OpenStack-Ansible HTTPD role

This role installs and configures the Apache HTTPD web server: packages, modules and MPM tuning, logging, virtual hosts with their TLS settings, and — through the `httpd_pki_*` variables and the PKI role — the server certificates needed to secure communication between components in a deployment.

To clone or view the source code for this repository, visit the role repository for httpd.

Sample configuration

# Extra Apache modules enabled on top of httpd_default_modules (see the
# default variables below; the module list is only applied on DEB systems).
httpd_extra_modules:
    - name: proxy
      state: present

# A single plain-HTTP virtual host. No `ssl:` key is given, so nothing here
# is served over TLS; see the `ssl` stanza in the vhost definition example below.
httpd_vhosts:
    - name: test_http
      address: "127.0.1.1"
      document_root: /var/www/test
      directories:
        - path: "/var/www/cgi-bin"
          params:
            # NOTE(review): `Indexes` turns on directory listings for this
            # path, disclosing file names to any client; drop it unless
            # listings are actually intended.
            - Options Indexes FollowSymLinks MultiViews
      headers:
        # NOTE(review): `Header set` acts on the success response table only,
        # so error responses (4xx/5xx) go out without this header; use
        # `Header always set` to cover them as well.
        - Header set X-Content-Type-Options "nosniff"
      params:
        - Options +FollowSymLinks
      port: 80
      server_name: test_http.test_server

Default variables

# Presumably a fact/cache lifetime in seconds used by the role's tasks; it is
# not referenced anywhere else on this page — confirm against the tasks.
cache_timeout: 300

# Generic configuration
# Values of the form "{{ _httpd_* }}" are resolved from the role's
# per-distribution vars files, which are not shown on this page.
httpd_conf_dir: "/etc/{{ httpd_system_service_name }}"
httpd_conf_file: "{{ _httpd_conf_file }}"
httpd_default_sites: "{{ _httpd_default_sites }}"
httpd_distro_packages: "{{ _httpd_distro_packages }}"
httpd_extra_conf_files: "{{ _httpd_extra_conf_files }}"

## The list of modules and MPMs to enable/disable is only applied on DEB systems.
## httpd_modules is the plain concatenation of the defaults and the extras;
## add to httpd_extra_modules rather than overriding httpd_default_modules.
httpd_default_modules: "{{ _httpd_default_modules }}"
httpd_extra_modules: []
httpd_modules: "{{ httpd_default_modules + httpd_extra_modules }}"
httpd_mpms: "{{ _httpd_mpms }}"

# NOTE(review): the default 'latest' upgrades the httpd packages on every
# run, so package versions are not pinned by this role. Set package_state to
# 'present' (or pin at the repository level) where change control or a
# reproducible deployment matters.
httpd_package_state: "{{ package_state | default('latest') }}"
# Distribution security configuration (not shown here) — presumably where
# ServerTokens/ServerSignature are set; confirm in the vars files.
httpd_security_conf: "{{ _httpd_security_conf }}"
# Taken from the host's FQDN fact; presumably rendered as the global ServerName.
httpd_server_name: "{{ ansible_facts['fqdn'] }}"
httpd_vhost_enable_path: "{{ _httpd_vhost_enable_path }}"

# Service account, home folder and unit name, again per distribution.
httpd_service_home_folder: "{{ _httpd_service_home_folder }}"
httpd_service_user_name: "{{ _httpd_service_user_name }}"
httpd_service_group_name: "{{ _httpd_service_group_name }}"
httpd_system_service_name: "{{ _httpd_system_service_name }}"

## vHost definition example.
## The sample configuration at the top of this page uses `params` for the
## per-directory and per-vhost directive lists where this example shows
## `options`; confirm against the vhost template which key the role reads.
# httpd_vhosts:
#   - address: ""
#     document_root:
#     directories:
#       - path: "/"
#         options: []
#     headers: []
#     locations:
#       - path: "/"
#         options: []
#     options: []
#     port: 80
#     server_name: "{{ inventory_hostname }}"
#     # `state` presumably controls whether the vhost file exists and
#     # `enabled` whether it is linked into httpd_vhost_enable_path — confirm.
#     state: present
#     enabled: false
#     ssl:
#       # If `cert` or `key` is undefined, a certificate is generated by the
#       # role's PKI (see the httpd_pki_* variables below); clients then need
#       # to trust that CA.
#       # Use the `san` key to adjust the subject alternative names of the
#       # generated certificate (defaults to httpd_pki_default_san).
#       # The `ca` key is optional and can be omitted.
#       # You can also set ``ssl: false`` to explicitly disable any TLS
#       # configuration for the vhost.
#       cert: /path/to/vhost.crt
#       key: /path/to/vhost.key
#       ca: /path/to/ca.crt
httpd_vhosts: []

# Logging
# Apache LogFormat string: the "combined" format without `%t`, so a line
# carries no timestamp of its own. That is fine when the log is piped to
# syslog/journald (which stamps each entry) but not when it is written
# straight to a file — add `%t` in that case so incident timelines can be
# reconstructed. `%h` records the direct peer; behind a load balancer that is
# the balancer's address, so consider `%a` with mod_remoteip or
# `%{X-Forwarded-For}i` where the client address is needed.
httpd_custom_log_format: '"%h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'
# Apache LogLevel for the error log.
httpd_log_level: info

# MPM tunables
# Each value falls back to a deployment-wide openstack_apache_* variable,
# so tune there to affect every service that uses this role.
httpd_mpm_backend: "{{ openstack_apache_mpm_backend | default('event') }}"
# Presumably rendered as MaxConnectionsPerChild, where 0 means a child
# process is never recycled.
httpd_mpm_max_conn_child: "{{ openstack_apache_max_conn_child | default(0) }}"
# Total worker threads = server limit * threads per child (filters bind
# tighter than `*`, so both operands are cast before multiplying);
# presumably rendered as MaxRequestWorkers.
httpd_mpm_max_requests: "{{ httpd_mpm_server_limit | int * httpd_mpm_thread_child | int }}"
httpd_mpm_max_spare_threads: "{{ openstack_apache_max_spare_threads | default(75) }}"
httpd_mpm_min_spare_threads: "{{ openstack_apache_min_spare_threads | default(25) }}"
# min(max(vcpus // 2, 1), httpd_mpm_thread_max): half the vCPUs, at least
# one, capped by httpd_mpm_thread_max. The `default(2)` applies to the fact
# before the division.
httpd_mpm_server_limit: "{{ [[ansible_facts['processor_vcpus'] | default(2) // 2, 1] | max, httpd_mpm_thread_max | int] | min }}"
httpd_mpm_start_servers: "{{ openstack_apache_start_servers | default(2) }}"
httpd_mpm_thread_child: "{{ openstack_apache_thread_child | default(25) }}"
httpd_mpm_thread_limit: "{{ openstack_apache_thread_limit | default(64) }}"
# Despite the name, this is the upper bound applied to httpd_mpm_server_limit above.
httpd_mpm_thread_max: "{{ openstack_apache_thread_max | default(16) }}"

# TLS configuration
# Protocol string for SSLProtocol: everything except SSLv2/SSLv3/TLS 1.0/1.1,
# i.e. TLS 1.2 and 1.3 only. Keep the legacy exclusions when overriding
# ssl_protocol.
httpd_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
## TLS v1.2 and below
# ECDH(E) key exchange only, AEAD suites listed first, anonymous and
# SHA-1-MAC suites excluded. NOTE(review): `ECDH+AES256:ECDH+AES128` still
# admits CBC-mode suites with SHA-2 MACs (e.g. ECDHE-RSA-AES256-SHA384); set
# ssl_cipher_suite to the AESGCM/CHACHA20 groups alone if CBC must go.
httpd_ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}"
## TLS v1.3
# TLS 1.3 ciphersuites in OpenSSL `ciphersuites` syntax; all three are AEAD.
httpd_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"

# Base directory of the PKI material and the host on which CA operations run;
# both fall back to the deployment-wide openstack_pki_* values.
httpd_pki_dir: "{{ openstack_pki_dir | default('/etc/pki') }}"
# NOTE(review): the CA private keys are created and held on this host (the
# deploy host, by default). It is the trust anchor for every certificate the
# role issues, so restrict access to it accordingly.
httpd_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

## Create a certificate authority if one does not already exist.
## True only when the deployment defines no openstack_pki_authorities of its
## own AND this role has certificates to generate; `| bool` binds to the
## result of the `is not defined` test, so this reads as
## (openstack_pki_authorities is not defined) and httpd_pki_create_certificates.
httpd_pki_create_ca: "{{ openstack_pki_authorities is not defined | bool and httpd_pki_create_certificates }}"
# Non-empty to force the CA to be regenerated (presumably handed to the PKI
# role; confirm the exact trigger value there).
httpd_pki_regen_ca: ''
# Fallback two-tier CA used only when httpd_pki_create_ca is true: a
# self-signed root that signs a path-length-0 intermediate. The subject
# fields are placeholders — override them for a real deployment, or set
# openstack_pki_authorities to an existing PKI so this is skipped.
httpd_pki_authorities:
  - name: "HTTPDRoot"
    country: "GB"
    state_or_province_name: "England"
    organization_name: "Example Corporation"
    organizational_unit_name: "IT Security"
    cn: "Apache HTTPD Root CA"
    provider: selfsigned
    basic_constraints: "CA:TRUE"
    key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    # NOTE(review): ten-year root; rotating it means redistributing the trust
    # anchor to every client that verifies certificates issued under it.
    not_after: "+3650d"
  - name: "HTTPDIntermediate"
    country: "GB"
    state_or_province_name: "England"
    organization_name: "Example Corporation"
    organizational_unit_name: "IT Security"
    cn: "Apache HTTPD Intermediate CA"
    provider: ownca
    # pathlen:0 — may issue end-entity certificates only, not further CAs.
    basic_constraints: "CA:TRUE,pathlen:0"
    key_usage:
      - digitalSignature
      - cRLSign
      - keyCertSign
    # NOTE(review): same ten-year lifetime as the root. A shorter one limits
    # the exposure if the issuing key leaks, since the intermediate can be
    # reissued without touching the trust anchor.
    not_after: "+3650d"
    signed_by: "HTTPDRoot"

# Installation details for certificate authorities
# Only HTTPDRoot is installed (presumably into the host trust store), and
# only when this role created it; otherwise the deployment's own PKI is
# expected to be trusted already.
httpd_pki_install_ca:
  - name: "HTTPDRoot"
    condition: "{{ httpd_pki_create_ca }}"

# HTTPD server certificates to generate
httpd_pki_certs_path: "{{ httpd_pki_dir ~ '/certs/certs/' }}"
# Derived from httpd_vhosts by a helper not shown on this page — presumably
# one certificate per TLS vhost that does not bring its own cert/key.
httpd_pki_certificates: "{{ _httpd_pki_generate_certificates_vhosts }}"
httpd_pki_create_certificates: "{{ httpd_pki_certificates | length > 0 }}"
# SubjectAltName used when a vhost sets no `san`: the short hostname and the
# FQDN. Clients verify the name they connect to, so add the VIP or service
# name via openstack_pki_san when the vhost is reached through another address.
httpd_pki_default_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn']) }}"
httpd_pki_keys_path: "{{ httpd_pki_dir ~ '/certs/private/' }}"
# Non-empty to force certificate regeneration (see httpd_pki_regen_ca).
httpd_pki_regen_cert: ''

# Issuing CA for the server certificates: defaults to the intermediate
# defined above and can be pointed at the deployment's own intermediate.
httpd_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HTTPDIntermediate') }}"
httpd_pki_intermediate_cert_path: "{{ httpd_pki_dir ~ '/roots/' ~ httpd_pki_intermediate_cert_name ~ '/certs/' ~ httpd_pki_intermediate_cert_name ~ '.crt' }}"

## Installation details for SSL certificates
# Derived from httpd_vhosts like httpd_pki_certificates above.
httpd_pki_install_certificates: "{{ _httpd_pki_install_certificates_vhosts }}"

## Destination directories for SSL certificates
httpd_ssl_certs_dir: /etc/ssl/certs/
# NOTE(review): private keys land here; keep the directory root-owned and not
# world-readable (the distro default for /etc/ssl/private) and confirm the
# role's copy tasks do not loosen the key file modes.
httpd_ssl_keys_dir: /etc/ssl/private/

Example playbook

---

# Apply the role to every host in the `httpd` inventory group. The role
# reference evaluates to the name of the parent of the playbook's directory,
# which is the role directory when this playbook lives in the role's own
# examples folder; replace it with the installed role name when running the
# playbook from anywhere else.
- name: Installing Apache Web Server
  hosts: httpd
  roles:
    - role: "{{ playbook_dir | dirname | basename }}"