diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 0bbbacc3..6421514a 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -47,7 +47,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
     OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
     OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
     OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}
-    {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%}
+    {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined and _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 -%}
     OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }}
     {% endif -%}
     {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
diff --git a/vars/debian.yml b/vars/debian.yml
index ba1a7e89..a0f96ab0 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -52,6 +52,9 @@ keystone_idp_distro_packages:
   - ssl-cert
   - xmlsec1
 
+# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured
+_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True
+
 keystone_sp_apache_mod_packages:
   - name: libapache2-mod-shib
     state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 2c590102..277306a3 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -45,6 +45,9 @@ keystone_apache_distro_packages:
 keystone_idp_distro_packages:
   - xmlsec1
 
+# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured
+_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True
+
 keystone_sp_apache_mod_packages:
   - name: shibboleth
     state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
diff --git a/vars/ubuntu-18.04.yml b/vars/ubuntu-18.04.yml
deleted file mode 100644
index 5ce9e407..00000000
--- a/vars/ubuntu-18.04.yml
+++ /dev/null
@@ -1,102 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-cache_timeout: 600
-
-keystone_distro_packages:
-  - git
-  - openssh-server
-  - rsync
-  - cron
-  - libpython3-dev
-
-keystone_devel_distro_packages:
-  - docutils-common
-  - libffi-dev
-  - libjs-sphinxdoc
-  - libjs-underscore
-  - libldap2-dev
-  - libsasl2-dev
-  - libsystemd-dev
-  - libssl-dev
-  - libxslt1.1
-  - libxslt1-dev
-  - libxml2-dev
-  - pkg-config
-
-keystone_service_distro_packages:
-  - python3-keystone
-  - python3-systemd
-  - uwsgi
-  - uwsgi-plugin-python3
-
-keystone_apache_distro_packages:
-  - apache2
-  - apache2-utils
-  - libapache2-mod-proxy-uwsgi
-
-keystone_idp_distro_packages:
-  - ssl-cert
-  - xmlsec1
-
-keystone_sp_apache_mod_packages:
-  - name: libapache2-mod-shib2
-    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
-  - name: libapache2-mod-auth-openidc
-    state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
-
-keystone_developer_mode_distro_packages:
-  - build-essential
-
-keystone_oslomsg_amqp1_distro_packages:
-  - libsasl2-modules
-  - sasl2-bin
-
-keystone_apache_default_sites:
-  - "/etc/apache2/sites-enabled/000-default.conf"
-
-keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
-keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
-keystone_apache_conf: "/etc/apache2/apache2.conf"
-keystone_apache_default_log_folder: "/var/log/apache2"
-keystone_apache_default_log_owner: "root"
-keystone_apache_default_log_grp: "adm"
-keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
-
-keystone_apache_configs:
-  - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
-  - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
-  - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
-
-keystone_apache_modules:
-  - name: "ssl"
-    state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
-  - name: "shib2"
-    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
-  - name: "auth_openidc"
-    state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
-  - name: "proxy_uwsgi"
-    state: "present"
-  - name: "headers"
-    state: "present"
-# This can be enabled when Apache2.5+ is available
-#  - name: "mod_journald"
-#    state: "present
-
-keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"
-
-keystone_uwsgi_bin: '/usr/bin'
-
-keystone_sshd: ssh
diff --git a/vars/ubuntu-22.04.yml b/vars/ubuntu-22.04.yml
deleted file mode 100644
index 3bce800e..00000000
--- a/vars/ubuntu-22.04.yml
+++ /dev/null
@@ -1,106 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-cache_timeout: 600
-
-keystone_distro_packages:
-  - git
-  - libldap-common
-  - openssh-server
-  - rsync
-  - cron
-  - libpython3-dev
-
-keystone_devel_distro_packages:
-  - docutils-common
-  - libffi-dev
-  - libjs-sphinxdoc
-  - libjs-underscore
-  - libldap2-dev
-  - libsasl2-dev
-  - libsystemd-dev
-  - libssl-dev
-  - libxslt1.1
-  - libxslt1-dev
-  - libxml2-dev
-  - pkg-config
-
-keystone_service_distro_packages:
-  - python3-keystone
-  - python3-systemd
-  - uwsgi
-  - uwsgi-plugin-python3
-
-keystone_apache_distro_packages:
-  - apache2
-  - apache2-utils
-  - libapache2-mod-proxy-uwsgi
-
-keystone_idp_distro_packages:
-  - ssl-cert
-  - xmlsec1
-
-keystone_sp_apache_mod_packages:
-  - name: libapache2-mod-shib
-    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
-  - name: libapache2-mod-auth-openidc
-    state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
-
-keystone_developer_mode_distro_packages:
-  - build-essential
-
-keystone_oslomsg_amqp1_distro_packages:
-  - libsasl2-modules
-  - sasl2-bin
-
-keystone_apache_default_sites:
-  - "/etc/apache2/sites-enabled/000-default.conf"
-
-keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
-keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
-keystone_apache_conf: "/etc/apache2/apache2.conf"
-keystone_apache_default_log_folder: "/var/log/apache2"
-keystone_apache_default_log_owner: "root"
-keystone_apache_default_log_grp: "adm"
-keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
-
-keystone_apache_configs:
-  - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
-  - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
-  - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
-
-keystone_apache_modules:
-  - name: "ssl"
-    state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
-  - name: "shib"
-    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
-  - name: "auth_openidc"
-    state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
-  - name: "proxy_uwsgi"
-    state: "present"
-  - name: "headers"
-    state: "present"
-# This can be enabled when Apache2.5+ is available
-#  - name: "mod_journald"
-#    state: "present
-
-keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"
-
-keystone_uwsgi_bin: '/usr/bin'
-
-keystone_sshd: ssh
-
-# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured
-_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True