geerlingguy · hdep · May 7, 2025 · May 7, 2025 · May 7, 2025
diff --git a/README.md b/README.md
@@ -36,6 +36,24 @@ apache_vhosts_template: "vhosts.conf.j2"
 
 If set to true, a vhosts file, managed by this role's variables (see below), will be created and placed in the Apache configuration folder. If set to false, you can place your own vhosts file into Apache's configuration folder and skip the convenient (but more basic) one added by this role. You can also override the template used and set a path to your own template, if you need to further customize the layout of your VirtualHosts.
 
+```yaml
+apache_manage_security: true
+apache_security_filename: "security.conf"
+apache_security_template: "security.conf.j2"
+```
+
+if set to true, a security file will de deployed in /etc/apache2/conf-enabled/, *Only for debian system* 
+see variable below for content of this file.
+
+```yaml
+apache_security_servertokens: prod
+apache_security_serversignature: "Off"
+apache_security_traceenable: "Off"
+apache_security_redirectmatch_git: true
+```
+
+Default value for security.conf file for debian system
+
 ```yaml
 apache_remove_default_vhost: false
 ```

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -9,6 +9,15 @@ apache_create_vhosts: true
 apache_vhosts_filename: "vhosts.conf"
 apache_vhosts_template: "vhosts.conf.j2"
 
+apache_manage_security: true
+apache_security_filename: "security.conf"
+apache_security_template: "security.conf.j2"
+
+apache_security_servertokens: prod
+apache_security_serversignature: "Off"
+apache_security_traceenable: "Off"
+apache_security_redirectmatch_git: true
+
 # On Debian/Ubuntu, a default virtualhost is included in Apache's configuration.
 # Set this to `true` to remove that default.
 apache_remove_default_vhost: false
@@ -45,6 +54,7 @@ apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
 apache_mods_enabled:
   - rewrite
   - ssl
+  - headers
 apache_mods_disabled: []
 
 # Set initial apache state. Recommended values: `started` or `stopped`

diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -1,7 +1,7 @@
 ---
 - name: Converge
   hosts: all
-  #become: true
+  # become: true
 
   vars:
     apache_listen_port_ssl: 443

diff --git a/tasks/configure-Debian.yml b/tasks/configure-Debian.yml
@@ -57,3 +57,23 @@
     state: absent
   notify: restart apache
   when: apache_remove_default_vhost
+
+- name: Add apache security.conf configuration.
+  ansible.builtin.template:
+    src: "{{ apache_security_template }}"
+    dest: "{{ apache_conf_path }}/conf-available/{{ apache_security_filename }}"
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart apache
+  when: apache_manage_security | bool
+
+- name: Add security.conf symlink in conf-enabled-enabled.
+  ansible.builtin.file:
+    src: "{{ apache_conf_path }}/conf-available/{{ apache_security_filename }}"
+    dest: "{{ apache_conf_path }}/conf-enabled/{{ apache_security_filename }}"
+    state: link
+    mode: '0644'
+    force: "{{ ansible_check_mode }}"
+  notify: restart apache
+  when: apache_manage_security | bool
diff --git a/templates/security.conf.j2 b/templates/security.conf.j2
@@ -0,0 +1,59 @@
+# {{ ansible_managed }}
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens {{ apache_security_servertokens }}
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#ServerSignature Off
+ServerSignature {{ apache_security_serversignature }}
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+TraceEnable {{ apache_security_traceenable }}
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories.
+#
+# Examples:
+#
+#RedirectMatch 404 /\.git
+#RedirectMatch 404 /\.svn
+{% if apache_security_redirectmatch_git %}
+RedirectMatch 404 /\.git
+{% endif %}
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+#Header set Content-Security-Policy "frame-ancestors 'self';"