Compare commits

..

265 Commits

Author SHA1 Message Date
jmrothst 7087dd53d0 Blank role requirements so makefile works
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-06-26 20:38:32 -05:00
jmrothst 27cc36f9c0 Removed known host manipulation
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-06-26 20:38:07 -05:00
jmrothst f68466907f Remove duplicate gitignore, and relicense all as CC BY-NC-ND 4.0
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-24 11:10:10 -05:00
jmrothst b252c2c087 Use package repo from gitea.fdragon.com with $releasever
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-17 22:21:53 -05:00
jmrothst 89b357473a Replace with version from Fedora 44 instead of carry forward old version
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-17 22:21:01 -05:00
jmrothst 2e371b2db9 Attempt to support WebSocket redirects
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-12 16:10:17 -05:00
jmrothst 4de083c8d2 Remove role requirements now that all roles have been merged
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-10 21:50:08 -05:00
jmrothst f3aaebf592 Merge ensure_mariadb
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-10 21:49:31 -05:00
jmrothst 63f1d8d6ee Add 'roles/ensure_mariadb/' from commit '9db90c39bdcb2ac355f24de078f09bf6376b08b6'
git-subtree-dir: roles/ensure_mariadb
git-subtree-mainline: a1a4d87dc1
git-subtree-split: 9db90c39bd
2026-05-10 21:49:13 -05:00
jmrothst a1a4d87dc1 Merge ensure_gitea
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-10 21:48:42 -05:00
jmrothst 0462696924 Add 'roles/ensure_gitea/' from commit 'bd5905bbb394c09e1ff03aa03985eb8974a85b12'
git-subtree-dir: roles/ensure_gitea
git-subtree-mainline: 36de5666db
git-subtree-split: bd5905bbb3
2026-05-10 21:48:13 -05:00
jmrothst 36de5666db Add 'roles/ensure_rsync/' from commit 'acd8e760165672bae24996505de0320d55b55152'
git-subtree-dir: roles/ensure_rsync
git-subtree-mainline: 94152ff0a5
git-subtree-split: acd8e76016
2026-05-10 21:47:30 -05:00
jmrothst 94152ff0a5 Merge ensure_dovecot
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-10 21:46:45 -05:00
jmrothst 838bad1300 Add 'roles/ensure_dovecot/' from commit '2fc15e207fac82a5451fd1adf57914797b6be6ce'
git-subtree-dir: roles/ensure_dovecot
git-subtree-mainline: cf8ae92948
git-subtree-split: 2fc15e207f
2026-05-10 21:46:18 -05:00
jmrothst cf8ae92948 Merge ensure_postfix
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-10 21:45:44 -05:00
jmrothst 83224591b7 Add 'roles/ensure_postfix/' from commit 'ad769d179b54cc5b076899400d958f5238bb1f84'
git-subtree-dir: roles/ensure_postfix
git-subtree-mainline: fb9049ac39
git-subtree-split: ad769d179b
2026-05-10 21:45:26 -05:00
jmrothst fb9049ac39 Merge ensure_apache
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-10 21:44:48 -05:00
jmrothst 08e90b0575 Add 'roles/ensure_apache/' from commit '5446d0b5eff69de5e80abfea7e6af4de519d5d2e'
git-subtree-dir: roles/ensure_apache
git-subtree-mainline: 395eab01c1
git-subtree-split: 5446d0b5ef
2026-05-10 21:44:33 -05:00
jmrothst 395eab01c1 Merge ensure_sudo
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-10 21:44:09 -05:00
jmrothst 568c8cbfcb Add 'roles/ensure_sudo/' from commit '50a7fc890b6096327610c65d40a9e53d60374711'
git-subtree-dir: roles/ensure_sudo
git-subtree-mainline: 539b7449e4
git-subtree-split: 50a7fc890b
2026-05-10 21:43:48 -05:00
jmrothst 539b7449e4 Merge ensure_rsync
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-10 21:43:20 -05:00
jmrothst 9db90c39bd Pass the user list to user creation instead of the db list
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 19:47:58 -04:00
jmrothst bd5905bbb3 Start gitea by default and remove mariadb configurations
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 19:20:08 -04:00
jmrothst e175a5c852 Disable gpg checks until I can find out why gitea isn't signing them
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 19:06:49 -04:00
jmrothst a563b361e1 Fix loop label
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 19:04:34 -04:00
jmrothst 4b375916e2 Add state
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 17:54:40 -04:00
jmrothst 36b5be7369 Fix the ansible fact for architecture
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 17:52:57 -04:00
jmrothst c29646f24a Allow UNIX Socket connections to function
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 17:27:46 -04:00
jmrothst 8152f1d311 Remove templates we don't need
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 16:19:01 -04:00
jmrothst 1c15a25444 Initial Version
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 16:18:30 -04:00
jmrothst 2f6473b772 Use the preferred python mysql client
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 15:09:21 -04:00
jmrothst 293b4727cb Add python mysql drivers to manage with
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 14:06:36 -04:00
jmrothst 305a3e80d2 default(omit)
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 13:51:00 -04:00
jmrothst 5b2ee333be Add db and user management
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 11:34:22 -04:00
jmrothst 71b6eab350 use the correct .pem file extension for certificates
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-09 00:45:03 -04:00
jmrothst 1a75050dad Fix mariadb and phpMyAdmin templates not change what shouldn't be
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-08 23:57:51 -04:00
jmrothst d6d3b5082d More ansible-core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-08 23:57:33 -04:00
jmrothst 2fc15e207f More ansible core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-08 20:02:04 -04:00
jmrothst ad769d179b More ansible core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-08 20:01:10 -04:00
jmrothst 5446d0b5ef Fix directory typo
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-08 19:59:38 -04:00
jmrothst 9248d2abdd Move ansible core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-08 19:59:17 -04:00
jmrothst 50a7fc890b Fixes for EL10
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-06 00:03:26 -05:00
jmrothst acd8e76016 Fix fedora package list
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 23:24:26 -05:00
jmrothst 57da1d7fc2 Initial Version
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 22:57:10 -05:00
jmrothst 6482720e07 First pass fix the sudo files for EL
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 22:53:32 -05:00
jmrothst 28bb67975e Fix fedora 44 sudo.conf
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 18:40:50 -05:00
jmrothst 39e701a0bf Fix fedora 43 sudo.conf
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 18:40:22 -05:00
jmrothst c729488227 Fix Fedora 42 sudo.conf
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 18:39:01 -05:00
jmrothst 193211d349 Add templates for EL 8/9/10
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 18:27:53 -05:00
jmrothst a019a68558 Fix ansible core 2.20 and supported OS list
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 18:16:12 -05:00
jmrothst f73b0d0ce9 Fix ansible core 2.20 and supported OS list
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 18:13:17 -05:00
jmrothst 924f228367 Fix ansible core 2.20 and sync the supported OS versions
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 18:10:49 -05:00
jmrothst f579967979 More ansible core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 18:09:18 -05:00
jmrothst 1a64c362be More ansible core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 17:09:41 -05:00
jmrothst dc6c08c0e5 More ansible-core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 17:07:51 -05:00
jmrothst b1dc671bfb More ansible core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 15:07:58 -05:00
jmrothst 4fed9b890a More ansible core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 15:03:36 -05:00
jmrothst 8d8b193c53 More ansible core 2.20 fixes
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 15:01:05 -05:00
jmrothst 0c5e392b05 Ansible core 2.20 fixes and supported OS change
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2026-05-05 14:32:46 -05:00
jmrothst 42ecc990c6 Fedora 44 baseline update 2026-05-04 21:09:35 -05:00
jmrothst 0d874aa552 Bring all templates to Fedora 42 baseline 2026-05-04 20:59:48 -05:00
jmrothst 3c7230d4ca More ansible-core 2.20 updates 2026-05-04 19:31:47 -05:00
jmrothst 275108fa53 Ansible-core 2.20 fixes 2026-05-04 19:20:17 -05:00
jmrothst c0e00c75cf Drop unsupported OS versions 2026-05-04 19:17:58 -05:00
jmrothst 9fa1ad54c2 Fedora 43 and 44 2026-04-29 23:50:10 -05:00
jmrothst ea77c33716 Fedora 43 and 44 2026-04-29 23:28:27 -05:00
jmrothst 203a761e03 Trust traffic originating from localhost (outbound)
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-09-01 14:01:33 -05:00
jmrothst 113904a846 Handler Improvements
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-05-25 20:14:03 -05:00
jmrothst 41aa8840b0 Handler improvements
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-05-25 20:12:42 -05:00
jmrothst 476c3cd8e6 Handler improvements
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-05-25 20:08:44 -05:00
jmrothst 793bb71a10 Handler improvements
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-05-25 20:06:35 -05:00
jmrothst ec1f7ecb96 Handler improvements
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-05-25 20:03:49 -05:00
jmrothst 0c2b0d36a7 Fedora 42 moved postfix binaries to /usr/bin
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-04-27 13:09:07 -05:00
jmrothst 7fd1b46cdc Fedora 42
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-04-27 12:49:05 -05:00
jmrothst 6fef597574 Fedora 42
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-04-27 12:46:36 -05:00
jmrothst 25224177e4 Fedora 42
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-04-27 12:38:38 -05:00
jmrothst 9246884969 Fedora 42
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-04-27 12:24:49 -05:00
jmrothst 3d1858e0f6 Fedora 42
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2025-04-27 12:21:02 -05:00
jmrothst e10559639a Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-28 19:40:17 -06:00
jmrothst 4f03179cc9 Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-28 19:25:23 -06:00
jmrothst 2937eba7c2 Only template configs if config variable is set
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-28 18:57:08 -06:00
jmrothst 8b76150d81 Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 21:58:17 -06:00
jmrothst a48f4cdd85 Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 20:48:23 -06:00
jmrothst 7631ea72d1 Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 20:47:43 -06:00
jmrothst 60e0cd205e Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 20:30:05 -06:00
jmrothst 9d78bd48b5 Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 19:51:12 -06:00
jmrothst 5bcb268847 Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 19:42:15 -06:00
jmrothst 9646e3da30 Fedora 41
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 15:56:01 -06:00
jmrothst 1114295b03 Add Alma/CentOS/Oracle/Rocky 9
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-06-30 23:04:25 -05:00
jmrothst 0c312ee0ad Fedora 40 support
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-06-02 12:27:32 -05:00
jmrothst e936ecdc5c Fedora 40 support
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-06-02 12:25:14 -05:00
jmrothst 7a636a88f5 Fix Fedora 39 support
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-06-02 12:25:02 -05:00
jmrothst ec4475ef23 Fedora 40 support
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-06-02 12:19:36 -05:00
jmrothst 6f988d5ff6 Fedora 40 support
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-06-02 12:14:56 -05:00
jmrothst 09c04ae777 Fedora 40 support
Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-06-02 12:10:56 -05:00
jmrothst bd41187b01 Add Fedora 39 2024-03-16 21:04:11 -05:00
jmrothst 3db2f145e1 Add Fedora 39 2024-03-16 21:01:52 -05:00
jmrothst c34674b5ca Add Fedora 39 2024-03-16 21:01:06 -05:00
jmrothst 33b0341beb Add Fedora 39 2024-03-16 20:58:55 -05:00
jmrothst d6b0136276 Add Fedora 39 2024-03-16 20:25:22 -05:00
jmrothst fe22263513 Convert back to INET sockets for milters 2023-05-14 22:26:19 -05:00
jmrothst 7d418da8ca Fix for milters on Fedora 38 2023-05-14 21:29:45 -05:00
jmrothst 14db4fad95 Update to Postfix 3.7 and local sockets for milters 2023-05-14 20:56:06 -05:00
jmrothst d462b3b699 Update OpenDMARC Configuration 2023-05-14 20:45:40 -05:00
jmrothst ca0c57e1da Update OpenDKIM configuration 2023-05-14 20:43:09 -05:00
jmrothst 4494865cf1 Add Fedora 38 2023-04-30 17:53:01 -05:00
jmrothst aaf12b9219 Add Fedora 38 2023-04-30 17:51:17 -05:00
jmrothst 24294e708b Add Fedora 38 2023-04-30 17:47:39 -05:00
jmrothst 3c05905e14 Add Fedora 38 2023-04-29 20:36:51 -05:00
jmrothst 01481b534e Use Fedora 38 sudo.conf 2023-04-23 17:02:34 -05:00
jmrothst 0a788d5c4e Add Fedora 38 2023-04-23 16:46:02 -05:00
jmrothst 32a3492500 Stop sending delivery status notifications due to creating backskatter spam 2023-02-20 12:47:06 -06:00
jmrothst 45434263c7 Fedora 37 hates the oxford comma? 2023-02-12 22:27:18 -06:00
jmrothst 3b09858b0b Add submissions service to Fedora37 now too 2023-02-12 22:19:55 -06:00
jmrothst 4699743c4a Uptake changes with htcacheclean service 2023-02-12 22:18:14 -06:00
jmrothst 6d5ccdd2a9 New default service for submissions? 2023-02-12 22:15:28 -06:00
jmrothst 55e38f3370 Fedora 36 likes Oxford Comma now? 2023-02-12 21:25:25 -06:00
jmrothst 1b3c90507a Add Fedora 37 2022-12-06 21:57:12 -06:00
jmrothst 768615cb01 Add Fedora 37 2022-12-06 21:56:26 -06:00
jmrothst 064eecaec1 Add Fedora 37 2022-12-06 21:55:08 -06:00
jmrothst 8d8bde9e42 Add Fedora 37 2022-12-06 21:51:53 -06:00
jmrothst de222f0b71 Add Fedora 37 2022-12-06 21:40:03 -06:00
jmrothst 8de48b63e3 Add sudo_intercept.so comments from latest sudo package 2022-10-03 00:03:08 -05:00
jmrothst 9f2438be2a Restrict clients to those with valid DNS and HELO 2022-09-15 21:08:08 -05:00
jmrothst a75d3705a0 Make size of email permitted configurable 2022-09-15 20:41:20 -05:00
jmrothst f8cd1efdde Ensure variable name consistency 2022-06-05 22:19:13 -05:00
jmrothst f57348cc45 Variable names 2022-06-05 22:11:58 -05:00
jmrothst ca44b445ef Variable names 2022-06-05 22:04:22 -05:00
jmrothst e9c254c148 Use role local permission list, not global variable 2022-06-05 21:23:06 -05:00
jmrothst 3c4d4cc12e Enable Fedora 36 2022-06-05 18:30:32 -05:00
jmrothst 902503f4be Enable Fedora 36 2022-06-05 18:27:57 -05:00
jmrothst 9df440a3c8 Enable Fedora 36 2022-06-05 18:26:56 -05:00
jmrothst 468e659595 Enable Fedora 36 2022-06-05 18:25:22 -05:00
jmrothst 2423792139 Enable Fedora 36 2022-06-05 17:53:09 -05:00
jmrothst 6f4c0451aa Update tasks 2022-06-05 16:48:45 -05:00
jmrothst a5c6801ad7 Update tasks 2022-06-05 16:48:23 -05:00
jmrothst 604da46a69 Update tasks 2022-06-05 16:48:01 -05:00
jmrothst 8bbde0bc6c Update tasks 2022-06-05 16:47:43 -05:00
jmrothst 0e1fc1c14e Update tasks 2022-06-05 16:47:25 -05:00
jmrothst bb980765cb Update handlers 2022-06-05 16:30:17 -05:00
jmrothst e0dc7e1790 Make permissions set OS Vendor/Version specific (aka /etc/httpd/mod_md) 2022-06-04 21:11:07 -05:00
jmrothst 79e6e39112 Another URI to block 2022-05-08 17:40:43 -05:00
jmrothst 79e617c55d Redirect postmaster mail to the postmaster 2022-04-12 22:57:01 -05:00
jmrothst 021765352d Disable tcp/465 (SMTP SSL) and tcp/587 (SMTP Submission) listeners 2022-04-12 22:56:20 -05:00
jmrothst 4f701c013c Enable Dovecot to accept mail for delivery through postfix 2022-04-12 22:55:30 -05:00
jmrothst 8f327b04b3 Fully working IMAP with TLS and passwd like auth 2022-04-10 23:21:48 -05:00
jmrothst 4395b8034c Enable TLS with Postfix 2022-04-10 22:36:09 -05:00
jmrothst 9d469289ed Remove sql include for passwd in MySQL 2022-04-10 22:30:00 -05:00
jmrothst bfeff44109 Fix order of defined test to match syntax 2022-04-10 18:18:32 -05:00
jmrothst 4b8be1a112 Template syntax error 2022-04-10 18:07:19 -05:00
jmrothst 6767bdf12c php-json is provided by php-common 2022-04-10 18:00:54 -05:00
jmrothst 7e4dc6b245 Rename postfix_domains to make it easier to use 2022-04-10 17:56:34 -05:00
jmrothst b9a9e862b6 Add missing endif in template for accounts 2022-04-10 17:52:19 -05:00
jmrothst 7ede9e4031 Fix mail acceptance domain list variable names 2022-04-10 17:49:36 -05:00
jmrothst e6f243b079 Single account file with email address as the username 2022-04-10 17:40:27 -05:00
jmrothst 13ea9c20a6 Add plugins for future usage of MySQL auth 2022-04-10 17:09:49 -05:00
jmrothst 59f69534e2 Fix home directories for file based virtual users 2022-04-10 01:11:45 -05:00
jmrothst cbe3404f2a Document the variable for virtual domains 2022-04-10 01:10:00 -05:00
jmrothst cb9777f216 Ensure virtual domains go through LMTP 2022-04-10 01:08:19 -05:00
jmrothst c7cb38303f Remove MySQL and use dynamic file based accounts instead. 2022-04-07 22:41:04 -05:00
jmrothst 507bd00b99 If anything changes, notify all handlers 2022-01-30 21:41:18 -06:00
jmrothst 351cffc637 If anything changes, notify all handlers 2022-01-30 21:39:31 -06:00
jmrothst 15d5568b32 If anything changes, notify all handlers 2022-01-30 21:38:09 -06:00
jmrothst c926e408dc If things change, always notify all the handlers 2022-01-30 21:36:26 -06:00
jmrothst f4e0e923b2 Adding services to validate are running 2022-01-30 18:58:42 -06:00
jmrothst f4bb7b9d03 Make the certificates directory instead of find it 2022-01-23 18:53:11 -06:00
jmrothst 08005d5724 Make the certificates directory instead of finding it 2022-01-23 18:50:18 -06:00
jmrothst 8acf75dc15 Make the certificates directory instead of find it 2022-01-23 18:49:55 -06:00
jmrothst d6be779113 Enable selecting the TLS Certificate 2022-01-23 18:09:53 -06:00
jmrothst d3988b8431 Enable selecting the TLS Certificate 2022-01-23 18:09:27 -06:00
jmrothst d2fa1b290a Allow choice in TLS Certificate from mod_md 2022-01-23 17:07:18 -06:00
jmrothst 2e8186b540 Add SpamAssassin packages 2022-01-06 21:04:46 -06:00
jmrothst e1a6e3fd4a Work around Jinja2 bug? where %} and {{ need a space between 2022-01-02 23:48:17 -06:00
jmrothst 29bf5948f1 Enable OpenDKIM and OpenDMARC as MILTER 2022-01-02 19:55:17 -06:00
jmrothst 3173c6094d Use mod_md certificates 2021-12-05 20:32:36 -06:00
jmrothst 176a30e31e typo in minimum TLS version requirements 2021-12-05 18:55:55 -06:00
jmrothst f4151abc3f Enable mod_md fetched ACME TLS Certificates 2021-12-05 14:47:01 -06:00
jmrothst 9ef51a9b8c Typo in local.conf 2021-12-05 12:20:08 -06:00
jmrothst 9b30664a41 Enable MySQL user accounts 2021-12-05 11:54:39 -06:00
jmrothst a65428816e Postfix listening 2021-11-16 19:29:51 -06:00
jmrothst 23aece35e1 OpenDKIM verify only mode config 2021-11-14 16:10:05 -06:00
jmrothst c5bcae71fd OpenDMARC config 2021-11-14 15:47:49 -06:00
jmrothst 35bbd1bfff Add dkim and dmarc service 2021-11-14 15:42:18 -06:00
jmrothst f9fe1a6a14 Base configuration 2021-11-14 15:08:15 -06:00
jmrothst 259dde90c1 Base configuration 2021-11-14 15:05:38 -06:00
jmrothst 295b7370df Add dovecot service 2021-11-14 14:05:02 -06:00
jmrothst 4277d871a3 Add OpenDMARC, OpenDKIM, and postfix service 2021-11-14 14:01:54 -06:00
jmrothst 8b2c86621b Package deploy 2021-11-14 11:46:42 -06:00
jmrothst 12f9044e69 Package deploy 2021-11-14 11:46:26 -06:00
jmrothst 36767edf90 default vars 2021-11-14 11:36:01 -06:00
jmrothst 7b00fd5fac Default vars 2021-11-14 11:35:50 -06:00
jmrothst 4928db6267 role shell 2021-11-14 11:33:13 -06:00
jmrothst bba5e273ae Role shell 2021-11-14 11:33:05 -06:00
jmrothst af25b749ec Blank role 2021-11-14 10:19:29 -06:00
jmrothst d2346d4a65 Blank role 2021-11-14 10:19:15 -06:00
jmrothst 619ca21f11 Initial commit 2021-11-14 16:03:46 +00:00
AnsibleRoles 7b2045732f Initial commit 2021-11-14 16:02:42 +00:00
jmrothst ad92ecfd9c Add Fedora 35 2021-11-13 21:25:06 -06:00
jmrothst f2a99b77e4 Add Fedora 35 Support 2021-11-13 20:45:36 -06:00
jmrothst aa8b1bb570 Fedora 35 support 2021-11-13 20:30:16 -06:00
jmrothst 1daa22d767 Fix the TLS copy error and MariaDB not liking the CA Bundle 2021-10-31 18:37:59 -05:00
jmrothst e7eac95453 Fix path names for templates to match target system 2021-10-31 18:03:51 -05:00
jmrothst a0cf50b7cf Template path corrected for systemd unit files 2021-10-31 17:59:41 -05:00
jmrothst d70b23b0b1 Enable Apache mod_md Lets Encrypt Certificates with MariaDB 2021-10-31 17:55:14 -05:00
jmrothst 872f7633a0 Fix unit types and dependency 2021-10-31 17:51:02 -05:00
jmrothst e15987f2dc Fix jinja2 syntax to expand a variable 2021-10-31 01:45:55 -05:00
jmrothst 752468e5d9 recurse instead of recursive on find... 2021-10-31 01:40:53 -05:00
jmrothst 1047752534 Find certificates and include them by direct name 2021-10-31 01:29:43 -05:00
jmrothst 248787e188 Fix template pathname for phpMyAdmin... 2021-10-31 01:06:48 -05:00
jmrothst 2c34983602 Enable /phpMyAdmin if SSL, Use UTF8 char set, Try to auto use TLS in mariadb 2021-10-31 01:02:06 -05:00
jmrothst 70917f630e Removed apache specific items from mariadb task template... 2021-10-31 00:15:20 -05:00
jmrothst e5a385e5c8 Install phpMyAdmin and MariaDB service 2021-10-31 00:08:05 -05:00
jmrothst d8d40835be Initial Role 2021-10-30 23:58:33 -05:00
AnsibleRoles 371783897f Initial commit 2021-10-31 04:57:37 +00:00
jmrothst 1a8d3e7ae2 Reload apache 5 minutes after timer start, instead of every minute 2021-10-30 23:37:24 -05:00
jmrothst a8273b4d99 Full list of RPMs actually used 2021-10-30 11:44:20 -05:00
jmrothst 213d4ec8b1 Add base php configuration files 2021-10-30 11:42:10 -05:00
jmrothst d10cc5a79f Enable SELinux for MySQL Connections... 2021-10-30 09:24:32 -05:00
jmrothst 5a340fb3c3 Enable php MySQL support 2021-10-30 09:22:59 -05:00
jmrothst 7271471109 List the features 2021-10-27 00:02:56 -05:00
jmrothst 621799043d Start PHP FPM... 2021-10-26 23:50:42 -05:00
jmrothst 90d39f1432 Adding php 2021-10-26 23:46:29 -05:00
jmrothst 1d2581a005 Make git checkout happy with SSH URLs 2021-10-26 23:12:53 -05:00
jmrothst 18b6cd938a Ensure git is present to git checkouts work... 2021-10-26 23:09:00 -05:00
jmrothst 394574d6b6 Actually push the files for httpd-reload service and timer... 2021-10-26 23:04:02 -05:00
jmrothst dd1e9458c5 Add git repo deployments 2021-10-26 23:00:46 -05:00
jmrothst 94deb71dab Reload apache config automatically for Lets Encrypt 2021-10-26 22:14:09 -05:00
jmrothst e1d048dd8d Redirect everything excepting .well-known requests... 2021-10-26 21:34:32 -05:00
jmrothst 7e157eb9a7 Fix redirect to be redirectmatch so it passes the syntax checks... 2021-10-26 21:30:47 -05:00
jmrothst 7329cbaa44 Max username length = 32, thus ownership of docroot breaks 2021-10-26 21:24:15 -05:00
jmrothst 8b2a993fb0 Add URL Redirection for websites 2021-10-26 21:21:39 -05:00
jmrothst 6dbde96153 mod_md doesn't actually write to disk unless MDStoreDir is defined 2021-10-26 01:33:13 -05:00
jmrothst 69907dd4fb Fix disk storage location permissions for mod_md 2021-10-26 01:10:57 -05:00
jmrothst 63a6c56919 Update readme for usage 2021-10-26 00:20:30 -05:00
jmrothst 0d06d4feae First working mod_md with Lets Encrypt Staging 2021-10-26 00:12:43 -05:00
jmrothst e10558c076 Take2 on selinux 2021-10-25 23:17:37 -05:00
jmrothst 3c73d234ad Set SELinux Context per mod_md issue #253 2021-10-25 23:14:58 -05:00
jmrothst 4777716237 Fix mod_md renew window to have a value 2021-10-25 23:00:24 -05:00
jmrothst a9ce587c21 Attempt apache mod_md with Lets Encrypt Staging 2021-10-25 22:56:29 -05:00
jmrothst 754ce4a6f8 Only block what is actually going to be in a docroot 2021-10-25 22:44:05 -05:00
jmrothst b6e25d1ab8 Add default TLS Certificates for "localhost" 2021-10-25 22:39:42 -05:00
jmrothst 4afbe76369 Create vhosts, users, and document roots 2021-10-25 21:41:35 -05:00
jmrothst d92c35b296 Default apache configuration enforcement 2021-10-24 23:43:15 -05:00
jmrothst 484346789e Remove php so it can be dedicated ansible role 2021-10-24 23:33:59 -05:00
jmrothst 60dc1383f3 Enable php 2021-10-24 23:31:13 -05:00
jmrothst fa635f3cc8 Add mod_ssl and mod_md 2021-10-24 23:13:25 -05:00
jmrothst 49442dfa6a Test for firewalld before configuring with it 2021-10-24 23:07:10 -05:00
jmrothst 8e6874a645 Remove firewalld configs for now... 2021-10-24 23:00:02 -05:00
jmrothst 3e29276429 Typos 2021-10-24 22:56:44 -05:00
jmrothst cd054ce5a0 Default framework with packages, firewall, selinux, and services 2021-10-24 22:54:14 -05:00
jmrothst 66da6f9302 Initial Role 2021-10-24 22:35:34 -05:00
AnsibleRoles 7f1aac64a6 Initial commit 2021-10-25 03:34:04 +00:00
jmrothst 4a889a31bc Prevent multiple service restarts 2021-07-25 04:08:57 +00:00
jmrothst bdd06e2d44 Deploy configuration before services 2021-07-06 02:36:56 +00:00
jmrothst 38fbd29350 Skip packages that already installed 2021-07-05 04:49:28 +00:00
jmrothst 8bb7f19527 Enable Fedora 34 2021-06-29 21:01:16 -05:00
jmrothst 87b2934cba Correct the task label for when the variable isn't defined 2020-12-28 17:48:52 -06:00
jmrothst 8147f41d6f Clean logs older than 90d by default to add missing feature to sudo 2020-12-28 17:39:10 -06:00
jmrothst 329e5bd68e Fix template_list variable name error 2020-12-28 15:15:27 -06:00
jmrothst 9f589ee5ce Add role meta 2020-12-28 15:13:28 -06:00
jmrothst 4e58508b8e Add missing handlers 2020-12-28 15:12:30 -06:00
jmrothst f6031f74d1 Use correct variable names to ensure sudo is deployed 2020-12-28 15:10:50 -06:00
jmrothst ea082eab65 Ensure sudo with local session logs for Fedora 33 2020-12-28 14:56:37 -06:00
jmrothst fcba030a5b Initial Role 2020-12-28 14:11:34 -06:00
AnsibleRoles 31ae9def96 Initial commit 2020-12-28 20:09:46 +00:00
682 changed files with 33035 additions and 5456 deletions
+404
View File
@@ -0,0 +1,404 @@
Attribution-NonCommercial-NoDerivatives 4.0 International
=======================================================================
Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.
Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.
Considerations for licensors: Our public licenses are
intended for use by those authorized to give the public
permission to use material in ways otherwise restricted by
copyright and certain other rights. Our licenses are
irrevocable. Licensors should read and understand the terms
and conditions of the license they choose before applying it.
Licensors should also secure all rights necessary before
applying our licenses so that the public can reuse the
material as expected. Licensors should clearly mark any
material not subject to the license. This includes other CC-
licensed material, or material used under an exception or
limitation to copyright. More considerations for licensors:
wiki.creativecommons.org/Considerations_for_licensors
Considerations for the public: By using one of our public
licenses, a licensor grants the public permission to use the
licensed material under specified terms and conditions. If
the licensor's permission is not necessary for any reason--for
example, because of any applicable exception or limitation to
copyright--then that use is not regulated by the license. Our
licenses grant only permissions under copyright and certain
other rights that a licensor has authority to grant. Use of
the licensed material may still be restricted for other
reasons, including because others have copyright or other
rights in the material. A licensor may make special requests,
such as asking that all changes be marked or described.
Although not required by our licenses, you are encouraged to
respect those requests where reasonable. More considerations
for the public:
wiki.creativecommons.org/Considerations_for_licensees
=======================================================================
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0
International Public License
By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution-NonCommercial-NoDerivatives 4.0 International Public
License ("Public License"). To the extent this Public License may be
interpreted as a contract, You are granted the Licensed Rights in
consideration of Your acceptance of these terms and conditions, and the
Licensor grants You such rights in consideration of benefits the
Licensor receives from making the Licensed Material available under
these terms and conditions.
Section 1 -- Definitions.
a. Adapted Material means material subject to Copyright and Similar
Rights that is derived from or based upon the Licensed Material
and in which the Licensed Material is translated, altered,
arranged, transformed, or otherwise modified in a manner requiring
permission under the Copyright and Similar Rights held by the
Licensor. For purposes of this Public License, where the Licensed
Material is a musical work, performance, or sound recording,
Adapted Material is always produced where the Licensed Material is
synched in timed relation with a moving image.
b. Copyright and Similar Rights means copyright and/or similar rights
closely related to copyright including, without limitation,
performance, broadcast, sound recording, and Sui Generis Database
Rights, without regard to how the rights are labeled or
categorized. For purposes of this Public License, the rights
specified in Section 2(b)(1)-(2) are not Copyright and Similar
Rights.
c. Effective Technological Measures means those measures that, in the
absence of proper authority, may not be circumvented under laws
fulfilling obligations under Article 11 of the WIPO Copyright
Treaty adopted on December 20, 1996, and/or similar international
agreements.
d. Exceptions and Limitations means fair use, fair dealing, and/or
any other exception or limitation to Copyright and Similar Rights
that applies to Your use of the Licensed Material.
e. Licensed Material means the artistic or literary work, database,
or other material to which the Licensor applied this Public
License.
f. Licensed Rights means the rights granted to You subject to the
terms and conditions of this Public License, which are limited to
all Copyright and Similar Rights that apply to Your use of the
Licensed Material and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights
under this Public License.
h. NonCommercial means not primarily intended for or directed towards
commercial advantage or monetary compensation. For purposes of
this Public License, the exchange of the Licensed Material for
other material subject to Copyright and Similar Rights by digital
file-sharing or similar means is NonCommercial provided there is
no payment of monetary compensation in connection with the
exchange.
i. Share means to provide material to the public by any means or
process that requires permission under the Licensed Rights, such
as reproduction, public display, public performance, distribution,
dissemination, communication, or importation, and to make material
available to the public including in ways that members of the
public may access the material from a place and at a time
individually chosen by them.
j. Sui Generis Database Rights means rights other than copyright
resulting from Directive 96/9/EC of the European Parliament and of
the Council of 11 March 1996 on the legal protection of databases,
as amended and/or succeeded, as well as other essentially
equivalent rights anywhere in the world.
k. You means the individual or entity exercising the Licensed Rights
under this Public License. Your has a corresponding meaning.
Section 2 -- Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License,
the Licensor hereby grants You a worldwide, royalty-free,
non-sublicensable, non-exclusive, irrevocable license to
exercise the Licensed Rights in the Licensed Material to:
a. reproduce and Share the Licensed Material, in whole or
in part, for NonCommercial purposes only; and
b. produce and reproduce, but not Share, Adapted Material
for NonCommercial purposes only.
2. Exceptions and Limitations. For the avoidance of doubt, where
Exceptions and Limitations apply to Your use, this Public
License does not apply, and You do not need to comply with
its terms and conditions.
3. Term. The term of this Public License is specified in Section
6(a).
4. Media and formats; technical modifications allowed. The
Licensor authorizes You to exercise the Licensed Rights in
all media and formats whether now known or hereafter created,
and to make technical modifications necessary to do so. The
Licensor waives and/or agrees not to assert any right or
authority to forbid You from making technical modifications
necessary to exercise the Licensed Rights, including
technical modifications necessary to circumvent Effective
Technological Measures. For purposes of this Public License,
simply making modifications authorized by this Section 2(a)
(4) never produces Adapted Material.
5. Downstream recipients.
a. Offer from the Licensor -- Licensed Material. Every
recipient of the Licensed Material automatically
receives an offer from the Licensor to exercise the
Licensed Rights under the terms and conditions of this
Public License.
b. No downstream restrictions. You may not offer or impose
any additional or different terms or conditions on, or
apply any Effective Technological Measures to, the
Licensed Material if doing so restricts exercise of the
Licensed Rights by any recipient of the Licensed
Material.
6. No endorsement. Nothing in this Public License constitutes or
may be construed as permission to assert or imply that You
are, or that Your use of the Licensed Material is, connected
with, or sponsored, endorsed, or granted official status by,
the Licensor or others designated to receive attribution as
provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not
licensed under this Public License, nor are publicity,
privacy, and/or other similar personality rights; however, to
the extent possible, the Licensor waives and/or agrees not to
assert any such rights held by the Licensor to the limited
extent necessary to allow You to exercise the Licensed
Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this
Public License.
3. To the extent possible, the Licensor waives any right to
collect royalties from You for the exercise of the Licensed
Rights, whether directly or through a collecting society
under any voluntary or waivable statutory or compulsory
licensing scheme. In all other cases the Licensor expressly
reserves any right to collect such royalties, including when
the Licensed Material is used other than for NonCommercial
purposes.
Section 3 -- License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the
following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
a. retain the following if it is supplied by the Licensor
with the Licensed Material:
i. identification of the creator(s) of the Licensed
Material and any others designated to receive
attribution, in any reasonable manner requested by
the Licensor (including by pseudonym if
designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of
warranties;
v. a URI or hyperlink to the Licensed Material to the
extent reasonably practicable;
b. indicate if You modified the Licensed Material and
retain an indication of any previous modifications; and
c. indicate the Licensed Material is licensed under this
Public License, and include the text of, or the URI or
hyperlink to, this Public License.
For the avoidance of doubt, You do not have permission under
this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any
reasonable manner based on the medium, means, and context in
which You Share the Licensed Material. For example, it may be
reasonable to satisfy the conditions by providing a URI or
hyperlink to a resource that includes the required
information.
3. If requested by the Licensor, You must remove any of the
information required by Section 3(a)(1)(A) to the extent
reasonably practicable.
Section 4 -- Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right
to extract, reuse, reproduce, and Share all or a substantial
portion of the contents of the database for NonCommercial purposes
only and provided You do not Share Adapted Material;
b. if You include all or a substantial portion of the database
contents in a database in which You have Sui Generis Database
Rights, then the database in which You have Sui Generis Database
Rights (but not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share
all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.
Section 5 -- Disclaimer of Warranties and Limitation of Liability.
a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
c. The disclaimer of warranties and limitation of liability provided
above shall be interpreted in a manner that, to the extent
possible, most closely approximates an absolute disclaimer and
waiver of all liability.
Section 6 -- Term and Termination.
a. This Public License applies for the term of the Copyright and
Similar Rights licensed here. However, if You fail to comply with
this Public License, then Your rights under this Public License
terminate automatically.
b. Where Your right to use the Licensed Material has terminated under
Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided
it is cured within 30 days of Your discovery of the
violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any
right the Licensor may have to seek remedies for Your violations
of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the
Licensed Material under separate terms or conditions or stop
distributing the Licensed Material at any time; however, doing so
will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
License.
Section 7 -- Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different
terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the
Licensed Material not stated herein are separate from and
independent of the terms and conditions of this Public License.
Section 8 -- Interpretation.
a. For the avoidance of doubt, this Public License does not, and
shall not be interpreted to, reduce, limit, restrict, or impose
conditions on any use of the Licensed Material that could lawfully
be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is
deemed unenforceable, it shall be automatically reformed to the
minimum extent necessary to make it enforceable. If the provision
cannot be reformed, it shall be severed from this Public License
without affecting the enforceability of the remaining terms and
conditions.
c. No term or condition of this Public License will be waived and no
failure to comply consented to unless expressly agreed to by the
Licensor.
d. Nothing in this Public License constitutes or may be interpreted
as a limitation upon, or waiver of, any privileges and immunities
that apply to the Licensor or You, including from the legal
processes of any jurisdiction or authority.
=======================================================================
Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the “Licensor.” The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.
Creative Commons may be contacted at creativecommons.org.
-15
View File
@@ -1,15 +0,0 @@
---
- name: 'all'
hosts: 'all'
gather_facts: false
serial: 1
tasks:
- name: 'Remove known_host file entries'
delegate_to: 'localhost'
ansible.builtin.shell:
ssh-keygen -f ~/.ssh/known_hosts -R {{ inventory_hostname }}
- name: 'Add known_hosts file entries'
delegate_to: 'localhost'
ansible.builtin.shell:
ssh-keyscan {{ inventory_hostname }} >> ~/.ssh/known_hosts
...
-97
View File
@@ -1,97 +0,0 @@
# ---> Ansible
*.retry
# ---> Windows
# Windows thumbnail cache files
Thumbs.db
ehthumbs.db
ehthumbs_vista.db
# Dump file
*.stackdump
# Folder config file
[Dd]esktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
*.msix
*.msm
*.msp
# Windows shortcuts
*.lnk
# ---> macOS
# General
.DS_Store
.AppleDouble
.LSOverride
# Icon must end with two \r
Icon
# Thumbnails
._*
# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
# ---> Linux
*~
# temporary files which can be created if a process still has a handle open of a deleted file
.fuse_hidden*
# KDE directory preferences
.directory
# Linux trash folder which might appear on any partition or disk
.Trash-*
# .nfs files are created when an open file is removed but is still being accessed
.nfs*
# ---> Vim
# Swap
[._]*.s[a-v][a-z]
[._]*.sw[a-p]
[._]s[a-rt-v][a-z]
[._]ss[a-gi-z]
[._]sw[a-p]
# Session
Session.vim
# Temporary
.netrwhist
*~
# Auto-generated tag files
tags
# Persistent undo
[._]*.un~
# ---> VisualStudioCode
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
-163
View File
@@ -1,163 +0,0 @@
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http s ://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies of this license
document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates the terms
and conditions of version 3 of the GNU General Public License, supplemented
by the additional permissions listed below.
0. Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser General
Public License, and the "GNU GPL" refers to version 3 of the GNU General Public
License.
"The Library" refers to a covered work governed by this License, other than
an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided by the
Library, but which is not otherwise based on the Library. Defining a subclass
of a class defined by the Library is deemed a mode of using an interface provided
by the Library.
A "Combined Work" is a work produced by combining or linking an Application
with the Library. The particular version of the Library with which the Combined
Work was made is also called the "Linked Version".
The "Minimal Corresponding Source" for a Combined Work means the Corresponding
Source for the Combined Work, excluding any source code for portions of the
Combined Work that, considered in isolation, are based on the Application,
and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the object
code and/or source code for the Application, including any data and utility
programs needed for reproducing the Combined Work from the Application, but
excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License without
being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a facility
refers to a function or data to be supplied by an Application that uses the
facility (other than as an argument passed when the facility is invoked),
then you may convey a copy of the modified version:
a) under this License, provided that you make a good faith effort to ensure
that, in the event an Application does not supply the function or data, the
facility still operates, and performs whatever part of its purpose remains
meaningful, or
b) under the GNU GPL, with none of the additional permissions of this License
applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from a header
file that is part of the Library. You may convey such object code under terms
of your choice, provided that, if the incorporated material is not limited
to numerical parameters, data structure layouts and accessors, or small macros,
inline functions and templates (ten or fewer lines in length), you do both
of the following:
a) Give prominent notice with each copy of the object code that the Library
is used in it and that the Library and its use are covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that, taken together,
effectively do not restrict modification of the portions of the Library contained
in the Combined Work and reverse engineering for debugging such modifications,
if you also do each of the following:
a) Give prominent notice with each copy of the Combined Work that the Library
is used in it and that the Library and its use are covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license
document.
c) For a Combined Work that displays copyright notices during execution, include
the copyright notice for the Library among these notices, as well as a reference
directing the user to the copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this License,
and the Corresponding Application Code in a form suitable for, and under terms
that permit, the user to recombine or relink the Application with a modified
version of the Linked Version to produce a modified Combined Work, in the
manner specified by section 6 of the GNU GPL for conveying Corresponding Source.
1) Use a suitable shared library mechanism for linking with the Library. A
suitable mechanism is one that (a) uses at run time a copy of the Library
already present on the user's computer system, and (b) will operate properly
with a modified version of the Library that is interface-compatible with the
Linked Version.
e) Provide Installation Information, but only if you would otherwise be required
to provide such information under section 6 of the GNU GPL, and only to the
extent that such information is necessary to install and execute a modified
version of the Combined Work produced by recombining or relinking the Application
with a modified version of the Linked Version. (If you use option 4d0, the
Installation Information must accompany the Minimal Corresponding Source and
Corresponding Application Code. If you use option 4d1, you must provide the
Installation Information in the manner specified by section 6 of the GNU GPL
for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the Library side
by side in a single library together with other library facilities that are
not Applications and are not covered by this License, and convey such a combined
library under terms of your choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based on the
Library, uncombined with any other library facilities, conveyed under the
terms of this License.
b) Give prominent notice with the combined library that part of it is a work
based on the Library, and explaining where to find the accompanying uncombined
form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions of the
GNU Lesser General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to address
new problems or concerns.
Each version is given a distinguishing version number. If the Library as you
received it specifies that a certain numbered version of the GNU Lesser General
Public License "or any later version" applies to it, you have the option of
following the terms and conditions either of that published version or of
any later version published by the Free Software Foundation. If the Library
as you received it does not specify a version number of the GNU Lesser General
Public License, you may choose any version of the GNU Lesser General Public
License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide whether
future versions of the GNU Lesser General Public License shall apply, that
proxy's public statement of acceptance of any version is permanent authorization
for you to choose that version for the Library.
+29
View File
@@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
+73
View File
@@ -0,0 +1,73 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Feature List
------------
* Apache deployed
* Enables HTTP/2
* Enables and convets connections to HTTPS by default
* ACME based TLS Certificate request and renewal
* ACME uses Lets Encrypt by default, alternative ACME Providers may be specified
* Optionally act as a proxy to another URL
* Optionally redirect traffic to another URL
* Optionally populate DocumentRoot with git clone
* Multiple DocumentRoots supported, with aliases
Role Variables
--------------
* Lets Encrypt configuration
* lets_encrypt_admin : The Email address your Lets Encrypt account is with
* lets_encrypt_url : The ACME URL to speak with, defaults to Lets Encrypt, may set to 'https://acme-staging-v02.api.letsencrypt.org/directory' for Staging
* Web Host variable of type list
* http_vhost
* required dictionary elements
* fqdn : The FQDN of the website
* optional dictionary elements
* aliases : list of alternative FQDN for the website
* proxy : URL to direct traffic for the FQDN to, e.g. http://localhost:8080
* redirect : Where should we send traffic?
* repo : git URL of website repo to clone/update
~~~
lets_encrypt_admin: 'acme@example.com'
lets_encrypt_url: 'https://ipa.example.com'
http_vhost:
- fqdn: 'www.example.com'
aliases:
- 'exmaple.com'
proxy: 'http://localhost:8080'
~~~
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+4
View File
@@ -0,0 +1,4 @@
---
# defaults file for ensure_apache
lets_encrypt_admin: 'root@example.com'
lets_encrypt_url: 'https://acme-v02.api.letsencrypt.org/directory'
+29
View File
@@ -0,0 +1,29 @@
---
# handlers file for ensure_apache
- name: 'ensure_apache.package_facts'
ansible.builtin.package_facts:
- name: 'ensure_apache.service_facts'
ansible.builtin.service_facts:
- name: 'ensure_apache.service_reload'
when:
- ansible_facts["system"] == 'Linux'
- ansible_facts["service_mgr"] == 'systemd'
- ensure_apache is defined
ansible.builtin.systemd:
daemon_reload: 'yes'
- name: 'ensure_apache.service_restart'
when:
- ansible_facts["system"] == 'Linux'
- ensure_apache is defined
- ensure_apache.service_list is defined
- ensure_apache.service_list is iterable
- item.state == 'started'
ansible.builtin.service:
enabled: '{{ item.enabled }}'
name: '{{ item.name }}'
state: 'restarted'
loop: '{{ ensure_apache.service_list }}'
loop_control:
label: '{{ item.name }} will be restarted'
...
+53
View File
@@ -0,0 +1,53 @@
galaxy_info:
author: Jason Rothstein
description: Ensure Apache is installed, running, and functional
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: LGPL-3.0-or-later
min_ansible_version: 2.9
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
+225
View File
@@ -0,0 +1,225 @@
---
# tasks file for ensure_apache
- name: 'include variables'
when:
- ansible_facts["system"] == 'Linux'
include_vars:
file: '{{ lookup("first_found", findme ) }}'
name: 'ensure_apache'
vars:
findme:
files:
- '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml'
- '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml'
- '{{ ansible_facts["distribution"] }}-default.yml'
- '{{ ansible_facts["os_family"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml'
- '{{ ansible_facts["os_family"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml'
- '{{ ansible_facts["os_family"] }}-default.yml'
- 'default.yml'
paths:
- '../vars/'
errors: 'ignore'
- name: 'package discovery'
when:
- ansible_facts["system"] == 'Linux'
- ansible_facts["packages"] is not defined
ansible.builtin.package_facts:
- name: 'service discovery'
when:
- ansible_facts["system"] == 'Linux'
- ansible_facts["services"] is not defined
ansible.builtin.service_facts:
- name: 'ensure sysctl'
when:
- ansible_facts["system"] == 'Linux'
- ensure_apache is defined
- ensure_apache.sysctl_list is defined
- ensure_apache.sysctl_list is iterable
ansible.posix.sysctl:
name: '{{ item.name }}'
reload: '{{ item.reload | default(omit) }}'
state: '{{ item.state }}'
sysctl_file: '{{ item.sysctl_file | default(omit) }}'
sysctl_set: '{{ item.sysctl_set | default(omit) }}'
value: '{{ item.value | default(omit) }}'
loop: '{{ ensure_apache.sysctl_list }}'
loop_control:
label: '{{ item.name }} will be {{ item.value }}'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'ensure packages'
when:
- ansible_facts["system"] == 'Linux'
- ensure_apache is defined
- ensure_apache.package_list is defined
- ensure_apache.package_list is iterable
ansible.builtin.package:
name: '{{ item.name }}'
state: '{{ item.state }}'
loop: '{{ ensure_apache.package_list }}'
loop_control:
label: '{{ item.name }} will be {{ item.state }}'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'ensure seboolean'
when:
- ansible_facts["system"] == 'Linux'
- ensure_apache is defined
- ensure_apache.seboolean_list is defined
- ensure_apache.seboolean_list is iterable
ansible.posix.seboolean:
name: '{{ item.name }}'
persistent: '{{ item.persistent }}'
state: '{{ item.state }}'
loop: '{{ ensure_apache.seboolean_list }}'
loop_control:
label: '{{ item.name }} will be {{ item.state }}'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'ensure configurations'
when:
- ansible_facts["system"] == 'Linux'
- http_vhost is defined
- ensure_apache is defined
- ensure_apache.template_list is defined
- ensure_apache.template_list is iterable
ansible.builtin.template:
backup: 'no'
dest: '{{ item.dest }}'
group: '{{ item.group | default(omit) }}'
mode: '{{ item.mode | default(omit) }}'
owner: '{{ item.owner | default(omit) }}'
selevel: '{{ iteml.selevel | default(omit) }}'
serole: '{{ item.serole | default(omit) }}'
setype: '{{ item.setype | default(omit) }}'
seuser: '{{ item.seuser | default(omit) }}'
src: '{{ item.src }}'
loop: '{{ ensure_apache.template_list }}'
loop_control:
label: '{{ item.dest }} will be ensured'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'ensure firewall'
when:
- ansible_facts["system"] == 'Linux'
- ansible_facts.packages["firewalld"] is defined
- ansible_facts.packages["python3-firewall"] is defined
- ensure_apache is defined
- ensure_apache.firewall_list is defined
- ensure_apache.firewall_list is iterable
ansible.posix.firewalld:
permanent: '{{ item.permanent }}'
service: '{{ item.service }}'
state: '{{ item.state }}'
loop: '{{ ensure_apache.firewall_list }}'
loop_control:
label: '{{ item.service }} will be {{ item.state }}'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'ensure permissions'
when:
- ansible_facts["system"] == 'Linux'
- ensure_apache is defined
- http_vhost is defined
- http_vhost is iterable
- ensure_apache.permission_list is defined
- ensure_apache.permission_list is iterable
ansible.builtin.file:
attributes: '{{ item.attributes | default(omit) }}'
follow: '{{ item.follow | default(omit) }}'
force: '{{ item.force | default(omit) }}'
group: '{{ item.group | default(omit) }}'
owner: '{{ item.owner | default(omit) }}'
mode: '{{ item.mode | default(omit) }}'
path: '{{ item.path }}'
reuse: '{{ item.reuse | default(omit) }}'
selevel: '{{ item.selevel | default(omit) }}'
serole: '{{ item.serole | default(omit) }}'
setype: '{{ item.setype | default(omit) }}'
seuser: '{{ item.seuser | default(omit) }}'
src: '{{ item.src | default(omit) }}'
state: '{{ item.state }}'
loop: '{{ ensure_apache.permission_list }}'
loop_control:
label: '{{ item.path }} will be ensured'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'ensure vhost document roots'
when:
- ansible_facts["system"] == 'Linux'
- ensure_apache is defined
- http_vhost is defined
- http_vhost is iterable
- item.fqdn is defined
ansible.builtin.file:
path: '/srv/http/{{ item.fqdn }}'
state: 'directory'
setype: 'httpd_sys_content_t'
loop: '{{ http_vhost }}'
loop_control:
label: '/srv/http/{{ item.fqdn }} will be ensured'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'ensure website content from git repos'
when:
- ansible_facts["system"] == 'Linux'
- ensure_apache is defined
- http_vhost is defined
- http_vhost is iterable
- item.fqdn is defined
- item.repo is defined
ansible.builtin.git:
accept_hostkey: 'yes'
dest: '/srv/http/{{ item.fqdn }}'
repo: '{{ item.repo }}'
loop: '{{ http_vhost }}'
loop_control:
label: '/srv/http/{{ item.fqdn }} will be populated...'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'ensure services'
when:
- ansible_facts["system"] == 'Linux'
- ensure_apache is defined
- ensure_apache.service_list is defined
- ensure_apache.service_list is iterable
ansible.builtin.service:
enabled: '{{ item.enabled }}'
name: '{{ item.name }}'
state: '{{ item.state }}'
loop: '{{ ensure_apache.service_list }}'
loop_control:
label: '{{ item.name }} will be {{ item.state }}'
notify:
- 'ensure_apache.package_facts'
- 'ensure_apache.service_facts'
- 'ensure_apache.service_reload'
- 'ensure_apache.service_restart'
- name: 'flush handlers'
meta: 'flush_handlers'
...
@@ -0,0 +1,9 @@
This directory holds configuration files for the Apache HTTP Server;
any files in this directory which have the ".conf" extension will be
processed as httpd configuration files. The directory is used in
addition to the directory /etc/httpd/conf.modules.d/, which contains
configuration files necessary to load modules.
Files are processed in sorted order. See httpd.conf(5) for more
information.
@@ -0,0 +1,93 @@
#
# Directives controlling the display of server-generated directory listings.
#
# Required modules: mod_authz_core, mod_authz_host,
# mod_autoindex, mod_alias
#
# To see the listing of a directory, the Options directive for the
# directory must include "Indexes", and the directory must not contain
# a file matching those listed in the DirectoryIndex directive.
#
#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
#
IndexOptions FancyIndexing HTMLTable VersionSort
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/httpd/icons/"
<Directory "/usr/share/httpd/icons">
Options Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted
</Directory>
#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIconByType /icons/bomb.gif application/x-coredump
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /icons/unknown.gif
#
# AddDescription allows you to place a short description after a file in
# server-generated indexes. These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz
#
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
ReadmeName README.html
HeaderName HEADER.html
#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
@@ -0,0 +1,62 @@
#
# The following lines prevent .user.ini files from being viewed by Web clients.
#
<Files ".user.ini">
Require all denied
</Files>
#
# Allow php to handle Multiviews
#
AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Redirect to local php-fpm (no mod_php in default configuration)
#
<IfModule !mod_php.c>
# Enable http authorization headers
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
<FilesMatch \.(php|phar)$>
SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>
</IfModule>
#
# mod_php is deprecated as FPM is now used by default with httpd in event mode
# mod_php is only used when explicitly enabled or httpd switch to prefork mode
#
# mod_php options
#
<IfModule mod_php.c>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
<FilesMatch \.(php|phar)$>
SetHandler application/x-httpd-php
</FilesMatch>
#
# Uncomment the following lines to allow PHP to pretty-print .phps
# files as PHP source code:
#
#<FilesMatch \.phps$>
# SetHandler application/x-httpd-php-source
#</FilesMatch>
#
# Apache specific PHP configuration options
# those can be override in each configured vhost
#
php_value session.save_handler "files"
php_value session.save_path "/var/lib/php/session"
php_value soap.wsdl_cache_dir "/var/lib/php/wsdlcache"
#php_value opcache.file_cache "/var/lib/php/opcache"
</IfModule>
@@ -0,0 +1,219 @@
#
# When we also provide SSL we have to listen to the
# standard HTTPS port in addition.
#
Listen 443 https
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names. NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# List the protocol versions which clients are allowed to connect with.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3
# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
@@ -0,0 +1,36 @@
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disabled
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
#UserDir public_html
</IfModule>
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory "/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
@@ -0,0 +1,78 @@
MDBaseServer on
MDCertificateAgreement accepted
MDCertificateAuthority {{ lets_encrypt_url }}
MDContactEmail {{ lets_encrypt_admin }}
MDPrivateKeys secp384r1 secp256r1 RSA 4096
MDRequireHttps temporary
MDStoreDir md
<Directory "/srv/http">
AllowOverride None
Require all granted
</Directory>
{% for item in http_vhost %}
<Directory "/srv/http/{{ item.fqdn }}">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<VirtualHost *:80>
ServerName {{ item.fqdn }}
{% if item.aliases is defined %}
{% for item_alias in item.aliases %}
ServerAlias {{ item_alias }}
{% endfor %}
{% endif %}
ServerAdmin webmaster@{{ item.fqdn }}
DocumentRoot /srv/http/{{ item.fqdn }}
{% if item.redirect is defined %}
RedirectMatch "^(?!/\.well-known/).*" {{ item.redirect }}
{% endif %}
</VirtualHost>
MDomain {{ item.fqdn }}
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -TLSv1.1
SSLProxyProtocol all -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
ServerName {{ item.fqdn }}
{% if item.aliases is defined %}
{% for item_alias in item.aliases %}
ServerAlias {{ item_alias }}
{% endfor %}
{% endif %}
ServerAdmin webmaster@{{ item.fqdn }}
DocumentRoot /srv/http/{{ item.fqdn }}
Alias /error/ "/var/www/error/"
{% if item.proxy is defined %}
ProxyPass "/.well-known" "!"
ProxyPass "/phpMyAdmin" "!"
ProxyPass "/phpmyadmin" "!"
ProxyPass "/" "{{ item.proxy }}"
ProxyPassReverse "/" "{{ item.proxy }}"
ProxyTimeout 300
{% endif %}
{% if item.rewrite is defined %}
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) ws://{{ item.proxy }}/$1 [P,L]
{% endif %}
{% if item.redirect is defined %}
RedirectMatch "^(?!/\.well-known/).*" {{ item.redirect }}
{% endif %}
<Location /.env>
Require all denied
</Location>
<Location /.git>
Require all denied
</Location>
</VirtualHost>
{% endfor %}
@@ -0,0 +1,20 @@
#
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
AllowOverride None
Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /poweredby.png /usr/share/httpd/icons/apache_pb3.png
Alias /system_noindex_logo.png /usr/share/httpd/icons/system_noindex_logo.png
@@ -0,0 +1,69 @@
#
# This file loads most of the modules included with the Apache HTTP
# Server itself.
#
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule data_module modules/mod_data.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule echo_module modules/mod_echo.so
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule macro_module modules/mod_macro.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule remoteip_module modules/mod_remoteip.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule request_module modules/mod_request.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so
LoadModule socache_redis_module modules/mod_socache_redis.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule watchdog_module modules/mod_watchdog.so
@@ -0,0 +1 @@
LoadModule brotli_module modules/mod_brotli.so
@@ -0,0 +1,3 @@
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
@@ -0,0 +1 @@
LoadModule lua_module modules/mod_lua.so
@@ -0,0 +1,23 @@
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines. See the httpd.conf(5) man
# page for more information on changing the MPM.
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
#
# NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux
# boolean should be enabled, to allow graceful stop/shutdown.
#
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
LoadModule mpm_event_module modules/mod_mpm_event.so
@@ -0,0 +1,18 @@
#
# This file lists modules included with the Apache HTTP Server
# which are not enabled by default.
#
#LoadModule asis_module modules/mod_asis.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule dialup_module modules/mod_dialup.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
#LoadModule reflector_module modules/mod_reflector.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule speling_module modules/mod_speling.so
@@ -0,0 +1,18 @@
# This file configures all the proxy modules:
LoadModule proxy_module modules/mod_proxy.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
@@ -0,0 +1 @@
LoadModule ssl_module modules/mod_ssl.so
@@ -0,0 +1,2 @@
# This file configures systemd module:
LoadModule systemd_module modules/mod_systemd.so
@@ -0,0 +1,11 @@
# This configuration file loads a CGI module appropriate to the MPM
# which has been configured in 00-mpm.conf. mod_cgid should be used
# with a threaded MPM; mod_cgi with the prefork MPM.
<IfModule !mpm_prefork_module>
LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>
@@ -0,0 +1 @@
LoadModule md_module modules/mod_md.so
@@ -0,0 +1 @@
LoadModule http2_module modules/mod_http2.so
@@ -0,0 +1 @@
LoadModule proxy_http2_module modules/mod_proxy_http2.so
@@ -0,0 +1,10 @@
This directory holds configuration files for the Apache HTTP Server;
any files in this directory which have the ".conf" extension will be
processed as httpd configuration files. This directory contains
configuration fragments necessary only to load modules.
Administrators should use the directory "/etc/httpd/conf.d" to modify
the configuration of httpd, or any modules.
Files are processed in sorted order and should have a two digit
numeric prefix. See httpd.conf(5) for more information.
@@ -0,0 +1,374 @@
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# See the httpd.conf(5) man page for more information on this configuration,
# and httpd.service(8) on using and configuring the httpd service.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on a specific IP address, but note that if
# httpd.service is enabled to run at boot time, the address may not be
# available when the service starts. See the httpd.service(8) man
# page for more information.
#
#Listen 12.34.56.78:80
Listen 80
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
#
# Relax access to content within /var/www.
#
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
#
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
#
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig /etc/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic
</IfModule>
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
@@ -0,0 +1,397 @@
# Magic data for mod_mime_magic Apache module (originally for file(1) command)
# The module is described in /manual/mod/mod_mime_magic.html
#
# The format is 4-5 columns:
# Column #1: byte number to begin checking from, ">" indicates continuation
# Column #2: type of data to match
# Column #3: contents of data to match
# Column #4: MIME type of result
# Column #5: MIME encoding of result (optional)
#------------------------------------------------------------------------------
# Localstuff: file(1) magic for locally observed files
# Add any locally observed files here.
#------------------------------------------------------------------------------
# end local stuff
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Java
0 short 0xcafe
>2 short 0xbabe application/java
#------------------------------------------------------------------------------
# audio: file(1) magic for sound formats
#
# from Jan Nicolai Langfeldt <janl@ifi.uio.no>,
#
# Sun/NeXT audio data
0 string .snd
>12 belong 1 audio/basic
>12 belong 2 audio/basic
>12 belong 3 audio/basic
>12 belong 4 audio/basic
>12 belong 5 audio/basic
>12 belong 6 audio/basic
>12 belong 7 audio/basic
>12 belong 23 audio/x-adpcm
# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format
# that uses little-endian encoding and has a different magic number
# (0x0064732E in little-endian encoding).
0 lelong 0x0064732E
>12 lelong 1 audio/x-dec-basic
>12 lelong 2 audio/x-dec-basic
>12 lelong 3 audio/x-dec-basic
>12 lelong 4 audio/x-dec-basic
>12 lelong 5 audio/x-dec-basic
>12 lelong 6 audio/x-dec-basic
>12 lelong 7 audio/x-dec-basic
# compressed (G.721 ADPCM)
>12 lelong 23 audio/x-dec-adpcm
# Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM"
# AIFF audio data
8 string AIFF audio/x-aiff
# AIFF-C audio data
8 string AIFC audio/x-aiff
# IFF/8SVX audio data
8 string 8SVX audio/x-aiff
# Creative Labs AUDIO stuff
# Standard MIDI data
0 string MThd audio/unknown
#>9 byte >0 (format %d)
#>11 byte >1 using %d channels
# Creative Music (CMF) data
0 string CTMF audio/unknown
# SoundBlaster instrument data
0 string SBI audio/unknown
# Creative Labs voice data
0 string Creative\ Voice\ File audio/unknown
## is this next line right? it came this way...
#>19 byte 0x1A
#>23 byte >0 - version %d
#>22 byte >0 \b.%d
# [GRR 950115: is this also Creative Labs? Guessing that first line
# should be string instead of unknown-endian long...]
#0 long 0x4e54524b MultiTrack sound data
#0 string NTRK MultiTrack sound data
#>4 long x - version %ld
# Microsoft WAVE format (*.wav)
# [GRR 950115: probably all of the shorts and longs should be leshort/lelong]
# Microsoft RIFF
0 string RIFF
# - WAVE format
>8 string WAVE audio/x-wav
# MPEG audio.
0 beshort&0xfff0 0xfff0 audio/mpeg
# C64 SID Music files, from Linus Walleij <triad@df.lth.se>
0 string PSID audio/prs.sid
#------------------------------------------------------------------------------
# c-lang: file(1) magic for C programs or various scripts
#
# XPM icons (Greg Roelofs, newt@uchicago.edu)
# ideally should go into "images", but entries below would tag XPM as C source
0 string /*\ XPM image/x-xbm 7bit
# this first will upset you if you're a PL/1 shop... (are there any left?)
# in which case rm it; ascmagic will catch real C programs
# C or REXX program text
0 string /* text/plain
# C++ program text
0 string // text/plain
#------------------------------------------------------------------------------
# compress: file(1) magic for pure-compression formats (no archives)
#
# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc.
#
# Formats for various forms of compressed data
# Formats for "compress" proper have been moved into "compress.c",
# because it tries to uncompress it to figure out what's inside.
# standard unix compress
0 string \037\235 application/octet-stream x-compress
# gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver)
0 string \037\213 application/octet-stream x-gzip
# According to gzip.h, this is the correct byte order for packed data.
0 string \037\036 application/octet-stream
#
# This magic number is byte-order-independent.
#
0 short 017437 application/octet-stream
# XXX - why *two* entries for "compacted data", one of which is
# byte-order independent, and one of which is byte-order dependent?
#
# compacted data
0 short 0x1fff application/octet-stream
0 string \377\037 application/octet-stream
# huf output
0 short 0145405 application/octet-stream
# Squeeze and Crunch...
# These numbers were gleaned from the Unix versions of the programs to
# handle these formats. Note that I can only uncrunch, not crunch, and
# I didn't have a crunched file handy, so the crunch number is untested.
# Keith Waclena <keith@cerberus.uchicago.edu>
#0 leshort 0x76FF squeezed data (CP/M, DOS)
#0 leshort 0x76FE crunched data (CP/M, DOS)
# Freeze
#0 string \037\237 Frozen file 2.1
#0 string \037\236 Frozen file 1.0 (or gzip 0.5)
# lzh?
#0 string \037\240 LZH compressed data
#------------------------------------------------------------------------------
# frame: file(1) magic for FrameMaker files
#
# This stuff came on a FrameMaker demo tape, most of which is
# copyright, but this file is "published" as witness the following:
#
0 string \<MakerFile application/x-frame
0 string \<MIFFile application/x-frame
0 string \<MakerDictionary application/x-frame
0 string \<MakerScreenFon application/x-frame
0 string \<MML application/x-frame
0 string \<Book application/x-frame
0 string \<Maker application/x-frame
#------------------------------------------------------------------------------
# html: file(1) magic for HTML (HyperText Markup Language) docs
#
# from Daniel Quinlan <quinlan@yggdrasil.com>
# and Anna Shergold <anna@inext.co.uk>
#
0 string \<!DOCTYPE\ HTML text/html
0 string \<!doctype\ html text/html
0 string \<HEAD text/html
0 string \<head text/html
0 string \<TITLE text/html
0 string \<title text/html
0 string \<html text/html
0 string \<HTML text/html
0 string \<!-- text/html
0 string \<h1 text/html
0 string \<H1 text/html
# XML eXtensible Markup Language, from Linus Walleij <triad@df.lth.se>
0 string \<?xml text/xml
#------------------------------------------------------------------------------
# images: file(1) magic for image formats (see also "c-lang" for XPM bitmaps)
#
# originally from jef@helios.ee.lbl.gov (Jef Poskanzer),
# additions by janl@ifi.uio.no as well as others. Jan also suggested
# merging several one- and two-line files into here.
#
# XXX - byte order for GIF and TIFF fields?
# [GRR: TIFF allows both byte orders; GIF is probably little-endian]
#
# [GRR: what the hell is this doing in here?]
#0 string xbtoa btoa'd file
# PBMPLUS
# PBM file
0 string P1 image/x-portable-bitmap 7bit
# PGM file
0 string P2 image/x-portable-greymap 7bit
# PPM file
0 string P3 image/x-portable-pixmap 7bit
# PBM "rawbits" file
0 string P4 image/x-portable-bitmap
# PGM "rawbits" file
0 string P5 image/x-portable-greymap
# PPM "rawbits" file
0 string P6 image/x-portable-pixmap
# NIFF (Navy Interchange File Format, a modification of TIFF)
# [GRR: this *must* go before TIFF]
0 string IIN1 image/x-niff
# TIFF and friends
# TIFF file, big-endian
0 string MM image/tiff
# TIFF file, little-endian
0 string II image/tiff
# possible GIF replacements; none yet released!
# (Greg Roelofs, newt@uchicago.edu)
#
# GRR 950115: this was mine ("Zip GIF"):
# ZIF image (GIF+deflate alpha)
0 string GIF94z image/unknown
#
# GRR 950115: this is Jeremy Wohl's Free Graphics Format (better):
# FGF image (GIF+deflate beta)
0 string FGF95a image/unknown
#
# GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal
# (best; not yet implemented):
# PBF image (deflate compression)
0 string PBF image/unknown
# GIF
0 string GIF image/gif
# JPEG images
0 beshort 0xffd8 image/jpeg
# PC bitmaps (OS/2, Windoze BMP files) (Greg Roelofs, newt@uchicago.edu)
0 string BM image/bmp
#>14 byte 12 (OS/2 1.x format)
#>14 byte 64 (OS/2 2.x format)
#>14 byte 40 (Windows 3.x format)
#0 string IC icon
#0 string PI pointer
#0 string CI color icon
#0 string CP color pointer
#0 string BA bitmap array
0 string \x89PNG image/png
0 string FWS application/x-shockwave-flash
0 string CWS application/x-shockwave-flash
#------------------------------------------------------------------------------
# lisp: file(1) magic for lisp programs
#
# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com)
0 string ;; text/plain 8bit
# Emacs 18 - this is always correct, but not very magical.
0 string \012( application/x-elc
# Emacs 19
0 string ;ELC\023\000\000\000 application/x-elc
#------------------------------------------------------------------------------
# mail.news: file(1) magic for mail and news
#
# There are tests to ascmagic.c to cope with mail and news.
0 string Relay-Version: message/rfc822 7bit
0 string #!\ rnews message/rfc822 7bit
0 string N#!\ rnews message/rfc822 7bit
0 string Forward\ to message/rfc822 7bit
0 string Pipe\ to message/rfc822 7bit
0 string Return-Path: message/rfc822 7bit
0 string Path: message/news 8bit
0 string Xref: message/news 8bit
0 string From: message/rfc822 7bit
0 string Article message/news 8bit
#------------------------------------------------------------------------------
# msword: file(1) magic for MS Word files
#
# Contributor claims:
# Reversed-engineered MS Word magic numbers
#
0 string \376\067\0\043 application/msword
0 string \333\245-\0\0\0 application/msword
# disable this one because it applies also to other
# Office/OLE documents for which msword is not correct. See PR#2608.
#0 string \320\317\021\340\241\261 application/msword
#------------------------------------------------------------------------------
# printer: file(1) magic for printer-formatted files
#
# PostScript
0 string %! application/postscript
0 string \004%! application/postscript
# Acrobat
# (due to clamen@cs.cmu.edu)
0 string %PDF- application/pdf
#------------------------------------------------------------------------------
# sc: file(1) magic for "sc" spreadsheet
#
38 string Spreadsheet application/x-sc
#------------------------------------------------------------------------------
# tex: file(1) magic for TeX files
#
# XXX - needs byte-endian stuff (big-endian and little-endian DVI?)
#
# From <conklin@talisman.kaleida.com>
# Although we may know the offset of certain text fields in TeX DVI
# and font files, we can't use them reliably because they are not
# zero terminated. [but we do anyway, christos]
0 string \367\002 application/x-dvi
#0 string \367\203 TeX generic font data
#0 string \367\131 TeX packed font data
#0 string \367\312 TeX virtual font data
#0 string This\ is\ TeX, TeX transcript text
#0 string This\ is\ METAFONT, METAFONT transcript text
# There is no way to detect TeX Font Metric (*.tfm) files without
# breaking them apart and reading the data. The following patterns
# match most *.tfm files generated by METAFONT or afm2tfm.
#2 string \000\021 TeX font metric data
#2 string \000\022 TeX font metric data
#>34 string >\0 (%s)
# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com)
#0 string \\input\ texinfo Texinfo source text
#0 string This\ is\ Info\ file GNU Info text
# correct TeX magic for Linux (and maybe more)
# from Peter Tobias (tobias@server.et-inf.fho-emden.de)
#
0 leshort 0x02f7 application/x-dvi
# RTF - Rich Text Format
0 string {\\rtf application/rtf
#------------------------------------------------------------------------------
# animation: file(1) magic for animation/movie formats
#
# animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8)
# MPEG file
0 string \000\000\001\263 video/mpeg
#
# The contributor claims:
# I couldn't find a real magic number for these, however, this
# -appears- to work. Note that it might catch other files, too,
# so BE CAREFUL!
#
# Note that title and author appear in the two 20-byte chunks
# at decimal offsets 2 and 22, respectively, but they are XOR'ed with
# 255 (hex FF)! DL format SUCKS BIG ROCKS.
#
# DL file version 1 , medium format (160x100, 4 images/screen)
0 byte 1 video/unknown
0 byte 2 video/unknown
# Quicktime video, from Linus Walleij <triad@df.lth.se>
# from Apple quicktime file format documentation.
4 string moov video/quicktime
4 string mdat video/quicktime
#------------------------------------------------------------------------------
# application/x-coredump for LE/BE ELF
#
0 string \177ELF
>5 byte 1
>16 leshort 4 application/x-coredump
0 string \177ELF
>5 byte 2
>16 beshort 4 application/x-coredump
@@ -0,0 +1,11 @@
# Note that logs are not compressed unless "compress" is configured,
# which can be done either here or globally in /etc/logrotate.conf.
/var/log/httpd/*log {
missingok
notifempty
sharedscripts
delaycompress
postrotate
/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
endscript
}
@@ -0,0 +1,9 @@
/var/log/php-fpm/*log {
missingok
notifempty
sharedscripts
delaycompress
postrotate
/bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
endscript
}
@@ -0,0 +1,135 @@
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;
; All relative paths in this configuration file are relative to PHP's install
; prefix.
;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;
[global]
; Pid file
; Default Value: none
pid = /run/php-fpm/php-fpm.pid
; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; in a local file.
; Default Value: /var/log/php-fpm.log
error_log = /var/log/php-fpm/error.log
; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon
; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
;syslog.ident = php-fpm
; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = notice
; Log limit on number of characters in the single line (log entry). If the
; line is over the limit, it is wrapped on multiple lines. The limit is for
; all logged characters including message prefix and suffix if present. However
; the new line character does not count into it as it is present only when
; logging to a file descriptor. It means the new line character is not present
; when logging to syslog.
; Default Value: 1024
;log_limit = 4096
; Log buffering specifies if the log line is buffered which means that the
; line is written in a single write operation. If the value is false, then the
; data is written directly into the file descriptor. It is an experimental
; option that can potentionaly improve logging performance and memory usage
; for some heavy logging scenarios. This option is ignored if logging to syslog
; as it has to be always buffered.
; Default value: yes
;log_buffering = no
; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
;emergency_restart_threshold = 0
; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated. This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;emergency_restart_interval = 0
; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;process_control_timeout = 0
; The maximum number of processes FPM will fork. This has been designed to control
; the global number of processes when using dynamic PM within a lot of pools.
; Use it with caution.
; Note: A value of 0 indicates no limit
; Default Value: 0
;process.max = 128
; Specify the nice(2) priority to apply to the master process (only if set)
; The value can vary from -19 (highest priority) to 20 (lowest priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool process will inherit the master process priority
; unless specified otherwise
; Default Value: no set
;process.priority = -19
; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
daemonize = yes
; Set open file descriptor rlimit for the master process.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit for the master process.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Specify the event mechanism FPM will use. The following is available:
; - select (any POSIX os)
; - poll (any POSIX os)
; - epoll (linux >= 2.5.44)
; Default Value: not set (auto detection)
;events.mechanism = epoll
; When FPM is built with systemd integration, specify the interval,
; in seconds, between health report notification to systemd.
; Set to 0 to disable.
; Available Units: s(econds), m(inutes), h(ours)
; Default Unit: seconds
; Default value: 10
;systemd_interval = 10
;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;
; Multiple pools of child processes may be started with different listening
; ports and different management options. The name of the pool will be
; used in logs and stats. There is no limitation on the number of pools which
; FPM can handle. Your system will tell you anyway :)
; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
include=/etc/php-fpm.d/*.conf
@@ -0,0 +1,438 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or @php_fpm_prefix@) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
; RPM: apache user chosen to provide access to the same directories as httpd
user = apache
; RPM: Keep a group allowed to write in log dir.
group = apache
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php-fpm/www.sock
; Set listen(2) backlog.
; Default Value: 511
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server.
; Default Values: user and group are set as the running user
; mode is set to 0660
;listen.owner = nobody
;listen.group = nobody
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
listen.acl_users = apache,nginx
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 50
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 5
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 5
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 35
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: @EXPANDED_DATADIR@/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
slowlog = /var/log/php-fpm/www-slow.log
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or @prefix@)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 128M
; Set the following data paths to directories owned by the FPM process user.
;
; Do not change the ownership of existing system directories, if the process
; user does not have write permission, create dedicated directories for this
; purpose.
;
; See warning about choosing the location of these directories on your system
; at http://php.net/session.save-path
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
;php_value[opcache.file_cache] = /var/lib/php/opcache
@@ -0,0 +1,148 @@
; Enable Zend OPcache extension module
zend_extension=opcache
; Determines if Zend OPCache is enabled
opcache.enable=1
; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=1
; The OPcache shared memory storage size.
;opcache.memory_consumption=128
; The amount of memory for interned strings in Mbytes.
;opcache.interned_strings_buffer=8
; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 1000000 are allowed.
;opcache.max_accelerated_files=10000
; The maximum percentage of "wasted" memory until a restart is scheduled.
;opcache.max_wasted_percentage=5
; When this directive is enabled, the OPcache appends the current working
; directory to the script key, thus eliminating possible collisions between
; files with the same name (basename). Disabling the directive improves
; performance, but may break existing applications.
;opcache.use_cwd=1
; When disabled, you must reset the OPcache manually or restart the
; webserver for changes to the filesystem to take effect.
;opcache.validate_timestamps=1
; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
;opcache.revalidate_freq=2
; Enables or disables file search in include_path optimization
;opcache.revalidate_path=0
; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
;opcache.save_comments=1
; Allow file existence override (file_exists, etc.) performance feature.
;opcache.enable_file_override=0
; A bitmask, where each bit enables or disables the appropriate OPcache
; passes
;opcache.optimization_level=0x7FFFBFFF
; This hack should only be enabled to work around "Cannot redeclare class"
; errors.
;opcache.dups_fix=0
; The location of the OPcache blacklist file (wildcards allowed).
; Each OPcache blacklist file is a text file that holds the names of files
; that should not be accelerated.
opcache.blacklist_filename=/etc/php-zts.d/opcache*.blacklist
; Allows exclusion of large files from being cached. By default all files
; are cached.
;opcache.max_file_size=0
; Check the cache checksum each N requests.
; The default value of "0" means that the checks are disabled.
;opcache.consistency_checks=0
; How long to wait (in seconds) for a scheduled restart to begin if the cache
; is not being accessed.
;opcache.force_restart_timeout=180
; OPcache error_log file name. Empty string assumes "stderr".
;opcache.error_log=
; All OPcache errors go to the Web server log.
; By default, only fatal errors (level 0) or errors (level 1) are logged.
; You can also enable warnings (level 2), info messages (level 3) or
; debug messages (level 4).
;opcache.log_verbosity_level=1
; Preferred Shared Memory back-end. Leave empty and let the system decide.
;opcache.preferred_memory_model=
; Protect the shared memory from unexpected writing during script execution.
; Useful for internal debugging only.
;opcache.protect_memory=0
; Allows calling OPcache API functions only from PHP scripts which path is
; started from specified string. The default "" means no restriction
;opcache.restrict_api=
; Enables and sets the second level cache directory.
; It should improve performance when SHM memory is full, at server restart or
; SHM reset. The default "" disables file based caching.
; RPM note : file cache directory must be owned by process owner
; for mod_php, see /etc/httpd/conf.d/php.conf
; for php-fpm, see /etc/php-fpm.d/*conf
;opcache.file_cache=
; Enables or disables opcode caching in shared memory.
;opcache.file_cache_only=0
; Enables or disables checksum validation when script loaded from file cache.
;opcache.file_cache_consistency_checks=1
; Implies opcache.file_cache_only=1 for a certain process that failed to
; reattach to the shared memory (for Windows only). Explicitly enabled file
; cache is required.
;opcache.file_cache_fallback=1
; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
; This should improve performance, but requires appropriate OS configuration.
opcache.huge_code_pages=0
; Validate cached file permissions.
; Leads OPcache to check file readability on each access to cached file.
; This directive should be enabled in shared hosting environment, when few
; users (PHP-FPM pools) reuse the common OPcache shared memory.
;opcache.validate_permission=0
; Prevent name collisions in chroot'ed environment.
; This directive prevents file name collisions in different "chroot"
; environments. It should be enabled for sites that may serve requests in
; different "chroot" environments.
;opcache.validate_root=0
; If specified, it produces opcode dumps for debugging different stages of
; optimizations.
;opcache.opt_debug_level=0
; Specifies a PHP script that is going to be compiled and executed at server
; start-up.
; http://php.net/opcache.preload
;opcache.preload=
; Preloading code as root is not allowed for security reasons. This directive
; facilitates to let the preloading to be run as another user.
; http://php.net/opcache.preload_user
;opcache.preload_user=
; Prevents caching files that are less than this number of seconds old. It
; protects from caching of incompletely updated files. In case all file updates
; on your site are atomic, you may increase performance by setting it to "0".
;opcache.file_update_protection=2
; Absolute path used to store shared lockfiles (for *nix only).
;opcache.lockfile_path=/tmp
@@ -0,0 +1,2 @@
; Enable bz2 extension module
extension=bz2
@@ -0,0 +1,2 @@
; Enable calendar extension module
extension=calendar
@@ -0,0 +1,2 @@
; Enable ctype extension module
extension=ctype
@@ -0,0 +1,2 @@
; Enable curl extension module
extension=curl
@@ -0,0 +1,2 @@
; Enable dom extension module
extension=dom
@@ -0,0 +1,2 @@
; Enable exif extension module
extension=exif
@@ -0,0 +1,2 @@
; Enable fileinfo extension module
extension=fileinfo
@@ -0,0 +1,2 @@
; Enable ftp extension module
extension=ftp
@@ -0,0 +1,2 @@
; Enable gettext extension module
extension=gettext
@@ -0,0 +1,2 @@
; Enable iconv extension module
extension=iconv
@@ -0,0 +1,2 @@
; Enable json extension module
extension=json
@@ -0,0 +1,2 @@
; Enable mbstring extension module
extension=mbstring
@@ -0,0 +1,2 @@
; Enable mysqlnd extension module
extension=mysqlnd
@@ -0,0 +1,2 @@
; Enable pdo extension module
extension=pdo
@@ -0,0 +1,2 @@
; Enable phar extension module
extension=phar
@@ -0,0 +1,2 @@
; Enable simplexml extension module
extension=simplexml
@@ -0,0 +1,2 @@
; Enable sockets extension module
extension=sockets
@@ -0,0 +1,2 @@
; Enable sodium extension module
extension=sodium
@@ -0,0 +1,2 @@
; Enable sqlite3 extension module
extension=sqlite3
@@ -0,0 +1,2 @@
; Enable tokenizer extension module
extension=tokenizer
@@ -0,0 +1,2 @@
; Enable xml extension module
extension=xml
@@ -0,0 +1,2 @@
; Enable xmlwriter extension module
extension=xmlwriter
@@ -0,0 +1,2 @@
; Enable xsl extension module
extension=xsl
@@ -0,0 +1,2 @@
; Enable mysqli extension module
extension=mysqli
@@ -0,0 +1,2 @@
; Enable pdo_mysql extension module
extension=pdo_mysql
@@ -0,0 +1,2 @@
; Enable pdo_sqlite extension module
extension=pdo_sqlite
@@ -0,0 +1,2 @@
; Enable xmlreader extension module
extension=xmlreader
@@ -0,0 +1,11 @@
; The blacklist file is a text file that holds the names of files
; that should not be accelerated. The file format is to add each filename
; to a new line. The filename may be a full path or just a file prefix
; (i.e., /var/www/x blacklists all the files and directories in /var/www
; that start with 'x'). Line starting with a ; are ignored (comments).
; Files are usually triggered by one of the following three reasons:
; 1) Directories that contain auto generated code, like Smarty or ZFW cache.
; 2) Code that does not work well when accelerated, due to some delayed
; compile time evaluation.
; 3) Code that triggers an OPcache bug.
@@ -0,0 +1,154 @@
; Enable Zend OPcache extension module
zend_extension=opcache
; Determines if Zend OPCache is enabled
opcache.enable=1
; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=1
; The OPcache shared memory storage size.
;opcache.memory_consumption=128
; The amount of memory for interned strings in Mbytes.
;opcache.interned_strings_buffer=8
; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 1000000 are allowed.
;opcache.max_accelerated_files=10000
; The maximum percentage of "wasted" memory until a restart is scheduled.
;opcache.max_wasted_percentage=5
; When this directive is enabled, the OPcache appends the current working
; directory to the script key, thus eliminating possible collisions between
; files with the same name (basename). Disabling the directive improves
; performance, but may break existing applications.
;opcache.use_cwd=1
; When disabled, you must reset the OPcache manually or restart the
; webserver for changes to the filesystem to take effect.
;opcache.validate_timestamps=1
; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
;opcache.revalidate_freq=2
; Enables or disables file search in include_path optimization
;opcache.revalidate_path=0
; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
;opcache.save_comments=1
; If enabled, compilation warnings (including notices and deprecations) will
; be recorded and replayed each time a file is included. Otherwise, compilation
; warnings will only be emitted when the file is first cached.
;opcache.record_warnings=0
; Allow file existence override (file_exists, etc.) performance feature.
;opcache.enable_file_override=0
; A bitmask, where each bit enables or disables the appropriate OPcache
; passes
;opcache.optimization_level=0x7FFFBFFF
; This hack should only be enabled to work around "Cannot redeclare class"
; errors.
;opcache.dups_fix=0
; The location of the OPcache blacklist file (wildcards allowed).
; Each OPcache blacklist file is a text file that holds the names of files
; that should not be accelerated.
opcache.blacklist_filename=/etc/php.d/opcache*.blacklist
; Allows exclusion of large files from being cached. By default all files
; are cached.
;opcache.max_file_size=0
; How long to wait (in seconds) for a scheduled restart to begin if the cache
; is not being accessed.
;opcache.force_restart_timeout=180
; OPcache error_log file name. Empty string assumes "stderr".
;opcache.error_log=
; All OPcache errors go to the Web server log.
; By default, only fatal errors (level 0) or errors (level 1) are logged.
; You can also enable warnings (level 2), info messages (level 3) or
; debug messages (level 4).
;opcache.log_verbosity_level=1
; Preferred Shared Memory back-end. Leave empty and let the system decide.
;opcache.preferred_memory_model=
; Protect the shared memory from unexpected writing during script execution.
; Useful for internal debugging only.
;opcache.protect_memory=0
; Allows calling OPcache API functions only from PHP scripts which path is
; started from specified string. The default "" means no restriction
;opcache.restrict_api=
; Enables and sets the second level cache directory.
; It should improve performance when SHM memory is full, at server restart or
; SHM reset. The default "" disables file based caching.
; RPM note : file cache directory must be owned by process owner
; for mod_php, see /etc/httpd/conf.d/php.conf
; for php-fpm, see /etc/php-fpm.d/*conf
;opcache.file_cache=
; Enables or disables opcode caching in shared memory.
;opcache.file_cache_only=0
; Enables or disables checksum validation when script loaded from file cache.
;opcache.file_cache_consistency_checks=1
; Implies opcache.file_cache_only=1 for a certain process that failed to
; reattach to the shared memory (for Windows only). Explicitly enabled file
; cache is required.
;opcache.file_cache_fallback=1
; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
; Under certain circumstances (if only a single global PHP process is
; started from which all others fork), this can increase performance
; by a tiny amount because TLB misses are reduced. On the other hand, this
; delays PHP startup, increases memory usage and degrades performance
; under memory pressure - use with care.
; Requires appropriate OS configuration.
opcache.huge_code_pages=0
; Validate cached file permissions.
; Leads OPcache to check file readability on each access to cached file.
; This directive should be enabled in shared hosting environment, when few
; users (PHP-FPM pools) reuse the common OPcache shared memory.
;opcache.validate_permission=0
; Prevent name collisions in chroot'ed environment.
; This directive prevents file name collisions in different "chroot"
; environments. It should be enabled for sites that may serve requests in
; different "chroot" environments.
;opcache.validate_root=0
; If specified, it produces opcode dumps for debugging different stages of
; optimizations.
;opcache.opt_debug_level=0
; Specifies a PHP script that is going to be compiled and executed at server
; start-up.
; https://php.net/opcache.preload
;opcache.preload=
; Preloading code as root is not allowed for security reasons. This directive
; facilitates to let the preloading to be run as another user.
; https://php.net/opcache.preload_user
;opcache.preload_user=
; Prevents caching files that are less than this number of seconds old. It
; protects from caching of incompletely updated files. In case all file updates
; on your site are atomic, you may increase performance by setting it to "0".
;opcache.file_update_protection=2
; Absolute path used to store shared lockfiles (for *nix only).
;opcache.lockfile_path=/tmp
@@ -0,0 +1,2 @@
; Enable bz2 extension module
extension=bz2
@@ -0,0 +1,2 @@
; Enable calendar extension module
extension=calendar
@@ -0,0 +1,2 @@
; Enable ctype extension module
extension=ctype
@@ -0,0 +1,2 @@
; Enable curl extension module
extension=curl
@@ -0,0 +1,2 @@
; Enable dom extension module
extension=dom
@@ -0,0 +1,2 @@
; Enable exif extension module
extension=exif
@@ -0,0 +1,2 @@
; Enable fileinfo extension module
extension=fileinfo
@@ -0,0 +1,2 @@
; Enable ftp extension module
extension=ftp
@@ -0,0 +1,2 @@
; Enable gettext extension module
extension=gettext
@@ -0,0 +1,2 @@
; Enable iconv extension module
extension=iconv
@@ -0,0 +1,2 @@
; Enable json extension module
extension=json
@@ -0,0 +1,2 @@
; Enable mbstring extension module
extension=mbstring
@@ -0,0 +1,2 @@
; Enable mysqlnd extension module
extension=mysqlnd
@@ -0,0 +1,2 @@
; Enable pdo extension module
extension=pdo
@@ -0,0 +1,2 @@
; Enable phar extension module
extension=phar
@@ -0,0 +1,2 @@
; Enable simplexml extension module
extension=simplexml
@@ -0,0 +1,2 @@
; Enable sockets extension module
extension=sockets
@@ -0,0 +1,2 @@
; Enable sodium extension module
extension=sodium
@@ -0,0 +1,2 @@
; Enable sqlite3 extension module
extension=sqlite3
@@ -0,0 +1,2 @@
; Enable tokenizer extension module
extension=tokenizer
@@ -0,0 +1,2 @@
; Enable xml extension module
extension=xml
@@ -0,0 +1,2 @@
; Enable xmlwriter extension module
extension=xmlwriter
@@ -0,0 +1,2 @@
; Enable xsl extension module
extension=xsl
@@ -0,0 +1,2 @@
; Enable mysqli extension module
extension=mysqli
@@ -0,0 +1,2 @@
; Enable pdo_mysql extension module
extension=pdo_mysql
@@ -0,0 +1,2 @@
; Enable pdo_sqlite extension module
extension=pdo_sqlite
@@ -0,0 +1,2 @@
; Enable xmlreader extension module
extension=xmlreader
@@ -0,0 +1,11 @@
; The blacklist file is a text file that holds the names of files
; that should not be accelerated. The file format is to add each filename
; to a new line. The filename may be a full path or just a file prefix
; (i.e., /var/www/x blacklists all the files and directories in /var/www
; that start with 'x'). Line starting with a ; are ignored (comments).
; Files are usually triggered by one of the following three reasons:
; 1) Directories that contain auto generated code, like Smarty or ZFW cache.
; 2) Code that does not work well when accelerated, due to some delayed
; compile time evaluation.
; 3) Code that triggers an OPcache bug.
File diff suppressed because it is too large Load Diff
@@ -0,0 +1,16 @@
#
# Configuration options for systemd service, htcacheclean.service.
# See htcacheclean(8) for more information on available options.
#
# Interval between cache clean runs, in minutes
INTERVAL=15
# Default cache root.
CACHE_ROOT=/var/cache/httpd/proxy
# Cache size limit in bytes (K=Kbytes, M=Mbytes)
LIMIT=100M
# Any other options...
OPTIONS=
@@ -0,0 +1,16 @@
[Unit]
Description=Disk Cache Cleaning Daemon for the Apache HTTP Server
After=httpd.service
Documentation=man:htcacheclean.service(8)
[Service]
Type=forking
User=apache
PIDFile=/run/httpd/htcacheclean/pid
Environment=LANG=C
EnvironmentFile=/etc/sysconfig/htcacheclean
ExecStart=/usr/sbin/htcacheclean -P /run/httpd/htcacheclean/pid -d $INTERVAL -p $CACHE_ROOT -l $LIMIT $OPTIONS
PrivateTmp=true
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,13 @@
[Unit]
Description=One-time temporary TLS key generation for httpd.service
Documentation=man:httpd-init.service(8)
ConditionPathExists=|!/etc/pki/tls/certs/localhost.crt
ConditionPathExists=|!/etc/pki/tls/private/localhost.key
[Service]
Type=oneshot
RemainAfterExit=no
PrivateTmp=true
ExecStart=/usr/libexec/httpd-ssl-gencerts
@@ -0,0 +1,9 @@
[Unit]
Description=Reload Apache for Let's Encrypt Certificate Insert
[Service]
Type=oneshot
ExecStart=/bin/systemctl reload httpd.service
[Install]
WantedBy=httpd.service

Some files were not shown because too many files have changed in this diff Show More