library/roles/apache: Support for the apache info and status modules, with ACLs.

apache/defaults/main.yml

@@ -37,6 +37,16 @@ apache_http_proxy_modules:
   - proxy_ajp
   - proxy_http
 
+apache_status_module: True  
+apache_status_location: '/server-status'
+apache_status_allowed_hosts:
+  - 127.0.0.1/8
+
+apache_info_module: True
+apache_info_location: '/server-info'
+apache_info_allowed_hosts:
+  - 127.0.0.1/8
+
 apache_basic_auth: False
 apache_basic_auth_single_file: True
 apache_basic_auth_dir: /etc/apache2/auth

apache/tasks/apache-modules.yml

@@ -1,7 +1,7 @@
 ---
 - name: Load the apache ssl modules
   apache2_module: name={{ item }} state=present
-  with_items: apache_ssl_modules
+  with_items: '{{ apache_ssl_modules }}'
   when:
     - apache_ssl_modules_enabled
     - is_trusty
@@ -10,14 +10,43 @@
 
 - name: Load some apache proxy modules
   apache2_module: name={{ item }} state=present
-  with_items: apache_http_proxy_modules
+  with_items: '{{ apache_http_proxy_modules }}'
   when: apache_http_proxy_modules_enabled
   notify: apache2 reload
   tags: [ 'apache', 'apache_mods' ]
 
 - name: Load additional apache modules if any
   apache2_module: name={{ item }} state=present
-  with_items: apache_additional_modules_list
+  with_items: '{{ apache_additional_modules_list }}'
   when: apache_additional_modules
   notify: apache2 reload
   tags: [ 'apache', 'apache_mods' ]
+
+- name: Load the apache status module
+  apache2_module: name={{ item }} state=present
+  with_items: status
+  when: apache_status_module 
+  notify: apache2 reload
+  tags: [ 'apache', 'apache_mods', 'apache_status' ]
+
+- name: Configure the apache status module
+  template: src={{ item }}.j2 dest=/etc/apache2/mods-available/{{ item }} owner=root group=root mode=0644
+  with_items: status.conf
+  when: apache_status_module 
+  notify: apache2 reload
+  tags: [ 'apache', 'apache_mods', 'apache_status' ]
+
+- name: Load the apache info module
+  apache2_module: name={{ item }} state=present
+  with_items: info
+  when: apache_info_module 
+  notify: apache2 reload
+  tags: [ 'apache', 'apache_mods', 'apache_info' ]
+
+- name: Configure the apache info module
+  template: src={{ item }}.j2 dest=/etc/apache2/mods-available/{{ item }} owner=root group=root mode=0644
+  with_items: info.conf
+  when: apache_info_module 
+  notify: apache2 reload
+  tags: [ 'apache', 'apache_mods', 'apache_info' ]
+

apache/templates/info.conf.j2

@@ -0,0 +1,20 @@
+<IfModule mod_info.c>
+
+	# Allow remote server configuration reports, with the URL of
+	#  http://servername/server-info (requires that mod_info.c be loaded).
+	# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
+	#
+	<Location {{ apache_info_location }}>
+		SetHandler server-info
+		Require local
+        {% if nagios_monitoring_server_ip is defined %}
+        {% for addr in nagios_monitoring_server_ip %}
+        Require ip {{ addr }}/24
+        {% endfor %}
+        {% endif %}
+        {% for addr in apache_info_allowed_hosts %}
+        Require ip {{ addr }}
+        {% endfor %}
+	</Location>
+
+</IfModule>

apache/templates/status.conf.j2

@@ -0,0 +1,32 @@
+<IfModule mod_status.c>
+	# Allow server status reports generated by mod_status,
+	# with the URL of http://servername/server-status
+	# Uncomment and change the "192.0.2.0/24" to allow access from other hosts.
+
+	<Location {{ apache_status_location }}>
+		SetHandler server-status
+		Require local
+        {% if nagios_monitoring_server_ip is defined %}
+        {% for addr in nagios_monitoring_server_ip %}
+        Require ip {{ addr }}/24
+        {% endfor %}
+        {% endif %}
+        {% for addr in apache_status_allowed_hosts %}
+        Require ip {{ addr }}
+        {% endfor %}
+	</Location>
+
+	# Keep track of extended status information for each request
+	ExtendedStatus On
+
+	# Determine if mod_status displays the first 63 characters of a request or
+	# the last 63, assuming the request itself is greater than 63 chars.
+	# Default: Off
+	#SeeRequestTail On
+
+	<IfModule mod_proxy.c>
+		# Show Proxy LoadBalancer status in mod_status
+		ProxyStatus On
+	</IfModule>
+
+</IfModule>