apache with sites configs
-
For these paths:
files/{{ inventory_hostname }}/apache/files/{{ any_group_of_this_machine }}/apache/files/{{ inventory_hostname | regex_replace("[0-9]*$","") }}/apache/files/apache/
All maching files will be installed under apache config dir:
- FreeBSD:
modules.d/*.confIncludes/*.conf
- Debian:
mods-enabled/*.confconf.d/*.conf
- All:
*.inc
- same order, but "first match wins" and recursive copy for default root directory:
inventory_hostname/apache/default_root/(inventory_hostname with ending numbers stripped)/apache/default_root/apache/default_root/
sites ([]): Array of sites descriptions, see belowmonitoring_from ([127.0.0.1]): ip addresses/networks allowed to access status pagesadmin_from ([]): ip addresses/networks allowed to access status/balancer-manager pagesmysite (''): if defined, only process this site.id instead of eachsitesapache_protocols (""): you may define as per https://httpd.apache.org/docs/2.4/mod/core.html#protocols
Most of these are used in bundled site.conf.j2 template only, except id, apache_includes, apache_configs, rootdir, user/group, grwfiles/dirs and tls_key/cert
id (MANDATORY): unique short identifier (base for dirnames, usernames, etc.)name (MANDATORY): DNS name
rootdir (system-dependant/{{name}}): You have to populate it elsewhere (criecm.php-fpm does it from vars, or in your playbook)webroot (rootdir): If you need a different web rootlisten ([*:80] or [*:443])list of [IP:]port or port to listen (default depends oftls_certpresence)user (system dependant default)group (user)status_path (/apache-status): will present apache status page tomonitoring_fromandadmin_fromnets, if they are populated andstatus_pathis not emptybackends ([]): eg:- 'ajp://jentest1.nettest.egim:8009 route=jentest1 timeout=20 loadfactor=100'- if only one is defined, see https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
- if more than one, see https://httpd.apache.org/docs/2.4/mod/mod_proxy_balancer.html
- if you define
prefixes, backends will only be used for them.
apache_directives ([]): list of apache config lines. MUST be valid config lines in virtualhost sectionprefixes ([{path: /}]): list of pathes allowed on this virtualhost, withallow_from_nets ([])listing IP(v4|v6) prefixes allowedapache_includes ([])as in sitesapache_configs ([])as in sitesbackends ([])as in sites (do not forget to add the url path as ajp://jentest1.nettest.egim:8009*/there*)apache_directives ([]): as in sites, but must be valid in<Location>protocols (apache_protocols): you may overrideProtocolper vhost - see https://httpd.apache.org/docs/2.4/mod/core.html#protocolsstickysessionname of session cookie for use with load-balancingapache_rewrite_config (True): Set to false it will never modify existing config filesoverride_site_config (apache_rewrite_config): You may want to rewrite sites configs but not global ones, or inverse with this one
aliases ([]): DNS aliases (ServerAlias'es)apache_includes ([])Files to be included in virtualhost config. see Files / Templates locations for searched pathapache_configs ([])Files to be copied in apache config directory (for inclusion in your templates) see Files / Templates locations for searched pathapache_directives ([])List of raw apache config lines (can be located in site, prefix)grwfiles ([])files writeable by groupgrwdirs ([])dirs writable by site's groupcache ([])cache lines (Added after "CacheEnable")redirectmatch ([])list of redirections dicts:regex: path selectordest: destinationtype (temp): "permanent", "temp", 302, 30x, …gitroot ()git repo to clone in rootdirgitrootversion ("master")git tag/branch/commit for gitroot
tls_cert ([]): file name, will be searched for in files/tls/ and copied in {prefix}/etc/ssl/tls_key ([]): file name, will be searched for in files/tls/ and copied in {prefix}/etc/ssl/private/tls_hsts (31536000): will add a Strict-Transport-Security header with provided valuetls_redir (False): will define an http vhost redirecting to https if True
From vars/site.yml:
siteconf_locations:
- '{{ playbook_dir }}/templates/{{ id }}/apache/{{ id }}.conf.j2'
- '{{ playbook_dir }}/files/{{ id }}/apache/{{ id }}.conf'
- templates/site.conf.j2 # bundled
# used for apache_includes vars:
include_locations:
- '{{ item }}.j2'
- '{{ item }}'
- '{{ playbook_dir }}/templates/{{ id }}/apache/{{ item }}.j2'
- '{{ playbook_dir }}/files/{{ id }}/apache/{{ item }}'
- 'templates/apache/{{ item }}.j2'
- '{{ playbook_dir }}/files/apache/{{ item }}'
- hosts: webhost*
roles: criecm.apache
vars:
apache_freebsd_modules:
- ap24-mod_auth_cas
- ap24-mod_rpaf2
apache_enabled_modules:
- rewrite
- access_compat
- proxy_ajp
- proxy_balancer
- proxy
- ssl
- lbmethod_byrequests
- lbmethod_bytraffic
- lbmethod_bybusyness
- slotmem_shm
- access_compat
sites:
# simple site
- id: webperso
name: site.domain.example
apache_includes:
- site_example.inc # see Files / Templates locations
- favicon.inc
rootdir: /usr/local/www/default
# reverse-proxy
- id: rproxy
name: www.my.univ.fr
listen: 443
tls: True
tls_redir: True
tls_cert: www.my.univ.crt # relative to playbook_dir/ssl/
tls_key: www.my.univ.key # idem
aliases:
- my.univ.fr
- univ.fr
backends:
- 'http://my.backend.internal:8090/'
- id: ajpproxy
name: apps.univ.fr
prefixes:
- path: /firstapp
allow_from_nets:
- 192.0.2.128/25
- 2001:db8:cafe:f001::/64
backends:
- 'ajp://backend1.internal:8009/'
- 'ajp://backend2.internal:8009/'
- path: /publicapp
backends:
- 'ajp://backend1.internal:8009/'
cache:
- 'disk "/publicapp"'
# reverse-proxy with differents backends
- id: apps
name: apps.univ.sample
prefixes:
- path: /
backends:
- http://mainback.local/
- path: /app1
backends:
- ajp://backapp1.local
allow_from_nets:
- 192.0.2.128/25
- 2001:db8:cafe:f001::/64
- path: /app2
backends:
- http://app2-1.local/app2/
- http://app2-2.local/app2/