Use standalone httpd role

In order to unify approach for managing Apache Web server, we migrate to usage of standalone `httpd` role instead of managing apache separately inside service roles. Change-Id: I5be9be18ec0b61a4c24f4ac670cf195db0a65dc8
2025-04-28 18:10:02 +02:00
parent a6b4f71010
commit 4a58212a5e
15 changed files with 198 additions and 465 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -224,19 +224,6 @@ keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('
 ## Apache setup
 keystone_apache_log_level: info
 keystone_apache_custom_log_format: combined
 keystone_apache_servertokens: "Prod"
 keystone_apache_serversignature: "Off"
 ## Apache MPM tunables
 keystone_httpd_mpm_backend: "{{ openstack_apache_mpm_backend | default('event') }}"
 keystone_httpd_mpm_server_limit: "{{ keystone_wsgi_processes }}"
 keystone_httpd_mpm_start_servers: 2
 keystone_httpd_mpm_min_spare_threads: 25
 keystone_httpd_mpm_max_spare_threads: 75
 keystone_httpd_mpm_thread_limit: 64
 keystone_httpd_mpm_thread_child: 25
 keystone_httpd_mpm_max_requests: "{{ keystone_httpd_mpm_server_limit | int * keystone_httpd_mpm_thread_child | int }}"
 keystone_httpd_mpm_max_conn_child: 0
 ## uWSGI setup
 keystone_wsgi_threads: 1
@@ -276,6 +263,8 @@ keystone_pki_regen_cert: ""
 # By default, CA creation is controlled using the CA 'condition' field
 keystone_pki_create_ca: true
 # SAN which will be used by HTTP role to generate certificatess
 keystone_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address) }}"
 # An optional private certificate authority for when Keystone is an IDP
 keystone_idp_authority_name: "KeystoneIDPAuthority"
 keystone_pki_authorities:
@@ -293,46 +282,11 @@ keystone_pki_authorities:
    not_after: "+3650d"
    condition: "{{ (keystone_idp['certfile'] is defined) and _keystone_is_first_play_host }}"
 # By default, certificate creation is controlled using the certificates 'condition' field
 keystone_pki_create_certificates: true
 # Server certificate for Apache
 keystone_pki_certificates:
  - name: "keystone_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address }}"
    signed_by: "{{ keystone_pki_intermediate_cert_name }}"
    condition: "{{ keystone_backend_ssl }}"
 # Set to the value of keystone_idp_authority_name to regenerate the IDP CA
 keystone_pki_regen_ca: ""
 # keystone destination files for Apache SSL certificates
 keystone_ssl_cert: /etc/ssl/certs/keystone.pem
 keystone_ssl_key: /etc/ssl/private/keystone.key
 keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
 # Installation details for SSL certificates
 keystone_pki_install_certificates:
  # Apache certificates
  - src: "{{ keystone_user_ssl_cert | default(keystone_pki_certs_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ keystone_ssl_cert }}"
    owner: "{{ keystone_system_user_name }}"
    group: "{{ keystone_system_group_name }}"
    mode: "0644"
    condition: "{{ keystone_backend_ssl }}"
  - src: "{{ keystone_user_ssl_key | default(keystone_pki_keys_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ keystone_ssl_key }}"
    owner: "{{ keystone_system_user_name }}"
    group: "{{ keystone_system_group_name }}"
    mode: "0600"
    condition: "{{ keystone_backend_ssl }}"
  - src: "{{ keystone_user_ssl_ca_cert | default(keystone_pki_intermediate_cert_path) }}"
    dest: "{{ keystone_ssl_ca_cert }}"
    owner: "{{ keystone_system_user_name }}"
    group: "{{ keystone_system_group_name }}"
    mode: "0644"
    condition: "{{ keystone_user_ssl_ca_cert is defined }}"
  # IDP certificates
  - src: "{{ keystone_pki_dir ~ '/roots/' ~ keystone_idp_authority_name ~ '/certs/' ~ keystone_idp_authority_name ~ '.crt' }}"
    dest: "{{ keystone_idp['certfile'] | default('') }}"
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,33 +13,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # NOTE(noonedeadpunk): Handler with the same name is triggered from the http role
 - name: Restart web server
-  ansible.builtin.service:
+  ansible.builtin.meta: noop
-    name: "{{ keystone_system_service_name }}"
+  when: false
    enabled: true
    state: restarted
    daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}"
  register: _restart
  until: _restart is success
  retries: 5
  delay: 2
  listen:
    - "venv changed"
 - name: Wait for web server to complete starting
  ansible.builtin.wait_for:
    host: "{{ keystone_web_server_bind_address }}"
    port: "{{ item }}"
    timeout: 25
    delay: 10
  with_items:
    - "{{ keystone_service_port }}"
  register: _wait_check
  until: _wait_check is success
  retries: 5
  listen:
    - "venv changed"
    - "Restart web server"
 - name: Stop uWSGI
  ansible.builtin.service:
@@ -82,6 +59,7 @@
  listen:
    - "venv changed"
    - "Restart uWSGI"
    - "Start uWSGI"
 - name: Restart Shibd
  ansible.builtin.service:
--- a/tasks/keystone_apache.yml
+++ b/tasks/keystone_apache.yml
@@ -13,143 +13,62 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
- name: Create apache nogroup group
+- name: Clean-up old vhost files
  ansible.builtin.group:
    name: "nogroup"
    system: "yes"
 - name: Create apache nogroup user
  ansible.builtin.user:
    name: "nogroup"
    group: "nogroup"
    system: "yes"
    shell: "/bin/false"
 - name: Ensure apache log folder exists
  ansible.builtin.file:
    dest: "{{ keystone_apache_default_log_folder }}"
    state: directory
    owner: "{{ keystone_apache_default_log_owner }}"
    group: "{{ keystone_apache_default_log_grp }}"
    mode: "0755"
 - name: Ensure apache2 MPM for Debian/Ubuntu
  community.general.apache2_module:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
    warn_mpm_absent: false
  with_items: "{{ keystone_apache_mpms | sort(attribute='state') }}"
  when:
    - ansible_facts['pkg_mgr'] == 'apt'
  notify: Restart web server
 - name: Ensure apache2 MPM for EL
  ansible.builtin.copy:
    content: |
      LoadModule mpm_{{ keystone_httpd_mpm_backend }}_module modules/mod_mpm_{{ keystone_httpd_mpm_backend }}.so
    dest: /etc/httpd/conf.modules.d/00-mpm.conf
    mode: "0644"
  when:
    - ansible_facts['pkg_mgr'] == 'dnf'
  notify: Restart web server
 ## NOTE(cloudnull):
 ## Module enable/disable process is only functional on Debian
 - name: Enable apache2 modules
  community.general.apache2_module:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  with_items: "{{ keystone_apache_modules }}"
  when:
    - ansible_facts['pkg_mgr'] == 'apt'
    - item.state == 'present'
  notify:
    - Restart web server
 - name: Place apache2 config files
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "root"
    group: "root"
    mode: "0644"
  with_items: "{{ keystone_apache_configs }}"
  notify:
    - Restart web server
 ## NOTE(cloudnull):
 ## Module enable/disable process is only functional on Debian
 - name: Disable apache2 modules
  community.general.apache2_module:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  with_items: "{{ keystone_apache_modules }}"
  when:
    - ansible_facts['pkg_mgr'] == 'apt'
    - item.state == 'absent'
  notify:
    - Restart web server
 ## NOTE(andymccr):
 ## We need to enable a module for httpd on RedHat/CentOS using LoadModule inside conf files
 - name: Enable/disable proxy_uwsgi_module
  ansible.builtin.lineinfile:
    dest: "/etc/httpd/conf.modules.d/00-proxy.conf"
    line: "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so"
    state: "present"
  when:
    - ansible_facts['pkg_mgr'] == 'dnf'
  notify:
    - Restart web server
 - name: Disable default apache site
  ansible.builtin.file:
    path: "{{ item }}"
-    state: "absent"
+    state: absent
-  with_items: "{{ keystone_apache_default_sites }}"
+  loop: "{{ keystone_deprecated_apache_configs }}"
  notify:
    - Restart web server
- name: Enabled keystone vhost
+- name: Including HTTPD role
-  ansible.builtin.file:
+  ansible.builtin.import_role:
-    src: "{{ keystone_apache_site_available }}"
+    name: httpd
-    dest: "{{ keystone_apache_site_enabled }}"
+  vars:
-    state: "link"
+    httpd_pki_dir: "{{ keystone_pki_dir }}"
-  when:
+    httpd_pki_setup_host: "{{ keystone_pki_setup_host }}"
-    - keystone_apache_site_available is defined
+    httpd_ssl_protocol: "{{ keystone_ssl_protocol }}"
-    - keystone_apache_site_enabled is defined
+    httpd_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite_tls12 }}"
-  notify:
+    httpd_ssl_cipher_suite_tls13: "{{ keystone_ssl_cipher_suite_tls13 }}"
-    - Restart web server
+    httpd_pki_regen_cert: "{{ keystone_pki_regen_cert }}"
-
+    httpd_extra_packages: "{{ keystone_sp_apache_mod_packages | selectattr('state', 'eq', 'present') | map(attribute='name') }}"
- name: Ensure Apache ServerName
+    httpd_extra_modules: "{{ keystone_apache_modules }}"
-  ansible.builtin.lineinfile:
+    httpd_vhosts:
-    dest: "{{ keystone_apache_conf }}"
+      - name: openstack_keystone
-    line: "ServerName {{ ansible_facts['hostname'] }}"
+        address: "{{ keystone_web_server_bind_address }}"
-  notify:
+        port: "{{ keystone_service_port }}"
-    - Restart web server
+        log_level: "{{  keystone_apache_log_level }}"
-
+        log_format: "{{ keystone_apache_custom_log_format }}"
- name: Ensure Apache ServerTokens
+        server_name: "{{ ansible_facts['hostname'] }}"
-  ansible.builtin.lineinfile:
+        headers:
-    dest: "{{ keystone_apache_security_conf }}"
+          - 'Header set X-Content-Type-Options "nosniff"'
-    regexp: "^ServerTokens"
+          - 'Header set X-XSS-Protection "1; mode=block"'
-    line: "ServerTokens {{ keystone_apache_servertokens }}"
+          - >-
-  notify:
+            Header set Content-Security-Policy "default-src 'self' https: wss:;"
-    - Restart web server
+          - >-
-
+            {% set scp_script_src = "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';" -%}
- name: Ensure Apache ServerSignature
+            {{ (keystone_sp != {}) | ternary('Header set Content-Security-Policy "' ~ scp_script_src ~ '"', '') }}
-  ansible.builtin.lineinfile:
+          - "Header set X-Frame-Options {{ keystone_x_frame_options | default('DENY') }}"
-    dest: "{{ keystone_apache_security_conf }}"
+        options: |-
-    regexp: "^ServerSignature"
+          {% set options = _keystone_httpd_base_options %}
-    line: "ServerSignature {{ keystone_apache_serversignature }}"
+          {% if keystone_sp_apache_mod_auth_openidc %}
-  notify:
+          {%   set _ = options.extend(_keystone_httpd_openidc_options) %}
-    - Restart web server
+          {% endif %}
-
+          {% if keystone_sp_apache_mod_shib %}
- name: Remove Listen from Apache config
+          {%   set _ = options.extend(_keystone_httpd_shib_options) %}
-  ansible.builtin.lineinfile:
+          {% endif %}
-    dest: "{{ keystone_apache_conf }}"
+          {% set _ = options.append('ProxyPass / uwsgi://127.0.0.1:' ~ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] ~ '/') %}
-    regexp: "^(Listen.*)"
+          {{ options }}
-    backrefs: true
+        locations: |-
-    line: "#\\1"
+          {% set locations = [] %}
-  notify:
+          {% if keystone_sp_apache_mod_auth_openidc %}
-    - Restart web server
+          {%   set _ = locations.extend(_keystone_httpd_openidc_locations) %}
          {% endif %}
          {% if keystone_sp_apache_mod_shib %}
          {%   set _ = locations.extend(_keystone_httpd_shib_locations) %}
          {% endif %}
          {{ locations }}
        directories: "{{ (keystone_sp != {}) | ternary(_keystone_httpd_sp_directories, []) }}"
        ssl: "{{ keystone_backend_ssl | ternary(_keystone_httpd_vhost_ssl, false) }}"
  tags:
    - horizon-install
    - horizon-config
    - httpd
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@@ -22,7 +22,6 @@
    mode: "{{ item.mode | default('0755') }}"
  with_items:
    - { path: "/var/lock/keystone", mode: "2755" }
    - { path: "/var/log/httpd", mode: "2755" }
  when:
    - ansible_facts['pkg_mgr'] == 'dnf'
@@ -58,15 +57,8 @@
  retries: 5
  delay: 2
  notify:
    - Restart web server
    - Restart uWSGI
 - name: Install/remove apache mod packages for federated authentication
  ansible.builtin.package:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  with_items: "{{ keystone_sp_apache_mod_packages }}"
 - name: Install the python venv
  ansible.builtin.import_role:
    name: "python_venv_build"
@@ -145,5 +137,3 @@
    dest: "/var/www/cgi-bin/keystone/main"
    state: link
    force: true
  notify:
    - Restart web server
--- a/tasks/keystone_ldap_setup.yml
+++ b/tasks/keystone_ldap_setup.yml
@@ -43,7 +43,6 @@
  no_log: true
  notify:
    - Restart uWSGI
    - Restart web server
 # Bug 1547542 - Older versions of the keystone role would deploy a blank
 # keystone.Default.conf and this will cause errors when adding LDAP-backed
@@ -55,4 +54,3 @@
  when: keystone_ldap.Default is not defined
  notify:
    - Restart uWSGI
    - Restart web server
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@@ -38,7 +38,6 @@
    config_type: "ini"
  notify:
    - Restart uWSGI
    - Restart web server
 - name: Implement policy.yaml if there are overrides configured
  openstack.config_template.config_template:
@@ -92,7 +91,6 @@
  with_items: "{{ keystone_core_files }}"
  notify:
    - Restart uWSGI
    - Restart web server
 - name: Cleanup fetched temp files
  ansible.builtin.file:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -120,6 +120,21 @@
  tags:
    - always
 - name: Importing keystone_federation_sp_shib_setup tasks
  ansible.builtin.import_tasks: keystone_federation_sp_shib_setup.yml
  when:
    - keystone_sp_apache_mod_shib
    - not (keystone_use_uwsgi | bool)
  tags:
    - keystone-config
 - name: Importing keystone_apache tasks
  ansible.builtin.import_tasks: "keystone_apache.yml"
  when:
    - not (keystone_use_uwsgi | bool)
  tags:
    - keystone-config
 - name: Importing keystone_install tasks
  ansible.builtin.import_tasks: keystone_install.yml
  tags:
@@ -159,14 +174,6 @@
  tags:
    - keystone-config
 - name: Importing keystone_federation_sp_shib_setup tasks
  ansible.builtin.import_tasks: keystone_federation_sp_shib_setup.yml
  when:
    - keystone_sp_apache_mod_shib
    - not (keystone_use_uwsgi | bool)
  tags:
    - keystone-config
 - name: Create and install SSL certificates
  ansible.builtin.include_role:
    name: pki
@@ -177,19 +184,9 @@
    pki_create_ca: "{{ keystone_pki_create_ca }}"
    pki_authorities: "{{ keystone_pki_ca_certificates }}"
    pki_regen_ca: "{{ keystone_pki_regen_ca }}"
    pki_create_certificates: "{{ keystone_pki_create_certificates }}"
    pki_regen_cert: "{{ keystone_pki_regen_cert }}"
    pki_certificates: "{{ keystone_pki_certificates }}"
    pki_install_certificates: "{{ keystone_pki_install_certificates }}"
  when:
-    - (keystone_backend_ssl | bool) or (keystone_idp['certfile'] is defined)
+    - keystone_idp['certfile'] is defined
  tags:
    - keystone-config
 - name: Importing keystone_apache tasks
  ansible.builtin.import_tasks: "keystone_apache.yml"
  when:
    - not (keystone_use_uwsgi | bool)
  tags:
    - keystone-config
--- a/templates/keystone-httpd-mpm.conf.j2
+++ b/templates/keystone-httpd-mpm.conf.j2
@@ -1,10 +0,0 @@
 <IfModule mpm_{{ keystone_httpd_mpm_backend }}_module>
        ServerLimit              {{ keystone_httpd_mpm_server_limit }}
        StartServers             {{ keystone_httpd_mpm_start_servers }}
        MinSpareThreads          {{ keystone_httpd_mpm_min_spare_threads }}
        MaxSpareThreads          {{ keystone_httpd_mpm_max_spare_threads }}
        ThreadLimit              {{ keystone_httpd_mpm_thread_limit }}
        ThreadsPerChild          {{ keystone_httpd_mpm_thread_child }}
        MaxRequestWorkers        {{ keystone_httpd_mpm_max_requests }}
        MaxConnectionsPerChild   {{ keystone_httpd_mpm_max_conn_child }}
 </IfModule>
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -1,147 +0,0 @@
 # {{ ansible_managed }}
 Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 <VirtualHost {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}>
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel  {{  keystone_apache_log_level }}
    ErrorLog  syslog:daemon
    CustomLog "|/usr/bin/env logger -p daemon.info -t {{ keystone_system_service_name }}" {{ keystone_apache_custom_log_format }}
    Options +FollowSymLinks
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Content-Security-Policy "default-src 'self' https: wss:;"
    {% if keystone_sp != {} -%}
    Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
    {% endif -%}
    Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
    {% if keystone_backend_ssl | bool -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
    {% if keystone_user_ssl_ca_cert is defined -%}
    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
    {% if keystone_ssl_cipher_suite_tls12 != "" -%}
    SSLCipherSuite {{ keystone_ssl_cipher_suite_tls12 }}
    {% endif -%}
    {% if keystone_ssl_cipher_suite_tls13 != "" -%}
    SSLCipherSuite TLSv1.3 {{ keystone_ssl_cipher_suite_tls13 }}
    {% endif -%}
    SSLOptions +StdEnvVars +ExportCertData
    {% endif -%}
    {% if keystone_sp_apache_mod_auth_openidc -%}
    OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
    OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
    OIDCScope "{{ keystone_sp.trusted_idp_list.0.oidc_scope | default('openid email profile') }}"
    OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
    OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
    OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
    OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
    OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}
    {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined and _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 -%}
    OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }}
    {% endif -%}
    {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
    OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
    {% endif -%}
    {% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined -%}
    OIDCOutgoingProxy {{ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy }}
    {% endif -%}
    {% if keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint is defined -%}
    OIDCOAuthIntrospectionEndpoint {{ keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint }}
    {% endif -%}
    {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_id is defined -%}
    OIDCOAuthClientID {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_id }}
    {% endif -%}
    {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret is defined -%}
    OIDCOAuthClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret }}
    {% endif -%}
    {% if keystone_sp.trusted_idp_list.0.oidc_pkce_method is defined -%}
    OIDCPKCEMethod {{ keystone_sp.trusted_idp_list.0.oidc_pkce_method }}
    {% endif -%}
    {% if keystone_cache_servers | length > 0 -%}
    OIDCCacheType memcache
    OIDCMemCacheServers "{{ keystone_cache_servers | join(' ') }}"
    {% endif %}
    {% if keystone_sp.trusted_idp_list.0.oidc_auth_request_params is defined -%}
    OIDCAuthRequestParams {{ keystone_sp.trusted_idp_list.0.oidc_auth_request_params }}
    {% endif %}
    {% if keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies is defined -%}
    OIDCStateMaxNumberOfCookies {{ keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies }}
    {% endif %}
    {% if keystone_sp.trusted_idp_list.0.oidc_default_url is defined -%}
    OIDCDefaultURL {{ keystone_sp.trusted_idp_list.0.oidc_default_url }}
    {% endif %}
    {% if keystone_sp.trusted_idp_list.0.oidc_claim_delimiter is defined -%}
    OIDCClaimDelimiter "{{ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter }}"
    {% endif %}
    <Location {{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}>
      Require valid-user
      AuthType openid-connect
    </Location>
    <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
      Require valid-user
      AuthType auth-openidc
    </Location>
    <Location /v3/auth/OS-FEDERATION/websso/openid>
      Require valid-user
      AuthType openid-connect
    </Location>
    <Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso>
      Require valid-user
      AuthType openid-connect
    </Location>
    {% endif %}
    {%- if keystone_sp_apache_mod_shib -%}
    ShibURLScheme {{ keystone_service_publicuri_proto }}
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    <Location /v3/auth/OS-FEDERATION/websso/saml2>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting exportAssertion 1
        ShibRequireSession On
        ShibExportAssertion On
        Require valid-user
    </Location>
    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user
    </LocationMatch>
    {% endif %}
    {% if keystone_sp != {} -%}
    <Directory /var/www/cgi-bin/keystone>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    {% endif %}
    {% if keystone_sp_apache_mod_shib -%}
    ProxyPass /Shibboleth.sso !
    {% endif -%}
    ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
 </VirtualHost>
--- a/templates/keystone-ports.conf.j2
+++ b/templates/keystone-ports.conf.j2
@@ -1,6 +0,0 @@
 # {{ ansible_managed }}
 # We place a blank file here
 # Listen commands happen inside the individual VHost files
 # This allows for multiple services VHosts to exist without
 # overwriting Listen lines.
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -41,11 +41,6 @@ keystone_service_distro_packages:
  - python3-keystone
  - python3-systemd
 keystone_apache_distro_packages:
  - apache2
  - apache2-utils
  - libapache2-mod-proxy-uwsgi
 keystone_idp_distro_packages:
  - ssl-cert
  - xmlsec1
@@ -62,47 +57,21 @@ keystone_sp_apache_mod_packages:
 keystone_developer_mode_distro_packages:
  - build-essential
-keystone_apache_default_sites:
+keystone_deprecated_apache_configs:
-  - "/etc/apache2/sites-enabled/000-default.conf"
+  - /etc/apache2/sites-available/keystone-httpd.conf
-
+  - /etc/apache2/sites-enabled/keystone-httpd.conf
 keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
 keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
 keystone_apache_conf: "/etc/apache2/apache2.conf"
 keystone_apache_default_log_folder: "/var/log/apache2"
 keystone_apache_default_log_owner: "root"
 keystone_apache_default_log_grp: "adm"
 keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
 keystone_apache_configs:
  - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
  - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
  - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
 keystone_apache_mpms:
  - name: "mpm_event"
    state: "{{ (keystone_httpd_mpm_backend == 'event') | ternary('present', 'absent') }}"
  - name: "mpm_worker"
    state: "{{ (keystone_httpd_mpm_backend == 'worker') | ternary('present', 'absent') }}"
  - name: "mpm_prefork"
    state: "{{ (keystone_httpd_mpm_backend == 'prefork') | ternary('present', 'absent') }}"
 keystone_apache_modules:
  - name: "ssl"
    state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
  - name: "shib"
    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
  - name: "auth_openidc"
    state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
  - name: "proxy_uwsgi"
    state: "present"
  - name: "headers"
    state: "present"
 # This can be enabled when Apache2.5+ is available
 #  - name: "mod_journald"
 #    state: "present
 keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"
 keystone_uwsgi_bin: "/usr/bin"
 keystone_sshd: ssh
--- a/vars/distro_install.yml
+++ b/vars/distro_install.yml
@@ -19,7 +19,7 @@
 # enabled.
 #
 keystone_package_list: |-
-  {% set packages = keystone_distro_packages | union((keystone_use_uwsgi | bool) | ternary([], keystone_apache_distro_packages)) %}
+  {% set packages = keystone_distro_packages %}
  {% if keystone_idp != {} %}
  {%   set _ = packages.extend(keystone_idp_distro_packages) %}
  {% endif %}
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -77,3 +77,116 @@ _keystone_cache_backend_package: |-
  {%-   endif %}
  {%- endfor %}
  oslo.cache[{{ oslo.backend }}]
 _keystone_httpd_vhost_ssl: |-
  {% set ssl_options = {} %}
  {% if (keystone_user_ssl_cert is defined and keystone_user_ssl_cert) and (keystone_user_ssl_key is defined and keystone_user_ssl_key) %}
  {%   set _ = ssl_options.update({'cert': keystone_user_ssl_cert, 'key': keystone_user_ssl_key}) %}
  {%   if keystone_user_ssl_ca_cert is defined and keystone_user_ssl_ca_cert %}
  {%     set _ = ssl_options.update({'ca': keystone_user_ssl_ca_cert}) %}
  {%   endif %}
  {% else %}
  {%   set _ = ssl_options.update({'san': keystone_pki_san}) %}
  {% endif %}
  {{ ssl_options }}
 _keystone_httpd_base_options:
  - Options +FollowSymLinks
 _keystone_httpd_shib_options:
  - "ShibURLScheme {{ keystone_service_publicuri_proto }}"
  - "ProxyPass /Shibboleth.sso !"
  - "<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>"
  - "   ShibRequestSetting requireSession 1"
  - "   AuthType shibboleth"
  - "   ShibExportAssertion Off"
  - "   Require valid-user"
  - "</LocationMatch>"
 _keystone_httpd_openidc_base_options:
  - "OIDCClaimPrefix \"{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}\""
  - "OIDCResponseType \"{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}\""
  - "OIDCScope \"{{ keystone_sp.trusted_idp_list.0.oidc_scope | default('openid email profile') }}\""
  - "OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}"
  - "OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}"
  - "OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}"
  - "OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}"
  - "OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}"
 _keystone_httpd_openidc_options: |-
  {% set openidc_options = _keystone_httpd_openidc_base_options %}
  {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined and _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 %}
  {%   set _ = openidc_options.append('OIDCXForwardedHeaders ' ~ keystone_secure_proxy_ssl_header) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined %}
  {%   set _ = openidc_options.append('OIDCOAuthVerifyJwksUri ' ~ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined %}
  {%   set _ = openidc_options.append('OIDCOutgoingProxy ' ~ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint is defined %}
  {%   set _ = openidc_options.append('OIDCOAuthIntrospectionEndpoint ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_id is defined %}
  {%   set _ = openidc_options.append('OIDCOAuthClientID ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_client_id) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret is defined %}
  {%   set _ = openidc_options.append('OIDCOAuthClientSecret ' ~ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_pkce_method is defined %}
  {%   set _ = openidc_options.append('OIDCPKCEMethod ' ~ keystone_sp.trusted_idp_list.0.oidc_pkce_method) %}
  {% endif %}
  {% if keystone_cache_servers | length > 0 -%}
  {%   set _ = openidc_options.append('OIDCCacheType memcache') %}
  {%   set _ = openidc_options.append('OIDCMemCacheServers "' ~ keystone_cache_servers | join(' ') ~ '"') %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_auth_request_params is defined %}
  {%   set _ = openidc_options.append('OIDCAuthRequestParams ' ~ keystone_sp.trusted_idp_list.0.oidc_auth_request_params) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies is defined -%}
  {%   set _ = openidc_options.append('OIDCStateMaxNumberOfCookies ' ~ keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_default_url is defined %}
  {%   set _ = openidc_options.append('OIDCDefaultURL ' ~ keystone_sp.trusted_idp_list.0.oidc_default_url) %}
  {% endif %}
  {% if keystone_sp.trusted_idp_list.0.oidc_claim_delimiter is defined %}
  {%   set _ = openidc_options.append('OIDCClaimDelimiter ' ~ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter) %}
  {% endif %}
  {{ openidc_options }}
 _keystone_httpd_openidc_location_options:
  - Require valid-user
  - AuthType openid-connect
 _keystone_httpd_openidc_locations:
  - path: "{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}"
    options: "{{ _keystone_httpd_openidc_location_options }}"
  - path: "/v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth"
    options:
      - Require valid-user
      - AuthType auth-openidc
  - path: /v3/auth/OS-FEDERATION/websso/openid
    options: "{{ _keystone_httpd_openidc_location_options }}"
  - path: /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso
    options: "{{ _keystone_httpd_openidc_location_options }}"
 _keystone_httpd_shib_locations:
  - path: /CShibboleth.sso
    options:
      - SetHandler shib
  - path: /v3/auth/OS-FEDERATION/websso/saml2\
    options:
      - AuthType shibboleth
      - ShibRequestSetting requireSession 1
      - ShibRequestSetting exportAssertion 1
      - ShibRequireSession On
      - ShibExportAssertion On
      - Require valid-user
 _keystone_httpd_sp_directories:
  - path: /var/www/cgi-bin/keystone
    options:
      - Options Indexes FollowSymLinks MultiViews
      - AllowOverride All
      - Order allow,deny
      - allow from all
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -35,11 +35,6 @@ keystone_service_distro_packages:
  - openstack-keystone
  - python3-systemd
 keystone_apache_distro_packages:
  - httpd
  - httpd-tools
  - mod_ssl
 keystone_idp_distro_packages:
  - xmlsec1
@@ -55,23 +50,8 @@ keystone_sp_apache_mod_packages:
 keystone_developer_mode_distro_packages:
  - gcc
-keystone_apache_default_sites:
+keystone_deprecated_apache_configs:
-  - "/etc/httpd/conf.d/userdir.conf"
+  - /etc/httpd/conf.d/keystone-httpd.conf
  - "/etc/httpd/conf.d/welcome.conf"
  - "/etc/httpd/conf.d/ssl.conf"
 keystone_apache_conf: "/etc/httpd/conf/httpd.conf"
 keystone_apache_default_log_folder: "/var/log/httpd"
 keystone_apache_default_log_owner: "root"
 keystone_apache_default_log_grp: "root"
 keystone_apache_security_conf: "{{ keystone_apache_conf }}"
 keystone_apache_configs:
  - { src: "keystone-ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf" }
  - { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
  - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
 keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'httpd') }}"
 keystone_uwsgi_bin: "/usr/sbin"
--- a/vars/source_install.yml
+++ b/vars/source_install.yml
@@ -19,7 +19,7 @@
 # enabled.
 #
 keystone_package_list: |-
-  {% set packages = keystone_distro_packages | union((keystone_use_uwsgi | bool) | ternary([], keystone_apache_distro_packages)) %}
+  {% set packages = keystone_distro_packages %}
  {% if keystone_idp != {} %}
  {%   set _ = packages.extend(keystone_idp_distro_packages) %}
  {% endif %}