if dir.php is defined and dir.php.enabled | default(False) %}
+    <FilesMatch \.php$>
+      SetHandler "proxy:unix:/run/php-fpm/{{ dir.php.pool | default('php70') }}.sock|fcgi://localhost"
+    </FilesMatch>
+{% endif %}
+{% if dir.custom_post is defined %}
+{{ dir.custom_post | indent(4, true) }}
+{% endif %}
+{% endif %}
+  </Directory>
+
+{% endfor %}

roles/httpd_common/templates/errors.conf.j2

@@ -0,0 +1,30 @@
+Alias /_deferror/ "/usr/share/httpd/error/"
+
+<Directory "/usr/share/httpd/error">
+    AllowOverride None
+    Options IncludesNoExec
+    AddOutputFilter Includes html
+    AddHandler type-map var
+    Require all granted
+    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
+    ForceLanguagePriority Prefer Fallback
+</Directory>
+
+ErrorDocument 400 /_deferror/HTTP_BAD_REQUEST.html.var
+ErrorDocument 401 /_deferror/HTTP_UNAUTHORIZED.html.var
+ErrorDocument 403 /_deferror/HTTP_FORBIDDEN.html.var
+ErrorDocument 404 /_deferror/HTTP_NOT_FOUND.html.var
+ErrorDocument 405 /_deferror/HTTP_METHOD_NOT_ALLOWED.html.var
+ErrorDocument 408 /_deferror/HTTP_REQUEST_TIME_OUT.html.var
+ErrorDocument 410 /_deferror/HTTP_GONE.html.var
+ErrorDocument 411 /_deferror/HTTP_LENGTH_REQUIRED.html.var
+ErrorDocument 412 /_deferror/HTTP_PRECONDITION_FAILED.html.var
+ErrorDocument 413 /_deferror/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ErrorDocument 414 /_deferror/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ErrorDocument 415 /_deferror/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+ErrorDocument 500 /_deferror/HTTP_INTERNAL_SERVER_ERROR.html.var
+ErrorDocument 501 /_deferror/HTTP_NOT_IMPLEMENTED.html.var
+ErrorDocument 502 /_deferror/HTTP_BAD_GATEWAY.html.var
+ErrorDocument 503 /_deferror/HTTP_SERVICE_UNAVAILABLE.html.var
+ErrorDocument 506 /_deferror/HTTP_VARIANT_ALSO_VARIES.html.var
+

roles/httpd_common/templates/filebeat.yml.j2

@@ -0,0 +1,15 @@
+---
+- module: apache
+  access:
+    enabled: True
+    input:
+      exclude_files:
+        - '\.[gx]z$'
+        - '\d+$'
+  error:
+    enabled: True
+    input:
+      exclude_files: 
+        - '\.[gx]z$'
+        - '\d+$'
+

roles/httpd_common/templates/httpd.conf.j2

@@ -0,0 +1,55 @@
+ServerRoot "/etc/httpd"
+{% for port in httpd_ports %}
+Listen {{ port }} http
+{% endfor %}
+Include ansible_conf.modules.d/*.conf
+User {{ httpd_user }}
+Group {{ httpd_group }}
+ServerAdmin root@{{ inventory_hostname }}
+ServerName {{ inventory_hostname }}
+ServerTokens Prod
+
+ProxyTimeout {{ httpd_proxy_timeout }}
+
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+DocumentRoot "/var/www/html/default"
+<Directory "/var/www/html/default">
+    AllowOverride None
+    Require all granted
+</Directory>
+<IfModule dir_module>
+    DirectoryIndex index.html index.php
+</IfModule>
+<Files ".ht*">
+    Require all denied
+</Files>
+ErrorLog "logs/error_log"
+LogLevel warn
+<IfModule log_config_module>
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" scheme=\"%{HTTP}e\"" combined
+    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" scheme=\"%{HTTP}e\"" combined_virtual
+    LogFormat "%V %{X-Forwarded-For}i %l %{Auth-User}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" scheme=\"%{HTTP}e\"" combined_virtual_backend
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+    <IfModule logio_module>
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+    CustomLog "logs/access_log" {{ httpd_log_format | default('combined_virtual') }}
+
+</IfModule>
+<IfModule mime_module>
+    TypesConfig /etc/mime.types
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+AddDefaultCharset UTF-8
+<IfModule mime_magic_module>
+    MIMEMagicFile conf/magic
+</IfModule>
+EnableSendfile on
+IncludeOptional ansible_conf.d/*.conf
+IncludeOptional custom_conf.d/*.conf

roles/httpd_common/templates/logrotate.conf.j2

@@ -0,0 +1,11 @@
+/var/log/httpd/*log {
+    daily
+    rotate 60
+    missingok
+    notifempty
+    compress
+    sharedscripts
+    postrotate
+        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
+    endscript
+}

roles/httpd_common/templates/status.conf.j2

@@ -0,0 +1,7 @@
+{% if httpd_status_ip is defined and httpd_status_ip | length > 0 %}
+<Location /server-status>
+    SetHandler server-status
+    Require ip {{ httpd_status_ip | join(' ') }}
+</Location>
+ExtendedStatus On
+{% endif %}

roles/httpd_common/templates/vhost_ansible.conf.j2

@@ -0,0 +1,204 @@
+# {{ ansible_managed }}
+
+{% for vhost in httpd_ansible_vhosts | default([]) %}
+
+#####################################
+## Plain vhost for {{ vhost.name }}
+#####################################
+
+<VirtualHost *:{{ vhost.port | default(httpd_port) | default('80') }}>
+  ServerName {{ vhost.name }}
+{% if vhost.full_config is defined %}
+{{ vhost.full_config | indent(2, true) }}
+{% else %}
+{% if vhost.aliases is defined %}
+  ServerAlias {{ vhost.aliases | default([]) | join(' ') }}
+{% endif %}
+{% if vhost.webmaster_email is defined %}
+  ServerAdmin {{ vhost.webmaster_email }}
+{% endif %}
+{% if vhost.custom_pre is defined %}
+{{ vhost.custom_pre | indent(2, true) }}
+{% endif %}
+{% if vhost.set_remote_user_from_header is defined %}
+  # Read {{ vhost.set_remote_user_from_header }} header from proxy and set REMOTE_USER
+  RewriteEngine On
+  RewriteCond %{HTTP:{{ vhost.set_remote_user_from_header }}} ^(\w+)$
+  RewriteRule .* - [E=REMOTE_USER:%1]
+{% endif %}
+  DocumentRoot {{ vhost.document_root | default('/var/www/html/default') }}
+{% if vhost.maintenance | default(False) %}
+  Include ansible_conf.d/common_maintenance.inc
+{% else %}
+  Alias /_deferror/ "/usr/share/httpd/error/"
+  Include ansible_conf.d/common_env.inc
+{% if vhost.common_perf | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) %}
+  Include ansible_conf.d/common_perf.inc
+{% endif %}
+{% if vhost.common_filter | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) %}
+  Include ansible_conf.d/common_filter.inc
+{% endif %}
+{% if vhost.common_cache | default(False) %}
+  Include ansible_conf.d/common_cache.inc
+{% endif %}
+{% if vhost.ssl is defined and vhost.ssl.enabled | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) and vhost.ssl.forced | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) %}
+  Include ansible_conf.d/common_force_ssl.inc
+{% endif %}
+{% if ((vhost.common_letsencrypt is defined and vhost.common_letsencrypt) or (vhost.ssl is defined and vhost.ssl.letsencrypt_cert is defined )) | default(False) %}
+  Include ansible_conf.d/common_letsencrypt.inc
+{% endif %}
+{% if vhost.common_mod_security | default(False) == True or vhost.common_mod_security | default(False) == 'audit' %}
+  Include ansible_conf.d/common_mod_security2.inc
+{% if vhost.common_mod_security | default(False) == 'audit' %}
+  SecRuleEngine DetectionOnly
+{% endif %}
+{% for id in vhost.mod_security_disabled_rules | default([]) %}
+  SecRuleRemoveById {{ id }}
+{% endfor %}
+{% endif %}
+{% if vhost.include_conf is defined %}
+{% for include in vhost.include_conf | default([]) %}
+  Include {{ include }}
+{% endfor %}
+{% endif %}
+{% if vhost.proxypass is defined %}
+{% if vhost.proxypass is match('^https://') %}
+  SSLProxyEngine On
+{% endif %}
+  RequestHeader set X-Forwarded-Proto "http"
+  ProxyPass /.well-known/acme-challenge !
+  ProxyPass /_deferror/ !
+  ProxyPreserveHost {{  vhost.proxypreservehost | default(True) | ternary('On','Off') }}
+  # WebSocket proxy handling
+  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+  RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+  RewriteRule .* {{ vhost.proxypass | regex_replace('^http','ws') }}%{REQUEST_URI} [P]
+  # Normal proxy
+  ProxyPass / {{ vhost.proxypass }}
+  ProxyPassReverse / {{ vhost.proxypass }}
+{% endif %}
+{% if vhost.src_ip is defined %}
+  <Location />
+{% if vhost.src_ip | length < 1 %}
+    Require all denied
+{% else %}
+    Require ip {{ vhost.src_ip | join(' ') }}
+{% endif %}
+  </Location>
+{% endif %}
+{% if vhost.custom_post is defined %}
+{{ vhost.custom_post | indent(2, true) }}
+{% endif %}
+{% endif %}
+{% endif %}
+</VirtualHost>
+{% if vhost.ssl is defined and vhost.ssl.enabled | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) %}
+
+#####################################
+## SSL vhost for {{ vhost.name }}
+#####################################
+
+<IfModule mod_ssl.c>
+  <VirtualHost *:{{ vhost.ssl.port | default(httpd_ssl_port) | default('443') }}>
+    ServerName {{ vhost.name }}
+{% if vhost.ssl.full_config is defined %}
+{{ vhost.ssl.full_config | indent(4, true) }}
+{% else %}
+{% if vhost.aliases is defined %}
+    ServerAlias {{ vhost.aliases | default([]) | join(' ') }}
+{% endif %}
+{% if vhost.webmaster_email is defined %}
+    ServerAdmin {{ vhost.webmaster_email }}
+{% endif %}
+{% if vhost.custom_pre is defined %}
+{{ vhost.custom_pre | indent(4, true) }}
+{% endif %}
+{% if vhost.set_remote_user_from_header is defined %}
+    # Read {{ vhost.set_remote_user_from_header }} header from proxy and set REMOTE_USER
+    RewriteEngine On
+    RewriteCond %{HTTP:{{ vhost.set_remote_user_from_header }}} ^(\w+)$
+    RewriteRule .* - [E=REMOTE_USER:%1]
+{% endif %}
+    DocumentRoot {{ vhost.document_root | default('/var/www/html/default') }}
+    SSLEngine On
+{% if vhost.maintenance | default(False) %}
+    Include ansible_conf.d/common_maintenance.inc
+{% else %}
+    Alias /_deferror/ "/usr/share/httpd/error/"
+{% if vhost.ssl.cert is defined and vhost.ssl.key is defined %}
+    SSLCertificateFile {{ vhost.ssl.cert }}
+    SSLCertificateKeyFile {{ vhost.ssl.key }}
+{% if vhost.ssl.cert_chain is defined %}
+    SSLCertificateChainFile {{ vhost.ssl.cert_chain }}
+{% endif %}
+{% elif vhost.ssl.letsencrypt_cert is defined %}
+    SSLCertificateFile      /var/lib/dehydrated/certificates/certs/{{ vhost.ssl.letsencrypt_cert }}/cert.pem
+    SSLCertificateKeyFile   /var/lib/dehydrated/certificates/certs/{{ vhost.ssl.letsencrypt_cert }}/privkey.pem
+    SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ vhost.ssl.letsencrypt_cert }}/chain.pem
+{% endif %}
+    Include ansible_conf.d/common_env.inc
+{% if vhost.common_perf | default(True) %}
+    Include ansible_conf.d/common_perf.inc
+{% endif %}
+{% if vhost.common_filter | default(True) %}
+    Include ansible_conf.d/common_filter.inc
+{% endif %}
+{% if vhost.common_cache | default(False) %}
+    Include ansible_conf.d/common_cache.inc
+{% endif %}
+{% if vhost.include_conf is defined %}
+{% for include in vhost.include_conf | default([]) %}
+    Include {{ include }}
+{% endfor %}
+{% endif %}
+{% if ((vhost.common_letsencrypt is defined and vhost.common_letsencrypt) or (vhost.ssl is defined and vhost.ssl.letsencrypt_cert is defined )) | default(False) %}
+    Include ansible_conf.d/common_letsencrypt.inc
+{% endif %}
+{% if vhost.common_mod_security | default(False) == True or vhost.common_mod_security | default(False) == 'audit' %}
+  Include ansible_conf.d/common_mod_security2.inc
+{% if vhost.common_mod_security | default(False) == 'audit' %}
+  SecRuleEngine DetectionOnly
+{% endif %}
+{% for id in vhost.mod_security_disabled_rules | default([]) %}
+  SecRuleRemoveById {{ id }}
+{% endfor %}
+{% endif %}
+{% if vhost.proxypass is defined %}
+{% if vhost.proxypass is match('^https://') %}
+    SSLProxyEngine On
+{% endif %}
+    RequestHeader set X-Forwarded-Proto "https"
+    ProxyPass /.well-known/acme-challenge !
+    ProxyPass /_deferror/ !
+    ProxyPreserveHost {{  vhost.proxypreservehost | default(True) | ternary('On','Off') }}
+    # WebSocket proxy handling
+    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+    RewriteRule .* {{ vhost.proxypass | regex_replace('^http','ws') }}%{REQUEST_URI} [P]
+    # Normal proxy
+    ProxyPass / {{ vhost.proxypass }}
+    ProxyPassReverse / {{ vhost.proxypass }}
+{% endif %}
+{% if vhost.src_ip is defined %}
+  <Location />
+{% if vhost.src_ip | length < 1 %}
+    Require all denied
+{% else %}
+    Require ip {{ vhost.src_ip | join(' ') }}
+{% endif %}
+  </Location>
+{% endif %}
+{% if vhost.custom_post is defined %}
+{{ vhost.custom_post | indent(4, true) }}
+{% endif %}
+{% endif %}
+{% endif %}
+  </VirtualHost>
+</IfModule>
+{% endif %}
+
+#####################################
+## End of config for {{ vhost.name }}
+#####################################
+
+{% endfor %}

roles/httpd_common/templates/vhost_default.conf.j2

@@ -0,0 +1,24 @@
+<Directory /var/www/html/default>
+  Require all granted
+  AllowOverride None
+  Options None
+</Directory>
+<Directory /var/www/html/default/cgi-bin>
+  Require all granted
+  AllowOverride None
+  SetHandler cgi-script
+  Options ExecCGI
+</Directory>
+
+<VirtualHost *:{{ httpd_port | default('80') }}>
+  ServerName {{ httpd_default_vhost | default(inventory_hostname) }}
+  DocumentRoot /var/www/html/default
+  Include ansible_conf.d/common_letsencrypt.inc
+</VirtualHost>
+<IfModule mod_ssl.c>
+  <VirtualHost *:{{ httpd_ssl_port | default('443') }}>
+    ServerName {{ httpd_default_vhost | default(inventory_hostname) }}
+    SSLEngine On
+    DocumentRoot /var/www/html/default
+  </VirtualHost>
+</IfModule>

roles/httpd_common/vars/RedHat-7.yml

@@ -0,0 +1,8 @@
+---
+
+httpd_common_packages:
+  - httpd
+  - mod_fcgid
+  - policycoreutils-python
+  - python-passlib
+  - mod_authnz_pam

roles/httpd_common/vars/RedHat-8.yml

@@ -0,0 +1,8 @@
+---
+
+httpd_common_packages:
+  - httpd
+  - mod_fcgid
+  - python3-policycoreutils
+  - python3-passlib
+  - mod_authnz_pam

roles/httpd_common/vars/defaults.yml

@@ -0,0 +1,4 @@
+---
+
+httpd_common_packages:
+  - httpd