
Improve Apache2 configuration and make possible to use FPM with Apache2

Emmanuel Bouthenot пре 5 година
родитељ
комит
fcbcdd065a

+ 27 - 3
roles/webserver/tasks/apache2.yml

@@ -6,7 +6,31 @@
     - 'web'
     - 'apache2'
 
-- name: 'Install logrotate configuration for Apache'
+- name: 'Enable Apache2 default modules'
+  apache2_module:
+    name: '{{ item }}'
+    state: 'present'
+  with_items:
+    - 'ssl'
+    - 'rewrite'
+    - 'expires'
+    - 'headers'
+  tags:
+    - 'web'
+    - 'apache2'
+
+- name: 'Enable Apache2 default modules (Debian >= 9)'
+  apache2_module:
+    name: '{{ item }}'
+    state: 'present'
+  with_items:
+    - 'http2'
+  when: ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'apache2'
+
+- name: 'Install logrotate configuration for Apache2'
   template:
     src: 'logrotate/apache2.j2'
     dest: '/etc/logrotate.d/apache2'
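Review bot: Neither of the two new `apache2_module` tasks notifies a handler, so a newly enabled `ssl`, `headers` or `http2` module is not loaded until something else restarts Apache; the module tasks this commit adds to php.yml use `notify: - 'Reload apache2'`, and the same is needed here. Until then the `<IfModule http2_module>` blocks added to the vhost templates are skipped silently. The `when:` test reads `ansible_lsb.major_release`, which is only populated when `lsb_release` is installed on the target; `ansible_distribution_major_version|int >= 9` avoids that dependency. The logrotate task at the end of the hunk continues outside it.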
@@ -17,7 +41,7 @@
     - 'web'
     - 'apache2'
 
-- name: 'Install SSL vhost configuration for Apache'
+- name: 'Install SSL vhost configuration for Apache2'
   template:
     src: 'apache2/vhost_ssl.j2'
     dest: '/etc/apache2/vhost_ssl-{{ item }}.conf'
@@ -32,7 +56,7 @@
     - 'web'
     - 'apache2'
 
-- name: 'Install SSL vhost configuration for Apache (Lets Encrypt certificates)'
+- name: 'Install SSL vhost configuration for Apache2 (Lets Encrypt certificates)'
   template:
     src: 'apache2/vhost_ssl_auto.j2'
     dest: '/etc/apache2/vhost_ssl_auto-{{ item.split(" ")[0] }}.conf'

+ 56 - 1
roles/webserver/tasks/php.yml

@@ -25,7 +25,6 @@
     - 'php{{ php_version }}-curl'
     - 'php{{ php_version }}-gd'
     - 'php{{ php_version }}-intl'
-    - 'php{{ php_version }}-mcrypt'
     - 'php{{ php_version }}-mysql'
     - 'php{{ php_version }}-pgsql'
     - 'php{{ php_version }}-sqlite3'
@@ -34,6 +33,17 @@
     - 'web'
     - 'php'
 
+- name: 'Install common PHP dependencies (Debian >= 9 and PHP < 7.2)'
+  apt:
+    pkg: '{{ item }}'
+    state: 'present'
+  with_items:
+    - 'php{{ php_version }}-mcrypt'
+  when: with_php and ansible_lsb.major_release|int >= 9 and php_version|float < 7.2
+  tags:
+    - 'web'
+    - 'php'
+
 - name: 'Create PHP log directory'
   file:
     path: '/var/log/php'
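Review bot: With `php{{ php_version }}-mcrypt` removed from the common package list and this task limited to `ansible_lsb.major_release|int >= 9`, no task visible in this diff installs mcrypt on Debian releases below 9, where it was installed before; if those hosts are still supported, the release test should be dropped or a second branch added. `php_version|float < 7.2` compares versions as floats, which would misorder a value such as `7.10`; where the Ansible version in use provides it, `php_version is version('7.2', '<')` is the safer test. The 'Create PHP log directory' task that follows continues outside the hunk.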
@@ -110,6 +120,39 @@
     - 'web'
     - 'php'
 
+- name: 'Configure Apache2 modules for php-fpm{{ php_version }}'
+  apache2_module:
+    name: '{{ item.name }}'
+    state: '{{ item.state }}'
+    ignore_configcheck: '{{ item.ignore_configcheck }}'
+  with_items:
+    - {name: 'mpm_prefork', state: 'absent', ignore_configcheck: 'yes'}
+    - {name: 'mpm_event', state: 'present', ignore_configcheck: 'yes'}
+    - {name: 'php{{ php_version }}', state: 'absent', ignore_configcheck: 'no'}
+    - {name: 'proxy_fcgi', state: 'present', ignore_configcheck: 'no'}
+  when: with_fpm and with_apache2
+  notify:
+      - 'Reload apache2'
+  tags:
+    - 'web'
+    - 'php'
+
+- name: 'Configure Apache2 modules for modphp{{ php_version }}'
+  apache2_module:
+    name: '{{ item.name }}'
+    state: '{{ item.state }}'
+    ignore_configcheck: '{{ item.ignore_configcheck }}'
+  with_items:
+    - {name: 'mpm_event', state: 'absent', ignore_configcheck: 'yes'}
+    - {name: 'mpm_prefork', state: 'present', ignore_configcheck: 'yes'}
+    - {name: 'php{{ php_version }}', state: 'present', ignore_configcheck: 'no'}
+  when: with_modphp
+  notify:
+      - 'Reload apache2'
+  tags:
+    - 'web'
+    - 'php'
+
 - name: 'Install local PHP configuration (Debian < 8)'
   template:
     src: 'php/php-config-web.ini.j2'
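Review bot: Both new tasks swap the MPM (`mpm_prefork` against `mpm_event`) but only notify `'Reload apache2'`; Apache generally needs a full restart rather than a graceful reload to change MPM, so if that handler performs a reload (its definition is not in this diff) the switch may not take effect. The modphp task is guarded by `when: with_modphp` alone while the FPM task uses `with_fpm and with_apache2`; with both `with_fpm` and `with_modphp` set the two tasks undo each other on every run, so the guard should be `when: with_modphp and with_apache2 and not with_fpm`, or the variables should be asserted mutually exclusive. The `notify:` list items are indented six spaces where the rest of the file uses four. The task after the second one continues outside the hunk.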
@@ -349,6 +392,18 @@
     - 'web'
     - 'php'
 
+- name: 'Install Apache2 config files for PHP FPM'
+  template:
+    src: 'fpm/apache2/fpm-pool.conf.j2'
+    dest: '/etc/apache2/conf-available/fpm-pool.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: with_fpm and with_apache2
+  tags:
+    - 'web'
+    - 'php'
+
 - name: 'Install Nginx config files for PHP FPM (fpm servers pool)'
   template:
     src: 'fpm/nginx/fpm-pool.conf.j2'
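Review bot: The new template task for `/etc/apache2/conf-available/fpm-pool.conf` has no `notify:`, so a later change to the handler or socket path in the template is written to disk but not picked up by the running Apache; `notify: - 'Reload apache2'`, as used by the module tasks earlier in this file, closes that gap. The file is placed in `conf-available` and pulled in by `Include` from the vhost templates rather than enabled globally, which deserves a one-line comment above the task such as `# included per vhost, not enabled with a2enconf`. The Nginx task at the end of the hunk continues outside it.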

+ 10 - 1
roles/webserver/templates/apache2/pga_vhost.j2

@@ -29,8 +29,17 @@
         php_admin_value post_max_size 128M
     </IfModule>
 
+    <IfModule php7_module>
+        php_admin_value max_execution_time 240
+        php_admin_value upload_max_filesize 128M
+        php_admin_value post_max_size 128M
+    </IfModule>
+
+{% if with_fpm %}
+    Include conf-available/fpm-pool.conf
+{% endif %}
+
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/pga.access.log combined
     ErrorLog ${APACHE_LOG_DIR}/pga.error.log
-
 </VirtualHost>
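Review bot: The `php_admin_value` limits added under `<IfModule php7_module>` apply only when mod_php is loaded; when `with_fpm` is set, the tasks in php.yml disable the php module, so on FPM hosts this vhost falls back to whatever the pool or php.ini defines for `max_execution_time`, `upload_max_filesize` and `post_max_size`. If the 240 s and 128M values are required for this tool, they need an equivalent in the FPM pool configuration (for example `php_admin_value[upload_max_filesize] = 128M`), which is not part of this diff. The same applies to the `php7_module` blocks added to pma_vhost.j2 and sys_vhost.j2. The enclosing `<VirtualHost>` starts outside the hunk.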

+ 18 - 0
roles/webserver/templates/apache2/pma_vhost.j2

@@ -32,6 +32,10 @@
         php_admin_value post_max_size 128M
     </IfModule>
 
+{% if with_fpm %}
+    Include conf-available/fpm-pool.conf
+{% endif %}
+
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/pma.access.log combined
     ErrorLog ${APACHE_LOG_DIR}/pma.error.log
@@ -42,6 +46,10 @@
 <VirtualHost {%if phpmyadmin_vhostip %}{{ phpmyadmin_vhostip }}{% else %}*{% endif %}:{%if phpmyadmin_vhostport %}{{ phpmyadmin_vhostport }}{% else %}443{% endif %}>
     ServerName {{ phpmyadmin_vhostname }}
 
+    <IfModule http2_module>
+        Protocols h2 http/1.1
+    </IfModule>
+
     Include vhost_ssl_auto-{{ phpmyadmin_vhostname }}.conf
 
     DocumentRoot /usr/share/phpmyadmin
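Review bot: `Protocols h2 http/1.1` is emitted whenever `http2_module` is loaded, but the modphp path in php.yml selects `mpm_prefork`, and Apache releases from 2.4.27 on do not negotiate h2 under prefork, so on mod_php hosts this block has no effect beyond a log warning. Either enable `http2` only together with the FPM and `mpm_event` setup, or add a template comment stating that h2 is expected on FPM hosts only. The same block is added to sys_vhost.j2, and the `<VirtualHost>` continues outside the hunk.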
@@ -64,6 +72,16 @@
         php_admin_value post_max_size 128M
     </IfModule>
 
+    <IfModule php7_module>
+        php_admin_value max_execution_time 240
+        php_admin_value upload_max_filesize 128M
+        php_admin_value post_max_size 128M
+    </IfModule>
+
+{% if with_fpm %}
+    Include conf-available/fpm-pool.conf
+{% endif %}
+
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/pma.access.log combined
     ErrorLog ${APACHE_LOG_DIR}/pma.error.log

+ 18 - 0
roles/webserver/templates/apache2/sys_vhost.j2

@@ -29,6 +29,10 @@
         Allow from all
     </Directory>
 
+{% if with_fpm %}
+    Include conf-available/fpm-pool.conf
+{% endif %}
+
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/sys.access.log combined
     ErrorLog ${APACHE_LOG_DIR}/sys.error.log
@@ -39,6 +43,10 @@
 <VirtualHost {%if phpsyscheck_vhostip %}{{ phpsyscheck_vhostip }}{% else %}*{% endif %}:{%if phpsyscheck_vhostport %}{{ phpsyscheck_vhostport }}{% else %}443{% endif %}>
     ServerName {{ phpsyscheck_vhostname }}
 
+    <IfModule http2_module>
+        Protocols h2 http/1.1
+    </IfModule>
+
     Include vhost_ssl_auto-{{ phpsyscheck_vhostname }}.conf
 
     DocumentRoot /etc/phpsyscheck
@@ -60,6 +68,16 @@
         Allow from all
     </Directory>
 
+    <IfModule php7_module>
+        php_admin_value max_execution_time 240
+        php_admin_value upload_max_filesize 128M
+        php_admin_value post_max_size 128M
+    </IfModule>
+
+{% if with_fpm %}
+    Include conf-available/fpm-pool.conf
+{% endif %}
+
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/sys.access.log combined
     ErrorLog ${APACHE_LOG_DIR}/sys.error.log

+ 30 - 0
roles/webserver/templates/fpm/apache2/fpm-pool.conf.j2

@@ -0,0 +1,30 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+<IfModule proxy_fcgi_module>
+    <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
+    {% if ansible_lsb.major_release|int >= 9 %}
+        SetHandler "proxy:unix:/run/php/php{{ php_version }}-fpm-pool-www0.sock|fcgi://localhost"
+    {% else %}
+        SetHandler "proxy:unix:/var/run/php5-fpm-pool-www0.sock|fcgi://localhost"
+    {% endif %}
+    </FilesMatch>
+    <FilesMatch ".+\.phps$">
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+        <IfVersion < 2.4>
+            Deny From All
+        </IfVersion>
+    </FilesMatch>
+    # Deny access to files without filename (e.g. '.php')
+    <FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+        <IfVersion < 2.4>
+            Deny From All
+        </IfVersion>
+    </FilesMatch>
+</IfModule>
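Review bot: Because the handler and both deny rules sit inside `<IfModule proxy_fcgi_module>`, a host where `proxy_fcgi` fails to load starts cleanly with none of them, and since the FPM tasks also disable the php module, `.php` files under the vhosts that include this file would then be served as static files, exposing their source. Dropping the `<IfModule>` wrapper turns a missing module into a config-test failure instead. The `SetHandler` matches on filename only, so requests for non-existent `.php` paths are also forwarded to FPM; wrapping it in `<If "-f %{REQUEST_FILENAME}">` limits it to real files. Every vhost that includes this file shares the single `www0` pool socket, so the admin tools run as the same FPM user as anything else on that pool, which is worth confirming as intended.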