OpenStack-Ansible HTTPD role
This role installs an Apache Web Server for serving static files and various applications which are required for the deployment.
To clone or view the source code for this repository, visit the role repository for httpd.
Sample configuration
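# Sample role variables: enable one extra Apache module and define one vhost.
# NOTE(review): the nesting was rebuilt from a listing that had lost its
# indentation. `headers` and the second `params` are placed at vhost level
# because one mapping cannot hold `params` twice - confirm against the role's
# own README before copying.
httpd_extra_modules:
  - name: proxy
    state: present

httpd_vhosts:
  - name: test_http
    address: "127.0.1.1"
    document_root: /var/www/test
    directories:
      - path: "/var/www/cgi-bin"
        params:
          # `Indexes` lets Apache generate a directory listing when no index
          # file exists, which on a CGI directory discloses script names.
          # Drop it (or use `Options -Indexes`) unless browsing is intended;
          # `SymLinksIfOwnerMatch` is the stricter form of `FollowSymLinks`.
          - Options Indexes FollowSymLinks MultiViews
    headers:
      # Tells browsers not to MIME-sniff responses from this vhost.
      - Header set X-Content-Type-Options "nosniff"
    params:
      - Options +FollowSymLinks
    # The sample listens on port 80 on a loopback address. TLS for a vhost is
    # driven by its `ssl` key; check how the role treats a vhost that omits it
    # before binding one to a routable address.
    port: 80
    server_name: test_http.test_server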
Default variables
# NOTE(review): this page does not show what consumes cache_timeout or its
# unit - presumably seconds for the package-manager cache; confirm in the tasks.
cache_timeout: 300
# Generic configuration
# Values of the form "{{ _httpd_... }}" resolve to underscore-prefixed
# variables that are not defined on this page (presumably the role's
# per-distribution vars files - confirm).
httpd_conf_dir: "/etc/{{ httpd_system_service_name }}"
httpd_conf_file: "{{ _httpd_conf_file }}"
httpd_default_sites: "{{ _httpd_default_sites }}"
httpd_distro_packages: "{{ _httpd_distro_packages }}"
# Empty by default; presumably packages installed in addition to the distro set.
httpd_extra_packages: []
httpd_extra_conf_files: "{{ _httpd_extra_conf_files }}"
## List of modules and MPMs to enable/disable is defined only for DEB systems
httpd_default_modules: "{{ _httpd_default_modules }}"
# Deployer-supplied module entries; appended to the defaults in httpd_modules.
# Every enabled module adds attack surface, so list only what the served
# applications actually need.
httpd_extra_modules: []
httpd_modules: "{{ httpd_default_modules + httpd_extra_modules }}"
httpd_mpms: "{{ _httpd_mpms }}"
# Falls back to 'latest' when `package_state` is not set.
# NOTE(review): presumably this lets each run move httpd to the newest
# packaged version; set `package_state: present` (or pin versions) where
# upgrades must be reviewed and reproducible.
httpd_package_state: "{{ package_state | default('latest') }}"
# NOTE(review): the hardening settings written through this variable come from
# _httpd_security_conf and are not visible here; review the rendered file.
httpd_security_conf: "{{ _httpd_security_conf }}"
# Server name is taken from the gathered `fqdn` fact of the target host.
httpd_server_name: "{{ ansible_facts['fqdn'] }}"
httpd_vhost_enable_path: "{{ _httpd_vhost_enable_path }}"
# Account, group and home directory for the service; values are not shown on
# this page.
httpd_service_home_folder: "{{ _httpd_service_home_folder }}"
httpd_service_user_name: "{{ _httpd_service_user_name }}"
httpd_service_group_name: "{{ _httpd_service_group_name }}"
httpd_system_service_name: "{{ _httpd_system_service_name }}"
## vHost definition example:
# NOTE(review): nesting below was rebuilt from a flattened listing; the three
# `options` keys are assumed to belong to the directory entry, the location
# entry and the vhost itself, and `headers` to the vhost - confirm against the
# role's defaults file.
# httpd_vhosts:
#   - address: ""
#     document_root:
#     directories:
#       - path: "/"
#         options: []
#     headers: []
#     locations:
#       - path: "/"
#         options: []
#     options: []
#     port: 80
#     server_name: "{{ inventory_hostname }}"
#     state: present
#     enabled: false
#     ssl:
#       # In case `cert` or `key` is undefined, certificate will be generated.
#       # You can use `san` key to adjust CNs for the generated certificate.
#       # `ca` key is optional and can be omitted.
#       # You can also set ``ssl: false`` to explicitly disable any TLS
#       # configuration for vhost
#       # `key` points at the private key: keep that file readable only by
#       # the accounts that must load it, and keep it out of version control.
#       cert: /path/to/vhost.crt
#       key: /path/to/key.crt
#       ca: /path/to/ca.crt
# No vhosts are defined by default.
httpd_vhosts: []
# Logging
# Single-quoted YAML scalar, so the outer double quotes and the backslashes
# are passed through literally. In Apache log-format terms the fields are:
# client host (%h), remote logname (%l), authenticated user (%u), request line
# (%r), final status (%>s), response size (%b), Referer and User-agent.
# The request line and Referer can carry query strings that contain tokens or
# other secrets, so restrict read access to the resulting log files.
# NOTE(review): behind a proxy or load balancer %h presumably records the
# proxy address rather than the real client - confirm for your topology.
httpd_custom_log_format: '"%h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'
httpd_log_level: info
# MPM tunables
# Each value falls back to the listed default unless the matching
# openstack_apache_* variable is set. Together they bound how many concurrent
# connections the server accepts, which is what limits the impact of
# connection-exhaustion (slow-client) load.
httpd_mpm_backend: "{{ openstack_apache_mpm_backend | default('event') }}"
# NOTE(review): 0 presumably maps to "never recycle a child process" in
# Apache - confirm against the rendered MPM configuration.
httpd_mpm_max_conn_child: "{{ openstack_apache_max_conn_child | default(0) }}"
# Product of the server limit and the threads per child.
httpd_mpm_max_requests: "{{ httpd_mpm_server_limit | int * httpd_mpm_thread_child | int }}"
httpd_mpm_max_spare_threads: "{{ openstack_apache_max_spare_threads | default(75) }}"
httpd_mpm_min_spare_threads: "{{ openstack_apache_min_spare_threads | default(25) }}"
# Half of the host's vCPU count (2 vCPUs assumed when the fact is missing),
# never below 1 and never above httpd_mpm_thread_max.
httpd_mpm_server_limit: "{{ [[ansible_facts['processor_vcpus'] | default(2) // 2, 1] | max, httpd_mpm_thread_max | int] | min }}"
httpd_mpm_start_servers: "{{ openstack_apache_start_servers | default(2) }}"
httpd_mpm_thread_child: "{{ openstack_apache_thread_child | default(25) }}"
httpd_mpm_thread_limit: "{{ openstack_apache_thread_limit | default(64) }}"
httpd_mpm_thread_max: "{{ openstack_apache_thread_max | default(16) }}"
# TLS configuration
# Default enables every protocol and then removes SSLv2, SSLv3, TLSv1 and
# TLSv1.1, leaving TLS 1.2 and 1.3 where the TLS library supports them.
# The value is taken from `ssl_protocol` when that variable is defined, so an
# override set elsewhere in the deployment replaces this default - check the
# effective value, not only this line.
httpd_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
## TLS v1.2 and below
# Default keeps ECDHE key exchange only and excludes anonymous (aNULL), SHA-1
# MAC and AES-CCM suites. `ECDH+AES256` / `ECDH+AES128` still admit CBC-mode
# suites with SHA-256/SHA-384 MACs; override `ssl_cipher_suite` if policy
# requires AEAD-only ciphers.
httpd_ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}"
## TLS v1.3
# Default lists three AEAD suites; overridable through `ssl_cipher_suite_tls13`.
httpd_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
# Base directory for PKI material; `/etc/pki` unless `openstack_pki_dir` is set.
httpd_pki_dir: "{{ openstack_pki_dir | default('/etc/pki') }}"
# Host on which the PKI work runs; `localhost` unless `openstack_pki_setup_host`
# is set.
# NOTE(review): presumably CA private keys are generated and kept under
# httpd_pki_dir on this host - confirm with the PKI role, then restrict access
# to that directory and include it in backups.
httpd_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
## Create a certificate authority if one does not already exist
# Combines "openstack_pki_authorities is not defined" with
# httpd_pki_create_certificates, so no CA is created when the deployment
# already declares its own authorities.
httpd_pki_create_ca: "{{ openstack_pki_authorities is not defined | bool and httpd_pki_create_certificates }}"
# Empty by default.
# NOTE(review): presumably naming a CA here forces it to be regenerated, which
# would invalidate certificates it has already signed - confirm before use.
httpd_pki_regen_ca: ""
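# Certificate authorities the role can create: a self-signed root and one
# intermediate signed by it. Nesting restored from a listing that had lost its
# indentation.
# The subject fields ("GB", "England", "Example Corporation", "IT Security")
# are example values; override them so issued certificates identify your
# organisation.
# Clients do not trust a self-signed root until it is added to their trust
# stores; distribute the root certificate rather than disabling verification.
httpd_pki_authorities:
  - name: "HTTPDRoot"
    country: "GB"
    state_or_province_name: "England"
    organization_name: "Example Corporation"
    organizational_unit_name: "IT Security"
    cn: "Apache HTTPD Root CA"
    provider: selfsigned
    basic_constraints: "CA:TRUE"
    key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    # 3650 days (about ten years); plan rotation well before expiry.
    not_after: "+3650d"
  - name: "HTTPDIntermediate"
    country: "GB"
    state_or_province_name: "England"
    organization_name: "Example Corporation"
    organizational_unit_name: "IT Security"
    cn: "Apache HTTPD Intermediate CA"
    provider: ownca
    # pathlen:0 - this CA may sign end-entity certificates but not further
    # subordinate CAs.
    basic_constraints: "CA:TRUE,pathlen:0"
    key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    # Same lifetime as the root.
    # NOTE(review): a shorter-lived intermediate limits exposure if its key
    # leaks - consider overriding.
    not_after: "+3650d"
    signed_by: "HTTPDRoot"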
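# Installation details for certificate authorities
# Only the root CA is listed, and only when httpd_pki_create_ca evaluates true.
# Nesting restored from a listing that had lost its indentation.
httpd_pki_install_ca:
  - name: "HTTPDRoot"
    condition: "{{ httpd_pki_create_ca }}"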
# HTTPD server certificates to generate
# Certificates live under <httpd_pki_dir>/certs/certs/ and private keys under
# <httpd_pki_dir>/certs/private/ (see httpd_pki_keys_path below).
httpd_pki_certs_path: "{{ httpd_pki_dir ~ '/certs/certs/' }}"
# Built from _httpd_pki_generate_certificates_vhosts, which is not defined on
# this page (presumably derived from httpd_vhosts - confirm).
httpd_pki_certificates: "{{ _httpd_pki_generate_certificates_vhosts }}"
# True as soon as at least one certificate is requested.
httpd_pki_create_certificates: "{{ httpd_pki_certificates | length > 0 }}"
# Default subjectAltName covers the host's short name and FQDN unless
# `openstack_pki_san` is set. Names that clients actually use (a VIP or a
# service alias) must be added here, otherwise verification fails; extend the
# SAN rather than turning verification off on the client.
httpd_pki_default_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn']) }}"
# NOTE(review): permissions on this private-key directory are set elsewhere
# and not shown here - verify that it is not world-readable.
httpd_pki_keys_path: "{{ httpd_pki_dir ~ '/certs/private/' }}"
# Empty by default.
# NOTE(review): presumably naming a certificate here forces re-issue - confirm.
httpd_pki_regen_cert: ""
# Intermediate CA used for signing; `HTTPDIntermediate` unless
# `openstack_pki_service_intermediate_cert_name` is set.
httpd_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HTTPDIntermediate') }}"
# Resolves to <httpd_pki_dir>/roots/<name>/certs/<name>.crt.
httpd_pki_intermediate_cert_path: "{{ httpd_pki_dir ~ '/roots/' ~ httpd_pki_intermediate_cert_name ~ '/certs/' ~ httpd_pki_intermediate_cert_name ~ '.crt' }}"
## Installation details for SSL certificates
# Built from _httpd_pki_install_certificates_vhosts, which is not defined on
# this page.
httpd_pki_install_certificates: "{{ _httpd_pki_install_certificates_vhosts }}"
## Destination directories for SSL certificates
httpd_ssl_certs_dir: /etc/ssl/certs/
# Private keys are installed here.
# NOTE(review): ownership and mode applied by the role are not shown on this
# page - confirm that only root and the service account can read the keys.
httpd_ssl_keys_dir: /etc/ssl/private/
Example playbook
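---
# Minimal play: applies the httpd role to every host in the `httpd` group.
# Nesting restored from a listing that had lost its indentation.
- name: Installing Apache Web Server
  hosts: httpd
  roles:
    - role: httpd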