Saltstack Official Apache Formula
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.

11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
9 лет назад
9 лет назад
8 лет назад
7 лет назад
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371
  1. # ``apache`` formula configuration:
  2. apache:
  3. # By default apache restart/reload states run (false skips)
  4. manage_service_states: True
  5. # lookup section overrides ``map.jinja`` values
  6. lookup:
  7. server: apache2
  8. service: apache2
  9. user: some_system_user
  10. group: some_system_group
  11. vhostdir: /etc/apache2/sites-available
  12. confdir: /etc/apache2/conf.d
  13. confext: .conf
  14. logdir: /var/log/apache2
  15. wwwdir: /srv/apache2
  16. # apache version (generally '2.2' or '2.4')
  17. version: '2.2'
  18. # ``apache.mod_wsgi`` formula additional configuration:
  19. mod_wsgi: mod_wsgi
  20. # Default value for AddDefaultCharset in RedHat configuration
  21. default_charset: 'UTF-8'
  22. # Should we enforce DocumentRoot user/group?
  23. # Default: do not enforce
  24. document_root_user: www-data # Force user if specified, leave it default if not
  25. document_root_group: null # Do not enforce group
  26. global:
  27. # global apache directives
  28. AllowEncodedSlashes: 'On'
  29. name_virtual_hosts:
  30. - interface: '*'
  31. port: 80
  32. - interface: '*'
  33. port: 443
  34. # ``apache.vhosts`` formula additional configuration:
  35. sites:
  36. example.net:
  37. template_file: salt://apache/vhosts/minimal.tmpl
  38. example.com: # must be unique; used as an ID declaration in Salt.
  39. enabled: True
  40. template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
  41. ####################### DEFAULT VALUES BELOW ############################
  42. # NOTE: the values below are simply default settings that *can* be
  43. # overridden and are not required in order to use this formula to create
  44. # vhost entries.
  45. #
  46. # Do not copy the values below into your Pillar unless you intend to
  47. # modify these vaules.
  48. ####################### DEFAULT VALUES BELOW ############################
  49. template_engine: jinja
  50. interface: '*'
  51. port: '80'
  52. exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
  53. ServerName: example.com # uses the unique ID above unless specified
  54. #ServerAlias: www.example.com # Do not add ServerAlias unless defined
  55. ServerAdmin: webmaster@example.com
  56. LogLevel: warn
  57. ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
  58. CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
  59. DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
  60. DocumentRootUser: null # do not enforce user, defaults to lookup:document_root_user
  61. DocumentRootGroup: www-data # Force group, defaults to lookup:document_root_group
  62. SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
  63. SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
  64. SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
  65. Directory:
  66. # "default" is a special case; uses DocumentRoot value
  67. # E.g.: /var/www/example.com
  68. default:
  69. Options: -Indexes +FollowSymLinks
  70. Order: allow,deny # For Apache < 2.4
  71. Allow: from all # For apache < 2.4
  72. Require: all granted # For apache > 2.4.
  73. AllowOverride: None
  74. Formula_Append: |
  75. Additional config as a
  76. multi-line string here
  77. redirectmatch.com:
  78. # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
  79. # Require module mod_alias
  80. enabled: True
  81. template_file: salt://apache/vhosts/redirect.tmpl
  82. ServerName: www.redirectmatch.com
  83. ServerAlias: www.redirectmatch.com
  84. RedirectMatch: true
  85. RedirectSource: '^/$'
  86. RedirectTarget: '/subdirectory'
  87. DocumentRoot: /var/www/html/
  88. ErrorLog: ${APACHE_LOG_DIR}/error.log
  89. CustomLog: ${APACHE_LOG_DIR}/access.log
  90. 80-proxyexample.com:
  91. template_file: salt://apache/vhosts/redirect.tmpl
  92. ServerName: www.proxyexample.com
  93. ServerAlias: www.proxyexample.com
  94. RedirectSource: '/'
  95. RedirectTarget: 'https://www.proxyexample.com/'
  96. DocumentRoot: /var/www/proxy
  97. 443-proxyexample.com:
  98. template_file: salt://apache/vhosts/proxy.tmpl
  99. ServerName: www.proxyexample.com
  100. ServerAlias: www.proxyexample.com
  101. interface: '*'
  102. port: '443'
  103. DocumentRoot: /var/www/proxy
  104. Rewrite: |
  105. RewriteRule ^/webmail$ /webmail/ [R]
  106. RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
  107. RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
  108. SSLCertificateFile: /etc/httpd/ssl/example.com.crt
  109. SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
  110. SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  111. SSLCertificateFile_content: |
  112. -----BEGIN CERTIFICATE-----
  113. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  114. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  115. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  116. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  117. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  118. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  119. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  120. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  121. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  122. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  123. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  124. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  125. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  126. -----END CERTIFICATE-----
  127. SSLCertificateKeyFile_content: |
  128. -----BEGIN PRIVATE KEY-----
  129. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  130. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  131. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  132. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  133. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  134. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  135. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  136. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  137. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  138. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  139. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  140. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  141. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  142. -----END PRIVATE KEY-----
  143. SSLCertificateChainFile_content: |
  144. -----BEGIN CERTIFICATE-----
  145. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  146. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  147. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  148. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  149. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  150. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  151. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  152. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  153. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  154. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  155. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  156. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  157. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  158. -----END CERTIFICATE-----
  159. -----BEGIN CERTIFICATE-----
  160. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  161. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  162. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  163. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  164. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  165. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  166. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  167. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  168. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  169. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  170. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  171. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  172. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  173. -----END CERTIFICATE-----
  174. ProxyRequests: 'Off'
  175. ProxyPreserveHost: 'On'
  176. ProxyRoute:
  177. example prod proxy route:
  178. ProxyPassSource: '/'
  179. ProxyPassTarget: 'http://prod.example.com:85/'
  180. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  181. ProxyPassReverseSource: '/'
  182. ProxyPassReverseTarget: 'http://prod.example.com:85/'
  183. example webmail proxy route:
  184. ProxyPassSource: '/webmail/'
  185. ProxyPassTarget: 'http://mail.example.com/'
  186. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  187. ProxyPassReverseSource: '/webmail/'
  188. ProxyPassReverseTarget: 'http://mail.example.com/'
  189. example service proxy route:
  190. ProxyPassSource: '/svc/'
  191. ProxyPassTarget: 'http://svc.example.com:92/'
  192. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  193. ProxyPassReverseSource: '/svc/'
  194. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  195. Location:
  196. /:
  197. Require: False
  198. Formula_Append: |
  199. SecRuleRemoveById 981231
  200. SecRuleRemoveById 981173
  201. /error:
  202. Require: 'all granted'
  203. /docs:
  204. Order: allow,deny # For Apache < 2.4
  205. Allow: from all # For apache < 2.4
  206. Require: all granted # For apache > 2.4.
  207. Formula_Append: |
  208. Additional config as a
  209. multi-line string here
  210. LocationMatch:
  211. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  212. Require: False
  213. Formula_Append: |
  214. RequestHeader set Host mail.example.com
  215. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  216. Require: False
  217. Formula_Append: |
  218. Require ip 123.123.13.6 84.24.25.74
  219. Proxy_control:
  220. '*':
  221. AllowAll: False
  222. AllowCountry:
  223. - DE
  224. AllowIP:
  225. - 12.5.25.32
  226. - 12.5.25.33
  227. Alias:
  228. /docs: /usr/share/docs
  229. Formula_Append: |
  230. Additional config as a
  231. multi-line string here
  232. # ``apache.debian_full`` formula additional configuration:
  233. register-site:
  234. # any name as an array index, and you can duplicate this section
  235. UNIQUE_VALUE_HERE:
  236. name: 'my name'
  237. path: 'salt://path/to/sites-available/conf/file'
  238. state: 'enabled'
  239. # Optional - use managed file as Jinja Template
  240. #template: true
  241. #defaults:
  242. # custom_var: "default value"
  243. modules:
  244. enabled: # List modules to enable
  245. - ldap
  246. - ssl
  247. disabled: # List modules to disable
  248. - rewrite
  249. flags:
  250. enabled: # List server flags to enable
  251. - SSL
  252. disabled: # List server flags to disable
  253. - status
  254. # KeepAlive: Whether or not to allow persistent connections (more than
  255. # one request per connection). Set to "Off" to deactivate.
  256. keepalive: 'On'
  257. security:
  258. # can be Full | OS | Minimal | Minor | Major | Prod
  259. # where Full conveys the most information, and Prod the least.
  260. ServerTokens: Prod
  261. # [debian only] configure mod_ssl
  262. ssl:
  263. SSLCipherSuite: 'HIGH:!aNULL'
  264. SSLHonorCipherOrder: 'Off'
  265. SSLProtocol: 'all -SSLv3'
  266. SSLUseStapling: 'Off'
  267. SSLStaplingResponderTimeout: '5'
  268. SSLStaplingReturnResponderErrors: 'Off'
  269. SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
  270. # ``apache.mod_remoteip`` formula additional configuration:
  271. mod_remoteip:
  272. RemoteIPHeader: X-Forwarded-For
  273. RemoteIPTrustedProxy:
  274. - 10.0.8.0/24
  275. - 127.0.0.1
  276. # ``apache.mod_security`` formula additional configuration:
  277. mod_security:
  278. crs_install: True
  279. # If not set, default distro's configuration is installed as is
  280. manage_config: True
  281. sec_rule_engine: 'On'
  282. sec_request_body_access: 'On'
  283. sec_request_body_limit: '14000000'
  284. sec_request_body_no_files_limit: '114002'
  285. sec_request_body_in_memory_limit: '114002'
  286. sec_request_body_limit_action: 'Reject'
  287. sec_pcre_match_limit: '15000'
  288. sec_pcre_match_limit_recursion: '15000'
  289. sec_debug_log_level: '3'
  290. rules:
  291. enabled:
  292. modsecurity_crs_10_setup.conf:
  293. rule_set: ''
  294. enabled: True
  295. modsecurity_crs_20_protocol_violations.conf:
  296. rule_set: 'base_rules'
  297. enabled: False
  298. custom_rule_files:
  299. # any name as an array index, and you can duplicate this section
  300. UNIQUE_VALUE_HERE:
  301. file: 'my name'
  302. path: 'salt://path/to/modsecurity/custom/file'
  303. enabled: True
  304. mod_ssl:
  305. # set this to True if you want to override your distributions default TLS configuration
  306. manage_tls_defaults: False
  307. # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
  308. # We're unable to know sane defaults for each release of every distribution.
  309. # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
  310. # Have a look at bettercrypto.org for up-to-date settings.
  311. # These are default values:
  312. SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  313. # Mitigate the CRIME attack
  314. SSLCompression: Off
  315. SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
  316. SSLHonorCipherOrder: On
  317. SSLOptions: "+StrictRequire"