Update to 2021-12-01 19:13

roles/httpd_common/templates/00-base_mod.conf.j2

@@ -0,0 +1,6 @@
+{% for module in httpd_modules %}
+LoadModule {{ module }}_module modules/mod_{{ module }}.so
+{% endfor %}
+{% for module in httpd_modules_extras | default([]) %}
+LoadModule {{ module }}_module modules/mod_{{ module }}.so
+{% endfor %}

roles/httpd_common/templates/10-mpm.conf.j2

@@ -0,0 +1 @@
+LoadModule mpm_{{ httpd_mpm }}_module modules/mod_mpm_{{ httpd_mpm }}.so

roles/httpd_common/templates/20-cgi.conf.j2

@@ -0,0 +1,5 @@
+{% if httpd_mpm == 'prefork' %}
+LoadModule cgi_module modules/mod_cgi.so
+{% else %}
+LoadModule cgid_module modules/mod_cgid.so
+{% endif %}

roles/httpd_common/templates/autoindex.conf.j2

@@ -0,0 +1,45 @@
+IndexOptions FancyIndexing HTMLTable VersionSort
+Alias /icons/ "/usr/share/httpd/icons/"
+
+<Directory "/usr/share/httpd/icons">
+    Options Indexes MultiViews FollowSymlinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif /core
+AddIcon /icons/bomb.gif */core.*
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+DefaultIcon /icons/unknown.gif
+
+ReadmeName README.html
+HeaderName HEADER.html
+
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

roles/httpd_common/templates/common_env.inc.j2

@@ -0,0 +1,7 @@
+# Determine which protocol to use
+RewriteRule   .*         -      [E=HTTP:http]
+RewriteCond   %{HTTPS}   =on
+RewriteRule   .*         -      [E=HTTP:https]
+{% if httpd_log_format == 'combined_virtual_backend' %}
+SetEnvIf X-Forwarded-Proto https HTTPS=on
+{% endif %}

roles/httpd_common/templates/dir_ansible.conf.j2

@@ -0,0 +1,34 @@
+
+# {{ ansible_managed }}
+
+{% for dir in httpd_ansible_directories | default([]) %}
+  <Directory {{ dir.path }}>
+{% if dir.full_config is defined %}
+{{ dir.full_config | indent(4, true) }}
+{% else %}
+{% if dir.custom_pre is defined %}
+{{ dir.custom_pre | indent(4, true) }}
+{% endif %}
+    AllowOverride {{ dir.allow_override | default('All') }}
+{% if dir.options is defined %}
+    Options {{ dir.options | join(' ') }}
+{% endif %}
+{% if dir.allowed_ip is not defined or dir.allowed_ip == 'all' %}
+    Require all granted
+{% elif dir.allowed_ip == 'none' %}
+    Require all denied
+{% else %}
+    Require ip {{ dir.allowed_ip | join(' ') }}
+{% endif %}
+{% if dir.php is defined and dir.php.enabled | default(False) %}
+    <FilesMatch \.php$>
+      SetHandler "proxy:unix:/run/php-fpm/{{ dir.php.pool | default('php70') }}.sock|fcgi://localhost"
+    </FilesMatch>
+{% endif %}
+{% if dir.custom_post is defined %}
+{{ dir.custom_post | indent(4, true) }}
+{% endif %}
+{% endif %}
+  </Directory>
+
+{% endfor %}

roles/httpd_common/templates/errors.conf.j2

@@ -0,0 +1,30 @@
+Alias /_deferror/ "/usr/share/httpd/error/"
+
+<Directory "/usr/share/httpd/error">
+    AllowOverride None
+    Options IncludesNoExec
+    AddOutputFilter Includes html
+    AddHandler type-map var
+    Require all granted
+    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
+    ForceLanguagePriority Prefer Fallback
+</Directory>
+
+ErrorDocument 400 /_deferror/HTTP_BAD_REQUEST.html.var
+ErrorDocument 401 /_deferror/HTTP_UNAUTHORIZED.html.var
+ErrorDocument 403 /_deferror/HTTP_FORBIDDEN.html.var
+ErrorDocument 404 /_deferror/HTTP_NOT_FOUND.html.var
+ErrorDocument 405 /_deferror/HTTP_METHOD_NOT_ALLOWED.html.var
+ErrorDocument 408 /_deferror/HTTP_REQUEST_TIME_OUT.html.var
+ErrorDocument 410 /_deferror/HTTP_GONE.html.var
+ErrorDocument 411 /_deferror/HTTP_LENGTH_REQUIRED.html.var
+ErrorDocument 412 /_deferror/HTTP_PRECONDITION_FAILED.html.var
+ErrorDocument 413 /_deferror/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ErrorDocument 414 /_deferror/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ErrorDocument 415 /_deferror/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+ErrorDocument 500 /_deferror/HTTP_INTERNAL_SERVER_ERROR.html.var
+ErrorDocument 501 /_deferror/HTTP_NOT_IMPLEMENTED.html.var
+ErrorDocument 502 /_deferror/HTTP_BAD_GATEWAY.html.var
+ErrorDocument 503 /_deferror/HTTP_SERVICE_UNAVAILABLE.html.var
+ErrorDocument 506 /_deferror/HTTP_VARIANT_ALSO_VARIES.html.var
+

roles/httpd_common/templates/filebeat.yml.j2

@@ -0,0 +1,15 @@
+---
+- module: apache
+  access:
+    enabled: True
+    input:
+      exclude_files:
+        - '\.[gx]z$'
+        - '\d+$'
+  error:
+    enabled: True
+    input:
+      exclude_files: 
+        - '\.[gx]z$'
+        - '\d+$'
+

roles/httpd_common/templates/httpd.conf.j2

@@ -0,0 +1,55 @@
+ServerRoot "/etc/httpd"
+{% for port in httpd_ports %}
+Listen {{ port }} http
+{% endfor %}
+Include ansible_conf.modules.d/*.conf
+User {{ httpd_user }}
+Group {{ httpd_group }}
+ServerAdmin root@{{ inventory_hostname }}
+ServerName {{ inventory_hostname }}
+ServerTokens Prod
+
+ProxyTimeout {{ httpd_proxy_timeout }}
+
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+DocumentRoot "/var/www/html/default"
+<Directory "/var/www/html/default">
+    AllowOverride None
+    Require all granted
+</Directory>
+<IfModule dir_module>
+    DirectoryIndex index.html index.php
+</IfModule>
+<Files ".ht*">
+    Require all denied
+</Files>
+ErrorLog "logs/error_log"
+LogLevel warn
+<IfModule log_config_module>
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" scheme=\"%{HTTP}e\"" combined
+    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" scheme=\"%{HTTP}e\"" combined_virtual
+    LogFormat "%V %{X-Forwarded-For}i %l %{Auth-User}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" scheme=\"%{HTTP}e\"" combined_virtual_backend
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+    <IfModule logio_module>
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+    CustomLog "logs/access_log" {{ httpd_log_format | default('combined_virtual') }}
+
+</IfModule>
+<IfModule mime_module>
+    TypesConfig /etc/mime.types
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+AddDefaultCharset UTF-8
+<IfModule mime_magic_module>
+    MIMEMagicFile conf/magic
+</IfModule>
+EnableSendfile on
+IncludeOptional ansible_conf.d/*.conf
+IncludeOptional custom_conf.d/*.conf

roles/httpd_common/templates/logrotate.conf.j2

@@ -0,0 +1,11 @@
+/var/log/httpd/*log {
+    daily
+    rotate 60
+    missingok
+    notifempty
+    compress
+    sharedscripts
+    postrotate
+        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
+    endscript
+}

roles/httpd_common/templates/status.conf.j2

@@ -0,0 +1,7 @@
+{% if httpd_status_ip is defined and httpd_status_ip | length > 0 %}
+<Location /server-status>
+    SetHandler server-status
+    Require ip {{ httpd_status_ip | join(' ') }}
+</Location>
+ExtendedStatus On
+{% endif %}

roles/httpd_common/templates/vhost_ansible.conf.j2

@@ -0,0 +1,204 @@
+# {{ ansible_managed }}
+
+{% for vhost in httpd_ansible_vhosts | default([]) %}
+
+#####################################
+## Plain vhost for {{ vhost.name }}
+#####################################
+
+<VirtualHost *:{{ vhost.port | default(httpd_port) | default('80') }}>
+  ServerName {{ vhost.name }}
+{% if vhost.full_config is defined %}
+{{ vhost.full_config | indent(2, true) }}
+{% else %}
+{% if vhost.aliases is defined %}
+  ServerAlias {{ vhost.aliases | default([]) | join(' ') }}
+{% endif %}
+{% if vhost.webmaster_email is defined %}
+  ServerAdmin {{ vhost.webmaster_email }}
+{% endif %}
+{% if vhost.custom_pre is defined %}
+{{ vhost.custom_pre | indent(2, true) }}
+{% endif %}
+{% if vhost.set_remote_user_from_header is defined %}
+  # Read {{ vhost.set_remote_user_from_header }} header from proxy and set REMOTE_USER
+  RewriteEngine On
+  RewriteCond %{HTTP:{{ vhost.set_remote_user_from_header }}} ^(\w+)$
+  RewriteRule .* - [E=REMOTE_USER:%1]
+{% endif %}
+  DocumentRoot {{ vhost.document_root | default('/var/www/html/default') }}
+{% if vhost.maintenance | default(False) %}
+  Include ansible_conf.d/common_maintenance.inc
+{% else %}
+  Alias /_deferror/ "/usr/share/httpd/error/"
+  Include ansible_conf.d/common_env.inc
+{% if vhost.common_perf | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) %}
+  Include ansible_conf.d/common_perf.inc
+{% endif %}
+{% if vhost.common_filter | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) %}
+  Include ansible_conf.d/common_filter.inc
+{% endif %}
+{% if vhost.common_cache | default(False) %}
+  Include ansible_conf.d/common_cache.inc
+{% endif %}
+{% if vhost.ssl is defined and vhost.ssl.enabled | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) and vhost.ssl.forced | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) %}
+  Include ansible_conf.d/common_force_ssl.inc
+{% endif %}
+{% if ((vhost.common_letsencrypt is defined and vhost.common_letsencrypt) or (vhost.ssl is defined and vhost.ssl.letsencrypt_cert is defined )) | default(False) %}
+  Include ansible_conf.d/common_letsencrypt.inc
+{% endif %}
+{% if vhost.common_mod_security | default(False) == True or vhost.common_mod_security | default(False) == 'audit' %}
+  Include ansible_conf.d/common_mod_security2.inc
+{% if vhost.common_mod_security | default(False) == 'audit' %}
+  SecRuleEngine DetectionOnly
+{% endif %}
+{% for id in vhost.mod_security_disabled_rules | default([]) %}
+  SecRuleRemoveById {{ id }}
+{% endfor %}
+{% endif %}
+{% if vhost.include_conf is defined %}
+{% for include in vhost.include_conf | default([]) %}
+  Include {{ include }}
+{% endfor %}
+{% endif %}
+{% if vhost.proxypass is defined %}
+{% if vhost.proxypass is match('^https://') %}
+  SSLProxyEngine On
+{% endif %}
+  RequestHeader set X-Forwarded-Proto "http"
+  ProxyPass /.well-known/acme-challenge !
+  ProxyPass /_deferror/ !
+  ProxyPreserveHost {{  vhost.proxypreservehost | default(True) | ternary('On','Off') }}
+  # WebSocket proxy handling
+  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+  RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+  RewriteRule .* {{ vhost.proxypass | regex_replace('^http','ws') }}%{REQUEST_URI} [P]
+  # Normal proxy
+  ProxyPass / {{ vhost.proxypass }}
+  ProxyPassReverse / {{ vhost.proxypass }}
+{% endif %}
+{% if vhost.src_ip is defined %}
+  <Location />
+{% if vhost.src_ip | length < 1 %}
+    Require all denied
+{% else %}
+    Require ip {{ vhost.src_ip | join(' ') }}
+{% endif %}
+  </Location>
+{% endif %}
+{% if vhost.custom_post is defined %}
+{{ vhost.custom_post | indent(2, true) }}
+{% endif %}
+{% endif %}
+{% endif %}
+</VirtualHost>
+{% if vhost.ssl is defined and vhost.ssl.enabled | default((httpd_log_format == 'combined_virtual_backend') | ternary(False,True)) %}
+
+#####################################
+## SSL vhost for {{ vhost.name }}
+#####################################
+
+<IfModule mod_ssl.c>
+  <VirtualHost *:{{ vhost.ssl.port | default(httpd_ssl_port) | default('443') }}>
+    ServerName {{ vhost.name }}
+{% if vhost.ssl.full_config is defined %}
+{{ vhost.ssl.full_config | indent(4, true) }}
+{% else %}
+{% if vhost.aliases is defined %}
+    ServerAlias {{ vhost.aliases | default([]) | join(' ') }}
+{% endif %}
+{% if vhost.webmaster_email is defined %}
+    ServerAdmin {{ vhost.webmaster_email }}
+{% endif %}
+{% if vhost.custom_pre is defined %}
+{{ vhost.custom_pre | indent(4, true) }}
+{% endif %}
+{% if vhost.set_remote_user_from_header is defined %}
+    # Read {{ vhost.set_remote_user_from_header }} header from proxy and set REMOTE_USER
+    RewriteEngine On
+    RewriteCond %{HTTP:{{ vhost.set_remote_user_from_header }}} ^(\w+)$
+    RewriteRule .* - [E=REMOTE_USER:%1]
+{% endif %}
+    DocumentRoot {{ vhost.document_root | default('/var/www/html/default') }}
+    SSLEngine On
+{% if vhost.maintenance | default(False) %}
+    Include ansible_conf.d/common_maintenance.inc
+{% else %}
+    Alias /_deferror/ "/usr/share/httpd/error/"
+{% if vhost.ssl.cert is defined and vhost.ssl.key is defined %}
+    SSLCertificateFile {{ vhost.ssl.cert }}
+    SSLCertificateKeyFile {{ vhost.ssl.key }}
+{% if vhost.ssl.cert_chain is defined %}
+    SSLCertificateChainFile {{ vhost.ssl.cert_chain }}
+{% endif %}
+{% elif vhost.ssl.letsencrypt_cert is defined %}
+    SSLCertificateFile      /var/lib/dehydrated/certificates/certs/{{ vhost.ssl.letsencrypt_cert }}/cert.pem
+    SSLCertificateKeyFile   /var/lib/dehydrated/certificates/certs/{{ vhost.ssl.letsencrypt_cert }}/privkey.pem
+    SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ vhost.ssl.letsencrypt_cert }}/chain.pem
+{% endif %}
+    Include ansible_conf.d/common_env.inc
+{% if vhost.common_perf | default(True) %}
+    Include ansible_conf.d/common_perf.inc
+{% endif %}
+{% if vhost.common_filter | default(True) %}
+    Include ansible_conf.d/common_filter.inc
+{% endif %}
+{% if vhost.common_cache | default(False) %}
+    Include ansible_conf.d/common_cache.inc
+{% endif %}
+{% if vhost.include_conf is defined %}
+{% for include in vhost.include_conf | default([]) %}
+    Include {{ include }}
+{% endfor %}
+{% endif %}
+{% if ((vhost.common_letsencrypt is defined and vhost.common_letsencrypt) or (vhost.ssl is defined and vhost.ssl.letsencrypt_cert is defined )) | default(False) %}
+    Include ansible_conf.d/common_letsencrypt.inc
+{% endif %}
+{% if vhost.common_mod_security | default(False) == True or vhost.common_mod_security | default(False) == 'audit' %}
+  Include ansible_conf.d/common_mod_security2.inc
+{% if vhost.common_mod_security | default(False) == 'audit' %}
+  SecRuleEngine DetectionOnly
+{% endif %}
+{% for id in vhost.mod_security_disabled_rules | default([]) %}
+  SecRuleRemoveById {{ id }}
+{% endfor %}
+{% endif %}
+{% if vhost.proxypass is defined %}
+{% if vhost.proxypass is match('^https://') %}
+    SSLProxyEngine On
+{% endif %}
+    RequestHeader set X-Forwarded-Proto "https"
+    ProxyPass /.well-known/acme-challenge !
+    ProxyPass /_deferror/ !
+    ProxyPreserveHost {{  vhost.proxypreservehost | default(True) | ternary('On','Off') }}
+    # WebSocket proxy handling
+    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+    RewriteRule .* {{ vhost.proxypass | regex_replace('^http','ws') }}%{REQUEST_URI} [P]
+    # Normal proxy
+    ProxyPass / {{ vhost.proxypass }}
+    ProxyPassReverse / {{ vhost.proxypass }}
+{% endif %}
+{% if vhost.src_ip is defined %}
+  <Location />
+{% if vhost.src_ip | length < 1 %}
+    Require all denied
+{% else %}
+    Require ip {{ vhost.src_ip | join(' ') }}
+{% endif %}
+  </Location>
+{% endif %}
+{% if vhost.custom_post is defined %}
+{{ vhost.custom_post | indent(4, true) }}
+{% endif %}
+{% endif %}
+{% endif %}
+  </VirtualHost>
+</IfModule>
+{% endif %}
+
+#####################################
+## End of config for {{ vhost.name }}
+#####################################
+
+{% endfor %}

roles/httpd_common/templates/vhost_default.conf.j2

@@ -0,0 +1,24 @@
+<Directory /var/www/html/default>
+  Require all granted
+  AllowOverride None
+  Options None
+</Directory>
+<Directory /var/www/html/default/cgi-bin>
+  Require all granted
+  AllowOverride None
+  SetHandler cgi-script
+  Options ExecCGI
+</Directory>
+
+<VirtualHost *:{{ httpd_port | default('80') }}>
+  ServerName {{ httpd_default_vhost | default(inventory_hostname) }}
+  DocumentRoot /var/www/html/default
+  Include ansible_conf.d/common_letsencrypt.inc
+</VirtualHost>
+<IfModule mod_ssl.c>
+  <VirtualHost *:{{ httpd_ssl_port | default('443') }}>
+    ServerName {{ httpd_default_vhost | default(inventory_hostname) }}
+    SSLEngine On
+    DocumentRoot /var/www/html/default
+  </VirtualHost>
+</IfModule>