Web Service

ROLE apache

The web service configuration is handled by the "apache" role. Apache is used as the server and this role sets up SSL keys from Let's Encrypt using certbot. HTTP and HTTPS are configured on the standard ports.

The role creates one or more vhosts, along with aliases for each. The document root for each vhost is at /var/www/<domain>. We initialize the root with an index.html if one is not present. We create a 'www' user and a 'www-data' group to use when uploading content via rsync.

The default Apache config enables gzip compression, and it is not recommended to turn it off. If your website uses cookies, we strongly advise setting the SameSite attribute on them to mitigate BREACH (CVE-2013-3587).

Variables

The web_vhosts variable is a list of structs, one for each root domain, along with any other settings. It looks something like this:

web_vhosts:
  # simple example.com and www.example.com
  - name: example.com

  # a second domain with more aliases, a different
  # DocumentRoot and a custom error page.
  - name: another.com
    aliases:
      - www.another.com
      - someother.another.com
    root: /var/www/someplace/else
    conf_extra: >-
      ErrorDocument 404 /error/notfound.html

The name is required and is the ServerName. The aliases list is optional and contains a list of ServerAlias values. If it is not present, it will default to the 'www' alias for the name. If you don't want any aliases, set this to an empty list []. Other settings are:

The certbot role will not request a certificate for a particular host if the cert or certkey fields are defined or if use_https is False.

The following can each contain a single string (probably multi-line) that is included in the http and https configuration directives. Use for custom error pages, rewrite rules, etc.

You can set the apache_modules variable to force certain modules to be enabled. The rewrite module is always present. By default we always redirect http to https, but if you want to disable that you can set apache_force_https to no.

apache_modules: [ extra, modules, to, load ]

# permanent redirect from http to https
# apache_force_https: yes
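
One way to follow the SameSite advice above from within this role's variables, as an added example that is not part of the role's own documentation. It assumes conf_extra is included verbatim in the vhost and that listing headers in apache_modules enables mod_headers; SameSite=Strict is an illustrative choice.

```yaml
# Added example; the variable names come from this page, the directives
# are standard mod_headers syntax. Assumption: conf_extra is copied
# verbatim into the vhost configuration.
apache_modules: [ headers ]

web_vhosts:
  - name: example.com
    # Literal block (|) rather than folded (>-): folding would join the
    # two Header directives below into a single, invalid line.
    conf_extra: |
      # Append SameSite=Strict to every cookie that does not already
      # carry a SameSite attribute. The negative lookahead leaves cookies
      # alone when the application has set the attribute itself.
      # "Header edit" covers the default (onsuccess) header table.
      Header edit Set-Cookie "(?i)^(?!.*; *samesite=)(.*)$" "$1; SameSite=Strict"
      # "Header always edit" covers the second header table, which is
      # where headers emitted by CGI scripts end up.
      Header always edit Set-Cookie "(?i)^(?!.*; *samesite=)(.*)$" "$1; SameSite=Strict"
```

Gzip compression stays enabled with this in place. After deploying, `curl -sI https://<domain>/` against a page that sets a cookie should show the attribute on each Set-Cookie line.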

Why These Packages?

I really didn't give this much thought. I've been using Apache for years and am already familiar with it. I'm sure that Nginx is also a fine choice. Any site of mine is likely to be mostly static HTML, perhaps a few CGI scripts, and unlikely to spark worldwide interest, so any server would be fine.

About a year after putting this in place, I was updating my website and found the HTML 5 Boilerplate project. This has good recommendations for server configs that I have incorporated. The Mozilla Observatory is also useful for checking your configuration.

STEP Data ca. 1995
Back in 1995, we ran NCSA HTTPd and looked at everything in Mosaic, uphill, both ways.