Saltstack Official Apache Formula

modules.sls 21KB

  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. apache:
  5. lookup:
  6. master: template-master
  7. # apache version (generally '2.2' or '2.4')
  8. # version: '2.2'
  9. # Default value for AddDefaultCharset in RedHat configuration
  10. default_charset: 'UTF-8'
  11. # Should we enforce DocumentRoot user/group?
  12. document_root_user: null # Defaults to: apache.user
  13. document_root_group: null # Defaults to: apache.group
  14. # Just for testing purposes
  15. winner: lookup
  16. added_in_lookup: lookup_value
  17. # Using bash package and udev service as an example. This allows us to
  18. # test the template formula itself. You should set these parameters to
  19. # examples that make sense in the context of the formula you're writing.
  20. # pkg:
  21. # deps:
  22. # mod_ssl # redhat
  23. # mod_security # redhat
  24. # mod_geoip # redhat
  25. # GeoIP # redhat
  26. # libapache2-mod-security2 # Debian
  27. global:
  28. # global apache directives
  29. AllowEncodedSlashes: 'On'
  30. name_virtual_hosts:
  31. - interface: '*'
  32. port: 80
  33. - interface: '*'
  34. port: 443
  35. # ``apache.vhosts`` formula additional configuration:
  36. # fqdn should be added to /etc/hosts i.e. ##
  37. # $ tail -3 /etc/hosts
  38. # 127.0.0.1 example.com
  39. # 127.0.0.1 www.redirectmatch.com
  40. # 127.0.0.1 www.proxyexample.com
  41. sites:
  42. example.net:
  43. template_file: salt://apache/config/vhosts/minimal.tmpl
  44. port: '8081'
  45. example.com: # must be unique; used as an ID declaration in Salt.
  46. enabled: true
  47. # or minimal.tmpl or redirect.tmpl or proxy.tmpl
  48. template_file: salt://apache/config/vhosts/standard.tmpl
  49. ####################### DEFAULT VALUES BELOW ############################
  50. # NOTE: the values below are simply default settings that *can* be
  51. # overridden and are not required in order to use this formula to create
  52. # vhost entries.
  53. #
  54. # Do not copy the values below into your Pillar unless you intend to
  55. # modify these values.
  56. ####################### DEFAULT VALUES BELOW ############################
  57. template_engine: jinja
  58. interface: '*'
  59. port: '443'
  60. exclude_listen_directive: true # Do not add a Listen directive in httpd.conf
  61. ServerName: example.com # uses the unique ID above unless specified
  62. # ServerAlias: www.example.com # Do not add ServerAlias unless defined
  63. ServerAdmin: webmaster@example.com
  64. LogLevel: warn
  65. # E.g.: /var/log/apache2/example.com-error.log
  66. # ErrorLog: /path/to/logs/example.com-error.log
  67. # E.g.: /var/log/apache2/example.com-access.log
  68. # CustomLog: /path/to/logs/example.com-access.log
  69. # E.g., /var/www/example.com
  70. DocumentRoot: /path/to/www/dir/example.com
  71. # do not enforce user, defaults to lookup:document_root_user or apache.user
  72. DocumentRootUser: null
  73. # Force group, defaults to lookup:document_root_group or apache.user
  74. DocumentRootGroup: null
  75. {%- if grains.os_family in ('Debian', 'Suse', 'Gentoo') %}
  76. SSLCertificateFile: /etc/apache2/conf/server.crt
  77. SSLCertificateKeyFile: /etc/apache2/conf/server.key
  78. {%- else %}
  79. SSLCertificateFile: /etc/httpd/conf/server.crt
  80. SSLCertificateKeyFile: /etc/httpd/conf/server.key
  81. {%- endif %}
  82. # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  83. SSLCertificateFile_content: |
  84. -----BEGIN CERTIFICATE-----
  85. MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x
  86. CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp
  87. Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM
  88. C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL
  89. MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj
  90. bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL
  91. ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL
  92. ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D
  93. mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8
  94. yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo
  95. th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m
  96. TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY
  97. i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27
  98. jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl
  99. aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+
  100. 2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO
  101. W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb
  102. 2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl
  103. ylssbnQ=
  104. -----END CERTIFICATE-----
  105. SSLCertificateKeyFile_content: |  # Example/test key published with this file: never deploy it. The same key material appears to be repeated under the 8443-proxyexample.com site. Real private keys belong in an encrypted pillar (e.g. Salt's GPG renderer) or a secret store, not in plaintext pillar under version control.
  106. -----BEGIN RSA PRIVATE KEY-----
  107. MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx
  108. svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY
  109. t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272
  110. a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw
  111. xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V
  112. 2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P
  113. Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS
  114. 70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR
  115. zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd
  116. vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj
  117. eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ
  118. viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk
  119. Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS
  120. 2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv
  121. ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+
  122. dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI
  123. FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU
  124. Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc
  125. KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu
  126. UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA
  127. e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu
  128. wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3
  129. LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF
  130. eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ
  131. qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4
  132. -----END RSA PRIVATE KEY-----
  133. Directory:  # per-directory access settings for this vhost
  134. # "default" is a special case; uses DocumentRoot value
  135. # E.g.: /var/www/example.com
  136. default:
  137. Options: -Indexes +FollowSymLinks  # -Indexes: no auto-generated directory listings; +FollowSymLinks: symlinks are followed (SymLinksIfOwnerMatch is the stricter alternative)
  138. Order: allow,deny # For Apache < 2.4
  139. Allow: from all # For Apache < 2.4
  140. Require: all granted # For Apache >= 2.4 (replaces Order/Allow); grants access to every client
  141. AllowOverride: None  # .htaccess files are ignored, so content in the tree cannot override this policy
  142. # Formula_Append: |
  143. # Additional config as a
  144. # multi-line string here
  145. redirectmatch.com:
  146. # Use RedirectMatch Directive
  147. # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
  148. # Require module mod_alias
  149. enabled: true
  150. template_file: salt://apache/config/vhosts/redirect.tmpl
  151. ServerName: www.redirectmatch.com
  152. ServerAlias: www.redirectmatch.com
  153. RedirectMatch: true
  154. RedirectSource: '^/$'
  155. RedirectTarget: '/subdirectory'
  156. DocumentRoot: /var/www/html/
  157. port: '8083'
  158. 8084-proxyexample.com:
  159. template_file: salt://apache/config/vhosts/redirect.tmpl
  160. ServerName: www.proxyexample.com
  161. ServerAlias: www.proxyexample.com
  162. RedirectSource: '/'
  163. RedirectTarget: 'https://www.proxyexample.com/'
  164. DocumentRoot: /var/www/proxy
  165. port: '8084'
  166. 8443-proxyexample.com:
  167. template_file: salt://apache/config/vhosts/proxy.tmpl
  168. ServerName: www.proxyexample.com
  169. ServerAlias: www.proxyexample.com
  170. interface: '*'
  171. port: '8443'
  172. DocumentRoot: /var/www/proxy
  173. Rewrite: |
  174. RewriteRule ^/webmail$ /webmail/ [R]
  175. RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
  176. RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
  177. SSLCertificateFile: /etc/httpd/conf/server.crt
  178. SSLCertificateKeyFile: /etc/httpd/conf/server.key
  179. # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  180. SSLCertificateFile_content: |
  181. -----BEGIN CERTIFICATE-----
  182. MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x
  183. CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp
  184. Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM
  185. C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL
  186. MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj
  187. bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL
  188. ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL
  189. ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D
  190. mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8
  191. yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo
  192. th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m
  193. TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY
  194. i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27
  195. jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl
  196. aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+
  197. 2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO
  198. W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb
  199. 2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl
  200. ylssbnQ=
  201. -----END CERTIFICATE-----
  202. SSLCertificateKeyFile_content: |
  203. -----BEGIN RSA PRIVATE KEY-----
  204. MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx
  205. svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY
  206. t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272
  207. a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw
  208. xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V
  209. 2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P
  210. Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS
  211. 70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR
  212. zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd
  213. vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj
  214. eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ
  215. viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk
  216. Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS
  217. 2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv
  218. ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+
  219. dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI
  220. FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU
  221. Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc
  222. KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu
  223. UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA
  224. e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu
  225. wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3
  226. LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF
  227. eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ
  228. qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4
  229. -----END RSA PRIVATE KEY-----
  230. SSLCertificateChainFile_content: |
  231. -----BEGIN CERTIFICATE-----
  232. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  233. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  234. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  235. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  236. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  237. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  238. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  239. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  240. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  241. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  242. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  243. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  244. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  245. -----END CERTIFICATE-----
  246. -----BEGIN CERTIFICATE-----
  247. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  248. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  249. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  250. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  251. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  252. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  253. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  254. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  255. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  256. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  257. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  258. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  259. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  260. -----END CERTIFICATE-----
  261. ProxyRequests: 'Off'  # forward proxying disabled; the reverse-proxy routes below still work. Keep 'Off' so the vhost cannot act as an open proxy
  262. ProxyPreserveHost: 'On'  # the client's Host header is passed through to the backend instead of the ProxyPass target's host name
  263. ProxyRoute:  # each named entry carries a ProxyPass source/target pair and the matching ProxyPassReverse pair
  264. example prod proxy route:
  265. ProxyPassSource: '/'
  266. ProxyPassTarget: 'http://prod.example.com:85/'  # backend is reached over plain HTTP; traffic on this hop is unencrypted
  267. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'  # ProxyPass parameters, both in seconds
  268. ProxyPassReverseSource: '/'
  269. ProxyPassReverseTarget: 'http://prod.example.com:85/'  # same backend URL as ProxyPassTarget above
  270. example webmail proxy route:
  271. ProxyPassSource: '/webmail/'
  272. ProxyPassTarget: 'http://mail.example.com/'  # plain HTTP to the backend
  273. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  274. ProxyPassReverseSource: '/webmail/'
  275. ProxyPassReverseTarget: 'http://mail.example.com/'
  276. example service proxy route:
  277. ProxyPassSource: '/svc/'
  278. ProxyPassTarget: 'http://svc.example.com:92/'  # plain HTTP to the backend
  279. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  280. ProxyPassReverseSource: '/svc/'
  281. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  282. Location:
  283. /:
  284. Require: false
  285. # Formula_Append: |
  286. # SecRuleRemoveById 981231
  287. # SecRuleRemoveById 981173
  288. /error:
  289. Require: 'all granted'
  290. /docs:
  291. Order: allow,deny # For Apache < 2.4
  292. Allow: from all # For apache < 2.4
  293. Require: all granted # For apache > 2.4.
  294. # Formula_Append: |
  295. # Additional config as a
  296. # multi-line string here
  297. LocationMatch:
  298. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  299. Require: false
  300. Formula_Append: |
  301. RequestHeader set Host mail.example.com
  302. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  303. Require: false
  304. Formula_Append: |
  305. Require ip 123.123.13.6 84.24.25.74
  306. Proxy_control:
  307. '*':
  308. AllowAll: false
  309. AllowCountry: false
  310. # - DE
  311. AllowIP:
  312. - 12.5.25.32
  313. - 12.5.25.33
  314. Alias:
  315. /docs: /usr/share/docs
  316. ScriptAlias:
  317. /cgi-bin/: /var/www/cgi-bin/
  318. # Formula_Append: |
  319. # \#Additional config as a
  320. # \#multi-line string here
  321. # ``apache.debian_full`` formula additional configuration:
  322. register-site:
  323. # any name as an array index, and you can duplicate this section
  324. unique_value_here:
  325. name: 'myname'
  326. path: 'salt://apache/files/myname.conf'
  327. state: 'enabled'
  328. # Optional - use managed file as Jinja Template
  329. # template: true
  330. # defaults:
  331. # custom_var: "default value"
  332. modules:
  333. enabled: # List modules to enable
  334. - ssl
  335. - rewrite
  336. - proxy
  337. - proxy_ajp
  338. - proxy_html
  339. - headers
  340. # geoip
  341. - status
  342. - dav
  343. - dav_fs
  344. - dav_lock
  345. - auth_digest
  346. - socache_shmcb
  347. - xml2enc
  348. - ldap
  349. disabled: # List modules to disable
  350. - geoip
  351. flags:
  352. enabled: # List server flags to enable
  353. - SSL
  354. disabled: # List server flags to disable
  355. - status
  356. # KeepAlive: Whether or not to allow persistent connections (more than
  357. # one request per connection). Set to "Off" to deactivate.
  358. keepalive: 'On'
  359. TimeOut: 60 # software default is 60 seconds
  360. security:
  361. # can be Full | OS | Minimal | Minor | Major | Prod
  362. # where Full conveys the most information, and Prod the least.
  363. ServerTokens: Prod
  364. # [debian only] configure mod_ssl
  365. ssl:
  366. SSLCipherSuite: 'HIGH:!aNULL'  # OpenSSL cipher string: HIGH-strength suites, excluding anonymous (unauthenticated) key exchange
  367. SSLHonorCipherOrder: 'Off'  # the client's cipher preference wins; 'On' lets the server's order decide
  368. SSLProtocol: 'all -SSLv3'  # only SSLv3 is removed; TLSv1 and TLSv1.1 stay enabled wherever the TLS library still offers them
  369. SSLUseStapling: 'Off'  # OCSP stapling disabled; the SSLStapling* values below only matter once it is turned on
  370. SSLStaplingResponderTimeout: '5'  # seconds to wait for the OCSP responder
  371. SSLStaplingReturnResponderErrors: 'Off'  # failed OCSP lookups are not stapled into the handshake
  372. SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'  # shared-memory cache for OCSP responses; size in bytes
  373. # ``apache.mod_remoteip`` formula additional configuration:
  374. mod_remoteip:
  375. RemoteIPHeader: X-Forwarded-For  # client-supplied header; mod_remoteip only honours it on requests arriving from the proxies listed below
  376. RemoteIPTrustedProxy:  # proxies trusted to report public client addresses; private/intranet addresses they report are not trusted
  377. - 10.0.8.0/24
  378. - 127.0.0.1  # NOTE(review): also listed under RemoteIPInternalProxy; confirm which trust level is intended
  379. RemoteIPInternalProxy:  # proxies trusted to report any client address, including private/intranet ones; keep this list as narrow as possible
  380. - 10.10.8.0/24
  381. - 127.0.0.1
  382. # ``apache.mod_security`` formula additional configuration:
  383. mod_security:
  384. crs_install: false
  385. # If not set, default distro's configuration is installed as is
  386. manage_config: true
  387. sec_rule_engine: 'On'
  388. sec_request_body_access: 'On'
  389. sec_request_body_limit: '14000000'
  390. sec_request_body_no_files_limit: '114002'
  391. sec_request_body_in_memory_limit: '114002'
  392. sec_request_body_limit_action: 'Reject'
  393. sec_pcre_match_limit: '15000'
  394. sec_pcre_match_limit_recursion: '15000'
  395. sec_debug_log_level: '3'
  396. rules:
  397. enabled: ~
  398. modsecurity_crs_10_setup.conf:
  399. rule_set: ''
  400. enabled: true
  401. modsecurity_crs_20_protocol_violations.conf:
  402. rule_set: 'base_rules'
  403. enabled: false
  404. custom_rule_files:
  405. # any name as an array index, and you can duplicate this section
  406. UNIQUE_VALUE_HERE:
  407. file: 'myname'
  408. # path/to/modsecurity/custom/file
  409. path: 'salt://apache/files/dummy.conf'
  410. enabled: false
  411. mod_ssl:
  412. # set this to true if you want to override your distribution's default TLS
  413. # configuration
  414. manage_tls_defaults: false  # presumably the TLS values below are only applied when this is true; confirm in the formula's mod_ssl state
  415. # This stuff is deliberately not configured via map.jinja resp.
  416. # apache:lookup. We're unable to know sane defaults for each release of
  417. # every distribution.
  418. # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for
  419. # a related discussion. Have a look at bettercrypto.org for up-to-date
  420. # settings.
  421. # These are default values. NOTE(review): the cipher string below still ends with RSA key-exchange CBC/SHA-1 suites (CAMELLIA256-SHA, AES256-SHA, CAMELLIA128-SHA, AES128-SHA), which give no forward secrecy; check it against current guidance before turning manage_tls_defaults on.
  422. # yamllint disable-line rule:line-length
  423. SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  424. # Mitigate the CRIME attack
  425. SSLCompression: 'Off'
  426. SSLProtocol: all -SSLv2 -SSLv3 -TLSv1  # TLSv1.1 is still allowed; RFC 8996 deprecates TLS 1.0 and 1.1, so consider adding -TLSv1.1
  427. SSLHonorCipherOrder: 'On'  # the server's cipher order decides, so the ordering of SSLCipherSuite above matters
  428. SSLOptions: "+StrictRequire"  # access stays denied when SSLRequireSSL/SSLRequire forbid it, even under "Satisfy any"
  429. server_status_require:
  430. ip:
  431. - 10.8.8.0/24
  432. host:
  433. - foo.example.com
  434. tofs:
  435. # The files_switch key serves as a selector for alternative
  436. # directories under the formula files directory. See TOFS pattern
  437. # doc for more info.
  438. # Note: Any value not evaluated by `config.get` will be used literally.
  439. # This can be used to set custom paths, as many levels deep as required.
  440. files_switch:
  441. - any/path/can/be/used/here
  442. - id
  443. - roles
  444. - osfinger
  445. - os
  446. - os_family
  447. # All aspects of path/file resolution are customisable using the options below.
  448. # This is unnecessary in most cases; there are sensible defaults.
  449. # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
  450. # I.e.: salt://apache/files/default
  451. # path_prefix: template_alt
  452. # dirs:
  453. # files: files_alt
  454. # default: default_alt
  455. # The entries under `source_files` are prepended to the default source files
  456. # given for the state
  457. # source_files:
  458. # apache-config-file-file-managed:
  459. # - 'example_alt.tmpl'
  460. # - 'example_alt.tmpl.jinja'
  461. # For testing purposes
  462. source_files:
  463. apache-config-file-file-managed:
  464. - 'example.tmpl.jinja'
  465. apache-subcomponent-config-file-file-managed:
  466. - 'subcomponent-example.tmpl.jinja'
  467. # Just for testing purposes
  468. winner: pillar
  469. added_in_pillar: pillar_value