+ rhel9, - hardening

files/security.conf_redhat

@@ -0,0 +1,6 @@
+# security
+
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
+

tasks/debian.yml

@@ -0,0 +1,247 @@
+---
+- name: check if apt.conf uses a proxy
+  shell: grep -Po '(?<=^Acquire::http::Proxy ")[^"]*' /etc/apt/apt.conf
+  register: proxy_grep
+  failed_when: false
+  changed_when: false
+
+- name: set proxy variable
+  set_fact:
+    proxy: "{{ proxy_grep.stdout }}"
+  when: proxy_grep.stdout != ""
+
+- name: install packages, debian8
+  tags: apt
+  apt:
+    name:
+      - apache2
+      - libapache2-mod-php5
+      - mysql-client
+      - php5-cli
+      - php5-curl
+      - php5-gd
+      - php5-json
+      - php5-ldap
+      - php5-mysqlnd
+    state: present
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version == "8"
+
+- name: install packages, debian9-10
+  tags: apt
+  apt:
+    name:
+      - apache2
+      - libapache2-mod-php
+      - mariadb-client
+      - php-cli
+      - php-bcmath
+      - php-curl
+      - php-gd
+      - php-json
+      - php-ldap
+      - php-mbstring
+      - php-mysql
+      - php-soap
+      - php-xml
+      - php-zip
+    state: present
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version|int() == 9 or ansible_distribution_major_version|int() == 10
+
+- name: sury repo pgp key, debian11-99
+  tags: apt
+  shell: "curl {{ (proxy is defined) | ternary('--proxy '+ proxy|default(''), '')}} -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg"
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version|int() >= 11
+
+- name: sury repo in sources list, debian11
+  tags: apt
+  lineinfile:
+    dest: /etc/apt/sources.list.d/php-sury.list
+    line: 'deb https://packages.sury.org/php/ bullseye main'
+    create: yes
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version|int() == 11
+
+- name: sury repo in sources list, debian12
+  tags: apt
+  lineinfile:
+    dest: /etc/apt/sources.list.d/php-sury.list
+    line: 'deb https://packages.sury.org/php/ bookworm main'
+    create: yes
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version|int() == 12
+
+- name: apt update, debian11-99
+  tags: apt
+  apt:
+    update_cache: yes
+  when: 
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version|int() >= 11
+
+- name: set phpver for debian11 ubuntu20
+  set_fact:
+    phpver: "7.4"
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version|int() == 12
+
+- name: set phpver for debian debian12
+  set_fact:
+    phpver: "8.2"
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version|int() == 12
+
+- name: set phpver for ubuntu20
+  set_fact:
+    phpver: "7.4"
+    # default, ubuntuba nem teszunk sury repot
+  when:
+    - ansible_distribution == "Ubuntu"
+    - ansible_distribution_major_version|int() == 20
+
+- name: set phpver for debian ubuntu22
+  set_fact:
+    phpver: "8.1"
+    # default, ubuntuba nem teszunk sury repot
+  when:
+    - ansible_distribution == "Ubuntu"
+    - ansible_distribution_major_version|int() == 22
+
+
+- name: install packages [phpver]
+  tags: apt
+  apt:
+    name:
+      - apache2
+      - mariadb-client
+      - "php{{ phpver }}-cli"
+      - "php{{ phpver }}-fpm"
+      - "php{{ phpver }}-bcmath"
+      - "php{{ phpver }}-curl"
+      - "php{{ phpver }}-gd"
+      - "php{{ phpver }}-ldap"
+      - "php{{ phpver }}-mbstring"
+      - "php{{ phpver }}-mongodb"
+      - "php{{ phpver }}-mysql"
+      - "php{{ phpver }}-opcache"
+      - "php{{ phpver }}-readline"
+      - "php{{ phpver }}-redis"
+      - "php{{ phpver }}-soap"
+      - "php{{ phpver }}-xml"
+      - "php{{ phpver }}-zip"
+    state: present
+  when:
+    - phpver is defined
+
+- name: install json for php7.4 [phpver]
+  tags: apt
+  apt:
+    name:
+      - "php{{ phpver }}-json"
+    state: present
+  when:
+    - phpver is defined
+    - phpver == "7.4"
+
+- name: php fpm/pool.d/www.conf [phpver]
+  template:
+    src: pool_www.conf
+    dest: "/etc/php/{{ phpver }}/fpm/pool.d/www.conf"
+  when:
+    - phpver is defined
+
+- name: php config, debian8
+  copy:
+    src: hws.php.ini.modphp
+    dest: /etc/php5
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version == "8"
+
+- name: php config symlinks, debian8
+  file:
+    state: link
+    src: /etc/php5/hws.php.ini
+    path: "/etc/php5/{{ item }}/conf.d/hws.php.ini"
+  with_items:
+    - apache2
+    - cli
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version == "8"
+
+- name: php config, debian9
+  copy:
+    src: hws.php.ini.modphp
+    dest: /etc/php/7.0/hws.php.ini
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version == "9"
+
+- name: php config, debian10
+  copy:
+    src: hws.php.ini.modphp
+    dest: /etc/php/7.3/hws.php.ini
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version == "10"
+
+#- name: php config, bullseye
+#  copy:
+#    src: hws.php.ini.fpm
+#    dest: /etc/php/7.4/hws.php.ini
+#  when:
+#    - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() == 11) or
+#      (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
+
+- name: php config symlinks, debian9
+  file:
+    state: link
+    src: /etc/php/7.0/hws.php.ini
+    path: "/etc/php/7.0/{{ item }}/conf.d/hws.php.ini"
+  with_items:
+    - apache2
+    - cli
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version == "9"
+
+- name: php config symlinks, debian10
+  file:
+    state: link
+    src: /etc/php/7.3/hws.php.ini
+    path: "/etc/php/7.3/{{ item }}/conf.d/hws.php.ini"
+  with_items:
+    - apache2
+    - cli
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version == "10"
+
+#- name: php config symlinks, bullseye
+#  file:
+#    state: link
+#    src: /etc/php/7.4/hws.php.ini
+#    path: "/etc/php/7.4/{{ item }}/conf.d/hws.php.ini"
+#  with_items:
+#    - fpm
+#    - cli
+#  when:
+#    - ansible_distribution == "Debian"
+#    - ansible_distribution_major_version == "11"
+
+- name: php logrotate config
+  copy:
+    src: logrotate.conf
+    dest: /etc/logrotate.d/php
+
+# vim: set tabstop=2 shiftwidth=2 expandtab smarttab:

tasks/main.yml

@@ -1,15 +1,4 @@
 ---
-- name: check if apt.conf uses a proxy
-  shell: grep -Po '(?<=^Acquire::http::Proxy ")[^"]*' /etc/apt/apt.conf
-  register: proxy_grep
-  failed_when: false
-  changed_when: false
-
-- name: set proxy variable
-  set_fact:
-    proxy: "{{ proxy_grep.stdout }}"
-  when: proxy_grep.stdout != ""
-
 - name: /var/www bind mount in fstab
   lineinfile:
     dest: /etc/fstab
@@ -20,6 +9,20 @@
   shell: 'mkdir -p /var/www && mv /var/www /data && mkdir -p /var/www && mount /var/www'
   when: fstab_www.changed
 
+- name: /var/www fcontext httpd_sys_content_t
+  sefcontext:
+    setype: httpd_sys_rw_content_t
+    target: "/var/www/.*"
+  when:
+    - ansible_distribution == "RedHat"
+    - ansible_selinux.status == 'enabled'
+
+- name: /var/www restorecon
+  command: "restorecon -r /var/www"
+  when: 
+    - ansible_distribution == "RedHat"
+    - ansible_selinux.status == 'enabled'
+
 - name: www subdirs
   file:
     dest: "/var/www/{{ item }}"
@@ -31,162 +34,27 @@
 - name: www index.html
   shell: "test -e /var/www/def/public/index.html || hostname > /var/www/def/public/index.html"
 
-- name: install packages, debian8
+- name: include debian/ubuntu specific
-  tags: apt
+  include_tasks: debian.yml
-  apt:
+  when: (ansible_distribution == "Debian" or ansible_distribution == "Ubuntu")
-    name:
-      - apache2
-      - libapache2-mod-php5
-      - mysql-client
-      - php5-cli
-      - php5-curl
-      - php5-gd
-      - php5-json
-      - php5-ldap
-      - php5-mysqlnd
-    state: present
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "8"
 
-- name: install packages, debian9-10
+- name: include redhat specific
-  tags: apt
+  include_tasks: redhat.yml
-  apt:
+  when: ansible_distribution == "RedHat"
-    name:
-      - apache2
-      - libapache2-mod-php
-      - mariadb-client
-      - php-cli
-      - php-bcmath
-      - php-curl
-      - php-gd
-      - php-json
-      - php-ldap
-      - php-mbstring
-      - php-mysql
-      - php-soap
-      - php-xml
-      - php-zip
-    state: present
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version|int() == 9 or ansible_distribution_major_version|int() == 10
 
-- name: sury repo pgp key, debian11-99
+- name: conf-available templates
-  tags: apt
-  shell: "curl {{ (proxy is defined) | ternary('--proxy '+ proxy|default(''), '')}} -o /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg"
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version|int() >= 11
-
-- name: sury repo in sources list, debian11
-  tags: apt
-  lineinfile:
-    dest: /etc/apt/sources.list.d/php-sury.list
-    line: 'deb https://packages.sury.org/php/ bullseye main'
-    create: yes
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version|int() == 11
-
-- name: sury repo in sources list, debian12
-  tags: apt
-  lineinfile:
-    dest: /etc/apt/sources.list.d/php-sury.list
-    line: 'deb https://packages.sury.org/php/ bookworm main'
-    create: yes
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version|int() == 12
-
-- name: apt update, debian11-99
-  tags: apt
-  apt:
-    update_cache: yes
-  when: 
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version|int() >= 11
-
-- name: set phpver for debian11 ubuntu20
-  set_fact:
-    phpver: "7.4"
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version|int() == 12
-
-- name: set phpver for debian debian12
-  set_fact:
-    phpver: "8.2"
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version|int() == 12
-
-- name: set phpver for ubuntu20
-  set_fact:
-    phpver: "7.4"
-    # default, ubuntuba nem teszunk sury repot
-  when:
-    - ansible_distribution == "Ubuntu"
-    - ansible_distribution_major_version|int() == 20
-
-- name: set phpver for debian ubuntu22
-  set_fact:
-    phpver: "8.1"
-    # default, ubuntuba nem teszunk sury repot
-  when:
-    - ansible_distribution == "Ubuntu"
-    - ansible_distribution_major_version|int() == 22
-
-
-- name: install packages [phpver]
-  tags: apt
-  apt:
-    name:
-      - apache2
-      - mariadb-client
-      - "php{{ phpver }}-cli"
-      - "php{{ phpver }}-fpm"
-      - "php{{ phpver }}-bcmath"
-      - "php{{ phpver }}-curl"
-      - "php{{ phpver }}-gd"
-      - "php{{ phpver }}-ldap"
-      - "php{{ phpver }}-mbstring"
-      - "php{{ phpver }}-mongodb"
-      - "php{{ phpver }}-mysql"
-      - "php{{ phpver }}-opcache"
-      - "php{{ phpver }}-readline"
-      - "php{{ phpver }}-redis"
-      - "php{{ phpver }}-soap"
-      - "php{{ phpver }}-xml"
-      - "php{{ phpver }}-zip"
-    state: present
-  when:
-    - phpver is defined
-
-- name: install json for php7.4 [phpver]
-  tags: apt
-  apt:
-    name:
-      - "php{{ phpver }}-json"
-    state: present
-  when:
-    - phpver is defined
-    - phpver == "7.4"
-
-- name: php fpm/pool.d/www.conf [phpver]
   template:
-    src: pool_www.conf
-    dest: "/etc/php/{{ phpver }}/fpm/pool.d/www.conf"
-  when:
-    - phpver is defined
-
-- name: conf-available
-  copy:
     src: "{{ item }}"
     dest: /etc/apache2/conf-available
   with_items:
     - other-vhosts-access-log.conf
     - charset.conf
+
+- name: conf-available files
+  copy:
+    src: "{{ item }}"
+    dest: /etc/apache2/conf-available
+  with_items:
     - log-detailed.conf
 
 - name: enable confs / modules, debian0-10
@@ -209,120 +77,14 @@
     - ansible_distribution == "Debian"
     - ansible_distribution_major_version|int() < 11
 
-- name: virtualhost config, debian11-99 ubuntu20-99
+- name: virtualhost config, debian11-99 ubuntu20-99 redhat
   template:
     src: 000-default_fpm.conf
     dest: /etc/apache2/sites-available/000-default.conf
   when: 
     - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
-      (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
+      (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20) or
-
+      ansible_distribution == "RedHat"
-- name: php config, debian8
-  copy:
-    src: hws.php.ini.modphp
-    dest: /etc/php5
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "8"
-
-- name: php config symlinks, debian8
-  file:
-    state: link
-    src: /etc/php5/hws.php.ini
-    path: "/etc/php5/{{ item }}/conf.d/hws.php.ini"
-  with_items:
-    - apache2
-    - cli
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "8"
-
-- name: php config, debian9
-  copy:
-    src: hws.php.ini.modphp
-    dest: /etc/php/7.0/hws.php.ini
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "9"
-
-- name: php config, debian10
-  copy:
-    src: hws.php.ini.modphp
-    dest: /etc/php/7.3/hws.php.ini
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "10"
-
-#- name: php config, bullseye
-#  copy:
-#    src: hws.php.ini.fpm
-#    dest: /etc/php/7.4/hws.php.ini
-#  when:
-#    - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() == 11) or
-#      (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
-
-- name: php config symlinks, debian9
-  file:
-    state: link
-    src: /etc/php/7.0/hws.php.ini
-    path: "/etc/php/7.0/{{ item }}/conf.d/hws.php.ini"
-  with_items:
-    - apache2
-    - cli
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "9"
-
-- name: php config symlinks, debian10
-  file:
-    state: link
-    src: /etc/php/7.3/hws.php.ini
-    path: "/etc/php/7.3/{{ item }}/conf.d/hws.php.ini"
-  with_items:
-    - apache2
-    - cli
-  when:
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "10"
-
-#- name: php config symlinks, bullseye
-#  file:
-#    state: link
-#    src: /etc/php/7.4/hws.php.ini
-#    path: "/etc/php/7.4/{{ item }}/conf.d/hws.php.ini"
-#  with_items:
-#    - fpm
-#    - cli
-#  when:
-#    - ansible_distribution == "Debian"
-#    - ansible_distribution_major_version == "11"
-
-
-- name: php logrotate config
-  copy:
-    src: logrotate.conf
-    dest: /etc/logrotate.d/php
-
-- name: security.conf ServerTokens, debian11-99 ubuntu20-99
-  tags: apt
-  lineinfile:
-    dest: /etc/apache2/conf-available/security.conf
-    regexp: "^ServerTokens"
-    line: "ServerTokens Prod"
-  when: 
-    - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
-      (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
-
-
-- name: security.conf ServerSignature, debian11-99 ubuntu20-99
-  tags: apt
-  lineinfile:
-    dest: /etc/apache2/conf-available/security.conf
-    regexp: "^ServerSignature"
-    line: "ServerSignature Off"
-  when: 
-    - (ansible_distribution == "Debian" and ansible_distribution_major_version|int() >= 11) or
-      (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int() >= 20)
 
 
 # vim: set tabstop=2 shiftwidth=2 expandtab smarttab:

tasks/redhat.yml

@@ -0,0 +1,160 @@
+---
+- name: set phpver for rhel9
+  set_fact:
+    phpver: "84"
+  when:
+    - ansible_distribution == "RedHat"
+    - ansible_distribution_major_version|int() == 9
+
+- name: install remi repo
+  tags: dnf
+  dnf:
+    name: "https://rpms.remirepo.net/enterprise/remi-release-9.rpm"
+    disable_gpg_check: yes
+
+#- name: dnf module php [phpver]
+#  tags: dnf
+#  dnf:
+#    name:
+#      - "@php:remi-{{ phpver }}"
+
+- name: install packages
+  tags: dnf
+  dnf:
+    name:
+      - httpd
+      - mod_ssl
+      - mysql
+      - redis
+      - "php{{ phpver }}-php-fpm"
+      - "php{{ phpver }}-php-cli"
+      - "php{{ phpver }}-php-bcmath"
+      - "php{{ phpver }}-php-gd"
+      - "php{{ phpver }}-php-ldap"
+      - "php{{ phpver }}-php-mbstring"
+      - "php{{ phpver }}-php-mysqlnd"
+      - "php{{ phpver }}-php-opcache"
+      - "php{{ phpver }}-php-soap"
+      - "php{{ phpver }}-php-xml"
+      - "php{{ phpver }}-php-pecl-zip"
+      - "php{{ phpver }}-php-pecl-mongodb"
+      - "php{{ phpver }}-php-pecl-redis6"
+      - "php{{ phpver }}-php-process"
+  when:
+    - phpver is defined
+
+- name: enable httpd service 
+  systemd_service:
+    name: httpd
+    enabled: true
+
+- name: enable redis service 
+  systemd_service:
+    name: redis
+    enabled: true
+
+- name: enable php-fpm service [phpver]
+  systemd_service:
+    name: "php{{ phpver }}-php-fpm"
+    enabled: true
+
+- name: php-fpm.d/www.conf [phpver]
+  template:
+    src: pool_www.conf_redhat
+    dest: "/etc/opt/remi/php{{ phpver }}/php-fpm.d/www.conf"
+  when:
+    - phpver is defined
+
+- name: httpd.conf remove conf.d include
+  lineinfile:
+    path: /etc/httpd/conf/httpd.conf
+    regex: "^IncludeOptional conf.d/\\*.conf"
+    state: absent
+
+- name: httpd.conf add conf-enabled include
+  lineinfile:
+    path: /etc/httpd/conf/httpd.conf
+    line: "IncludeOptional conf-enabled/*.conf"
+
+- name: httpd.conf add sites-enabled include
+  lineinfile:
+    path: /etc/httpd/conf/httpd.conf
+    line: "IncludeOptional sites-enabled/*.conf"
+
+- name: /etc/apache2 symlink
+  file:
+    path: /etc/apache2
+    src: httpd
+    state: link
+
+- name: /var/log/apache2 symlink
+  file:
+    path: /var/log/apache2
+    src: httpd
+    state: link
+
+- name: /etc/apache2/conf-enabled
+  file:
+    path: /etc/apache2/conf-enabled
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: /etc/apache2/conf-available
+  file:
+    path: /etc/apache2/conf-available
+    src: conf-enabled
+    state: link
+
+- name: /etc/apache2/sites-enabled
+  file:
+    path: /etc/apache2/sites-enabled
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: /etc/apache2/sites-available
+  file:
+    path: /etc/apache2/sites-available
+    src: sites-enabled
+    state: link
+
+- name: create security.conf
+  copy:
+    src: security.conf_redhat
+    dest: /etc/apache2/conf-enabled/security.conf
+
+- name: create index.conf
+  copy:
+    content: "DirectoryIndex index.html index.php\n"
+    dest: /etc/apache2/conf-enabled/index.conf
+
+- name: ssl.conf
+  template:
+    src: redhat_ssl.conf
+    dest: "/etc/apache2/conf-enabled/ssl.conf"
+
+- name: set httpd_can_network_connect
+  seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: yes
+  when:
+    - ansible_selinux.status == 'enabled'
+
+- name: set httpd_can_sendmail
+  seboolean:
+    name: httpd_can_sendmail
+    state: true
+    persistent: yes
+  when:
+    - ansible_selinux.status == 'enabled'
+
+#D- name: php logrotate config
+#D  copy:
+#D    src: logrotate.conf
+#D    dest: /etc/logrotate.d/php
+
+# vim: set tabstop=2 shiftwidth=2 expandtab smarttab:

templates/000-default_fpm.conf

@@ -1,15 +1,43 @@
+#<VirtualHost *:80>
+{% if ansible_distribution == "RedHat" %}
+#    ErrorLog /var/log/httpd/notls.log
+#    CustomLog /var/log/httpd/notls.log detailed
+{% else %}
+#    ErrorLog ${APACHE_LOG_DIR}/notls.log
+#    CustomLog ${APACHE_LOG_DIR}/notls.log detailed
+{% endif %}
+#    RewriteEngine On
+#    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
+#    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]
+#</VirtualHost>
+#<VirtualHost *:443>
+#    SSLEngine on
+#    SSLCertificateFile /etc/ssl/i.hwstudio.hu/fullchain.pem
+#    SSLCertificateKeyFile /etc/ssl/i.hwstudio.hu/privkey.pem
+#    #ServerName 
+#    #Header always set Strict-Transport-Security "max-age=31536000;"
+
 <VirtualHost *:80>
     DocumentRoot /var/www/def/public
 
+{% if ansible_distribution == "RedHat" %}
+    ErrorLog /var/log/httpd/error.log
+    CustomLog /var/log/httpd/access.log detailed
+{% else %}
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log detailed
+{% endif %}
     <Directory /var/www/def/public>
             Options -Indexes +FollowSymLinks +MultiViews
             AllowOverride All
             Require all granted
     </Directory>
     <Files "*.php">
+{% if ansible_distribution == "RedHat" %}
+        SetHandler "proxy:unix:/var/opt/remi/php{{ phpver }}/run/php-fpm/www.sock|fcgi://localhost"
+{% else %}
         SetHandler "proxy:unix:/run/php/php{{ phpver }}-fpm.sock|fcgi://localhost"
+{% endif %}
     </Files>
 </VirtualHost>
 

templates/other-vhosts-access-log.conf

@@ -1,5 +1,9 @@
 # Define an access log for VirtualHosts that don't define their own logfile
 #CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
+{% if ansible_distribution == "RedHat" %}
+CustomLog /var/log/httpd/other_vhosts_access.log detailed
+{% else %}
 CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log detailed
+{% endif %}
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

templates/pool_www.conf_redhat

@@ -0,0 +1,20 @@
+[www]
+user = apache
+group = apache
+listen = /var/opt/remi/php{{ phpver }}/run/php-fpm/www.sock
+listen.acl_users = apache
+listen.allowed_clients = 127.0.0.1
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 35
+slowlog = /var/opt/remi/php{{ phpver }}/log/php-fpm/www-slow.log
+php_admin_value[error_log] = /var/opt/remi/php{{ phpver }}/log/php-fpm/www-error.log
+php_admin_flag[log_errors] = on
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/opt/remi/php{{ phpver }}/lib/php/session
+php_value[soap.wsdl_cache_dir]  = /var/opt/remi/php{{ phpver }}/lib/php/wsdlcache
+
+php_admin_value[user_ini.filename] = .php.ini
+php_admin_value[user_ini.cache_ttl] = 60

templates/redhat_ssl.conf

@@ -0,0 +1,8 @@
+Listen 443 https
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+SSLCryptoDevice builtin
+SSLCipherSuite HIGH+ECDHE:!aNULL:!SHA1:!SHA256:!SHA384
+SSLHonorCipherOrder on
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1