
# mod_md (ACME) settings shared by every MDomain declared further down.
# Certificates and keys are kept under ServerRoot/MDStoreDir, i.e. /etc/httpd/md
# on this layout (the per-domain pubcert.pem/privkey.pem paths are referenced
# in the *:443 vhost comments below).
MDBaseServer on
MDCertificateProtocol ACME
# http-01 only: every managed name must be reachable on port 80 from the CA.
# The *:80 vhosts below provide that and exempt /.well-known/acme-challenge/
# from their HTTPS redirect for exactly this reason.
MDCAChallenges http-01
MDDriveMode auto
MDPrivateKeys RSA 4096
# Start renewing when 33% of the certificate lifetime is left.
MDRenewWindow 33%
MDStoreDir md
# MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
# We want staging for now... NOTE: staging certificates come from an untrusted
# test CA and are rejected by browsers; switch to the production directory
# above before this serves real traffic.
MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
# MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
# https://httpd.apache.org/docs/trunk/mod/mod_md.html documents the literal
# value "accepted" as agreeing to the CA's current terms without naming the
# document URL, so the dated URL above is not needed.
MDCertificateAgreement accepted
# Baseline for the whole document tree: no .htaccess overrides, anonymous
# read access. The per-vhost roots /srv/http/<fqdn> are declared separately.
<Directory "/srv/http">
AllowOverride None
Require all granted
</Directory>
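# One <Directory> per vhost root.
# Directory listings ("Options Indexes") used to be enabled on every root, so
# any directory without an index file exposed its full contents. Listings are
# now opt-in: set `indexes: true` on the http_vhost entry to restore them for
# a specific vhost. FollowSymLinks is kept as before.
{% for item in http_vhost %}
<Directory "/srv/http/{{ item.fqdn }}">
{% if item.indexes is defined and item.indexes %}
Options Indexes FollowSymLinks
{% else %}
Options FollowSymLinks
{% endif %}
AllowOverride None
Require all granted
</Directory>
{% endfor %}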
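{% for item in http_vhost %}
# --- {{ item.fqdn }} -------------------------------------------------------
# One managed domain per vhost. Aliases are listed in the same MDomain so
# mod_md orders a single certificate whose SANs cover the canonical name and
# every alias; the alias *:443 vhosts below therefore no longer use the
# self-signed localhost.crt, which made browsers fail before they ever saw
# the redirect to {{ item.fqdn }}.
# NOTE(review): every alias must resolve to this host and answer on port 80,
# otherwise the http-01 order for the whole MDomain fails and the canonical
# name is not renewed either -- verify the alias DNS before adding one.
{% if item.aliases is defined %}
MDomain {{ item.fqdn }} {{ item.aliases | join(' ') }}
{% else %}
MDomain {{ item.fqdn }}
{% endif %}
{% if item.aliases is defined %}
{% for item_alias in item.aliases %}
# Plain-HTTP alias: everything except the ACME challenge path is redirected
# to the canonical HTTPS name.
<VirtualHost *:80>
ServerName {{ item_alias }}
ServerAdmin webmaster@firedragonenterprises.com
DocumentRoot /srv/http/{{ item.fqdn }}
RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
</VirtualHost>
{% endfor %}
{% endif %}
# Plain-HTTP canonical name: same redirect, same ACME exemption.
<VirtualHost *:80>
ServerName {{ item.fqdn }}
ServerAdmin webmaster@firedragonenterprises.com
DocumentRoot /srv/http/{{ item.fqdn }}
RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
</VirtualHost>
{% if item.aliases is defined %}
{% for item_alias in item.aliases %}
# HTTPS alias: redirect-only vhost. Certificate is supplied by mod_md from the
# MDomain above (no SSLCertificateFile here on purpose).
<VirtualHost *:443>
SSLEngine on
# "all -TLSv1.1" left TLSv1.0 (and SSLv3 where the library offers it)
# enabled; the intent was clearly to drop legacy protocols, so everything
# below TLS 1.2 is disabled explicitly. Cipher selection stays with the
# system crypto policy (PROFILE=SYSTEM).
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
ServerName {{ item_alias }}
ServerAdmin webmaster@firedragonenterprises.com
DocumentRoot /srv/http/{{ item.fqdn }}
RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
# Deny every dot-path except /.well-known (ACME). Previously the alias vhosts
# denied only .ansible/.config/.ssh and the canonical vhost only .git, so each
# host left a different set of private paths reachable; the same rule now
# applies to all *:443 vhosts.
<LocationMatch "^/\.(?!well-known(/|$))">
Require all denied
</LocationMatch>
</VirtualHost>
{% endfor %}
{% endif %}
# HTTPS canonical name: serves the document root, or proxies to item.proxy.
<VirtualHost *:443>
SSLEngine on
# See the alias vhost above: disable everything below TLS 1.2, not just 1.1.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
# No SSLCertificateFile/SSLCertificateKeyFile here on purpose: this vhost is
# covered by the MDomain above and mod_md supplies the certificate from
# /etc/httpd/md/domains/{{ item.fqdn }}/ (pubcert.pem, privkey.pem) instead
# of the original /etc/pki/tls/{certs,private}/localhost.{crt,key}.
ServerName {{ item.fqdn }}
ServerAdmin webmaster@firedragonenterprises.com
DocumentRoot /srv/http/{{ item.fqdn }}
Alias /error/ "/var/www/error/"
{% if item.proxy is defined %}
# The "!" exclusions must precede the catch-all ProxyPass "/": ACME challenges
# and phpMyAdmin are served locally, everything else goes to the backend.
ProxyPass "/.well-known" "!"
ProxyPass "/phpMyAdmin" "!"
ProxyPass "/phpmyadmin" "!"
ProxyPass "/" "{{ item.proxy }}"
ProxyPassReverse "/" "{{ item.proxy }}"
ProxyTimeout 300
# NOTE(review): the backend sees plain HTTP from this proxy. If it builds
# absolute URLs or sets Secure cookies it likely needs
#   RequestHeader set X-Forwarded-Proto "https"
# (mod_headers) -- confirm with the backend before adding it.
{% endif %}
# Deny every dot-path except /.well-known (ACME). This also applies to
# proxied requests, since Location-based access control runs before
# mod_proxy hands the request to the backend.
<LocationMatch "^/\.(?!well-known(/|$))">
Require all denied
</LocationMatch>
# NOTE(review): once the production CA is in use, consider adding HSTS here
# (Header always set Strict-Transport-Security ...). Do not add it while the
# staging CA is configured: browsers already reject staging certificates and
# HSTS would also remove the click-through.
</VirtualHost>
{% endfor %}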