From b1cbf562c0e1a09b6f4e5bfaaad9c1453c402946 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Thu, 21 Dec 2023 13:18:05 +0100
Subject: [PATCH] feat: enable HTTPS/TLS for validation service

---
 tasks/configure_apache.yml            | 37 ++++++++++++++++++++-------
 templates/etc/apache2/default.conf.j2 |  9 ++++---
 2 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/tasks/configure_apache.yml b/tasks/configure_apache.yml
index 8e45ef1..a92b3bb 100644
--- a/tasks/configure_apache.yml
+++ b/tasks/configure_apache.yml
@@ -1,5 +1,19 @@
 ---
 ### APACHE KONFIGURIEREN ###
+# symlink /etc/apache2/mods-available/cgi.load to /etc/apache2/mods-enabled/
+- name: CGI-Extension-Modul aktivieren
+  community.general.apache2_module:
+    name: "{{ item }}"
+  loop:
+    - "cgid"
+    - "ssl"
+  register: a2enmod
+- name: restart apache immediately to make sure mod_ssl is running before configuring TLS. Just notifying the handler doesn't suffice.
+  ansible.builtin.systemd:
+    unit: "apache2"
+    state: restarted
+  when: a2enmod.changed    # noqa no-handler
+
 - name: Apache-Konfigurationsdateien einspielen (copied)
   ansible.builtin.copy:
     src: "{{ item.src }}"
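Review bot: The comment carried over to line 18 still says the task symlinks `cgi.load`, but the loop below it now enables both `cgid` and `ssl`, so the comment is stale on the first read. Replace it with something that matches the loop, e.g. `# enable the cgid and ssl modules (symlinks into /etc/apache2/mods-enabled/)`. The restart task's name is a full sentence of rationale; keeping the name short and moving the "notifying the handler doesn't suffice because mod_ssl must be loaded before the TLS vhost is configured" explanation into a `#` comment above the task reads better in play output. The copy task that begins at the end of this hunk continues outside it.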
@@ -24,13 +38,6 @@
   notify:
     - restart apache
 
-# symlink /etc/apache2/mods-available/cgi.load to /etc/apache2/mods-enabled/
-- name: CGI-Extension-Modul aktivieren
-  community.general.apache2_module:
-    name: "cgid"
-  notify:
-    - restart apache
-
 - name: check if config needs to be enabled
   ansible.builtin.command: "/usr/sbin/a2query -c serve-cgi-bin"
   register: a2query
@@ -70,8 +77,8 @@
         <div>
         Willkommen auf dem Validierungs- und Konvertierungsserver des SLUBarchivs. Das sind deine Alternativen.
           <ul>
-            <li><a href="http://{{ ansible_fqdn }}/cgi-bin/is_valid/pdfa">Validierung</a></li>
-            <li><a href="http://{{ ansible_fqdn }}/cgi-bin/convert_to/pdfa">Konvertierung zu PDF/A</a></li>
+            <li><a href="https://{{ ansible_fqdn }}/cgi-bin/is_valid/pdfa">Validierung</a></li>
+            <li><a href="https://{{ ansible_fqdn }}/cgi-bin/convert_to/pdfa">Konvertierung zu PDF/A</a></li>
           </ul>
         </div>
         </body>
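Review bot: The links now advertise `https://{{ ansible_fqdn }}`, while the new 443 vhost in templates/etc/apache2/default.conf.j2 sets `ServerName {{ ansible_hostname }}` (the short name); if the certificate's subject alternative names cover only one of the two forms, clients following these links will get a hostname mismatch. Use the same variable in both places, e.g. `ServerName {{ ansible_fqdn }}` in the template, and confirm that the deployed server.pem carries that name.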
@@ -87,3 +94,15 @@
     state: present
   notify:
     - restart apache
+
+- name: copy server sertificates
+  ansible.builtin.copy:
+    src: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ ansible_hostname }}/{{ item }}"
+    dest: "/etc/ssl/certs/{{ item }}"
+    mode: "0600"
+  loop:
+    - "server.key"
+    - "server.pem"
+    #- "usr/local/share/ca-certificates/GEANT.crt"
+  notify:
+    - restart apache
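Review bot: The private key is written to `/etc/ssl/certs/server.key`, the world-listable system trust directory, with no explicit `owner`/`group`, so its protection rests entirely on `mode: "0600"` and on whichever user the play happens to run as. The conventional and more defensible location is `/etc/ssl/private/` (root-owned, not world-traversable); a per-item `dest` in the loop, for example `- { name: "server.key", dest: "/etc/ssl/private/server.key" }`, together with explicit `owner: root` and `group: root`, would make that intent explicit, with the matching change to `SSLCertificateKeyFile` in the template. The certificate itself does not need `0600` and is normally `0644`. Also, the task name has a typo (`sertificates`).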
diff --git a/templates/etc/apache2/default.conf.j2 b/templates/etc/apache2/default.conf.j2
index 33ae10c..d27a574 100644
--- a/templates/etc/apache2/default.conf.j2
+++ b/templates/etc/apache2/default.conf.j2
@@ -28,15 +28,18 @@
 	#Include conf-available/serve-cgi-bin.conf
 </VirtualHost>
 
-<VirtualHost {{ ansible_default_ipv4.address }}:80>
-	ServerName sdvlzavalidate
+<VirtualHost {{ ansible_default_ipv4.address }}:443>
+	ServerName {{ ansible_hostname }}
 		ServerAdmin webmaster@localhost
 		DocumentRoot /var/www/html
 		ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
 
+		SSLEngine on
+        SSLCertificateFile /etc/ssl/certs/server.pem
+        SSLCertificateKeyFile /etc/ssl/certs/server.key
+
 	ErrorLog ${APACHE_LOG_DIR}/error.log
 		CustomLog ${APACHE_LOG_DIR}/access.log combined
-
 </VirtualHost>
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
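Review bot: The new 443 vhost turns on `SSLEngine` but sets no protocol or cipher policy, so it inherits whatever mods-enabled/ssl.conf ships on the target; if those defaults are not what is intended, pin a floor next to `SSLEngine on`, e.g. `SSLProtocol -all +TLSv1.2 +TLSv1.3`. If server.pem contains only the leaf certificate (the GEANT.crt line in the copy task is commented out), clients will see an incomplete chain — either bundle the intermediate into server.pem or add an `SSLCertificateChainFile` line. The three added SSL lines are indented with spaces while the rest of the file uses tabs and the modeline says `noet`; re-indent them with tabs.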
-- 
GitLab