update template to allow opt out of ssl

2023-09-24 10:01:08 +03:00 · 2023-09-24 10:01:08 +03:00 · 1e6ab8b56d
commit 1e6ab8b56d
parent d268d44421
1 changed files with 92 additions and 9 deletions
--- a/templates/vhost.conf.j2
+++ b/templates/vhost.conf.j2
@ -5,25 +5,112 @@

 <VirtualHost *:{{ item.web_port|default("80") }}>
  ServerName {{ item.vhostname }}
+  ServerAdmin {{ item.serveradmin|default("webmaster@" + item.vhostname ) }}
 {% if item.server_aliases is defined %}
    ServerAlias {% for alias in item.server_aliases %}{{ alias }} {% endfor %}
 {% endif %}

-  ## Directories, there should at least be a declaration for {{ item.docroot | default("/var/www/" + item.vhostname) }}/
-  <Directory "{{ item.docroot | default("/var/www/" + item.vhostname) }}/">
-    Options +FollowSymlinks
+{% if item.server_aliases is defined %}
+  ServerAlias {% for alias in item.server_aliases %}{{ alias }} {% endfor %}
+{% endif %}
+
+{% if item.aliases is defined %}{% for alias in item.aliases %}
+  Alias /{{ alias.dest }} "{{ alias.src }}"
+{% endfor %}{% endif %}
+
+{% if item.scriptaliases is defined %}{% for alias in item.scriptaliases %}
+  ScriptAlias /{{ alias.dest }} "{{ alias.src }}"
+{% endfor %}{% endif %}
+
+{% if item.docroot is defined %}  ## Vhost docroot
+  DocumentRoot "{{ item.docroot | default("/var/www/" + item.vhostname ) }}/"
+
+  ## Directories, there should at least be a declaration for {{ item.docroot | default('/var/www/' + item.vhostname ) }}/
+
+  <Directory "{{ item.docroot | default('/var/www/' + item.vhostname ) }}/">
+{% if item.root_options is defined %}
+    Options {% for option in item.root_options %}{{ option }} {% endfor %}
+{% endif %}
+
+{% if item.root_custom_code is defined %}
+    {{ item.root_custom_code }}
+{% endif %}
+
    AllowOverride All
  </Directory>
+## End of root directory
+{% endif %}
+
+{% if item.directories is defined %}{% for directory in item.directories %}
+  <Directory "{{ directory.path }}">
+{% if directory.options is defined %}
+    Options {% for option in directory.options %}{{ option }} {% endfor %}
+{% endif %}
+
+    {% if directory.allow_override is defined %}AllowOverride {{ directory.allow_override }}
+{% endif %}
+    {% if directory.require is defined %}Require {{ directory.require }}
+{% endif %}
+    {{ directory.custom_code | default("") }}
+  </Directory>
+{% endfor %}{% endif %}
+## End of directories
+
+{% if item.directoriesmatches is defined %}{% for directorymatch in item.directoriesmatches %}
+  <DirectoryMatch "{{ directorymatch.path }}">
+{% if directorymatch.options is defined %}
+    Options {% for option in directorymatch.options %}{{ option }} {% endfor %}
+{% endif %}
+
+    {% if directory.allow_override is defined %}AllowOverride {{ directory.allow_override }}
+{% endif %}
+    {% if directory.require is defined %}Require {{ directory.require }}
+{% endif %}
+  {{ directorymatch.custom_code | default("") }}
+  </DirectoryMatch>
+{% endfor %}{% endif %}
+## End of directorymatches

  ## Logging
-  ErrorLog "/var/log/apache2/{{ item.vhostname }}_error.log"
+  ErrorLog "/var/log/apache2/{{ item.vhostname }}_error_ssl.log"
  ServerSignature Off
-  CustomLog "/var/log/apache2/{{ item.vhostname }}_access.log" combined
+  CustomLog "/var/log/apache2/{{ item.vhostname }}_access_ssl.log" combined
+  ## Rewrite rules
+  RewriteEngine On

+{% if item.ldap is defined %}
+  ## LDAP authentication
+  <Location />
+    AuthType Basic
+    AuthName "Enter credentials"
+    AuthBasicProvider ldap
+    AuthLDAPGroupAttribute member
+    AuthLDAPSubGroupClass group
+    AuthLDAPGroupAttributeIsDN On
+    AuthLDAPURL {{ item.ldap.url }} #ldap://ldap.koti.site/ou=People,ou=Users,dc=koti,dc=site?uid
+    Require {{ item.ldap.require }} #valid-user
+  </Location>
+{% endif %}
+
+{% if item.reverse_proxy is defined and not ssl %}
+  ## Reverse proxy
+  ProxyPass / {{ item.reverse_proxy }}
+  ProxyPassReverse / {{ item.reverse_proxy }}
+{% endif %}
+
+{% if item.custom_code is defined %}
+  ## Custom fragment
+  {{ item.custom_code }}
+  ## End of custom fragment
+{% endif %}
+
+  {% if ssl %}
  ## Redirect rules
  Redirect permanent / https://{{ item.vhostname }}/
+  {% endif %}
 </VirtualHost>

+{% if ssl %}
 <VirtualHost *:{{ ssl_port|default("443") }}>
  ServerName {{ item.vhostname }}
  ServerAdmin {{ item.serveradmin|default("webmaster@" + item.vhostname ) }}
@ -92,9 +179,6 @@
  ErrorLog "/var/log/apache2/{{ item.vhostname }}_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/{{ item.vhostname }}_access_ssl.log" combined
-  ErrorDocument 404 /notfound.php
-  ErrorDocument 500 /error500.php
-  ErrorDocument 503 /error503.php
  ## Rewrite rules
  RewriteEngine On

@ -104,7 +188,6 @@
  SSLCertificateKeyFile   "/etc/letsencrypt/live/{{ item.vhostname }}/privkey.pem"
  SSLProtocol             all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
-
 {% if item.ldap is defined %}
  ## LDAP authentication
  <Location />