Update to 2021-12-01 19:13

roles/httpd_front/templates/01-front.conf.j2

@@ -0,0 +1,3 @@
+{% for module in httpd_front_modules %}
+LoadModule {{ module }}_module modules/mod_{{ module }}.so
+{% endfor %}

roles/httpd_front/templates/02-evasive.conf.j2

@@ -0,0 +1 @@
+LoadModule evasive20_module modules/mod_evasive24.so

roles/httpd_front/templates/common_cache.inc.j2

@@ -0,0 +1,15 @@
+CacheLock on
+CacheLockPath /tmp/mod_cache-lock
+CacheLockMaxAge 5
+CacheRoot /var/cache/httpd/proxy
+CacheEnable disk /
+CacheDirLevels 2
+CacheDirLength 1
+CacheIgnoreHeaders Set-Cookie
+CacheMaxFileSize {{ httpd_cache_max_file_size | default('1000000') }}
+CacheMinFileSize 1
+CacheIgnoreNoLastMod On
+CacheIgnoreQueryString Off
+CacheLastModifiedFactor 0.1
+CacheDefaultExpire {{ httpd_cache_default_expire | default('3600') }}
+CacheMaxExpire {{ httpd_cache_max_expire | default('86400') }}

roles/httpd_front/templates/common_filter.inc.j2

@@ -0,0 +1,153 @@
+# enable rewrite engine
+RewriteEngine on
+
+# block trace and track methods
+RewriteCond   %{REQUEST_METHOD}                   ^(TRACE|TRACK)
+RewriteRule   .*                                  -                                     [F]
+
+# block XSS attacks (attempted to hide query string)
+RewriteCond   %{THE_REQUEST}                      \?.*\?(\ |$)
+RewriteRule   .*                                  -                                     [F]
+
+# block XSS attacks (http)
+RewriteCond   %{THE_REQUEST}                      (\b|%\d\d)https?(:|%3A)(/|%\d\d){2}   [NC]
+RewriteRule   .*                                  -                                     [F]
+
+# block XSS attacks (ftp)
+RewriteCond   %{THE_REQUEST}                      (\b|%\d\d)ftp(:|%3A)(/|%\d\d){2}      [NC]
+RewriteRule   .*                                  -                                     [F]
+
+# block hack attempts (/etc/passwd)
+RewriteCond   %{THE_REQUEST}                      (/|%2F)etc(/|%2F)passwd               [NC]
+RewriteRule   .*                                  -                                     [R=404,L]
+
+# Block out some common exploits
+# If the request query string contains /proc/self/environ (by SigSiu.net)
+RewriteCond   %{QUERY_STRING}                     proc/self/environ                     [OR]
+
+# Block out any script trying to base64_encode or base64_decode data within the URL
+RewriteCond   %{QUERY_STRING}                     base64_(en|de)code[^(]*\([^)]*\)      [OR]
+
+# Block out any script that includes a <script> tag in URL
+RewriteCond   %{QUERY_STRING}                     (<|%3C)([^s]*s)+cript.*(>|%3E)        [NC,OR]
+
+# Block out any script trying to set a PHP GLOBALS variable via URL
+RewriteCond   %{QUERY_STRING}                     GLOBALS(=|\[|\%[0-9A-Z]{0,2})         [OR]
+
+# Block out any script trying to modify a _REQUEST variable via URL
+RewriteCond   %{QUERY_STRING}                     _REQUEST(=|\[|\%[0-9A-Z]{0,2})
+
+# Return 403 Forbidden header and show the content of the root homepage
+RewriteRule   .*                                  -                                     [F]
+
+# File injection protection
+RewriteCond   %{REQUEST_METHOD}                   GET
+RewriteCond   %{QUERY_STRING}                     [a-zA-Z0-9_]=http://                  [OR]
+RewriteCond   %{QUERY_STRING}                     [a-zA-Z0-9_]=(\.\.//?)+               [OR]
+RewriteCond   %{QUERY_STRING}                     [a-zA-Z0-9_]=/([a-z0-9_.]//?)+        [NC]
+RewriteRule   .*                                  -                                     [F]
+
+# Basic antispam Filter
+RewriteCond   %{QUERY_STRING}                     \b(ambien|blue\spill|cialis)\b        [NC,OR]
+RewriteCond   %{QUERY_STRING}                     \b(cocaine|ejaculation|erectile)\b    [NC,OR]
+RewriteCond   %{QUERY_STRING}                     \b(erections|hoodia)\b                [NC,OR]
+RewriteCond   %{QUERY_STRING}                     \b(huronriveracres|impotence)\b       [NC,OR]
+RewriteCond   %{QUERY_STRING}                     \b(levitra|libido|lipitor)\b          [NC,OR]
+RewriteCond   %{QUERY_STRING}                     \b(phentermin|pro[sz]ac|sandyauer)\b  [NC,OR]
+RewriteCond   %{QUERY_STRING}                     \b(tramadol|troyhamby|ultram)\b       [NC,OR]
+RewriteCond   %{QUERY_STRING}                     \b(unicauca|valium|viagra|vicodin)\b  [NC,OR]
+RewriteCond   %{QUERY_STRING}                     \b(xanax|ypxaieo)\b                   [NC]
+RewriteRule   .*                                  -                                     [F]
+
+## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine your PHP version
+RewriteCond   %{QUERY_STRING}                     \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
+RewriteRule   .*                                  -                                     [F]
+
+# SQLi basic protection
+RewriteCond   %{QUERY_STRING}                     concat[^\(]*\(                        [NC,OR]
+RewriteCond   %{QUERY_STRING}                     union([^s]*s)+elect                   [NC,OR]
+RewriteCond   %{QUERY_STRING}                     union([^a]*a)+ll([^s]*s)+elect        [NC]
+RewriteRule   .*                                  -                                     [F]
+
+# Block bad user agents
+RewriteCond   %{HTTP_USER_AGENT}                  ^Google\ Desktop                      [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Baiduspider                          [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^BlackWidow                           [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Bot\ mailto:craftbot@yahoo.com       [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^ChinaClaw                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Custo                                [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^DISCo                                [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Download\ Demon                      [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^eCatch                               [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^EirGrabber                           [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^EmailSiphon                          [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^EmailWolf                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Express\ WebPictures                 [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^ExtractorPro                         [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^EyeNetIE                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^FlashGet                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^GetRight                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^GetWeb!                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Go!Zilla                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Go-Ahead-Got-It                      [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^GrabNet                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Grafula                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^HMView                               [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  HTTrack                               [NC,OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Image\ Stripper                      [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Image\ Sucker                        [OR]
+RewriteCond   %{HTTP_USER_AGENT}                   Indy\ Library                        [NC,OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^InterGET                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Internet\ Ninja                      [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^JetCar                               [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^JOC\ Web\ Spider                     [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^larbin                               [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^LeechFTP                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Mass\ Downloader                     [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^MIDown\ tool                         [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Mister\ PiX                          [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Navroad                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^NearSite                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^NetAnts                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^NetSpider                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Net\ Vampire                         [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^NetZIP                               [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Octopus                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Offline\ Explorer                    [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Offline\ Navigator                   [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^PageGrabber                          [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Papa\ Foto                           [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^pavuk                                [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^pcBrowser                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^RealDownload                         [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^ReGet                                [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^SiteSnagger                          [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^SmartDownload                        [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^SuperBot                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^SuperHTTP                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Surfbot                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^tAkeOut                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Teleport\ Pro                        [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^VoidEYE                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Web\ Image\ Collector                [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Web\ Sucker                          [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebAuto                              [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebCopier                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebFetch                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebGo\ IS                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebLeacher                           [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebReaper                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebSauger                            [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Website\ eXtractor                   [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Website\ Quester                     [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebStripper                          [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebWhacker                           [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WebZIP                               [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Widow                                [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^WWWOFFLE                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Xaldon\ WebSpider                    [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Typhoeus                             [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Zeus                                 [OR]
+RewriteCond   %{HTTP_USER_AGENT}                  ^Mylyn/[\d\.]+\ BugzillaConnector\ Eclipse
+RewriteRule   .*                                  -                                     [F]
+

roles/httpd_front/templates/common_force_ssl.inc.j2

@@ -0,0 +1,5 @@
+RewriteEngine On
+RewriteCond   %{HTTPS}         =off
+RewriteCond   %{REQUEST_URI}   !^/.well-known/acme-challenge/.*
+RewriteRule   ^/(.*)$          https://%{HTTP_HOST}/$1 [R=301,L,NE,E=NOCACHE:1]
+Header always set Cache-Control "no-store, no-cache, must-revalidate" env=NOCACHE

roles/httpd_front/templates/common_maintenance.inc.j2

@@ -0,0 +1,7 @@
+RewriteEngine on
+{% for ip in httpd_maintenance_ip | default([]) %}
+RewriteCond %{REMOTE_ADDR} !^{{ ip | replace('.','\.') }}
+{% endfor %}
+RewriteRule ^(.*)$ https://downtime.{{ httpd_primary_domain | default(ansible_domain) }}/ [R=301,L,E=nocache:1]
+Header always set Cache-Control "no-store, no-cache, must-revalidate" env=nocache
+Header always set Expires "Thu, 01 Jan 1970 00:00:00 GMT" env=nocache

roles/httpd_front/templates/common_mod_security2.inc.j2

@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+{% if httpd_mod_security | default(True) %}
+Include modsecurity.d/*.conf
+Include modsecurity.d/activated_rules/*.conf
+{% if httpd_mod_security | default(True) == 'audit' %}
+SecRuleEngine DetectionOnly
+{% elif httpd_mod_security | default(True) == True %}
+SecRuleEngine On
+{% else %}
+SecRuleEngine Off
+{% endif %}
+{% for id in httpd_mod_security_disabled_rules | default(['960015', '981203']) %}
+SecRuleRemoveById {{ id }}
+{% endfor %}
+{% endif %}

roles/httpd_front/templates/common_perf.inc.j2

@@ -0,0 +1,70 @@
+# Compress output to make pages smaller
+<IfModule mod_deflate.c>
+  AddOutputFilterByType DEFLATE text/plain
+  AddOutputFilterByType DEFLATE text/xml
+  AddOutputFilterByType DEFLATE text/html
+  AddOutputFilterByType DEFLATE text/css
+  AddOutputFilterByType DEFLATE image/svg+xml
+  AddOutputFilterByType DEFLATE application/xhtml+xml
+  AddOutputFilterByType DEFLATE application/xml
+  AddOutputFilterByType DEFLATE application/rss+xml
+  AddOutputFilterByType DEFLATE application/atom_xml
+  AddOutputFilterByType DEFLATE application/x-javascript
+
+  BrowserMatch             ^Mozilla/4 gzip-only-text/html
+  BrowserMatch             ^Mozilla/4\.0[678] no-gzip
+  BrowserMatch             \bMSIE !no-gzip !gzip-only-text/html
+
+  <IfModule mod_headers.c>
+    Header append Vary User-Agent env=!dont-vary
+  </IfModule>
+</IfModule>
+
+
+# Remove ETag Headers
+<IfModule mod_headers.c>
+  Header unset ETag
+  FileETag None
+</IfModule>
+
+# Set Cache-Control, but only if not already set!
+SetEnvIf !Cache-Control value NO_CACHE_CONTROL
+
+<FilesMatch "\.(ico|jpg|jpeg|png|gif|js|css|swf|pdf|flv|mp3)$">
+  <IfModule mod_header.c>
+    Header set Cache-Control "public" env=NO_CACHE_CONTROL
+  </IfModule>
+</FilesMatch>
+
+<IfModule mod_expires.c>
+  ExpiresActive On
+  ExpiresDefault "now"
+
+  # Media files
+  ExpiresByType image/gif "access plus 1 week"
+  ExpiresByType image/png "access plus 1 week"
+  ExpiresByType image/jpg "access plus 1 week"
+  ExpiresByType image/jpeg "access plus 1 week"
+  ExpiresByType video/ogg "access plus 1 week"
+  ExpiresByType audio/ogg "access plus 1 week"
+  ExpiresByType video/mp4 "access plus 1 week"
+  ExpiresByType video/webm "access plus 1 week"
+  ExpiresByType image/x-icon "access plus 1 week"
+
+  # Fonts
+  ExpiresByType application/x-font-ttf "access plus 1 week"
+  ExpiresByType font/opentype "access plus 1 week"
+  ExpiresByType application/x-font-woff "access plus 1 week"
+  ExpiresByType image/svg+xml "access plus 1 week"
+  ExpiresByType application/vnd.ms-fontobject "access plus 1 week"
+
+  # Static assets
+  ExpiresByType text/css "access plus 1 week"
+  ExpiresByType application/javascript "access plus 1 week"
+  ExpiresByType text/javascript "access plus 1 week"
+
+  # Feeds can be cached, but not too long
+  ExpiresByType application/rss+xml "access plus 1 hour"
+  ExpiresByType application/atom+xml "access plus 1 hour"
+</IfModule>
+

roles/httpd_front/templates/evasive.conf.j2

@@ -0,0 +1,17 @@
+DOSHashTableSize    3097
+DOSPageCount        {{ httpd_dos_page_count | default('40') }}
+DOSSiteCount        {{ httpd_dos_site_count | default('150') }}
+DOSPageInterval     {{ httpd_dos_page_interval | default('1') }}
+DOSSiteInterval     {{ httpd_dos_site_interval | default('5') }}
+DOSBlockingPeriod   {{ httpd_dos_block_time | default('30') }}
+{% if system_admin_email is defined %}
+DOSEmailNotify      {{ system_admin_email }}
+{% endif %}
+
+DOSWhitelist   127.0.0.1
+{% for ip in trusted_ip | default([]) %}
+DOSWhitelist {{ ip }}
+{% endfor %}
+{% for ip in httpd_dos_whitelisted_ip | default([])%}
+DOSWhitelist {{ ip }}
+{% endfor %}

roles/httpd_front/templates/htcacheclean.j2

@@ -0,0 +1,4 @@
+INTERVAL=60
+CACHE_ROOT=/var/cache/httpd/proxy/
+LIMIT={{ httpd_cache_limit | default('200M') }}
+OPTIONS="-t"

roles/httpd_front/templates/security.conf.j2

@@ -0,0 +1,51 @@
+# {{ ansible_managed }}
+{% if httpd_mod_security | default(True) %}
+
+SecRuleEngine Off
+SecRequestBodyAccess Off
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+SecRequestBodyLimit {{ httpd_mod_security_request_body_limit | default('13107200') }}
+SecRequestBodyNoFilesLimit {{ httpd_mod_security_body_no_files_limit | default('131072') }}
+SecRequestBodyInMemoryLimit {{ httpd_mod_security_in_memory_limit | default('131072') }}
+SecRequestBodyLimitAction Reject
+SecRule REQBODY_ERROR "!@eq 0" \
+    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
+    failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_MISSING_SEMICOLON}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IP %{MULTIPART_INVALID_PART}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000
+
+    SecRule TX:/^MSC_/ "!@streq 0" \
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+    SecResponseBodyAccess Off
+    SecDebugLog /var/log/httpd/modsec_debug.log
+    SecDebugLogLevel {{ httpd_mod_security_debug_level | default(0) }}
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/httpd/modsec_audit.log
+    SecArgumentSeparator &
+    SecCookieFormat 0
+    SecTmpDir /var/lib/mod_security
+    SecDataDir /var/lib/mod_security
+{% endif %}

roles/httpd_front/templates/ssl.conf.j2

@@ -0,0 +1,25 @@
+{% for port in httpd_ssl_ports %}
+Listen {{ port }} https
+{% endfor %}
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+SSLCryptoDevice builtin
+SSLEngine off
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite {{ httpd_ssl_cipher_suite | default('ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA') }}
+SSLCertificateFile {{ httpd_cert_path }}
+SSLCertificateKeyFile {{ httpd_key_path }}
+{% if httpd_chain_path is defined %}
+SSLCertificateChainFile {{ httpd_chain_path }}
+{% endif %}
+SSLHonorCipherOrder     on
+SSLCompression          off
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+</Files>
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0

roles/httpd_front/templates/vhost_downtime.conf.j2

@@ -0,0 +1,25 @@
+<Directory /var/www/html/downtime>
+  Require all granted
+  AllowOverride None
+  Options None
+</Directory>
+
+<VirtualHost *:{{ httpd_port | default('80') }}>
+  ServerName downtime.{{ ansible_domain }}
+  DocumentRoot /var/www/html/downtime/
+  ErrorDocument 404 /
+  Include ansible_conf.d/common_env.inc
+  #Include ansible_conf.d/common_letsencrypt.inc
+  Include ansible_conf.d/common_force_ssl.inc
+</VirtualHost>
+<IfModule mod_ssl.c>
+  <VirtualHost *:{{ httpd_ssl_port | default('443') }}>
+    ServerName downtime.{{ ansible_domain }}
+    SSLEngine on
+    DocumentRoot /var/www/html/downtime/
+    ErrorDocument 404 /
+    Include ansible_conf.d/common_env.inc
+    Include ansible_conf.d/common_filter.inc
+    Include ansible_conf.d/common_perf.inc
+  </VirtualHost>
+</IfModule>