Saltstack Official Apache Formula

  1. # ``apache`` formula configuration:
  2. apache:
  3. # By default apache restart/reload states run (false skips)
  4. manage_service_states: True
  5. # lookup section overrides ``map.jinja`` values
  6. lookup:
  7. server: apache2
  8. service: apache2
  9. user: some_system_user
  10. group: some_system_group
  11. vhostdir: /etc/apache2/sites-available
  12. confdir: /etc/apache2/conf.d
  13. confext: .conf
  14. logdir: /var/log/apache2
  15. wwwdir: /srv/apache2
  16. # apache version (generally '2.2' or '2.4')
  17. version: '2.2'
  18. # ``apache.mod_wsgi`` formula additional configuration:
  19. mod_wsgi: mod_wsgi
  20. # Default value for AddDefaultCharset in RedHat configuration
  21. default_charset: 'UTF-8'
  22. global:
  23. # global apache directives
  24. AllowEncodedSlashes: 'On'
  25. name_virtual_hosts:
  26. - interface: '*'
  27. port: 80
  28. - interface: '*'
  29. port: 443
  30. # ``apache.vhosts`` formula additional configuration:
  31. sites:
  32. example.net:
  33. template_file: salt://apache/vhosts/minimal.tmpl
  34. example.com: # must be unique; used as an ID declaration in Salt.
  35. enabled: True
  36. template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
  37. ####################### DEFAULT VALUES BELOW ############################
  38. # NOTE: the values below are simply default settings that *can* be
  39. # overridden and are not required in order to use this formula to create
  40. # vhost entries.
  41. #
  42. # Do not copy the values below into your Pillar unless you intend to
  43. # modify these vaules.
  44. ####################### DEFAULT VALUES BELOW ############################
  45. template_engine: jinja
  46. interface: '*'
  47. port: '80'
  48. exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
  49. ServerName: example.com # uses the unique ID above unless specified
  50. #ServerAlias: www.example.com # Do not add ServerAlias unless defined
  51. ServerAdmin: webmaster@example.com
  52. LogLevel: warn
  53. ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
  54. CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
  55. DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
  56. SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
  57. SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
  58. SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
  59. Directory:
  60. # "default" is a special case; Adds ``/path/to/www/dir/example.com``
  61. # E.g.: /var/www/example.com
  62. default:
  63. Options: -Indexes +FollowSymLinks
  64. Order: allow,deny # For Apache < 2.4
  65. Allow: from all # For apache < 2.4
  66. Require: all granted # For apache > 2.4.
  67. AllowOverride: None
  68. Formula_Append: |
  69. Additional config as a
  70. multi-line string here
  71. redirectmatch.com:
  72. # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
  73. # Require module mod_alias
  74. enabled: True
  75. template_file: salt://apache/vhosts/redirect.tmpl
  76. ServerName: www.redirectmatch.com
  77. ServerAlias: www.redirectmatch.com
  78. RedirectMatch: true
  79. RedirectSource: '^/$'
  80. RedirectTarget: '/subdirectory'
  81. DocumentRoot: /var/www/html/
  82. ErrorLog: ${APACHE_LOG_DIR}/error.log
  83. CustomLog: ${APACHE_LOG_DIR}/access.log
  84. 80-proxyexample.com:
  85. template_file: salt://apache/vhosts/redirect.tmpl
  86. ServerName: www.proxyexample.com
  87. ServerAlias: www.proxyexample.com
  88. RedirectSource: '/'
  89. RedirectTarget: 'https://www.proxyexample.com/'
  90. DocumentRoot: /var/www/proxy
  91. 443-proxyexample.com:
  92. template_file: salt://apache/vhosts/proxy.tmpl
  93. ServerName: www.proxyexample.com
  94. ServerAlias: www.proxyexample.com
  95. interface: '*'
  96. port: '443'
  97. DocumentRoot: /var/www/proxy
  98. Rewrite: |
  99. RewriteRule ^/webmail$ /webmail/ [R]
  100. RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
  101. RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
  102. SSLCertificateFile: /etc/httpd/ssl/example.com.crt
  103. SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
  104. SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  105. SSLCertificateFile_content: |
  106. -----BEGIN CERTIFICATE-----
  107. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  108. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  109. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  110. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  111. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  112. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  113. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  114. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  115. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  116. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  117. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  118. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  119. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  120. -----END CERTIFICATE-----
  121. SSLCertificateKeyFile_content: |
  122. -----BEGIN PRIVATE KEY-----
  123. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  124. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  125. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  126. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  127. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  128. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  129. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  130. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  131. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  132. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  133. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  134. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  135. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  136. -----END PRIVATE KEY-----
  137. SSLCertificateChainFile_content: |
  138. -----BEGIN CERTIFICATE-----
  139. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  140. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  141. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  142. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  143. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  144. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  145. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  146. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  147. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  148. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  149. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  150. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  151. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  152. -----END CERTIFICATE-----
  153. -----BEGIN CERTIFICATE-----
  154. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  155. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  156. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  157. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  158. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  159. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  160. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  161. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  162. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  163. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  164. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  165. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  166. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  167. -----END CERTIFICATE-----
  168. ProxyRequests: 'Off'
  169. ProxyPreserveHost: 'On'
  170. ProxyRoute:
  171. example prod proxy route:
  172. ProxyPassSource: '/'
  173. ProxyPassTarget: 'http://prod.example.com:85/'
  174. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  175. ProxyPassReverseSource: '/'
  176. ProxyPassReverseTarget: 'http://prod.example.com:85/'
  177. example webmail proxy route:
  178. ProxyPassSource: '/webmail/'
  179. ProxyPassTarget: 'http://mail.example.com/'
  180. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  181. ProxyPassReverseSource: '/webmail/'
  182. ProxyPassReverseTarget: 'http://mail.example.com/'
  183. example service proxy route:
  184. ProxyPassSource: '/svc/'
  185. ProxyPassTarget: 'http://svc.example.com:92/'
  186. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  187. ProxyPassReverseSource: '/svc/'
  188. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  189. Location:
  190. /:
  191. Require: False
  192. Formula_Append: |
  193. SecRuleRemoveById 981231
  194. SecRuleRemoveById 981173
  195. /error:
  196. Require: 'all granted'
  197. /docs:
  198. Order: allow,deny # For Apache < 2.4
  199. Allow: from all # For apache < 2.4
  200. Require: all granted # For apache > 2.4.
  201. Formula_Append: |
  202. Additional config as a
  203. multi-line string here
  204. LocationMatch:
  205. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  206. Require: False
  207. Formula_Append: |
  208. RequestHeader set Host mail.example.com
  209. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  210. Require: False
  211. Formula_Append: |
  212. Require ip 123.123.13.6 84.24.25.74
  213. Proxy_control:
  214. '*':
  215. AllowAll: False
  216. AllowCountry:
  217. - DE
  218. AllowIP:
  219. - 12.5.25.32
  220. - 12.5.25.33
  221. Alias:
  222. /docs: /usr/share/docs
  223. Formula_Append: |
  224. Additional config as a
  225. multi-line string here
  226. # ``apache.debian_full`` formula additional configuration:
  227. register-site:
  228. # any name as an array index, and you can duplicate this section
  229. UNIQUE_VALUE_HERE:
  230. name: 'my name'
  231. path: 'salt://path/to/sites-available/conf/file'
  232. state: 'enabled'
  233. # Optional - use managed file as Jinja Template
  234. #template: true
  235. #defaults:
  236. # custom_var: "default value"
  237. modules:
  238. enabled: # List modules to enable
  239. - ldap
  240. - ssl
  241. disabled: # List modules to disable
  242. - rewrite
  243. # KeepAlive: Whether or not to allow persistent connections (more than
  244. # one request per connection). Set to "Off" to deactivate.
  245. keepalive: 'On'
  246. security:
  247. # can be Full | OS | Minimal | Minor | Major | Prod
  248. # where Full conveys the most information, and Prod the least.
  249. ServerTokens: Prod
  250. # ``apache.mod_remoteip`` formula additional configuration:
  251. mod_remoteip:
  252. RemoteIPHeader: X-Forwarded-For
  253. RemoteIPTrustedProxy:
  254. - 10.0.8.0/24
  255. - 127.0.0.1
  256. # ``apache.mod_security`` formula additional configuration:
  257. mod_security:
  258. crs_install: True
  259. # If not set, default distro's configuration is installed as is
  260. manage_config: True
  261. sec_rule_engine: 'On'
  262. sec_request_body_access: 'On'
  263. sec_request_body_limit: '14000000'
  264. sec_request_body_no_files_limit: '114002'
  265. sec_request_body_in_memory_limit: '114002'
  266. sec_request_body_limit_action: 'Reject'
  267. sec_pcre_match_limit: '15000'
  268. sec_pcre_match_limit_recursion: '15000'
  269. sec_debug_log_level: '3'
  270. rules:
  271. enabled:
  272. modsecurity_crs_10_setup.conf:
  273. rule_set: ''
  274. enabled: True
  275. modsecurity_crs_20_protocol_violations.conf:
  276. rule_set: 'base_rules'
  277. enabled: False
  278. custom_rule_files:
  279. # any name as an array index, and you can duplicate this section
  280. UNIQUE_VALUE_HERE:
  281. file: 'my name'
  282. path: 'salt://path/to/modsecurity/custom/file'
  283. enabled: True
  284. mod_ssl:
  285. # set this to True if you want to override your distributions default TLS configuration
  286. manage_tls_defaults: False
  287. # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
  288. # We're unable to know sane defaults for each release of every distribution.
  289. # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
  290. # Have a look at bettercrypto.org for up-to-date settings.
  291. # These are default values:
  292. SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  293. # Mitigate the CRIME attack
  294. SSLCompression: Off
  295. SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
  296. SSLHonorCipherOrder: On
  297. SSLOptions: "+StrictRequire"