feat: enable HTTPS/TLS for validation service

b1cbf562 · Jörg Sachse · 33dd18b9 · b1cbf562 · b1cbf562
Commit b1cbf562 authored 1 year ago by Jörg Sachse
--- a/tasks/configure_apache.yml
+++ b/tasks/configure_apache.yml
 ---
 ### APACHE KONFIGURIEREN ###
+# symlink /etc/apache2/mods-available/cgi.load to /etc/apache2/mods-enabled/
+- name: CGI-Extension-Modul aktivieren
+  community.general.apache2_module:
+    name: "{{ item }}"
+  loop:
+    - "cgid"
+    - "ssl"
+  register: a2enmod
+- name: restart apache immediately to make sure mod_ssl is running before configuring TLS. Just notifying the handler doesn't suffice.
+  ansible.builtin.systemd:
+    unit: "apache2"
+    state: restarted
+  when: a2enmod.changed    # noqa no-handler
+
 - name: Apache-Konfigurationsdateien einspielen (copied)
  ansible.builtin.copy:
    src: "{{ item.src }}"
@@ -24,13 +38,6 @@
  notify:
    - restart apache

-# symlink /etc/apache2/mods-available/cgi.load to /etc/apache2/mods-enabled/
- name: CGI-Extension-Modul aktivieren
-  community.general.apache2_module:
-    name: "cgid"
-  notify:
-    - restart apache
-
 - name: check if config needs to be enabled
  ansible.builtin.command: "/usr/sbin/a2query -c serve-cgi-bin"
  register: a2query
@@ -70,8 +77,8 @@
        <div>
        Willkommen auf dem Validierungs- und Konvertierungsserver des SLUBarchivs. Das sind deine Alternativen.
          <ul>
-            <li><a href="http://{{ ansible_fqdn }}/cgi-bin/is_valid/pdfa">Validierung</a></li>
-            <li><a href="http://{{ ansible_fqdn }}/cgi-bin/convert_to/pdfa">Konvertierung zu PDF/A</a></li>
+            <li><a href="https://{{ ansible_fqdn }}/cgi-bin/is_valid/pdfa">Validierung</a></li>
+            <li><a href="https://{{ ansible_fqdn }}/cgi-bin/convert_to/pdfa">Konvertierung zu PDF/A</a></li>
          </ul>
        </div>
        </body>
@@ -87,3 +94,15 @@
    state: present
  notify:
    - restart apache
+
+- name: copy server sertificates
+  ansible.builtin.copy:
+    src: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ ansible_hostname }}/{{ item }}"
+    dest: "/etc/ssl/certs/{{ item }}"
+    mode: "0600"
+  loop:
+    - "server.key"
+    - "server.pem"
+    #- "usr/local/share/ca-certificates/GEANT.crt"
+  notify:
+    - restart apache
--- a/templates/etc/apache2/default.conf.j2
+++ b/templates/etc/apache2/default.conf.j2
@@ -28,15 +28,18 @@
 	#Include conf-available/serve-cgi-bin.conf
 </VirtualHost>

-<VirtualHost {{ ansible_default_ipv4.address }}:80>
-	ServerName sdvlzavalidate
+<VirtualHost {{ ansible_default_ipv4.address }}:443>
+	ServerName {{ ansible_hostname }}
 		ServerAdmin webmaster@localhost
 		DocumentRoot /var/www/html
 		ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"

+		SSLEngine on
+        SSLCertificateFile /etc/ssl/certs/server.pem
+        SSLCertificateKeyFile /etc/ssl/certs/server.key
+
 	ErrorLog ${APACHE_LOG_DIR}/error.log
 		CustomLog ${APACHE_LOG_DIR}/access.log combined
-
 </VirtualHost>

 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet