User’s guide

Introduction

The role will install and configure the Apache web server.

The user is expected to have basic knowledge of Ansible.

Installation

The most convenient way to install an Ansible role or collection is to use the Ansible Galaxy CLI ansible-galaxy. The utility is installed by the standard Ansible package and provides the user with a simple interface to the Ansible Galaxy’s services. For example, take a look at the current status of the role

shell> ansible-galaxy role info vbotka.apache

and install it

shell> ansible-galaxy role install vbotka.apache

Together with the role vbotka.apache, the dependent role jtyr.config_encoder_filters will be installed (see meta/main.yml). This role provides the filter encode_apache, used to encode YAML configuration data to the Apache format.

Install the library vbotka.ansible_lib

shell> ansible-galaxy role install vbotka.ansible_lib

Install the collection community.general

shell> ansible-galaxy collection install community.general

See also

  • For details on how to install specific versions from various sources see Installing content.

  • Take a look at other roles: $ ansible-galaxy search --author=vbotka

Ansible playbook

Simple playbook to install and configure Apache at srv.example.com (2)

 1shell> cat apache.yml
 2- hosts: srv.example.com
 3  gather_facts: true
 4  connection: ssh
 5  remote_user: admin
 6  become: yes
 7  become_user: root
 8  become_method: sudo
 9  roles:
10    - vbotka.apache

Tags

Tags are a useful tool for running selected tasks of the role. To see which tags are available, list the tags of the role with the command below

shell> ansible-playbook apache.yml --list-tags

playbook: apache.yml

play #1 (srv.example.conf): srv.example.com TAGS: []

  TASK TAGS: [always, apache_debug, apache_httpd,
  apache_httpd_alias, apache_httpd_confd,
  apache_httpd_confd_includes, apache_httpd_confd_vhosts,
  apache_httpd_dirs, apache_httpd_modules, apache_httpd_ssl,
  apache_httpd_vhosts, apache_packages, apache_samples,
  apache_service, apache_vars]

For example, see the list of the variables and their values with the tag apache_debug

shell> ansible-playbook apache.yml -t apache_debug -e 'apache_debug=true'

See what packages will be installed

shell> ansible-playbook apache.yml -t apache_packages -e 'apache_debug=true' --check

Install packages only and exit the play. Enable the debug output

shell> ansible-playbook apache.yml -t apache_packages -e 'apache_debug=true'

Debug

To see additional debug information in the output, enable debug output in the configuration

apache_debug: true

or set the extra variable on the command line

shell> ansible-playbook apache.yml -e 'apache_debug=true'

Variables

In this guide we describe the role default variables in the directory defaults and the variables included from the directory vars:

  • role defaults in the directory {{ role_path }}/defaults (precedence 2.)

  • include OS specific vars from the directory {{ role_path }}/vars (precedence 18.)

Default variables

  • Most of the variables are self-explanatory (4-9,14-15,69-70).

  • For Apache configuration (23-62,65) see Apache HTTP Server Documentation.

  • Other variables (75,78,81,84-85) will be explained in the next sections.

[defaults/main.yml]

  1---
  2# defaults for vbotka.apache
  3
  4apache_install: true
  5apache_enable: true
  6apache_debug: false
  7apache_ssl: false
  8apache_php: false
  9apache_backup_conf: false
 10
 11apache_sslengine: 'off'
 12
 13# httpd.conf
 14apache_servername: www.example.com
 15apache_serveradmin: admin@example.com
 16apache_servertokens: Prod
 17apache_httpd_conf:
 18  - {regexp: ServerName, line: "{{ apache_servername }}"}
 19  - {regexp: ServerAdmin, line: "{{ apache_serveradmin }}"}
 20  - {regexp: ServerTokens, line: "{{ apache_servertokens }}"}
 21
 22# SSL
 23apache_ssllisten: ''
 24apache_sslcertificatefile: "/usr/local/etc/apache{{ apache_version }}/server.crt"
 25apache_sslcertificatekeyfile: "/usr/local/etc/apache{{ apache_version }}/server.key"
 26apache_sslprotocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 27# apache_sslciphersuite: HIGH:!aNULL:!MD5
 28# apache_sslciphersuite: RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
 29apache_sslciphersuite: "ECDHE-ECDSA-AES256-GCM-SHA384:\
 30ECDHE-RSA-AES256-GCM-SHA384:\
 31ECDHE-ECDSA-CHACHA20-POLY1305:\
 32ECDHE-RSA-CHACHA20-POLY1305:\
 33ECDHE-ECDSA-AES128-GCM-SHA256:\
 34ECDHE-RSA-AES128-GCM-SHA256:\
 35ECDHE-ECDSA-AES256-SHA384:\
 36ECDHE-RSA-AES256-SHA384:\
 37ECDHE-ECDSA-AES128-SHA256:\
 38ECDHE-RSA-AES128-SHA256"
 39apache_sslhonorcipherorder: 'on'
 40apache_sslcompression: 'off'
 41apache_sslsessiontickets: 'off'
 42# SSLOpenSSLConfCmd DHParameters '/usr/local/etc/ssl/dhparam.pem'
 43# SSLSessionCache shmcb:/var/run/ssl_scache(512000)
 44# Header always set X-Frame-Options DENY
 45# Header always set X-Frame-Options SAMEORIGIN
 46apache_httpd_conf_ssl:
 47  - "Include etc/apache{{ apache_version }}/extra/httpd-ssl.conf"
 48# Note: The regex value must be terminated by one space
 49apache_httpd_conf_ssl_extra:
 50  - {regexp: 'ServerName ', line: "{{ apache_servername }}:443"}
 51  - {regexp: 'ServerAdmin ', line: "{{ apache_serveradmin }}"}
 52  - {regexp: 'SSLEngine ', line: "{{ apache_sslengine }}"}
 53  - {regexp: 'SSLProtocol ', line: "{{ apache_sslprotocol }}"}
 54  - {regexp: 'SSLCipherSuite ', line: "{{ apache_sslciphersuite }}"}
 55  - {regexp: 'SSLHonorCipherOrder ', line: "{{ apache_sslhonorcipherorder }}"}
 56  - {regexp: 'SSLCompression ', line: "{{ apache_sslcompression }}"}
 57  - {regexp: 'SSLSessionTickets ', line: "{{ apache_sslsessiontickets }}"}
 58  - {regexp: 'SSLCertificateFile ', line: "{{ apache_sslcertificatefile }}"}
 59  - {regexp: 'SSLCertificateKeyFile ', line: "{{ apache_sslcertificatekeyfile }}"}
 60apache_httpd_conf_ssl_extra_absent: []
 61apache_httpd_conf_ssl_listen:
 62  - Listen 443
 63
 64# Modules
 65apache_httpd_conf_modules:
 66  - {module: socache_shmcb_module, mod: mod_socache_shmcb.so}
 67
 68# PHP
 69apache_php_version: '81'
 70apache_php_package: "www/mod_php{{ apache_php_version }}"
 71
 72# vhosts
 73# Virtual hosts need apache_ssl. Port 80 is redirected permanently to
 74# 443 for vhosts.
 75apache_vhost: []
 76
 77# dirs
 78apache_directory_blocks: []
 79
 80# aliases
 81apache_alias: []
 82
 83# conf.d
 84apache_confd_dir_vhosts: "{{ role_path }}/vars/conf.d/vhosts"
 85apache_confd_dir_sections: "{{ role_path }}/vars/conf.d/sections"
 86
 87# samples
 88apache_samples: false
 89apache_samples_list:
 90  - httpd.conf
 91  - magic
 92  - mime.types
 93  - extra/httpd-autoindex.conf
 94  - extra/httpd-dav.conf
 95  - extra/httpd-default.conf
 96  - extra/httpd-info.conf
 97  - extra/httpd-languages.conf
 98  - extra/httpd-manual.conf
 99  - extra/httpd-mpm.conf
100  - extra/httpd-multilang-errordoc.conf
101  - extra/httpd-ssl.conf
102  - extra/httpd-userdir.conf
103  - extra/httpd-vhosts.conf
104  - extra/proxy-html.conf
105
106# rc.conf
107apache_rcconf: []
108
109# EOF
110...

Warning

By default SSL is turned off: apache_sslengine: "off" (11).

OS specific default variables

The configuration files from the directory vars/defaults will be included in the loop with_first_found (1). At least an empty default.yml (6) must be present.

1 with_first_found:
2 - files:
3     - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
4     - "{{ ansible_distribution }}.yml"
5     - "{{ ansible_os_family }}.yml"
6     - "default.yml"
7     - "defaults.yml"
8   paths: "{{ al_os_vars_path }}/vars/defaults"

FreeBSD default variables

By default the binary packages will be installed (4). If custom builds are available, switch to ports (5) and use freebsd_use_packages: "yes" (6) to speed up the installation. Under standard circumstances there is no reason to change the other parameters here.

[vars/defaults/FreeBSD.yml]

 1---
 2# FreeBSD defaults for vbotka.apache
 3
 4freebsd_install_method: packages
 5# freebsd_install_method: ports
 6freebsd_use_packages: true
 7freebsd_install_retries: 10
 8freebsd_install_delay: 5
 9
10apache_version: '24'
11apache_package: "www/apache{{ apache_version }}"
12apache_dir: "apache{{ apache_version }}"
13apache_service: "apache{{ apache_version }}"
14apache_conf_path: "/usr/local/etc/apache{{ apache_version }}"
15apache_data_owner: www
16apache_data_group: wheel
17apache_data_mode: '0640'
18apache_dir_mode: '0750'
19apache_packages:
20  - "{{ apache_package }}"
21
22# EOF
23...

OS specific custom variables

The configuration files from the directory vars will be included in the loop with_first_found (1) and will override the default values of the variables. At least an empty default.yml (6) must be present here.

1 with_first_found:
2 - files:
3     - "{{ ansible_distribution }}-{{ ansible_distribution_release }}.yml"
4     - "{{ ansible_distribution }}.yml"
5     - "{{ ansible_os_family }}.yml"
6     - "default.yml"
7     - "defaults.yml"
8   paths: "{{ al_os_vars_path }}/vars"

Note

  • OS specific variables from the directory {{ al_os_vars_path }}/vars override OS specific default variables from the directory {{ al_os_vars_path }}/vars/defaults.

  • See al_include_os_vars_path.yml.

apache_vhost

Synopsis

  • apache_vhost is a list of virtual hosts.

Parameters

Parameter               Type                      Comments
ServerName              string, required          Fully qualified domain name (FQDN)
DocumentRoot            string, required          Path DocumentRoot
SSLCertificateFile      string, required          Path to SSL Certificate
SSLCertificateKeyFile   string, required          Path to SSL Private key
redirect                boolean, default: false   Redirect permanent http to https
create_document_root    boolean, default: false   Create DocumentRoot

Example

The example below will configure virtual server mail.example.net (2).

1apache_vhost:
2  - ServerName: "mail.example.net"
3    DocumentRoot: "/usr/local/www/roundcube/"
4    SSLCertificateFile: "/usr/local/etc/letsencrypt/live/mail.example.net/fullchain.pem"
5    SSLCertificateKeyFile: "/usr/local/etc/letsencrypt/live/mail.example.net/privkey.pem"
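
The following host variables are an added example, not part of the role's documentation, showing the virtual host above with TLS switched on, since the role defaults leave it off. All variable names come from defaults/main.yml and the parameter table above; the file name is constructed, and it is an assumption that apache_ssl and apache_sslengine are the switches that activate the SSL configuration and that ssl_module is not already loaded by the stock httpd.conf.

```yaml
# host_vars/srv.example.com.yml  (constructed file name)
# Added example; not taken from the role.

# The defaults ship with both switches off (assumption: these two
# variables are what activates the SSL configuration).
apache_ssl: true
apache_sslengine: 'on'

# Allow-list form of the default protocol policy
# (all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1). TLSv1.3 needs mod_ssl built
# against OpenSSL 1.1.1 or later.
apache_sslprotocol: "-all +TLSv1.2 +TLSv1.3"

# Role defaults repeated explicitly so that a later override of any
# of them shows up in review.
apache_sslhonorcipherorder: 'on'
apache_sslcompression: 'off'
apache_sslsessiontickets: 'off'
apache_servertokens: Prod

# Default module list plus ssl_module (assumption: not loaded by the
# stock httpd.conf).
apache_httpd_conf_modules:
  - {module: "socache_shmcb_module", mod: "mod_socache_shmcb.so"}
  - {module: "ssl_module", mod: "mod_ssl.so"}

apache_vhost:
  - ServerName: "mail.example.net"
    DocumentRoot: "/usr/local/www/roundcube/"
    SSLCertificateFile: "/usr/local/etc/letsencrypt/live/mail.example.net/fullchain.pem"
    SSLCertificateKeyFile: "/usr/local/etc/letsencrypt/live/mail.example.net/privkey.pem"
    # Permanent redirect from http to https (default: false).
    redirect: true
    # The document root is expected to exist already (default: false).
    create_document_root: false
```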

apache_directory_blocks

Synopsis

  • apache_directory_blocks is a list of directory blocks.

Parameters

Parameter     Type               Comments
Directory     string, required   DocumentRoot directory
Includefile   string, required   Path to the includefile to be created
Conf          list               Configuration of the directory

Example

The configuration file (3) will be created in the directory {{ apache_conf_path }}/Includes/.

1 apache_directory_blocks:
2   - Directory: "/usr/local/www/roundcube"
3     Includefile: "usr-local-www-roundcube.conf"
4     Conf:
5       - "Options Indexes FollowSymLinks"
6       - "DirectoryIndex index.html"
7       - "AllowOverride All"
8       - "Require all granted"

apache_alias

Synopsis

  • apache_alias is a list of aliases.

Example

apache_alias:
  - "ScriptAlias /nagios/cgi-bin/ /usr/local/www/nagios/cgi-bin/"
  - "Alias /nagios/ /usr/local/www/nagios/"
  - "Alias /joomla /usr/local/www/joomla3/"

apache_confd_dir_vhosts

Synopsis

  • apache_confd_dir_vhosts is the path to the directory with the virtual hosts’ configuration files.

Parameters

The parameters and format of the files are described in the filter encode_apache.

Example

From the YAML file below, the configuration file {{ apache_conf_path }}/extra/mail.example.net.conf will be created and included in {{ apache_conf_path }}/httpd.conf.

$ cat mail.example.net/apache.d/vhosts/mail.example.net.yml
my_apache_vhost:
  content:
    - sections:
        - name: VirtualHost
          param: "*:80"
          content:
            - options:
                - ServerName: mail.example.net
                - DocumentRoot: /usr/local/www/roundcube/
                - Redirect permanent /: https://mail.example.net/
    - sections:
        - name: VirtualHost
          param: "*:443"
          content:
            - options:
                - ServerName: mail.example.net
                - DocumentRoot: /usr/local/www/roundcube/
                - SSLCertificateFile: /usr/local/etc/ssl/certs/mail.example.net.crt
                - SSLCertificateKeyFile: /usr/local/etc/ssl/private/mail.example.net.key

Hints

Hint

  • The default value is
    apache_confd_dir_vhosts: "{{ role_path }}/vars/conf.d/vhosts"
  • In projects it might be convenient to change the path. For example
    apache_confd_dir_vhosts: "{{ playbook_dir }}/apache.d/vhosts"

apache_confd_dir_sections

Synopsis

  • apache_confd_dir_sections is the path to the directory with configuration files.

Parameters

The parameters and format of the files are described in the filter encode_apache. The content of the files will be encoded and stored in the files in the directory {{ apache_conf_path }}/Includes/.

Example

For example, from the YAML file below the configuration file usr-local-www-roundcube.conf will be created and stored in the directory {{ apache_conf_path }}/Includes (17).

 1$ cat mail.example.net/apache.d/sections/usr-local-www-roundcube.yml
 2my_apache_dir:
 3  content:
 4    - sections:
 5        - name: Directory
 6          param: /usr/local/www/roundcube
 7          content:
 8            - options:
 9                - Options:
10                    - Indexes
11                    - FollowSymLinks
12                - AllowOverride: All
13                - Require:
14                    - all
15                    - granted
16
17$ cat /usr/local/etc/apache24/Includes/usr-local-www-roundcube.conf
18<Directory /usr/local/www/roundcube>
19  Options Indexes FollowSymLinks
20  AllowOverride All
21  Require all granted
22</Directory>

Hints

Hint

  • The default value is
    apache_confd_dir_sections: "{{ role_path }}/vars/conf.d/sections"
  • In projects it might be convenient to change the path. For example
    apache_confd_dir_sections: "{{ playbook_dir }}/apache.d/sections"
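
Both Directory examples on this page (the apache_directory_blocks example and the section file above) grant Options Indexes and AllowOverride All on the document root: Indexes produces a file listing for any directory without an index file, and AllowOverride All lets .htaccess files inside the tree change the configuration. The following added example, which is not part of the role's documentation, shows a more restrictive block in each of the two syntaxes; the second Includefile name and the config subdirectory are constructed, and it assumes the application does not depend on its .htaccess files and that the encode_apache filter renders list values as in the example above.

```yaml
# Added example, not taken from the role. Use one form or the other:
# both target {{ apache_conf_path }}/Includes/usr-local-www-roundcube.conf.

# Form 1: role variable apache_directory_blocks (literal directive lines)
apache_directory_blocks:
  - Directory: "/usr/local/www/roundcube"
    Includefile: "usr-local-www-roundcube.conf"
    Conf:
      # Without Indexes, a directory that has no index file returns
      # 403 instead of a file listing.
      - "Options -Indexes +SymLinksIfOwnerMatch"
      - "DirectoryIndex index.html"
      # .htaccess files are ignored; all policy stays in this file.
      - "AllowOverride None"
      - "Require all granted"
  # Constructed second block: deny web access to a subdirectory that
  # holds configuration (the path is an assumption).
  - Directory: "/usr/local/www/roundcube/config"
    Includefile: "usr-local-www-roundcube-config.conf"
    Conf:
      - "Require all denied"
---
# Form 2: separate file in apache_confd_dir_sections (encode_apache
# structure), e.g. apache.d/sections/usr-local-www-roundcube.yml
my_apache_dir:
  content:
    - sections:
        - name: Directory
          param: /usr/local/www/roundcube
          content:
            - options:
                - Options:
                    - "-Indexes"
                    - "+SymLinksIfOwnerMatch"
                - AllowOverride: "None"
                - Require:
                    - all
                    - granted
```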

apache_httpd_conf

Synopsis

  • apache_httpd_conf is a list of lines in httpd.conf.

Parameters

Parameter   Type               Comments
regexp      string, required   The pattern to replace if found
line        string, required   The line to insert/replace into the file

Example

apache_httpd_conf:
  - {regexp: "ServerName", line: "{{ apache_servername }}"}
  - {regexp: "ServerAdmin", line: "{{ apache_serveradmin }}"}
  - {regexp: "ServerRoot", line: "/usr/local"}
  - {regexp: "MIMEMagicFile", line: "etc/apache24/magic"}

Notes

Note

  • The default value is
    apache_httpd_conf:
      - {regexp: "ServerName", line: "{{ apache_servername }}"}
      - {regexp: "ServerAdmin", line: "{{ apache_serveradmin }}"}
  • The argument line must be quoted if it contains spaces
      - {regexp: "ErrorDocument 500", line: "\"The server made a boo boo.\""}
  • For details see httpd.yml.

apache_httpd_conf_ssl

Synopsis

  • apache_httpd_conf_ssl is a list of lines that configure SSL in httpd.conf.

Parameters

Parameter   Type               Comments
line        string, required   The line to insert into the file

Notes

Note

  • The default value is
    apache_httpd_conf_ssl:
      - "Include etc/apache{{ apache_version }}/extra/httpd-ssl.conf"
  • For details see httpd-ssl.yml.

apache_httpd_conf_ssl_extra

Synopsis

  • apache_httpd_conf_ssl_extra is a list of lines that configure SSL in extra/httpd-ssl.conf.

Parameters

Parameter   Type               Comments
regexp      string, required   The pattern to replace if found
line        string, required   The line to insert/replace into the file

apache_httpd_conf_ssl_extra_absent

Synopsis

  • apache_httpd_conf_ssl_extra_absent is a list of lines that will be removed from extra/httpd-ssl.conf.

Parameters

Parameter   Type               Comments
regexp      string, required   The pattern to be removed

apache_httpd_conf_ssl_listen

Synopsis

  • apache_httpd_conf_ssl_listen is a list of addresses and ports that the server will bind to.

Notes

Note

  • The default value is
    apache_httpd_conf_ssl_listen:
    - "Listen 443"
  • Overlapping Listen directives will result in a fatal error which
    will prevent the server from starting up.
  • For details see httpd-ssl.yml.

apache_httpd_conf_modules

Synopsis

  • apache_httpd_conf_modules is a list of modules to be loaded.

Parameters

Parameter   Type                     Comments
module      string, required         Name of the module
mod         string, required         Object file or Library
present     boolean, default: true   If true LoadModule directive will be added to httpd.conf.
                                     If false directive will be commented (disabled).

Example

apache_httpd_conf_modules:
  - {module: "socache_shmcb_module", mod: "mod_socache_shmcb.so"}
  - {module: "ssl_module", mod: "mod_ssl.so"}
  - {module: "php5_module", mod: "libphp5.so"}
