roles/apache: Configure mod_userdir

By default, per-user directories (i.e. `/~username/`) are disabled in Fedora's configuration of Apache. This commit introduces a new variable, `apache_userdir`, which can be used to enable this feature. It should be set to a string other than *disabled*, which is the path under users' home directories that will be served, if it is accessible. Normally, the value would be `public_html`.
2018-12-30 15:18:31 -06:00 · 2018-12-30 15:18:31 -06:00 · ea1f52814d
parent 972dbd1fdf
commit ea1f52814d
2 changed files with 56 additions and 0 deletions
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@ -57,6 +57,18 @@
    setype=httpd_config_t
  notify: reload httpd

+- name: ensure apache userdir module is configured
+  template:
+    src=userdir.httpd.conf.j2
+    dest=/etc/httpd/conf.d/userdir.conf
+    mode=0644
+  notify: reload httpd
+- name: ensure selinux is configured for apache user directories
+  seboolean:
+    name=httpd_enable_homedirs
+    persistent=yes
+    state={{ 'yes' if apache_userdir is defined else 'no' }}
+
 - name: ensure apache mpm module is configured
  template:
    src=mpm.httpd.conf.j2
--- a/roles/apache/templates/userdir.httpd.conf.j2
+++ b/roles/apache/templates/userdir.httpd.conf.j2
@ -0,0 +1,44 @@
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+#
+# The path to the end user account 'public_html' directory must be
+# accessible to the webserver userid.  This usually means that ~userid
+# must have permissions of 711, ~userid/public_html must have permissions
+# of 755, and documents contained therein must be world-readable.
+# Otherwise, the client will only receive a "403 Forbidden" message.
+#
+<IfModule mod_userdir.c>
+    #
+    # UserDir is disabled by default since it can confirm the presence
+    # of a username on the system (depending on home directory
+    # permissions).
+    #
+{% if apache_userdir is defined %}
+    #UserDir disabled
+{% else %}
+    UserDir disabled
+{% endif %}
+
+    #
+    # To enable requests to /~user/ to serve the user's public_html
+    # directory, remove the "UserDir disabled" line above, and uncomment
+    # the following line instead:
+    # 
+{% if apache_userdir is defined %}
+    UserDir {{ apache_userdir }}
+{% else %}
+    #UserDir public_html
+{% endif %}
+</IfModule>
+
+#
+# Control access to UserDir directories.  The following is an example
+# for a site where these directories are restricted to read-only.
+#
+<Directory "/home/*/public_html">
+    AllowOverride FileInfo AuthConfig Limit Indexes
+    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+    Require method GET POST OPTIONS
+</Directory>
+