Saltstack Official Apache Formula
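  # ``apache`` formula configuration:
apache:
  # lookup section overrides ``map.jinja`` values
  lookup:
    server: apache2
    service: apache2
    user: some_system_user
    group: some_system_group
    vhostdir: /etc/apache2/sites-available
    confdir: /etc/apache2/conf.d
    confext: .conf
    logdir: /var/log/apache2
    wwwdir: /srv/apache2
    # apache version (generally '2.2' or '2.4')
    version: '2.2'
    # ``apache.mod_wsgi`` formula additional configuration:
    mod_wsgi: mod_wsgi
    # Default value for AddDefaultCharset in RedHat configuration
    default_charset: 'UTF-8'
    global:
      # global apache directives
      AllowEncodedSlashes: 'On'

  name_virtual_hosts:
    - interface: '*'
      port: 80
    - interface: '*'
      port: 443

  # ``apache.vhosts`` formula additional configuration:
  sites:
    example.net:
      template_file: salt://apache/vhosts/minimal.tmpl

    example.com: # must be unique; used as an ID declaration in Salt.
      enabled: True
      template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl

      ####################### DEFAULT VALUES BELOW ############################
      # NOTE: the values below are simply default settings that *can* be
      # overridden and are not required in order to use this formula to create
      # vhost entries.
      #
      # Do not copy the values below into your Pillar unless you intend to
      # modify these values.
      ####################### DEFAULT VALUES BELOW ############################
      template_engine: jinja
      interface: '*'
      port: '80'
      exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
      ServerName: example.com # uses the unique ID above unless specified
      ServerAlias: www.example.com
      ServerAdmin: webmaster@example.com
      LogLevel: warn
      ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
      CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
      DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
      SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
      SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
      SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
      Directory:
        # "default" is a special case; Adds ``/path/to/www/dir/example.com``
        # E.g.: /var/www/example.com
        default:
          Options: -Indexes +FollowSymLinks
          Order: allow,deny # For Apache < 2.4
          Allow: from all # For apache < 2.4
          Require: all granted # For apache > 2.4.
          AllowOverride: None
          Formula_Append: |
            Additional config as a
            multi-line string here

    80-proxyexample.com:
      template_file: salt://apache/vhosts/redirect.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      RedirectSource: '/'
      RedirectTarget: 'https://www.proxyexample.com/'
      DocumentRoot: /var/www/proxy

    443-proxyexample.com:
      template_file: salt://apache/vhosts/proxy.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      interface: '*'
      port: '443'
      DocumentRoot: /var/www/proxy
      Rewrite: |
        RewriteRule ^/webmail$ /webmail/ [R]
        RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
        RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
      SSLCertificateFile: /etc/httpd/ssl/example.com.crt
      SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
      SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
      # The *_content blocks below are placeholders (the "key" repeats the
      # certificate bytes). Pillar is rendered and delivered to the minion in
      # plaintext, so real private key material belongs in an encrypted pillar
      # source (e.g. the gpg renderer), not in a file committed next to this one.
      SSLCertificateFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
      SSLCertificateKeyFile_content: |
        -----BEGIN PRIVATE KEY-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END PRIVATE KEY-----
      SSLCertificateChainFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
      ProxyRequests: 'Off'
      ProxyPreserveHost: 'On'
      ProxyRoute:
        example prod proxy route:
          ProxyPassSource: '/'
          ProxyPassTarget: 'http://prod.example.com:85/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/'
          ProxyPassReverseTarget: 'http://prod.example.com:85/'
        example webmail proxy route:
          ProxyPassSource: '/webmail/'
          ProxyPassTarget: 'http://mail.example.com/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/webmail/'
          ProxyPassReverseTarget: 'http://mail.example.com/'
        example service proxy route:
          ProxyPassSource: '/svc/'
          ProxyPassTarget: 'http://svc.example.com:92/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/svc/'
          ProxyPassReverseTarget: 'http://svc.example.com:92/'
      Location:
        /:
          Require: False
          Formula_Append: |
            SecRuleRemoveById 981231
            SecRuleRemoveById 981173
        /error:
          Require: 'all granted'
        /docs:
          Order: allow,deny # For Apache < 2.4
          Allow: from all # For apache < 2.4
          Require: all granted # For apache > 2.4.
          Formula_Append: |
            Additional config as a
            multi-line string here
      LocationMatch:
        '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
          Require: False
          Formula_Append: |
            RequestHeader set Host mail.example.com
        '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
          Require: False
          Formula_Append: |
            Require ip 123.123.13.6 84.24.25.74
      Proxy_control:
        '*':
          AllowAll: False
          AllowCountry:
            - DE
          AllowIP:
            - 12.5.25.32
            - 12.5.25.33
      Alias:
        /docs: /usr/share/docs
      Formula_Append: |
        Additional config as a
        multi-line string here

  # ``apache.debian_full`` formula additional configuration:
  register-site:
    # any name as an array index, and you can duplicate this section
    UNIQUE_VALUE_HERE:
      name: 'my name'
      path: 'salt://path/to/sites-available/conf/file'
      state: 'enabled'
      # Optional - use managed file as Jinja Template
      #template: true
      #defaults:
      #  custom_var: "default value"

  modules:
    enabled: # List modules to enable
      - ldap
      - ssl
    disabled: # List modules to disable
      - rewrite

  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  keepalive: 'On'

  security:
    # can be Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens: Prod

  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip:
    RemoteIPHeader: X-Forwarded-For
    # Only proxies you operate belong here: the header named above is
    # client-supplied and is trusted solely when it arrives from these addresses.
    RemoteIPTrustedProxy:
      - 10.0.8.0/24
      - 127.0.0.1

  # ``apache.mod_security`` formula additional configuration:
  mod_security:
    crs_install: True
    # If not set, default distro's configuration is installed as is
    manage_config: True
    sec_rule_engine: 'On'
    sec_request_body_access: 'On'
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'
    rules:
      enabled:
        modsecurity_crs_10_setup.conf:
          rule_set: ''
          enabled: True
        modsecurity_crs_20_protocol_violations.conf:
          rule_set: 'base_rules'
          enabled: False
    custom_rule_files:
      # any name as an array index, and you can duplicate this section
      UNIQUE_VALUE_HERE:
        file: 'my name'
        path: 'salt://path/to/modsecurity/custom/file'
        enabled: True

  mod_ssl:
    # set this to True if you want to override your distributions default TLS configuration
    manage_tls_defaults: False
    # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
    # We're unable to know sane defaults for each release of every distribution.
    # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
    # Have a look at bettercrypto.org for up-to-date settings.
    # These are default values:
    SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    # On/Off are quoted on purpose, like every other directive value in this
    # file: a bare On/Off is read as a YAML 1.1 boolean and would be rendered
    # into the Apache config as True/False, which httpd rejects.
    # Mitigate the CRIME attack
    SSLCompression: 'Off'
    # NOTE(review): this still leaves TLSv1.1 enabled; append -TLSv1.1 once
    # your clients allow it.
    SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder: 'On'
    SSLOptions: "+StrictRequire"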