ansible-role-nagios/templates/apache_vhost.j2

<VirtualHost *:80>
  ServerName {{ item.vhost_name }}
  ServerAdmin {{ item.webadmin | default('webmaster@' + item.vhost_name) }}
  {% if item.vhost_aliases is defined %}
  ServerAlias {{ item.vhost_aliases }}
  {% endif %}

  ## Logging
  ErrorLog "/var/log/apache2/{{ item.vhost_name }}_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/{{ item.vhost_name }}_access_ssl.log" combined
  ErrorDocument 404 https://susurrando.com/notfound.php
  ErrorDocument 500 https://susurrando.com/error500.php
  ErrorDocument 503 https://susurrando.com/error503.php


  ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
  ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4

  # Where the stylesheets (config files) reside
  Alias /nagios4/stylesheets /etc/nagios4/stylesheets

  # Where the HTML pages live
  Alias /nagios4 /usr/share/nagios4/htdocs

  <DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
    Options +FollowSymLinks
    DirectoryIndex index.php index.html
    AllowOverride None
    <IfVersion >= 2.3>
        <RequireAll>
            Require all granted
            AuthName "Nagios Access"
            AuthType Basic
            AuthUserFile {{ auth_user_file }}
            Require valid-user
        </RequireAll>
    </IfVersion>
    <IfVersion < 2.3>
        Order allow,deny
        Allow from all
        AuthName "Nagios Access"
        AuthType Basic
        AuthUserFile {{ auth_user_file }}
        Require valid-user
    </IfVersion>
  </DirectoryMatch>

  <Directory /usr/share/nagios4/htdocs>
      Options     +ExecCGI
  </Directory>

    # PNP4Nagios
    Alias /pnp4nagios "/usr/local/pnp4nagios/share"

    <Directory "/usr/local/pnp4nagios/share">
            AllowOverride None
            Order allow,deny
            Allow from all
            #
            # Use the same value as defined in nagios.conf
            #
            AuthName "Nagios Access"
            AuthType Basic
            AuthUserFile {{ auth_user_file }}
            Require valid-user
            <IfModule mod_rewrite.c>
                    # Turn on URL rewriting
                    RewriteEngine On
                    Options +symLinksIfOwnerMatch
                    # Installation directory
                    RewriteBase /pnp4nagios/
                    # Protect application and system files from being viewed
                    RewriteRule "^(?:application|modules|system)/" - [F]
                    # Allow any files or directories that exist to be displayed directly
                    RewriteCond "%{REQUEST_FILENAME}" !-f
                    RewriteCond "%{REQUEST_FILENAME}" !-d
                    # Rewrite all other URLs to index.php/URL
                    RewriteRule "^.*$" "index.php/$0" [PT]
            </IfModule>
    </Directory>

    # HighCharts
    Alias /highcharts "/usr/local/highcharts"
    <Directory "/usr/local/highcharts">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    ##  Only for apache 2.4 ##
    #   Require all granted
    </Directory>

</VirtualHost>

<VirtualHost *:443>
  ServerName {{ item.vhost_name }}
  ServerAdmin {{ item.webadmin }}

  ## Logging
  ErrorLog "/var/log/apache2/{{ item.vhost_name }}_ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/{{ item.vhost_name }}_ssl_access_ssl.log" combined
  ErrorDocument 404 https://susurrando.com/notfound.php
  ErrorDocument 500 https://susurrando.com/error500.php
  ErrorDocument 503 https://susurrando.com/error503.php
  ## Rewrite rules
  RewriteEngine On


  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "{{ ssl_certificate_file }}"
  SSLCertificateKeyFile   "{{ ssl_certificate_file }}"
  {% if item.ssl_certificate_chain_file is defined %}
  SSLCertificateChainFile "{{ item.ssl_certificate_chain_file }}"
  {% endif %}
  SSLProtocol             all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

  ## Custom fragment

    SSLHonorCipherOrder     on
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
       SSLProxyEngine On
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
    ProxyPass / http://{{ item.vhost_name }}/
    ProxyPassReverse / http://{{ item.vhost_name }}/
</VirtualHost>