
Clean up Apache SSL configuration

Avoid using the Include directive.  Move most of the SSL configuration
to the global configuration and leave enabling the SSL engine to each
virtual host that wants to use it.
Mike Ashley 9 years ago
parent
commit
d3abc02f84

+ 1
- 2
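--- a/roles/blog/templates/etc_apache2_sites-available_blog.j2
+++ b/roles/blog/templates/etc_apache2_sites-available_blog.j2
@@ -9,8 +9,7 @@
 <VirtualHost *:443>
     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
-
-    Include /etc/apache2/ssl.conf
+    SSLEngine On
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html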
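Review bot: With the `Include /etc/apache2/ssl.conf` line gone, this vhost's protocol, compression and stapling settings are no longer tied to the template: a missing include used to stop Apache at config load, whereas `SSLEngine On` alone starts cleanly on mod_ssl defaults if conf-enabled/ssl.conf has not been deployed on the host. I would add a comment above the new line, `# TLS policy (SSLProtocol, stapling) is set globally in conf-available/ssl.conf by the common role`, so the dependency stays discoverable. The same applies to the cgit, autoconfig, selfoss, owncloud and wallabag templates changed in this commit. The VirtualHost block continues past the end of the hunk.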

+ 0
- 1
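--- a/roles/common/files/etc_apache2_conf-available_ssl-stapling-cache.conf
+++ b/roles/common/files/etc_apache2_conf-available_ssl-stapling-cache.conf
@@ -1 +0,0 @@
-SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)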

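--- a/roles/common/templates/etc_apache2_ssl.conf.j2
+++ b/roles/common/files/etc_apache2_conf-available_ssl.conf
@@ -1,8 +1,8 @@
-SSLEngine on
 SSLProtocol ALL -SSLv2 -SSLv3
 SSLHonorCipherOrder On
 SSLCompression off
 SSLUseStapling On
+SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 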
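Review bot: `SSLProtocol ALL -SSLv2 -SSLv3` on new line 1 now sits in global scope, so it becomes the protocol policy for every TLS vhost on the server, and it still leaves TLSv1 and TLSv1.1 enabled. If the clients in scope allow it and the installed mod_ssl accepts those tokens, tighten it while the file is being moved: `SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`. No `SSLCipherSuite` is visible in lines 1–8 even though `SSLHonorCipherOrder On` is set; the file may continue outside the hunk, so confirm a cipher list is defined there.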

+ 5
- 17
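--- a/roles/common/tasks/ssl.yml
+++ b/roles/common/tasks/ssl.yml
@@ -43,25 +43,13 @@
   notify: restart apache
   when: ansible_distribution_release != 'wheezy'
 
-- name: Add Apache SSL stapling cache configuration
-  copy:
-    src=etc_apache2_conf-available_ssl-stapling-cache.conf
-    dest=/etc/apache2/conf-available/ssl-stapling-cache.conf
+- name: Add common Apache SSL config
+  copy: src=etc_apache2_conf-available_ssl.conf
+    dest=/etc/apache2/conf-available/ssl.conf
     owner=root
     group=root
-  when: ansible_distribution_release != 'wheezy'
-  notify: restart apache
-
-- name: Enable Apache SSL stapling cache configuration
-  command: a2enconf ssl-stapling-cache
-    creates=/etc/apache2/conf-enabled/ssl-stapling-cache.conf
-  when: ansible_distribution_release != 'wheezy'
   notify: restart apache
 
-- name: Add common Apache SSL config
-  template:
-    src=etc_apache2_ssl.conf.j2
-    dest=/etc/apache2/ssl.conf
-    owner=root
-    group=root
+- name: Enable Apache SSL config
+  command: a2enconf ssl creates=/etc/apache2/conf-enabled/ssl.conf
   notify: restart apache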
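Review bot: Hosts provisioned before this commit keep `/etc/apache2/conf-enabled/ssl-stapling-cache.conf` and `/etc/apache2/ssl.conf`, because the tasks that managed them are deleted here without a cleanup step. The old stapling snippet stays enabled next to the new ssl.conf, so `SSLStaplingCache` ends up declared twice, and the stale ssl.conf (which still contains `SSLEngine on`) keeps any unmigrated `Include` working on old hosts while it fails on fresh ones. Adding two cleanup tasks after "Enable Apache SSL config", once every vhost template has been migrated, makes old and new hosts converge on the same configuration. The new tasks also drop the `when: ansible_distribution_release != 'wheezy'` guard that the task ending at line 44 still has; if that release is still a target, confirm `a2enconf` and conf-available exist there. The hunk starts mid-task at line 43.

```yaml
# … unchanged: "Enable Apache SSL config" task …

- name: Disable superseded Apache SSL stapling cache config
  command: a2disconf ssl-stapling-cache
    removes=/etc/apache2/conf-enabled/ssl-stapling-cache.conf
  notify: restart apache

- name: Remove superseded Apache SSL include file
  file: path=/etc/apache2/ssl.conf state=absent
  notify: restart apache
```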

+ 1
- 2
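--- a/roles/git/templates/etc_apache2_sites-available_cgit.j2
+++ b/roles/git/templates/etc_apache2_sites-available_cgit.j2
@@ -6,10 +6,9 @@
 
 <VirtualHost *:443>
     ServerName {{ cgit_domain }}
+    SSLEngine On
 
-    Include /etc/apache2/ssl.conf
     DocumentRoot /var/www/htdocs/cgit/
-
     <Directory "/var/www/htdocs/cgit/">
         AllowOverride None
         Options +ExecCGI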

+ 1
- 2
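--- a/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
+++ b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
@@ -17,8 +17,7 @@
 
 <VirtualHost *:443>
     ServerName {{ mail_server_autoconfig_hostname }}
-
-    Include /etc/apache2/ssl.conf
+    SSLEngine On
 
     DocumentRoot            "/var/www/autoconfig"
     Options                 -Indexes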

+ 1
- 2
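--- a/roles/news/templates/etc_apache2_sites-available_selfoss.j2
+++ b/roles/news/templates/etc_apache2_sites-available_selfoss.j2
@@ -6,8 +6,7 @@
 
 <VirtualHost *:443>
     ServerName {{ selfoss_domain }}
-
-    Include /etc/apache2/ssl.conf
+    SSLEngine On
 
     DocumentRoot            /var/www/selfoss
     Options                 -Indexes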

+ 1
- 2
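--- a/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
+++ b/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
@@ -6,8 +6,7 @@
 
 <VirtualHost *:443>
     ServerName {{ owncloud_domain }}
-
-    Include /etc/apache2/ssl.conf
+    SSLEngine On
 
     DocumentRoot            /var/www/owncloud
     Options                 -Indexes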

+ 1
- 2
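--- a/roles/readlater/templates/etc_apache2_sites-available_wallabag.j2
+++ b/roles/readlater/templates/etc_apache2_sites-available_wallabag.j2
@@ -6,8 +6,7 @@
 
 <VirtualHost *:443>
     ServerName {{ wallabag_domain }}
-
-    Include /etc/apache2/ssl.conf
+    SSLEngine On
 
     DocumentRoot            /var/www/wallabag
     Options                 -Indexes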
