From 726b6dc279fa7f18b17ab57d129c8e494faf38bd Mon Sep 17 00:00:00 2001 From: Rottler Tamas Date: Sun, 27 Apr 2025 11:38:18 +0200 Subject: [PATCH] + rhel9, - hardening --- files/security.conf_redhat | 6 + tasks/debian.yml | 247 +++++++++++++++ tasks/main.yml | 298 ++---------------- tasks/redhat.yml | 160 ++++++++++ templates/000-default_fpm.conf | 28 ++ {files => templates}/charset.conf | 0 .../other-vhosts-access-log.conf | 4 + templates/pool_www.conf_redhat | 20 ++ templates/redhat_ssl.conf | 8 + 9 files changed, 503 insertions(+), 268 deletions(-) create mode 100644 files/security.conf_redhat create mode 100644 tasks/debian.yml create mode 100644 tasks/redhat.yml rename {files => templates}/charset.conf (100%) rename {files => templates}/other-vhosts-access-log.conf (67%) create mode 100644 templates/pool_www.conf_redhat create mode 100644 templates/redhat_ssl.conf diff --git a/files/security.conf_redhat b/files/security.conf_redhat new file mode 100644 index 0000000..fe2e7fb --- /dev/null +++ b/files/security.conf_redhat @@ -0,0 +1,6 @@ +# security + +ServerTokens Prod +ServerSignature Off +TraceEnable Off + diff --git a/tasks/debian.yml b/tasks/debian.yml new file mode 100644 index 0000000..18d8986 --- /dev/null +++ b/tasks/debian.yml 
@@ -0,0 +1,247 @@ +--- +- name: check if apt.conf uses a proxy + shell: grep -Po '(?<=^Acquire::http::Proxy ")[^"]*' /etc/apt/apt.conf + register: proxy_grep + failed_when: false + changed_when: false + +- name: set proxy variable + set_fact: + proxy: "{{ proxy_grep.stdout }}" + when: proxy_grep.stdout != "" + +- name: install packages, debian8 + tags: apt + apt: + name: + - apache2 + - libapache2-mod-php5 + - mysql-client + - php5-cli + - php5-curl + - php5-gd + - php5-json + - php5-ldap + - php5-mysqlnd + state: present + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "8" + +- name: install packages, debian9-10 + tags: apt + apt: + name: + - apache2 + - libapache2-mod-php + - mariadb-client + - php-cli + - php-bcmath + - php-curl + - php-gd + - php-json + - php-ldap + - php-mbstring + - php-mysql + - php-soap + - php-xml + - php-zip + state: present + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version|int() == 9 or ansible_distribution_major_version|int() == 10 + +- name: sury repo pgp key, debian11-99 + tags: apt + shell: "curl {{ (proxy is defined) | ternary('--proxy '+ proxy|default(''), '')}} -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg" + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version|int() >= 11 + +- name: sury repo in sources list, debian11 + tags: apt + lineinfile: + dest: /etc/apt/sources.list.d/php-sury.list + line: 'deb https://packages.sury.org/php/ bullseye main' + create: yes + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version|int() == 11 + +- name: sury repo in sources list, debian12 + tags: apt + lineinfile: + dest: /etc/apt/sources.list.d/php-sury.list + line: 'deb https://packages.sury.org/php/ bookworm main' + create: yes + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version|int() == 12 + +- name: apt update, debian11-99 + tags: apt + apt: + update_cache: 
yes + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version|int() >= 11 + +- name: set phpver for debian11 ubuntu20 + set_fact: + phpver: "7.4" + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version|int() == 12 + +- name: set phpver for debian debian12 + set_fact: + phpver: "8.2" + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version|int() == 12 + +- name: set phpver for ubuntu20 + set_fact: + phpver: "7.4" + # default, ubuntuba nem teszunk sury repot + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version|int() == 20 + +- name: set phpver for debian ubuntu22 + set_fact: + phpver: "8.1" + # default, ubuntuba nem teszunk sury repot + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version|int() == 22 + + +- name: install packages [phpver] + tags: apt + apt: + name: + - apache2 + - mariadb-client + - "php{{ phpver }}-cli" + - "php{{ phpver }}-fpm" + - "php{{ phpver }}-bcmath" + - "php{{ phpver }}-curl" + - "php{{ phpver }}-gd" + - "php{{ phpver }}-ldap" + - "php{{ phpver }}-mbstring" + - "php{{ phpver }}-mongodb" + - "php{{ phpver }}-mysql" + - "php{{ phpver }}-opcache" + - "php{{ phpver }}-readline" + - "php{{ phpver }}-redis" + - "php{{ phpver }}-soap" + - "php{{ phpver }}-xml" + - "php{{ phpver }}-zip" + state: present + when: + - phpver is defined + +- name: install json for php7.4 [phpver] + tags: apt + apt: + name: + - "php{{ phpver }}-json" + state: present + when: + - phpver is defined + - phpver == "7.4" + +- name: php fpm/pool.d/www.conf [phpver] + template: + src: pool_www.conf + dest: "/etc/php/{{ phpver }}/fpm/pool.d/www.conf" + when: + - phpver is defined + +- name: php config, debian8 + copy: + src: hws.php.ini.modphp + dest: /etc/php5 + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "8" + +- name: php config symlinks, debian8 + file: + state: link + src: /etc/php5/hws.php.ini 
+ path: "/etc/php5/{{ item }}/conf.d/hws.php.ini" + with_items: + - apache2 + - cli + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "8" + +- name: php config, debian9 + copy: + src: hws.php.ini.modphp + dest: /etc/php/7.0/hws.php.ini + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "9" + +- name: php config, debian10 + copy: + src: hws.php.ini.modphp + dest: /etc/php/7.3/hws.php.ini + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "10" + +#- name: php config, bullseye +# copy: +# src: hws.php.ini.fpm +# dest: /etc/php/7.4/hws.php.ini +# when: +# - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() == 11) or +# (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) + +- name: php config symlinks, debian9 + file: + state: link + src: /etc/php/7.0/hws.php.ini + path: "/etc/php/7.0/{{ item }}/conf.d/hws.php.ini" + with_items: + - apache2 + - cli + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "9" + +- name: php config symlinks, debian10 + file: + state: link + src: /etc/php/7.3/hws.php.ini + path: "/etc/php/7.3/{{ item }}/conf.d/hws.php.ini" + with_items: + - apache2 + - cli + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "10" + +#- name: php config symlinks, bullseye +# file: +# state: link +# src: /etc/php/7.4/hws.php.ini +# path: "/etc/php/7.4/{{ item }}/conf.d/hws.php.ini" +# with_items: +# - fpm +# - cli +# when: +# - ansible_distribution == "Debian" +# - ansible_distribution_major_version == "11" + +- name: php logrotate config + copy: + src: logrotate.conf + dest: /etc/logrotate.d/php + +# vim: set tabstop=2 shiftwidth=2 expandtab smarttab: diff --git a/tasks/main.yml b/tasks/main.yml index 68f87cb..d019316 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
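Review bot: The task `set phpver for debian11 ubuntu20` is guarded by `ansible_distribution_major_version|int() == 12`, so Debian 11 never gets `phpver` and the whole `install packages [phpver]` / `php fpm/pool.d/www.conf [phpver]` chain is silently skipped there, while on Debian 12 two tasks set `phpver` and only task order makes `8.2` win. The condition should read `- ansible_distribution_major_version|int() == 11` (and the task name can drop `ubuntu20`, which has its own task); the defect was carried over verbatim from tasks/main.yml rather than introduced here. The Sury signing key is fetched with a bare `curl -o` into `/etc/apt/trusted.gpg.d/`; a `get_url` task with a `checksum:` would make the key's integrity check explicit and keep the task idempotent instead of reporting changed on every run.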
@@ -1,15 +1,4 @@ --- -- name: check if apt.conf uses a proxy - shell: grep -Po '(?<=^Acquire::http::Proxy ")[^"]*' /etc/apt/apt.conf - register: proxy_grep - failed_when: false - changed_when: false - -- name: set proxy variable - set_fact: - proxy: "{{ proxy_grep.stdout }}" - when: proxy_grep.stdout != "" - - name: /var/www bind mount in fstab lineinfile: dest: /etc/fstab @@ -20,6 +9,20 @@ shell: 'mkdir -p /var/www && mv /var/www /data && mkdir -p /var/www && mount /var/www' when: fstab_www.changed +- name: /var/www fcontext httpd_sys_content_t + sefcontext: + setype: httpd_sys_rw_content_t + target: "/var/www/.*" + when: + - ansible_distribution == "RedHat" + - ansible_selinux.status == 'enabled' + +- name: /var/www restorecon + command: "restorecon -r /var/www" + when: + - ansible_distribution == "RedHat" + - ansible_selinux.status == 'enabled' + - name: www subdirs file: dest: "/var/www/{{ item }}" 
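Review bot: The new `/var/www fcontext` task is named `httpd_sys_content_t` but sets `setype: httpd_sys_rw_content_t` on `/var/www/.*`, which lets httpd write to the entire tree including the document roots; least privilege would label the tree `httpd_sys_content_t` and apply `httpd_sys_rw_content_t` only to the paths the application actually writes to, and the task name should match whichever type is chosen. The following `command: "restorecon -r /var/www"` runs on every play and always reports changed; adding `changed_when: false`, or registering the sefcontext task and running restorecon only when it changed, keeps the play idempotent. Both tasks match only `ansible_distribution == "RedHat"`, so rebuilds that report their own distribution name (Rocky, AlmaLinux) would get the bind mount but no SELinux labelling — if those are in scope, `ansible_os_family == "RedHat"` is the condition to use; if not, a comment saying RHEL-only is worth adding.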
@@ -31,162 +34,27 @@ - name: www index.html shell: "test -e /var/www/def/public/index.html || hostname > /var/www/def/public/index.html" -- name: install packages, debian8 - tags: apt - apt: - name: - - apache2 - - libapache2-mod-php5 - - mysql-client - - php5-cli - - php5-curl - - php5-gd - - php5-json - - php5-ldap - - php5-mysqlnd - state: present - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "8" +- name: include debian/ubuntu specific + include_tasks: debian.yml + when: (ansible_distribution == "Debian" or ansible_distribution == "Ubuntu") -- name: install packages, debian9-10 - tags: apt - apt: - name: - - apache2 - - libapache2-mod-php - - mariadb-client - - php-cli - - php-bcmath - - php-curl - - php-gd - - php-json - - php-ldap - - php-mbstring - - php-mysql - - php-soap - - php-xml - - php-zip - state: present - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version|int() == 9 or ansible_distribution_major_version|int() == 10 +- name: include redhat specific + include_tasks: redhat.yml + when: ansible_distribution == "RedHat" -- name: sury repo pgp key, debian11-99 - tags: apt - shell: "curl {{ (proxy is defined) | ternary('--proxy '+ proxy|default(''), '')}} -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg" - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version|int() >= 11 - -- name: sury repo in sources list, debian11 - tags: apt - lineinfile: - dest: /etc/apt/sources.list.d/php-sury.list - line: 'deb https://packages.sury.org/php/ bullseye main' - create: yes - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version|int() == 11 - -- name: sury repo in sources list, debian12 - tags: apt - lineinfile: - dest: /etc/apt/sources.list.d/php-sury.list - line: 'deb https://packages.sury.org/php/ bookworm main' - create: yes - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version|int() == 12 
- -- name: apt update, debian11-99 - tags: apt - apt: - update_cache: yes - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version|int() >= 11 - -- name: set phpver for debian11 ubuntu20 - set_fact: - phpver: "7.4" - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version|int() == 12 - -- name: set phpver for debian debian12 - set_fact: - phpver: "8.2" - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version|int() == 12 - -- name: set phpver for ubuntu20 - set_fact: - phpver: "7.4" - # default, ubuntuba nem teszunk sury repot - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version|int() == 20 - -- name: set phpver for debian ubuntu22 - set_fact: - phpver: "8.1" - # default, ubuntuba nem teszunk sury repot - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version|int() == 22 - - -- name: install packages [phpver] - tags: apt - apt: - name: - - apache2 - - mariadb-client - - "php{{ phpver }}-cli" - - "php{{ phpver }}-fpm" - - "php{{ phpver }}-bcmath" - - "php{{ phpver }}-curl" - - "php{{ phpver }}-gd" - - "php{{ phpver }}-ldap" - - "php{{ phpver }}-mbstring" - - "php{{ phpver }}-mongodb" - - "php{{ phpver }}-mysql" - - "php{{ phpver }}-opcache" - - "php{{ phpver }}-readline" - - "php{{ phpver }}-redis" - - "php{{ phpver }}-soap" - - "php{{ phpver }}-xml" - - "php{{ phpver }}-zip" - state: present - when: - - phpver is defined - -- name: install json for php7.4 [phpver] - tags: apt - apt: - name: - - "php{{ phpver }}-json" - state: present - when: - - phpver is defined - - phpver == "7.4" - -- name: php fpm/pool.d/www.conf [phpver] +- name: conf-available templates template: - src: pool_www.conf - dest: "/etc/php/{{ phpver }}/fpm/pool.d/www.conf" - when: - - phpver is defined - -- name: conf-available - copy: src: "{{ item }}" dest: /etc/apache2/conf-available with_items: - other-vhosts-access-log.conf - charset.conf + +- name: 
conf-available files + copy: + src: "{{ item }}" + dest: /etc/apache2/conf-available + with_items: - log-detailed.conf - name: enable confs / modules, debian0-10 
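Review bot: `include debian/ubuntu specific` and `include redhat specific` use `include_tasks`, a dynamic include: when the play is run with `--tags apt` or `--tags dnf`, the untagged include task itself is skipped by the tag filter and none of the `tags: apt` / `tags: dnf` tasks inside debian.yml or redhat.yml run. Either switch both to `import_tasks:` (static, so the inner tags are honoured and the `when:` is applied to each imported task) or add `tags: always` to the two include tasks. The RedHat include also matches only `ansible_distribution == "RedHat"`, so a Rocky/Alma host would fall into neither branch and get a half-configured server; a comment stating that only RHEL is supported, or `ansible_os_family == "RedHat"`, would make the intent explicit.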
@@ -209,120 +77,14 @@ - ansible_distribution == "Debian" - ansible_distribution_major_version|int() < 11 -- name: virtualhost config, debian11-99 ubuntu20-99 +- name: virtualhost config, debian11-99 ubuntu20-99 redhat template: src: 000-default_fpm.conf dest: /etc/apache2/sites-available/000-default.conf when: - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) - -- name: php config, debian8 - copy: - src: hws.php.ini.modphp - dest: /etc/php5 - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "8" - -- name: php config symlinks, debian8 - file: - state: link - src: /etc/php5/hws.php.ini - path: "/etc/php5/{{ item }}/conf.d/hws.php.ini" - with_items: - - apache2 - - cli - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "8" - -- name: php config, debian9 - copy: - src: hws.php.ini.modphp - dest: /etc/php/7.0/hws.php.ini - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "9" - -- name: php config, debian10 - copy: - src: hws.php.ini.modphp - dest: /etc/php/7.3/hws.php.ini - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "10" - -#- name: php config, bullseye -# copy: -# src: hws.php.ini.fpm -# dest: /etc/php/7.4/hws.php.ini -# when: -# - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() == 11) or -# (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) - -- name: php config symlinks, debian9 - file: - state: link - src: /etc/php/7.0/hws.php.ini - path: "/etc/php/7.0/{{ item }}/conf.d/hws.php.ini" - with_items: - - apache2 - - cli - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "9" - -- name: php config symlinks, debian10 - file: - state: link - src: /etc/php/7.3/hws.php.ini - path: "/etc/php/7.3/{{ item 
}}/conf.d/hws.php.ini" - with_items: - - apache2 - - cli - when: - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "10" - -#- name: php config symlinks, bullseye -# file: -# state: link -# src: /etc/php/7.4/hws.php.ini -# path: "/etc/php/7.4/{{ item }}/conf.d/hws.php.ini" -# with_items: -# - fpm -# - cli -# when: -# - ansible_distribution == "Debian" -# - ansible_distribution_major_version == "11" - - -- name: php logrotate config - copy: - src: logrotate.conf - dest: /etc/logrotate.d/php - -- name: security.conf ServerTokens, debian11-99 ubuntu20-99 - tags: apt - lineinfile: - dest: /etc/apache2/conf-available/security.conf - regexp: "^ServerTokens" - line: "ServerTokens Prod" - when: - - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) - - -- name: security.conf ServerSignature, debian11-99 ubuntu20-99 - tags: apt - lineinfile: - dest: /etc/apache2/conf-available/security.conf - regexp: "^ServerSignature" - line: "ServerSignature Off" - when: - - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) + (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) or + ansible_distribution == "RedHat" # vim: set tabstop=2 shiftwidth=2 expandtab smarttab: diff --git a/tasks/redhat.yml b/tasks/redhat.yml new file mode 100644 index 0000000..68aa1fc --- /dev/null +++ b/tasks/redhat.yml 
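Review bot: Removing the two `security.conf` tasks (`ServerTokens Prod`, `ServerSignature Off`) leaves Debian/Ubuntu hosts on the distribution defaults (Debian's stock security.conf sets `ServerTokens OS` and `ServerSignature On`), while RedHat hosts get both directives plus `TraceEnable Off` from `files/security.conf_redhat`, so the two branches now disagree on version disclosure in headers and error pages. If dropping the Debian hardening is intentional (the subject says `- hardening`), a comment next to the `include debian/ubuntu specific` task should say so and why; otherwise the two `lineinfile` tasks, or a Debian copy of the same security.conf, should stay. The widened `when` on `virtualhost config, debian11-99 ubuntu20-99 redhat` is correct as written; the preceding `enable confs / modules` task, whose trailing conditions form this hunk's leading context, starts outside the hunk.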
@@ -0,0 +1,160 @@ +--- +- name: set phpver for rhel9 + set_fact: + phpver: "84" + when: + - ansible_distribution == "RedHat" + - ansible_distribution_major_version|int() == 9 + +- name: install remi repo + tags: dnf + dnf: + name: "https://rpms.remirepo.net/enterprise/remi-release-9.rpm" + disable_gpg_check: yes + +#- name: dnf module php [phpver] +# tags: dnf +# dnf: +# name: +# - "@php:remi-{{ phpver }}" + +- name: install packages + tags: dnf + dnf: + name: + - httpd + - mod_ssl + - mysql + - redis + - "php{{ phpver }}-php-fpm" + - "php{{ phpver }}-php-cli" + - "php{{ phpver }}-php-bcmath" + - "php{{ phpver }}-php-gd" + - "php{{ phpver }}-php-ldap" + - "php{{ phpver }}-php-mbstring" + - "php{{ phpver }}-php-mysqlnd" + - "php{{ phpver }}-php-opcache" + - "php{{ phpver }}-php-soap" + - "php{{ phpver }}-php-xml" + - "php{{ phpver }}-php-pecl-zip" + - "php{{ phpver }}-php-pecl-mongodb" + - "php{{ phpver }}-php-pecl-redis6" + - "php{{ phpver }}-php-process" + when: + - phpver is defined + +- name: enable httpd service + systemd_service: + name: httpd + enabled: true + +- name: enable redis service + systemd_service: + name: redis + enabled: true + +- name: enable php-fpm service [phpver] + systemd_service: + name: "php{{ phpver }}-php-fpm" + enabled: true + +- name: php-fpm.d/www.conf [phpver] + template: + src: pool_www.conf_redhat + dest: "/etc/opt/remi/php{{ phpver }}/php-fpm.d/www.conf" + when: + - phpver is defined + +- name: httpd.conf remove conf.d include + lineinfile: + path: /etc/httpd/conf/httpd.conf + regex: "^IncludeOptional conf.d/\\*.conf" + state: absent + +- name: httpd.conf add conf-enabled include + lineinfile: + path: /etc/httpd/conf/httpd.conf + line: "IncludeOptional conf-enabled/*.conf" + +- name: httpd.conf add sites-enabled include + lineinfile: + path: /etc/httpd/conf/httpd.conf + line: "IncludeOptional sites-enabled/*.conf" + +- name: /etc/apache2 symlink + file: + path: /etc/apache2 + src: httpd + state: link + +- name: /var/log/apache2 
symlink + file: + path: /var/log/apache2 + src: httpd + state: link + +- name: /etc/apache2/conf-enabled + file: + path: /etc/apache2/conf-enabled + state: directory + owner: root + group: root + mode: "0755" + +- name: /etc/apache2/conf-available + file: + path: /etc/apache2/conf-available + src: conf-enabled + state: link + +- name: /etc/apache2/sites-enabled + file: + path: /etc/apache2/sites-enabled + state: directory + owner: root + group: root + mode: "0755" + +- name: /etc/apache2/sites-available + file: + path: /etc/apache2/sites-available + src: sites-enabled + state: link + +- name: create security.conf + copy: + src: security.conf_redhat + dest: /etc/apache2/conf-enabled/security.conf + +- name: create index.conf + copy: + content: "DirectoryIndex index.html index.php\n" + dest: /etc/apache2/conf-enabled/index.conf + +- name: ssl.conf + template: + src: redhat_ssl.conf + dest: "/etc/apache2/conf-enabled/ssl.conf" + +- name: set httpd_can_network_connect + seboolean: + name: httpd_can_network_connect + state: true + persistent: yes + when: + - ansible_selinux.status == 'enabled' + +- name: set httpd_can_sendmail + seboolean: + name: httpd_can_sendmail + state: true + persistent: yes + when: + - ansible_selinux.status == 'enabled' + +#D- name: php logrotate config +#D copy: +#D src: logrotate.conf +#D dest: /etc/logrotate.d/php + +# vim: set tabstop=2 shiftwidth=2 expandtab smarttab: diff --git a/templates/000-default_fpm.conf b/templates/000-default_fpm.conf index ea48c62..90a2c2c 100644 --- a/templates/000-default_fpm.conf +++ b/templates/000-default_fpm.conf 
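Review bot: `install remi repo` installs `remi-release-9.rpm` straight from the network with `disable_gpg_check: yes`, so a tampered or mis-served package is accepted and then becomes the trust root for every `php{{ phpver }}-php-*` package installed afterwards. Import the repository's signing key first with `rpm_key` (or ship the key in `files/` and reference it) and drop `disable_gpg_check`; at minimum fetch the release RPM with `get_url` and a `checksum:` and install it from the local path. The URL is also hard-coded to release 9 while only `set phpver for rhel9` checks the major version, and `enable php-fpm service [phpver]` has no `when`, so on any other RedHat major the repo is added, the package and pool tasks are skipped, and the service task then fails on the undefined `phpver`; adding `when: phpver is defined` to that task, or guarding the whole file on major version 9 in main.yml, makes the unsupported case fail early and clearly.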
@@ -1,15 +1,43 @@ +# +{% if ansible_distribution == "RedHat" %} +# ErrorLog /var/log/httpd/notls.log +# CustomLog /var/log/httpd/notls.log detailed +{% else %} +# ErrorLog ${APACHE_LOG_DIR}/notls.log +# CustomLog ${APACHE_LOG_DIR}/notls.log detailed +{% endif %} +# RewriteEngine On +# RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/ +# RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L] +# +# +# SSLEngine on +# SSLCertificateFile /etc/ssl/i.hwstudio.hu/fullchain.pem +# SSLCertificateKeyFile /etc/ssl/i.hwstudio.hu/privkey.pem +# #ServerName +# #Header always set Strict-Transport-Security "max-age=31536000;" + DocumentRoot /var/www/def/public +{% if ansible_distribution == "RedHat" %} + ErrorLog /var/log/httpd/error.log + CustomLog /var/log/httpd/access.log detailed +{% else %} ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log detailed +{% endif %} Options -Indexes +FollowSymLinks +MultiViews AllowOverride All Require all granted +{% if ansible_distribution == "RedHat" %} + SetHandler "proxy:unix:/var/opt/remi/php{{ phpver }}/run/php-fpm/www.sock|fcgi://localhost" +{% else %} SetHandler "proxy:unix:/run/php/php{{ phpver }}-fpm.sock|fcgi://localhost" +{% endif %} diff --git a/files/charset.conf b/templates/charset.conf similarity index 100% rename from files/charset.conf rename to templates/charset.conf diff --git a/files/other-vhosts-access-log.conf b/templates/other-vhosts-access-log.conf similarity index 67% rename from files/other-vhosts-access-log.conf rename to templates/other-vhosts-access-log.conf index ffbcea1..9c36d68 100644 --- a/files/other-vhosts-access-log.conf +++ b/templates/other-vhosts-access-log.conf 
@@ -1,5 +1,9 @@ # Define an access log for VirtualHosts that don't define their own logfile #CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined +{% if ansible_distribution == "RedHat" %} +CustomLog /var/log/httpd/other_vhosts_access.log detailed +{% else %} CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log detailed +{% endif %} # vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/templates/pool_www.conf_redhat b/templates/pool_www.conf_redhat new file mode 100644 index 0000000..2dd5794 --- /dev/null +++ b/templates/pool_www.conf_redhat @@ -0,0 +1,20 @@ +[www] +user = apache +group = apache +listen = /var/opt/remi/php{{ phpver }}/run/php-fpm/www.sock +listen.acl_users = apache +listen.allowed_clients = 127.0.0.1 +pm = dynamic +pm.max_children = 50 +pm.start_servers = 5 +pm.min_spare_servers = 5 +pm.max_spare_servers = 35 +slowlog = /var/opt/remi/php{{ phpver }}/log/php-fpm/www-slow.log +php_admin_value[error_log] = /var/opt/remi/php{{ phpver }}/log/php-fpm/www-error.log +php_admin_flag[log_errors] = on +php_value[session.save_handler] = files +php_value[session.save_path] = /var/opt/remi/php{{ phpver }}/lib/php/session +php_value[soap.wsdl_cache_dir] = /var/opt/remi/php{{ phpver }}/lib/php/wsdlcache + +php_admin_value[user_ini.filename] = .php.ini +php_admin_value[user_ini.cache_ttl] = 60 diff --git a/templates/redhat_ssl.conf b/templates/redhat_ssl.conf new file mode 100644 index 0000000..59cb9c8 --- /dev/null +++ b/templates/redhat_ssl.conf @@ -0,0 +1,8 @@ +Listen 443 https +SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 +SSLCryptoDevice builtin +SSLCipherSuite HIGH+ECDHE:!aNULL:!SHA1:!SHA256:!SHA384 +SSLHonorCipherOrder on +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
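Review bot: `listen.allowed_clients = 127.0.0.1` only applies when `listen` is a TCP address; with the unix socket configured in the `listen =` line above it is ignored by php-fpm, so it reads as a restriction that does not exist. Either drop it, or keep it with a comment such as `; no effect for a unix socket, access is limited by listen.acl_users` so the next reader does not rely on it. The `pm.*` sizes are fixed at 50/5/5/35 and the Debian pool template is not in this diff; if that one is parameterized, the same variables should be used here for consistency (inferred, not visible).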
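Review bot: This file adds `Listen 443 https` and global TLS settings but no `<VirtualHost *:443>` with `SSLEngine on` and a certificate, the TLS block in `000-default_fpm.conf` is commented out, and `httpd.conf remove conf.d include` in tasks/redhat.yml stops mod_ssl's stock `conf.d/ssl.conf` from being loaded, so httpd will most likely accept connections on 443 without any TLS virtual host — verify on a rendered host. Either add the 443 virtual host here or move `Listen 443` next to the vhost that actually enables TLS. The cipher string `HIGH+ECDHE:!aNULL:!SHA1:!SHA256:!SHA384` appears to leave only AEAD ECDHE suites for TLS 1.2, which is a sound choice but non-obvious; a comment like `# TLS 1.2: ECDHE AEAD suites only (CBC/HMAC suites excluded); TLS 1.3 suites are not governed by this line` would save the next reviewer the derivation.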