Saltstack Official Apache Formula
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.

11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
9 лет назад
8 лет назад
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315
  1. # ``apache`` formula configuration:
  2. apache:
  3. # lookup section overrides ``map.jinja`` values
  4. lookup:
  5. server: apache2
  6. service: apache2
  7. vhostdir: /etc/apache2/sites-available
  8. confdir: /etc/apache2/conf.d
  9. confext: .conf
  10. logdir: /var/log/apache2
  11. wwwdir: /srv/apache2
  12. # apache version (generally '2.2' or '2.4')
  13. version: '2.2'
  14. # ``apache.mod_wsgi`` formula additional configuration:
  15. mod_wsgi: mod_wsgi
  16. # Default value for AddDefaultCharset in RedHat configuration
  17. default_charset: 'UTF-8'
  18. global:
  19. # global apache directives
  20. AllowEncodedSlashes: 'On'
  21. name_virtual_hosts:
  22. - interface: '*'
  23. port: 80
  24. - interface: '*'
  25. port: 443
  26. # ``apache.vhosts`` formula additional configuration:
  27. sites:
  28. example.net:
  29. template_file: salt://apache/vhosts/minimal.tmpl
  30. example.com: # must be unique; used as an ID declaration in Salt.
  31. enabled: True
  32. template_file: salt://apache/vhosts/standard.tmpl # or redirect.tmpl or proxy.tmpl
  33. ####################### DEFAULT VALUES BELOW ############################
  34. # NOTE: the values below are simply default settings that *can* be
  35. # overridden and are not required in order to use this formula to create
  36. # vhost entries.
  37. #
  38. # Do not copy the values below into your Pillar unless you intend to
  39. # modify these vaules.
  40. ####################### DEFAULT VALUES BELOW ############################
  41. template_engine: jinja
  42. interface: '*'
  43. port: '80'
  44. exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
  45. ServerName: example.com # uses the unique ID above unless specified
  46. ServerAlias: www.example.com
  47. ServerAdmin: webmaster@example.com
  48. LogLevel: warn
  49. ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
  50. CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
  51. DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
  52. SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
  53. SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
  54. SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
  55. Directory:
  56. # "default" is a special case; Adds ``/path/to/www/dir/example.com``
  57. # E.g.: /var/www/example.com
  58. default:
  59. Options: -Indexes +FollowSymLinks
  60. Order: allow,deny # For Apache < 2.4
  61. Allow: from all # For apache < 2.4
  62. Require: all granted # For apache > 2.4.
  63. AllowOverride: None
  64. Formula_Append: |
  65. Additional config as a
  66. multi-line string here
  67. 80-proxyexample.com:
  68. template_file: salt://apache/vhosts/redirect.tmpl
  69. ServerName: www.proxyexample.com
  70. ServerAlias: www.proxyexample.com
  71. RedirectSource: '/'
  72. RedirectTarget: 'https://www.proxyexample.com/'
  73. DocumentRoot: /var/www/proxy
  74. 443-proxyexample.com:
  75. template_file: salt://apache/vhosts/proxy.tmpl
  76. ServerName: www.proxyexample.com
  77. ServerAlias: www.proxyexample.com
  78. interface: '*'
  79. port: '443'
  80. DocumentRoot: /var/www/proxy
  81. Rewrite: |
  82. RewriteRule ^/webmail$ /webmail/ [R]
  83. RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
  84. RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
  85. SSLCertificateFile: /etc/httpd/ssl/example.com.crt
  86. SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
  87. SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  88. SSLCertificateFile_content: |
  89. -----BEGIN CERTIFICATE-----
  90. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  91. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  92. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  93. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  94. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  95. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  96. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  97. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  98. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  99. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  100. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  101. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  102. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  103. -----END CERTIFICATE-----
  104. SSLCertificateKeyFile_content: |
  105. -----BEGIN PRIVATE KEY-----
  106. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  107. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  108. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  109. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  110. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  111. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  112. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  113. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  114. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  115. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  116. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  117. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  118. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  119. -----END PRIVATE KEY-----
  120. SSLCertificateChainFile_content: |
  121. -----BEGIN CERTIFICATE-----
  122. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  123. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  124. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  125. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  126. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  127. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  128. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  129. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  130. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  131. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  132. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  133. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  134. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  135. -----END CERTIFICATE-----
  136. -----BEGIN CERTIFICATE-----
  137. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  138. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  139. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  140. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  141. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  142. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  143. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  144. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  145. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  146. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  147. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  148. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  149. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  150. -----END CERTIFICATE-----
  151. ProxyRequests: 'Off'
  152. ProxyPreserveHost: 'On'
  153. ProxyRoute:
  154. example prod proxy route:
  155. ProxyPassSource: '/'
  156. ProxyPassTarget: 'http://prod.example.com:85/'
  157. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  158. ProxyPassReverseSource: '/'
  159. ProxyPassReverseTarget: 'http://prod.example.com:85/'
  160. example webmail proxy route:
  161. ProxyPassSource: '/webmail/'
  162. ProxyPassTarget: 'http://mail.example.com/'
  163. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  164. ProxyPassReverseSource: '/webmail/'
  165. ProxyPassReverseTarget: 'http://mail.example.com/'
  166. example service proxy route:
  167. ProxyPassSource: '/svc/'
  168. ProxyPassTarget: 'http://svc.example.com:92/'
  169. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  170. ProxyPassReverseSource: '/svc/'
  171. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  172. Location:
  173. /:
  174. Require: False
  175. Formula_Append: |
  176. SecRuleRemoveById 981231
  177. SecRuleRemoveById 981173
  178. /error:
  179. Require: 'all granted'
  180. LocationMatch:
  181. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  182. Require: False
  183. Formula_Append: |
  184. RequestHeader set Host mail.example.com
  185. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  186. Require: False
  187. Formula_Append: |
  188. Require ip 123.123.13.6 84.24.25.74
  189. Proxy_control:
  190. '*':
  191. AllowAll: False
  192. AllowCountry:
  193. - DE
  194. AllowIP:
  195. - 12.5.25.32
  196. - 12.5.25.33
  197. Alias:
  198. /docs: /usr/share/docs
  199. Location:
  200. /docs:
  201. Order: allow,deny # For Apache < 2.4
  202. Allow: from all # For apache < 2.4
  203. Require: all granted # For apache > 2.4.
  204. Formula_Append: |
  205. Additional config as a
  206. multi-line string here
  207. Formula_Append: |
  208. Additional config as a
  209. multi-line string here
  210. # ``apache.debian_full`` formula additional configuration:
  211. register-site:
  212. # any name as an array index, and you can duplicate this section
  213. UNIQUE_VALUE_HERE:
  214. name: 'my name'
  215. path: 'salt://path/to/sites-available/conf/file'
  216. state: 'enabled'
  217. # Optional - use managed file as Jinja Template
  218. #template: true
  219. #defaults:
  220. # custom_var: "default value"
  221. modules:
  222. enabled: # List modules to enable
  223. - ldap
  224. - ssl
  225. disabled: # List modules to disable
  226. - rewrite
  227. # KeepAlive: Whether or not to allow persistent connections (more than
  228. # one request per connection). Set to "Off" to deactivate.
  229. keepalive: 'On'
  230. security:
  231. # can be Full | OS | Minimal | Minor | Major | Prod
  232. # where Full conveys the most information, and Prod the least.
  233. ServerTokens: Prod
  234. # ``apache.mod_remoteip`` formula additional configuration:
  235. mod_remoteip:
  236. RemoteIPHeader: X-Forwarded-For
  237. RemoteIPTrustedProxy:
  238. - 10.0.8.0/24
  239. - 127.0.0.1
  240. # ``apache.mod_security`` formula additional configuration:
  241. mod_security:
  242. crs_install: True
  243. # If not set, default distro's configuration is installed as is
  244. manage_config: True
  245. sec_rule_engine: 'On'
  246. sec_request_body_access: 'On'
  247. sec_request_body_limit: '14000000'
  248. sec_request_body_no_files_limit: '114002'
  249. sec_request_body_in_memory_limit: '114002'
  250. sec_request_body_limit_action: 'Reject'
  251. sec_pcre_match_limit: '15000'
  252. sec_pcre_match_limit_recursion: '15000'
  253. sec_debug_log_level: '3'
  254. rules:
  255. enabled:
  256. modsecurity_crs_10_setup.conf:
  257. rule_set: ''
  258. enabled: True
  259. modsecurity_crs_20_protocol_violations.conf:
  260. rule_set: 'base_rules'
  261. enabled: False
  262. custom_rule_files:
  263. # any name as an array index, and you can duplicate this section
  264. UNIQUE_VALUE_HERE:
  265. file: 'my name'
  266. path: 'salt://path/to/modsecurity/custom/file'
  267. enabled: True