Procházet zdrojové kódy

remove ng stuff (#255)

* remove -ng stuff

* remove ng from template

* remove -ng from readme

* manage listen directive with disabled vhosts

* add json filter

* remove hardcoded path
pull/261/head
karim Hamza před 5 roky
rodič
revize
ba2368907d
19 změnil soubory, kde provedl 421 přidání a 2142 odebrání
  1. +0
    -149
      README-ng.rst
  2. +81
    -175
      README.rst
  3. +0
    -118
      apache/config-ng.sls
  4. +65
    -87
      apache/config.sls
  5. +0
    -40
      apache/files/RedHat/apache-2.4-ng.config.jinja
  6. +28
    -386
      apache/files/RedHat/apache-2.4.config.jinja
  7. +0
    -86
      apache/modules-ng.sls
  8. +8
    -28
      apache/modules.sls
  9. +1
    -2
      apache/osfamilymap.yaml
  10. +0
    -41
      apache/vhosts/cleanup.sls
  11. +0
    -37
      apache/vhosts/minimal.tmpl
  12. +0
    -131
      apache/vhosts/proxy.tmpl
  13. +0
    -51
      apache/vhosts/redirect.tmpl
  14. +0
    -65
      apache/vhosts/standard.sls
  15. +0
    -136
      apache/vhosts/standard.tmpl
  16. +6
    -6
      apache/vhosts/vhost.conf.jinja
  17. +110
    -110
      apache/vhosts/vhost.sls
  18. +0
    -372
      pillar.example
  19. +122
    -122
      pillar.example.yaml

+ 0
- 149
README-ng.rst Zobrazit soubor

@@ -1,149 +0,0 @@
======
apache
======
Formulas to set up and configure the Apache HTTP server.
This Formula uses the concepts of ``directive`` and ``container`` in pillars
* ``directive`` is an httpd directive https://httpd.apache.org/docs/2.4/en/mod/directives.html
* ``container`` is what described the `configuration sections` https://httpd.apache.org/docs/2.4/en/sections.html
see examples below for more explanation
Also it includes and enforce some hardening rules to prevent security issues
See `<Hardening.md>`_ and `<apache/hardening-values.yaml>`_.
.. note::
See the full `Salt Formulas installation and usage instructions
<http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.
Available states
================
.. contents::
:local:
``apache``
----------
Installs the Apache package and starts the service.
``apache.config-ng``
-----------------
Configures apache server.
The configuration is done by merging the pillar content with defaults
present in the state `<apache/defaults/RedHat/defaults-apache-2.4.yaml>`_
.. code:: yaml
apache:
server_apache_config:
directives:
- Timeout: 5
containers:
IfModule:
-
item: 'mime_module'
directives:
- AddType: 'application/x-font-ttf ttc ttf'
- AddType: 'application/x-font-opentype otf'
- AddType: 'application/x-font-woff woff2'
``apache.modules-ng``
------------------
Enables and disables Apache modules.
``apache.vhosts.vhost-ng``
--------------------------
Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar.
All necessary data must be provided in the pillar
Exceptions are :
* ``CustomLog`` default is ``/path/apache/log/ServerName-access.log combined``
* if ``Logformat`` is defined in pillar, ``CustomLog`` is enforced to ``/path/apache/log/ServerName-access.log Logformat``
* ``ErrorLog`` is enforced to ``/path/apache/log/ServerName-error.log``
Example Pillar:
Create two vhosts ``example.com.conf`` and ``test.example.com.conf``
.. code:: yaml
apache:
VirtualHost:
example.com: # <-- this is an id decalaration used in salt and default ServerName
item: '*:80'
directives:
- RewriteEngine: 'on'
- Header: 'set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS'
containers:
Location:
item: '/test.html'
directives:
- Require: 'all granted'
site_id_declaration:
item: '10.10.1.1:8080'
directives:
- ServerName: 'test.example.com'
- LogFormat: '"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T"'
Files produced by these pillars :
``example.com.conf``
.. code:: bash
<VirtualHost *:80>
ServerName example.com
CustomLog /var/log/httpd/example.com-access.log combined
ErrorLog /var/log/httpd/example.com-error.log
RewriteEngine on
Header set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS
<Location /test.html>
Require all granted
</Location>
</VirtualHost>
``test.example.com.conf``
.. code:: bash
<VirtualHost 10.10.1.1:8080>
ServerName test.example.com
CustomLog /var/log/httpd/test.example.com-access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T"
ErrorLog /var/log/httpd/test.example.com-error.log
</VirtualHost>
this will delete ``test.example.com.conf``
.. code:: yaml
apache:
VirtualHost:
test.example.com:
item: '10.10.1.1:8080'
absent: True # <-- delete test.example.com.conf
directives:
- ServerName: 'test.example.com'
``apache.uninstall``
----------
Stops the Apache service and uninstalls the package.

+ 81
- 175
README.rst Zobrazit soubor

@@ -2,10 +2,18 @@
apache
======

Formulas to set up and configure the Apache HTTP server.

.. note:: See `<README-ng.rst>`_ for new gen of the state.
This Formula uses the concepts of ``directive`` and ``container`` in pillars

Formulas to set up and configure the Apache HTTP server.
* ``directive`` is an httpd directive https://httpd.apache.org/docs/2.4/en/mod/directives.html
* ``container`` is what described the `configuration sections` https://httpd.apache.org/docs/2.4/en/sections.html

see examples below for more explanation

Also it includes and enforce some hardening rules to prevent security issues

See `<Hardening.md>`_ and `<apache/hardening-values.yaml>`_.

.. note::

@@ -26,218 +34,116 @@ Installs the Apache package and starts the service.
``apache.config``
-----------------

Configures apache based on os_family
Configures apache server.

``apache.certificates``
-----------------
The configuration is done by merging the pillar content with defaults
present in the state `<apache/defaults/RedHat/defaults-apache-2.4.yaml>`_

Deploy SSL certificates from pillars
.. code:: yaml

``apache.mod_mpm``
------------------
apache:
server_apache_config:
directives:
- Timeout: 5
containers:
IfModule:
-
item: 'mime_module'
directives:
- AddType: 'application/x-font-ttf ttc ttf'
- AddType: 'application/x-font-opentype otf'
- AddType: 'application/x-font-woff woff2'

Configures the apache mpm modules on Debian ``mpm_prefork``, ``mpm_worker`` or ``mpm_event`` (Debian Only)

``apache.modules``
------------------

Enables and disables Apache modules.

``apache.mod_rewrite``
----------------------

Enabled the Apache module mod_rewrite (Debian and FreeBSD only)

``apache.mod_proxy``
-------------------

Enables the Apache module mod_proxy. (Debian and FreeBSD only)

``apache.mod_proxy_http``
-------------------------

Enables the Apache module mod_proxy_http and requires the Apache module mod_proxy to be enabled. (Debian Only)

``apache.mod_proxy_fcgi``
-------------------------

Enables the Apache module mod_proxy_fcgi and requires the Apache module mod_proxy to be enabled. (Debian Only)

``apache.mod_wsgi``
-------------------

Installs the mod_wsgi package and enables the Apache module.

``apache.mod_actions``
----------------------

Enables the Apache module mod_actions. (Debian Only)

``apache.mod_headers``
----------------------

Enables the Apache module mod_headers. (Debian Only)

``apache.mod_pagespeed``
------------------------

Installs and Enables the mod_pagespeed module. (Debian and RedHat Only)

``apache.mod_perl2``
-------------------

Installs and enables the mod_perl2 module (Debian and FreeBSD only)

``apache.mod_geoip``
-------------------

Installs and enables the mod_geoIP (RedHat only)

``apache.mod_php5``
-------------------

Installs and enables the mod_php5 module

``apache.mod_cgi``
---------------------

Enables mod_cgi. (FreeBSD only)

``apache.mod_fcgid``
--------------------

Installs and enables the mod_fcgid module (Debian only)

``apache.mod_fastcgi``
--------------------

Installs and enables the mod_fastcgi module

``apache.mod_dav_svn``
--------------------

Installs and enables the mod_dav_svn module (Debian only)

``apache.mod_security``
----------------------

Installs an enables the `Apache mod_security2 WAF`<http://modsecurity.org/>`_
using data from Pillar. (Debian and RedHat Only)

Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2
``apache.vhosts.vhost``
--------------------------

``apache.mod_security.rules``
-----------------------------
Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar.

This state can create symlinks based on basic Core Rules package. (Debian only)
Or it can distribute a mod_security rule file and place it /etc/modsecurity/
All necessary data must be provided in the pillar

``apache.mod_socache_shmcb``
---------------------
Exceptions are :

Enables mod_socache_shmcb. (FreeBSD only)
* ``CustomLog`` default is ``/path/apache/log/ServerName-access.log combined``

``apache.mod_ssl``
----------------------
* if ``Logformat`` is defined in pillar, ``CustomLog`` is enforced to ``/path/apache/log/ServerName-access.log Logformat``

Installs and enables the mod_ssl module (Debian, RedHat and FreeBSD only)
* ``ErrorLog`` is enforced to ``/path/apache/log/ServerName-error.log``

``apache.mod_suexec``
---------------------
Example Pillar:

Enables mod_suexec. (FreeBSD only)
Create two vhosts ``example.com.conf`` and ``test.example.com.conf``

``apache.mod_vhost_alias``
----------------------
.. code:: yaml

Enables the Apache module vhost_alias (Debian Only)
apache:
VirtualHost:
example.com: # <-- this is an id decalaration used in salt and default ServerName
item: '*:80'
directives:
- RewriteEngine: 'on'
- Header: 'set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS'
containers:
Location:
item: '/test.html'
directives:
- Require: 'all granted'
site_id_declaration:
item: '10.10.1.1:8080'
directives:
- ServerName: 'test.example.com'
- LogFormat: '"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T"'

``apache.mod_remoteip``
----------------------
Files produced by these pillars :

Enables and configures the Apache module mod_remoteip using data from Pillar. (Debian Only)
``example.com.conf``

``apache.mod_xsendfile``
----------------------
.. code:: bash

Installs and enables mod_xsendfile module. (Debian Only)
<VirtualHost *:80>
ServerName example.com
CustomLog /var/log/httpd/example.com-access.log combined
ErrorLog /var/log/httpd/example.com-error.log
RewriteEngine on
Header set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS
<Location /test.html>
Require all granted
</Location>
</VirtualHost>

``apache.own_default_vhost``
--------------------------

Replace default vhost with own version. By default, it's 503 code. (Debian Only)
``test.example.com.conf``

``apache.no_default_vhost``
--------------------------
.. code:: bash

Remove the default vhost. (Debian Only)
<VirtualHost 10.10.1.1:8080>
ServerName test.example.com
CustomLog /var/log/httpd/test.example.com-access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T"
ErrorLog /var/log/httpd/test.example.com-error.log
</VirtualHost>

``apache.vhosts.standard``
--------------------------

Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar.

Example Pillar:
this will delete ``test.example.com.conf``

.. code:: yaml

apache:
sites:
example.com: # must be unique; used as an ID declaration in Salt; also passed to the template context as {{ id }}
template_file: salt://apache/vhosts/standard.tmpl
VirtualHost:
test.example.com:
item: '10.10.1.1:8080'
absent: True # <-- delete test.example.com.conf
directives:
- ServerName: 'test.example.com'

When using the provided templates, one can use a space separated list
of interfaces to bind to. For example, to bind both IPv4 and IPv6:

.. code:: yaml

apache:
sites:
example.com:
interface: '1.2.3.4 [2001:abc:def:100::3]'

``apache.manage_security``
--------------------------

Configures Apache's security.conf options by reassinging them using data from Pillar.

``apache.server_status``
--------------------------

Configures Apache's server_status handler for localhost

``apache.debian_full``
----------------------

Installs and configures Apache on Debian and Ubuntu systems.

``apache.uninstall``
----------

Stops the Apache service and uninstalls the package.

These states are ordered using the ``order`` declaration. Different stages
are divided into the following number ranges:

1) apache will use 1-500 for ordering
2) apache will reserve 1 -100 as unused
3) apache will reserve 101-150 for pre pkg install
4) apache will reserve 151-200 for pkg install
5) apache will reserve 201-250 for pkg configure
6) apache will reserve 251-300 for downloads, git stuff, load data
7) apache will reserve 301-400 for unknown purposes
8) apache will reserve 401-450 for service restart-reloads
9) apache WILL reserve 451-460 for service.running
10) apache will reserve 461-500 for cmd requiring operational services

Example Pillar:

.. code:: yaml

apache:
register-site:
# any name as an array index, and you can duplicate this section
{{UNIQUE}}:
name: 'my name'
path: 'salt://path/to/sites-available/conf/file'
state: 'enabled'

+ 0
- 118
apache/config-ng.sls Zobrazit soubor

@@ -1,118 +0,0 @@
{% from "apache/map.jinja" import apache with context %}
{% import_yaml "apache/hardening-values.yaml" as hardening_values %}
{% import_yaml "apache/defaults/" ~ salt['grains.get']('os_family') ~ "/defaults-apache-" ~ apache.version ~ ".yaml" as global_defaults %}
include:
- apache
- apache.mod_ssl
- apache.hardening
{# merge defaults with pillar content #}
{% set pillar_server_config = salt['pillar.get']('apache:server_apache_config', {}) %}
{% set server_config = salt['apache_directives.merge_container_with_additional_data'](
global_defaults.server_apache_config,
pillar_server_config) %}
{# enforce directives values #}
{% for directive, directive_data in hardening_values.enforced_directives.items() %}
{% set server_config = salt['apache_directives.enforce_directive_value'](directive,
directive_data,
container_name='server',
container_data=server_config) %}
{% endfor %}
{# merge server config with hardened sections #}
{% set server_config = salt['apache_directives.enforce_security_directives_into_containers'](
server_config,
hardening_values.enforced_containers ) %}
{# remove containers #}
{% for container_name_to_remove, items_names in hardening_values.containers_to_remove.items() %}
{% for item_name in items_names %}
{% set server_config = salt['apache_directives.remove_container'](
server_config,
container_name_to_remove,
item_name) %}
{% endfor %}
{% endfor %}
{# add supplemental security directives in server configuration #}
{% for d_directive in hardening_values.server_supplemental_directives %}
{% for directive, value in d_directive.items() %}
{% set server_config = salt['apache_directives.append_to_container_directives'](
directive,
value,
server_config) %}
{% endfor %}
{% endfor %}
{% if grains['os_family']=="RedHat" %}
{{ apache.logdir }}:
file.directory:
- makedirs: True
- require:
- pkg: apache
- user: root
- group: {{ apache.group }}
- dir_mode: 750
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{{ apache.configfile }}:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/apache-{{ apache.version }}-ng.config.jinja
- user: root
- group: root
- mode: 644
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- context:
apache: {{ apache }}
server_config: {{ server_config | json }}
{{ apache.vhostdir_ng }}:
file.directory:
- makedirs: True
- require:
- pkg: apache
- user: root
- group: root
- dir_mode: 755
- file_mode: 644
- recurse:
- user
- group
- mode
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
/etc/httpd/conf.d/welcome.conf:
file.managed:
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/welcome.conf
- user: root
- group: root
- mode: 644
- require:
- pkg: apache
- watch_in:
- service: apache
{% endif %}

+ 65
- 87
apache/config.sls Zobrazit soubor

@@ -1,13 +1,61 @@
{% from "apache/map.jinja" import apache with context %}
{% import_yaml "apache/hardening-values.yaml" as hardening_values %}
{% import_yaml "apache/defaults/" ~ salt['grains.get']('os_family') ~ "/defaults-apache-" ~ apache.version ~ ".yaml" as global_defaults %}

include:
- apache
- apache.mod_ssl
- apache.hardening

{# merge defaults with pillar content #}
{% set pillar_server_config = salt['pillar.get']('apache:server_apache_config', {}) %}
{% set server_config = salt['apache_directives.merge_container_with_additional_data'](
global_defaults.server_apache_config,
pillar_server_config) %}

{# enforce directives values #}
{% for directive, directive_data in hardening_values.enforced_directives.items() %}
{% set server_config = salt['apache_directives.enforce_directive_value'](directive,
directive_data,
container_name='server',
container_data=server_config) %}
{% endfor %}

{# merge server config with hardened sections #}
{% set server_config = salt['apache_directives.enforce_security_directives_into_containers'](
server_config,
hardening_values.enforced_containers ) %}

{# remove containers #}
{% for container_name_to_remove, items_names in hardening_values.containers_to_remove.items() %}
{% for item_name in items_names %}
{% set server_config = salt['apache_directives.remove_container'](
server_config,
container_name_to_remove,
item_name) %}
{% endfor %}
{% endfor %}

{# add supplemental security directives in server configuration #}
{% for d_directive in hardening_values.server_supplemental_directives %}
{% for directive, value in d_directive.items() %}
{% set server_config = salt['apache_directives.append_to_container_directives'](
directive,
value,
server_config) %}
{% endfor %}
{% endfor %}

{% if grains['os_family']=="RedHat" %}

{{ apache.logdir }}:
file.directory:
- makedirs: True
- require:
- pkg: apache
- user: root
- group: {{ apache.group }}
- dir_mode: 750
- watch_in:
- module: apache-restart
- require_in:
@@ -20,6 +68,9 @@ include:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/apache-{{ apache.version }}.config.jinja
- user: root
- group: root
- mode: 644
- require:
- pkg: apache
- watch_in:
@@ -29,13 +80,22 @@ include:
- module: apache-reload
- service: apache
- context:
apache: {{ apache | json }}
apache: {{ apache | json}}
server_config: {{ server_config | json }}

{{ apache.vhostdir }}:
file.directory:
- makedirs: True
- require:
- pkg: apache
- user: root
- group: root
- dir_mode: 755
- file_mode: 644
- recurse:
- user
- group
- mode
- watch_in:
- module: apache-restart
- require_in:
@@ -43,98 +103,16 @@ include:
- module: apache-reload
- service: apache

{% if grains['os_family']=="Debian" %}
/etc/apache2/envvars:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache

{{ apache.portsfile }}:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- context:
apache: {{ apache | json }}

{% endif %}

{% if grains['os_family']=="RedHat" %}
{{ apache.confdir }}/welcome.conf:
file.absent:
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endif %}

{% if grains['os_family']=="Suse" or salt['grains.get']('os') == 'SUSE' %}
/etc/apache2/global.conf:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/global.config.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- context:
apache: {{ apache | json }}
{% endif %}

{% if grains['os_family']=="FreeBSD" %}
/usr/local/etc/{{ apache.service }}/envvars.d/by_salt.env:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja
- salt://apache/files/{{ salt['grains.get']('os_family') }}/welcome.conf
- user: root
- group: root
- mode: 644
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache

{{ apache.portsfile }}:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- context:
apache: {{ apache | json }}
{% endif %}

+ 0
- 40
apache/files/RedHat/apache-2.4-ng.config.jinja Zobrazit soubor

@@ -1,40 +0,0 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{%- from "apache/map.jinja" import apache with context %}
{%- import_yaml "apache/hardening-values.yaml" as hardening_values %}
{%- from "apache/lib.sls" import directives_output, container_output with context %}
{%- set list_interfaces_ports = [] %}
{%- for name, vhost in salt['pillar.get']('apache:VirtualHost', {}).items() %}
{%- set items = vhost.item.split() %}
{%- for item in items if item not in list_interfaces_ports %}
{%- do list_interfaces_ports.append(item) %}
{%- endfor %}
{%- endfor %}
{%- for item in list_interfaces_ports %}
Listen {{ item }}
{% else %}
Listen *:80
{%- endfor %}
{{ directives_output(server_config, 0) }}
Include conf.modules.d/*.conf
User {{ apache.user }}
Group {{ apache.group }}
{%- for container_name, container_data_list in server_config.get('containers', {}).items() %}
{%- for container_data in container_data_list %}
{{ container_output(container_name, container_data) }}
{%- endfor %}
{%- endfor %}
IncludeOptional {{ apache.confdir }}/*.conf
{%- if apache.vhostdir_ng != apache.confdir %}
IncludeOptional {{ apache.vhostdir_ng }}/*.conf
{%- endif %}

+ 28
- 386
apache/files/RedHat/apache-2.4.config.jinja Zobrazit soubor

@@ -1,400 +1,42 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{% from "apache/map.jinja" import apache with context %}
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "{{ apache.get('serverroot', '/etc/httpd') }}"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80

{% if salt['pillar.get']('apache:sites') is mapping %}
{%- set listen_directives = [] %}
{%- for id, site in salt['pillar.get']('apache:sites').items() %}
{%- set interfaces = site.get('interface', '*').split() %}
{%- set port = site.get('port', 80) %}
{%- for interface in interfaces %}
{%- if not site.get('exclude_listen_directive', False) and not port == '*' %}
{%- set listen_directive = interface ~ ':' ~ port %}
{%- if listen_directive not in listen_directives %}
{%- do listen_directives.append(listen_directive) %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- for listen in listen_directives %}
Listen {{ listen }}
{%- endfor %}
{%- else %}
Listen 80

<IfModule mod_ssl.c>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>
{%- from "apache/map.jinja" import apache with context %}
{%- import_yaml "apache/hardening-values.yaml" as hardening_values %}
{%- from "apache/lib.sls" import directives_output, container_output with context %}

{%- set list_interfaces_ports = [] %}
{%- for name, vhost in salt['pillar.get']('apache:VirtualHost', {}).items() %}
{%- if not vhost.get('absent', False) %}
{%- set items = vhost.item.split() %}
{%- for item in items if item not in list_interfaces_ports %}
{%- do list_interfaces_ports.append(item) %}
{%- endfor %}
{%- endif %}
{%- endfor %}

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "{{ apache.get('docroot', apache.wwwdir + '/html') }}"

#
# Relax access to content within {{ apache.wwwdir }}.
#
<Directory "{{ apache.wwwdir }}">
AllowOverride None
# Allow open access:
Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "{{ apache.get('docroot', apache.wwwdir + '/html') }}">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "{{ apache.logdir }}/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
{%- for log_format in salt['pillar.get']('apache:log_formats', []) %}
LogFormat {{ log_format }}
{%- endfor %}

<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common

#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "{{ apache.logdir }}/access_log" combined
</IfModule>

<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar

#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "{{ apache.wwwdir }}/cgi-bin/"

</IfModule>

#
# "{{ apache.wwwdir }}/cgi-bin/" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "{{ apache.wwwdir }}/cgi-bin/">
AllowOverride None
Options None
Require all granted
</Directory>

<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig /etc/mime.types

#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi

# For type maps (negotiated resources):
#AddHandler type-map var

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
{%- for item in list_interfaces_ports %}
Listen {{ item }}
{% else %}
Listen *:80
{%- endfor %}

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset {{ apache.default_charset }}
{{ directives_output(server_config, 0) }}

<IfModule mime_magic_module>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
MIMEMagicFile conf/magic
</IfModule>
Include conf.modules.d/*.conf

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
User {{ apache.user }}
Group {{ apache.group }}

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on

{%- for directive, dvalue in salt['pillar.get']('apache:global', {}).items() %}
{{ directive }} {{ dvalue }}
{%- for container_name, container_data_list in server_config.get('containers', {}).items() %}
{%- for container_data in container_data_list %}
{{ container_output(container_name, container_data) }}
{%- endfor %}
{%- endfor %}

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.

IncludeOptional {{ apache.confdir }}/*.conf
{% if apache.vhostdir != apache.confdir %}
{%- if apache.vhostdir != apache.confdir %}
IncludeOptional {{ apache.vhostdir }}/*.conf
{% endif %}

# Added for security enhancements
TraceEnable off
ServerSignature off
ServerTokens Prod
{%- endif %}

+ 0
- 86
apache/modules-ng.sls Zobrazit soubor

@@ -1,86 +0,0 @@
{%- import_yaml "apache/hardening-values.yaml" as hardening_values %}

{% if grains['os_family']=="Debian" %}

include:
- apache

{% for module in salt['pillar.get']('apache:modules:enabled', []) %}
a2enmod {{ module }}:
cmd.run:
- unless: ls /etc/apache2/mods-enabled/{{ module }}.load
- order: 225
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{% endfor %}

{% for module in salt['pillar.get']('apache:modules:disabled', []) %}
a2dismod -f {{ module }}:
cmd.run:
- onlyif: ls /etc/apache2/mods-enabled/{{ module }}.load
- order: 225
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{% endfor %}

{% elif grains['os_family']=="RedHat" %}

include:
- apache

{% for module in salt['pillar.get']('apache:modules:enabled', default=hardening_values.modules.enforce_enabled, merge=True) if module not in hardening_values.modules.enforce_disabled %}
find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;:
cmd.run:
- unless: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module"
- order: 225
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{% endfor %}

{% for module in salt['pillar.get']('apache:modules:disabled', default=hardening_values.modules.enforce_disabled, merge=True) if module not in hardening_values.modules.enforce_enabled %}
find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;:
cmd.run:
- onlyif: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module"
- order: 225
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{% endfor %}



{% elif salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}

include:
- apache

{% for module in salt['pillar.get']('apache:modules:enabled', []) %}
a2enmod {{ module }}:
cmd.run:
- unless: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep {{ module }}
- order: 225
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{% endfor %}

{% for module in salt['pillar.get']('apache:modules:disabled', []) %}
a2dismod -f {{ module }}:
cmd.run:
- onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep {{ module }}
- order: 225
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{% endfor %}

{% endif %}

+ 8
- 28
apache/modules.sls Zobrazit soubor

@@ -1,3 +1,5 @@
{%- import_yaml "apache/hardening-values.yaml" as hardening_values %}

{% if grains['os_family']=="Debian" %}

include:
@@ -12,10 +14,6 @@ a2enmod {{ module }}:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endfor %}

{% for module in salt['pillar.get']('apache:modules:disabled', []) %}
@@ -27,18 +25,14 @@ a2dismod -f {{ module }}:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endfor %}

{% elif grains['os_family']=="RedHat" %}

include:
- apache
{% for module in salt['pillar.get']('apache:modules:enabled', []) %}
{% for module in salt['pillar.get']('apache:modules:enabled', default=hardening_values.modules.enforce_enabled, merge=True) if module not in hardening_values.modules.enforce_disabled %}
find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;:
cmd.run:
- unless: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module"
@@ -47,13 +41,9 @@ find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endfor %}

{% for module in salt['pillar.get']('apache:modules:disabled', []) %}
{% for module in salt['pillar.get']('apache:modules:disabled', default=hardening_values.modules.enforce_disabled, merge=True) if module not in hardening_values.modules.enforce_enabled %}
find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;:
cmd.run:
- onlyif: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module"
@@ -62,17 +52,15 @@ find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ m
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endfor %}



{% elif salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}

include:
- apache
{% for module in salt['pillar.get']('apache:modules:enabled', []) %}
a2enmod {{ module }}:
cmd.run:
@@ -82,10 +70,6 @@ a2enmod {{ module }}:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endfor %}

{% for module in salt['pillar.get']('apache:modules:disabled', []) %}
@@ -97,10 +81,6 @@ a2dismod -f {{ module }}:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endfor %}

{% endif %}

+ 1
- 2
apache/osfamilymap.yaml Zobrazit soubor

@@ -44,8 +44,7 @@ RedHat:
mod_geoip: mod_geoip
mod_geoip_database: GeoIP

vhostdir: /etc/httpd/vhosts.d
vhostdir_ng: /etc/httpd/conf.d
vhostdir: /etc/httpd/conf.d
confdir: /etc/httpd/conf.d
confext: .conf
default_site: default

+ 0
- 41
apache/vhosts/cleanup.sls Zobrazit soubor

@@ -1,41 +0,0 @@
{% from "apache/map.jinja" import apache with context %}

include:
- apache

{% if grains.os_family == 'Debian' %}

{% set dirpath = '/etc/apache2/sites-enabled' %}

{# Add . and .. to make it easier to not clean those #}
{% set valid_sites = ['.', '..', ] %}

{# Take sites from apache.vhosts.standard #}
{% for id, site in salt['pillar.get']('apache:sites', {}).items() %}
{% do valid_sites.append('{}{}'.format(id, apache.confext)) %}
{% endfor %}

{# Take sites from apache.register_site #}
{% for id, site in salt['pillar.get']('apache:register-site', {}) %}
{% do valid_sites.append('{}{}'.format(site.name, apache.confext)) %}
{% endfor %}


{% for filename in salt['file.readdir']('/etc/apache2/sites-enabled/') %}
{% if filename not in valid_sites %}

a2dissite {{ filename }}:
cmd.run:
- onlyif: "test -L {{ dirpath}}/{{ filename }} || test -f {{ dirpath}}/{{ filename }}"
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache

{% endif %}
{% endfor %}


{% endif %}{# Debian #}

+ 0
- 37
apache/vhosts/minimal.tmpl Zobrazit soubor

@@ -1,37 +0,0 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{# Define default values here so the template below can just focus on layout #}
{%- set sitename = site.get('ServerName', id) -%}

{%- set vals = {
'interfaces': site.get('interface', '*').split(),
'port': site.get('port', '80'),

'ServerName': sitename,
'ServerAlias': site.get('ServerAlias', ''),

'ServerAdmin': site.get('ServerAdmin', 'webmaster@{0}'.format(sitename)),

'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %b"'),


'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename))
} -%}

<VirtualHost {% for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}
{% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %}

{% if site.get('DocumentRoot') != False -%}DocumentRoot {{ vals.DocumentRoot }}{% endif %}

{% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %}
{% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
</VirtualHost>

+ 0
- 131
apache/vhosts/proxy.tmpl Zobrazit soubor

@@ -1,131 +0,0 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{# Define default values here so the template below can just focus on layout #}
{% from "apache/map.jinja" import apache with context %}
{% set sitename = site.get('ServerName', id) %}
{% set vals = {
'interfaces': site.get('interface', '*').split(),
'port': site.get('port', '80'),

'ServerName': sitename,
'ServerAlias': site.get('ServerAlias', ''),

'ServerAdmin': site.get('ServerAdmin', 'webmaster@{0}'.format(sitename)),

'UseCanonicalName': site.get('UseCanonicalName'),

'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%a %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\""'),
'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),

'ProxyRequests': site.get('ProxyRequests', 'Off'),
'ProxyPreserveHost': site.get('ProxyPreserveHost', 'On'),
'ProxyRoute': site.get('ProxyRoute', {}),

'Location': {
'Order': 'allow,deny',
'Allow': 'from all',
'Require': 'all granted',
},
'LocationMatch': {
'Order': 'allow,deny',
'Allow': 'from all',
'Require': 'all granted',
},
} %}
<VirtualHost {%- for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}
{% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %}
{% if site.get('UseCanonicalName') %}UseCanonicalName {{ vals.UseCanonicalName }}{% endif %}

{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
{% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}

{% if site.get('SSLCertificateFile') %}SSLEngine on
SSLCertificateFile {{ site.SSLCertificateFile }}
{% if site.get('SSLCertificateKeyFile') %}SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }}{% endif %}
{% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile}}{% endif %}
{% endif %}
{% if site.get('Rewrite') %}RewriteEngine on
{{ site.Rewrite }}
{% endif %}
{% if site.get('SSLProxyEngine') %}SSLProxyEngine {{ site.SSLProxyEngine }}{% endif %}
ProxyRequests {{ vals.ProxyRequests }}
ProxyPreserveHost {{ vals.ProxyPreserveHost }}
{% if site.get('ProxyErrorOverride') %}ProxyErrorOverride {{ site.ProxyErrorOverride }} {% endif %}
{% if site.get('ProxyErrorDir') %}ProxyPass /{{ site.ProxyErrorDir }}/ ! {% endif %}
{% for proxy, proxyargs in vals.ProxyRoute|dictsort|reverse %}
{% set proxyvals = {
'ProxyPassSource': proxyargs.get('ProxyPassSource', '/'),
'ProxyPassTarget': proxyargs.get('ProxyPassTarget', 'https://{0}'.format(sitename)),
'ProxyPassTargetOptions': proxyargs.get('ProxyPassTargetOptions', ''),
'ProxyPassReverseSource': proxyargs.get('ProxyPassReverseSource', '/'),
'ProxyPassReverseTarget': proxyargs.get('ProxyPassReverseTarget', proxyargs.get('ProxyPassTarget', 'https://{0}'.format(sitename))),
} %}
######### {{proxy}} #########
ProxyPass {{ proxyvals.ProxyPassSource }} {{ proxyvals.ProxyPassTarget }} {{ proxyvals.ProxyPassTargetOptions }}
ProxyPassReverse {{ proxyvals.ProxyPassReverseSource }} {{ proxyvals.ProxyPassReverseTarget }}
{% endfor %}

{%- for path, loc in site.get('Location', {}).items() %}
{%- set lvals = {
'Order': loc.get('Order', vals.Location.Order),
'Allow': loc.get('Allow', vals.Location.Allow),
'Require': loc.get('Require', vals.Location.Require),
'Dav': loc.get('Dav', False),
} %}
<Location "{{ path }}">
{% if apache.version == '2.4' %}
{%- if lvals.get('Require') != False %}Require {{lvals.Require}}{% endif %}
{% else %}
{%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
{%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
{% endif %}
{%- if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %}
</Location>
{% endfor %}
{%- for regpath, locmat in site.get('LocationMatch', {}).items() %}
{%- set lmvals = {
'Order': locmat.get('Order', vals.LocationMatch.Order),
'Allow': locmat.get('Allow', vals.LocationMatch.Allow),
'Require': locmat.get('Require', vals.LocationMatch.Require),
'Dav': locmat.get('Dav', False),
} %}
<LocationMatch "{{ regpath }}">
{% if apache.version == '2.4' %}
{%- if lmvals.get('Require') != False %}Require {{lmvals.Require}}{% endif %}
{% else %}
{%- if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %}
{%- if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %}
{% endif %}
{%- if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %}
</LocationMatch>
{% endfor %}
{%- for proxypath, prox in site.get('Proxy_control', {}).items() %}
{%- set proxvals = {
'AllowAll': prox.get('AllowAll', vals.AllowAll),
'AllowCountry': prox.get('AllowCountry', vals.AllowCountry),
'AllowIP': prox.get('AllowIP', vals.AllowIP),
} %}
<Proxy "{{ proxypath }}">
{%- if proxvals.get('AllowAll') != False %}
Require all granted
{%- else %}
{% if proxvals.get('AllowCountry') != False %}{% set country_list = proxvals.get('AllowCountry', {}) %}GeoIPEnable On
{% for every_country in country_list %}SetEnvIf GEOIP_COUNTRY_CODE {{ every_country }} AllowCountry
{% endfor %}Require env AllowCountry {% endif %}
{% if proxvals.get('AllowIP') is defined %} {% set ip_list = proxvals.get('AllowIP', {}) %}
Require ip {% for every_ip in ip_list %}{{ every_ip }} {% endfor %} {% endif %}
{%- endif %}
</Proxy>
{%- endfor %}
{% if site.get('Formula_Append') %}
{{ site.Formula_Append|indent(4) }}
{% endif %}
</VirtualHost>

+ 0
- 51
apache/vhosts/redirect.tmpl Zobrazit soubor

@@ -1,51 +0,0 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{# Define default values here so the template below can just focus on layout #}
{%- from "apache/map.jinja" import apache with context %}
{%- set sitename = site.get('ServerName', id) %}

{%- set vals = {
'interfaces': site.get('interface', '*').split(),
'port': site.get('port', '80'),

'ServerName': sitename,
'ServerAlias': site.get('ServerAlias', ''),

'ServerAdmin': site.get('ServerAdmin', 'webmaster@{0}'.format(sitename)),

'UseCanonicalName': site.get('UseCanonicalName'),

'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %O"'),
'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
'RedirectSource': site.get('RedirectSource', '/'),
'RedirectTarget': site.get('RedirectTarget', 'https://{0}/'.format(sitename)),
} %}

<VirtualHost {%- for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}

{% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %}

{% if site.get('UseCanonicalName') %}UseCanonicalName {{ vals.UseCanonicalName }}{% endif %}

{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
{% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}

{% if site.get('RedirectMatch') %}
RedirectMatch {{ vals.RedirectSource }} {{ vals.RedirectTarget }}
{% else %}
Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }}
{% endif %}
{% if site.get('Formula_Append') %}
{{ site.Formula_Append|indent(4) }}
{% endif %}
</VirtualHost>

+ 0
- 65
apache/vhosts/standard.sls Zobrazit soubor

@@ -1,65 +0,0 @@
{% from "apache/map.jinja" import apache with context %}

include:
- apache

{% for id, site in salt['pillar.get']('apache:sites', {}).items() %}
{% set documentroot = site.get('DocumentRoot', '{0}/{1}'.format(apache.wwwdir, site.get('ServerName', id))) %}

apache_vhosts_{{ id }}:
file.managed:
- name: {{ apache.vhostdir }}/{{ id }}{{ apache.confext }}
- source: {{ site.get('template_file', 'salt://apache/vhosts/standard.tmpl') }}
- template: {{ site.get('template_engine', 'jinja') }}
- context:
id: {{ id|json }}
site: {{ site|json }}
map: {{ apache|json }}
- require:
- pkg: apache
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache

{% if site.get('DocumentRoot') != False %}
{{ id }}-documentroot:
file.directory:
- name: {{ documentroot }}
- makedirs: True
- user: {{ site.get('DocumentRootUser', apache.get('document_root_user'))|json }}
- group: {{ site.get('DocumentRootGroup', apache.get('document_root_group'))|json }}
- allow_symlink: True
{% endif %}

{% if grains.os_family == 'Debian' %}
{% if site.get('enabled', True) %}
a2ensite {{ id }}{{ apache.confext }}:
cmd.run:
- unless: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }}
- require:
- file: /etc/apache2/sites-available/{{ id }}{{ apache.confext }}
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% else %}
a2dissite {{ id }}{{ apache.confext }}:
cmd.run:
- onlyif: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }}
- require:
- file: /etc/apache2/sites-available/{{ id }}{{ apache.confext }}
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endif %}
{% endif %}

{% endfor %}

+ 0
- 136
apache/vhosts/standard.tmpl Zobrazit soubor

@@ -1,136 +0,0 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{# Define default values here so the template below can just focus on layout #}
{%- set sitename = site.get('ServerName', id) -%}

{%- set vals = {
'interfaces': site.get('interface', '*').split(),
'port': site.get('port', '80'),

'ServerName': sitename,
'ServerAlias': site.get('ServerAlias', ''),

'ServerAdmin': site.get('ServerAdmin', 'webmaster@{0}'.format(sitename)),

'DirectoryIndex': site.get('DirectoryIndex'),
'UseCanonicalName': site.get('UseCanonicalName'),
'AllowEncodedSlashes': site.get('AllowEncodedSlashes', 'Off'),

'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s"'),
'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),

'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename)),
'VirtualDocumentRoot': site.get('VirtualDocumentRoot'),

'Timeout': site.get('Timeout'),
'LimitRequestFields': site.get('LimitRequestFields'),

'Directory_default': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename)),
'Directory': {
'Options': '-Indexes +FollowSymLinks',
'Order': 'allow,deny',
'Allow': 'from all',
'Require': 'all granted',
'AllowOverride': 'None',
},
'Location': {
'Order': 'allow,deny',
'Allow': 'from all',
'Require': 'all granted',
},
} -%}

<VirtualHost {% for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}

{% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %}

{% if site.get('DirectoryIndex') -%}DirectoryIndex {{ vals.DirectoryIndex }}{% endif %}
{% if site.get('UseCanonicalName') -%}UseCanonicalName {{ vals.UseCanonicalName }}{% endif %}
{% if site.get('AllowEncodedSlashes') != False -%}AllowEncodedSlashes {{ vals.AllowEncodedSlashes }}{% endif %}

{% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %}
{% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
{% if site.get('CustomLog') != False -%}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}

{% if site.get('DocumentRoot') != False -%}DocumentRoot {{ vals.DocumentRoot }}{% endif %}
{% if site.get('VirtualDocumentRoot') -%}VirtualDocumentRoot {{ vals.VirtualDocumentRoot }}{% endif %}

{% if site.get('Timeout') != False and site.get('Timeout') != None %}Timeout {{ vals.Timeout }}{% endif %}
{% if site.get('LimitRequestFields') %}LimitRequestFields {{ vals.LimitRequestFields }}{% endif %}

{% if site.get('SSLCertificateFile') %}SSLEngine on
SSLCertificateFile {{ site.SSLCertificateFile }}
{% if site.get('SSLCertificateKeyFile') %}SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }}{% endif %}
{% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile}}{% endif %}
{% endif %}
{% if site.get('Rewrite') %}RewriteEngine on
{{ site.Rewrite }}
{% endif %}

{%- for loc, path in site.get('Alias', {}).items() %}
Alias {{ loc }} {{ path }}
{%- endfor %}

{%- for path, dir in site.get('Directory', {}).items() -%}
{%- set dvals = {
'Options': dir.get('Options', vals.Directory.Options),
'Order': dir.get('Order', vals.Directory.Order),
'Allow': dir.get('Allow', vals.Directory.Allow),
'Require': dir.get('Require', vals.Directory.Require),
'AllowOverride': dir.get('AllowOverride', vals.Directory.AllowOverride),
'Dav': dir.get('Dav', False),
} %}

{%- if path == 'default' %}{% set path = vals.Directory_default %}{% endif %}

<Directory "{{ path }}">
{% if dvals.get('Options') != False %}Options {{ dvals.Options }}{% endif %}
{% if map.version == '2.4' %}
{% if dvals.get('Require') != False %}Require {{dvals.Require}}{% endif %}
{% else %}
{% if dvals.get('Order') != False %}Order {{ dvals.Order }}{% endif %}
{% if dvals.get('Allow') != False %}Allow {{ dvals.Allow }}{% endif %}
{% endif %}
{% if dvals.get('AllowOverride') != False %}AllowOverride {{ dvals.AllowOverride }}{% endif %}
{% if dvals.get('Dav') != False %}Dav On{% endif %}

{% if dir.get('Formula_Append') %}
{{ dir.Formula_Append|indent(8) }}
{% endif %}
</Directory>
{%- endfor %}

{%- for path, loc in site.get('Location', {}).items() %}
{%- set lvals = {
'Order': loc.get('Order', vals.Location.Order),
'Allow': loc.get('Allow', vals.Location.Allow),
'Require': loc.get('Require', vals.Location.Require),
'Dav': loc.get('Dav', False),
} %}

<Location "{{ path }}">
{% if map.version == '2.4' %}
{%- if lvals.get('Require') != False %}Require {{lvals.Require}}{% endif %}
{% else %}
{%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
{%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
{% endif %}
{%- if lvals.get('Dav') != False %}Dav On{% endif %}

{%- if loc.get('Formula_Append') %}
{{ loc.Formula_Append|indent(8) }}
{% endif %}
</Location>
{% endfor %}

{%- if site.get('Formula_Append') %}
{{ site.Formula_Append|indent(4) }}
{% endif %}
</VirtualHost>

apache/vhosts/vhost-ng.conf.jinja → apache/vhosts/vhost.conf.jinja Zobrazit soubor

@@ -1,6 +1,6 @@
{% from "apache/lib.sls" import container_output with context %}
#
# This file is managed by Salt! Do not edit by hand!
#
{{ container_output('VirtualHost', vhost_data, col=0, default_directives = []) }}
{% from "apache/lib.sls" import container_output with context %}
#
# This file is managed by Salt! Do not edit by hand!
#
{{ container_output('VirtualHost', vhost_data, col=0, default_directives = []) }}

apache/vhosts/vhost-ng.sls → apache/vhosts/vhost.sls Zobrazit soubor

@@ -1,110 +1,110 @@
{% from "apache/map.jinja" import apache with context %}
{% import_yaml "apache/hardening-values.yaml" as hardening_values %}
include:
- apache
{% set vhosts = salt['pillar.get']('apache:VirtualHost', {}) %}
{% for virtual_name, vhost in vhosts.items() %}
{% set vhost_server_name = salt['apache_directives.get_directive_single_value'](
'ServerName',
vhost.get('directives'),
default=virtual_name) %}
{% set vhost = salt['apache_directives.enforce_directive_value'](directive='ServerName',
enforced_directive_data={'value': vhost_server_name,
'add_if_absent': True},
container_name='VirtualHost',
container_data=vhost) %}
{% set default_documentroot = '{0}/{1}'.format(apache.wwwdir, vhost_server_name) %}
{% set documentroot = salt['apache_directives.get_directive_single_value'](
'DocumentRoot',
vhost.get('directives'),
default=default_documentroot) %}
{% set vhost = salt['apache_directives.set_vhost_logging_directives'](vhost,
vhost_server_name,
apache.logdir) %}
# enforce directives values #
{% for directive, directive_data in hardening_values.enforced_directives.items() %}
{% if 'add_if_absent' in directive_data %}
{% do directive_data.update({'add_if_absent': False}) %}
{% endif %}
{% set vhost = salt['apache_directives.enforce_directive_value'](directive,
directive_data,
container_name='VirtualHost',
container_data=vhost) %}
{% endfor %}
# merge vhost config with hardened sections #
{% set vhost = salt['apache_directives.enforce_security_directives_into_containers'](
vhost,
hardening_values.enforced_containers,
add_container=False ) %}
# remove containers #
{% for container_name_to_remove, items_names in hardening_values.containers_to_remove.items() %}
{% for item_name in items_names %}
{% set vhost = salt['apache_directives.remove_container'](
vhost,
container_name_to_remove,
item_name) %}
{% endfor %}
{% endfor %}
# add supplemental security directives in vhost configuration #
{% for d_directive in hardening_values.vhost_supplemental_directives %}
{% for directive, value in d_directive.items() %}
{% set vhost = salt['apache_directives.append_to_container_directives'](
directive,
value,
vhost) %}
{% endfor %}
{% endfor %}
{% if vhost.get('absent', False) %}
{{ vhost_server_name }}:
file.absent:
- name: {{ apache.vhostdir_ng }}/{{ vhost_server_name }}{{ apache.confext }}
- require:
- pkg: apache
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% else %}
{{ vhost_server_name }}:
file.managed:
- name: {{ apache.vhostdir_ng }}/{{ vhost_server_name }}{{ apache.confext }}
- source: 'salt://apache/vhosts/vhost-ng.conf.jinja'
- template: 'jinja'
- user: root
- group: root
- mode: 644
- context:
vhost_data: {{ vhost|json }}
- require:
- pkg: apache
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{{ documentroot }}-documentroot:
file.directory:
- name: {{ documentroot }}
- makedirs: True
- allow_symlink: True
{% endif %}
{% endfor %}
{% from "apache/map.jinja" import apache with context %}
{% import_yaml "apache/hardening-values.yaml" as hardening_values %}
include:
- apache
{% set vhosts = salt['pillar.get']('apache:VirtualHost', {}) %}
{% for virtual_name, vhost in vhosts.items() %}
{% set vhost_server_name = salt['apache_directives.get_directive_single_value'](
'ServerName',
vhost.get('directives'),
default=virtual_name) %}
{% set vhost = salt['apache_directives.enforce_directive_value'](directive='ServerName',
enforced_directive_data={'value': vhost_server_name,
'add_if_absent': True},
container_name='VirtualHost',
container_data=vhost) %}
{% set default_documentroot = '{0}/{1}'.format(apache.wwwdir, vhost_server_name) %}
{% set documentroot = salt['apache_directives.get_directive_single_value'](
'DocumentRoot',
vhost.get('directives'),
default=default_documentroot) %}
{% set vhost = salt['apache_directives.set_vhost_logging_directives'](vhost,
vhost_server_name,
apache.logdir) %}
# enforce directives values #
{% for directive, directive_data in hardening_values.enforced_directives.items() %}
{% if 'add_if_absent' in directive_data %}
{% do directive_data.update({'add_if_absent': False}) %}
{% endif %}
{% set vhost = salt['apache_directives.enforce_directive_value'](directive,
directive_data,
container_name='VirtualHost',
container_data=vhost) %}
{% endfor %}
# merge vhost config with hardened sections #
{% set vhost = salt['apache_directives.enforce_security_directives_into_containers'](
vhost,
hardening_values.enforced_containers,
add_container=False ) %}
# remove containers #
{% for container_name_to_remove, items_names in hardening_values.containers_to_remove.items() %}
{% for item_name in items_names %}
{% set vhost = salt['apache_directives.remove_container'](
vhost,
container_name_to_remove,
item_name) %}
{% endfor %}
{% endfor %}
# add supplemental security directives in vhost configuration #
{% for d_directive in hardening_values.vhost_supplemental_directives %}
{% for directive, value in d_directive.items() %}
{% set vhost = salt['apache_directives.append_to_container_directives'](
directive,
value,
vhost) %}
{% endfor %}
{% endfor %}
{% if vhost.get('absent', False) %}
{{ vhost_server_name }}:
file.absent:
- name: {{ apache.vhostdir }}/{{ vhost_server_name }}{{ apache.confext }}
- require:
- pkg: apache
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% else %}
{{ vhost_server_name }}:
file.managed:
- name: {{ apache.vhostdir }}/{{ vhost_server_name }}{{ apache.confext }}
- source: 'salt://apache/vhosts/vhost.conf.jinja'
- template: 'jinja'
- user: root
- group: root
- mode: 644
- context:
vhost_data: {{ vhost|json }}
- require:
- pkg: apache
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{{ documentroot }}-documentroot:
file.directory:
- name: {{ documentroot }}
- makedirs: True
- allow_symlink: True
{% endif %}
{% endfor %}

+ 0
- 372
pillar.example Zobrazit soubor

@@ -1,372 +0,0 @@
# see ``pillar-ng.example.yaml`` for new gen pillar

# ``apache`` formula configuration:
apache:

# By default apache restart/reload states run (false skips)
manage_service_states: True

# lookup section overrides ``map.jinja`` values
lookup:
server: apache2
service: apache2
user: some_system_user
group: some_system_group

vhostdir: /etc/apache2/sites-available
confdir: /etc/apache2/conf.d
confext: .conf
logdir: /var/log/apache2
wwwdir: /srv/apache2

# apache version (generally '2.2' or '2.4')
version: '2.2'

# ``apache.mod_wsgi`` formula additional configuration:
mod_wsgi: mod_wsgi

# Default value for AddDefaultCharset in RedHat configuration
default_charset: 'UTF-8'

# Should we enforce DocumentRoot user/group?
# Default: do not enforce
document_root_user: www-data # Force user if specified, leave it default if not
document_root_group: null # Do not enforce group

global:
# global apache directives
AllowEncodedSlashes: 'On'


name_virtual_hosts:
- interface: '*'
port: 80
- interface: '*'
port: 443

# ``apache.vhosts`` formula additional configuration:
sites:
example.net:
template_file: salt://apache/vhosts/minimal.tmpl

example.com: # must be unique; used as an ID declaration in Salt.
enabled: True
template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl

####################### DEFAULT VALUES BELOW ############################
# NOTE: the values below are simply default settings that *can* be
# overridden and are not required in order to use this formula to create
# vhost entries.
#
# Do not copy the values below into your Pillar unless you intend to
# modify these vaules.
####################### DEFAULT VALUES BELOW ############################
template_engine: jinja

interface: '*'
port: '80'

exclude_listen_directive: True # Do not add a Listen directive in httpd.conf

ServerName: example.com # uses the unique ID above unless specified
#ServerAlias: www.example.com # Do not add ServerAlias unless defined

ServerAdmin: webmaster@example.com

LogLevel: warn
ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log

DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
DocumentRootUser: null # do not enforce user, defaults to lookup:document_root_user
DocumentRootGroup: www-data # Force group, defaults to lookup:document_root_group

SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file

Directory:
# "default" is a special case; uses DocumentRoot value
# E.g.: /var/www/example.com
default:
Options: -Indexes +FollowSymLinks
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
AllowOverride: None
Formula_Append: |
Additional config as a
multi-line string here

redirectmatch.com:
# Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
# Require module mod_alias
enabled: True
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.redirectmatch.com
ServerAlias: www.redirectmatch.com
RedirectMatch: true
RedirectSource: '^/$'
RedirectTarget: '/subdirectory'
DocumentRoot: /var/www/html/
ErrorLog: ${APACHE_LOG_DIR}/error.log
CustomLog: ${APACHE_LOG_DIR}/access.log

80-proxyexample.com:
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.proxyexample.com
ServerAlias: www.proxyexample.com
RedirectSource: '/'
RedirectTarget: 'https://www.proxyexample.com/'
DocumentRoot: /var/www/proxy

443-proxyexample.com:
template_file: salt://apache/vhosts/proxy.tmpl
ServerName: www.proxyexample.com
ServerAlias: www.proxyexample.com
interface: '*'
port: '443'
DocumentRoot: /var/www/proxy

Rewrite: |
RewriteRule ^/webmail$ /webmail/ [R]
RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]

SSLCertificateFile: /etc/httpd/ssl/example.com.crt
SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer

SSLCertificateFile_content: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----

SSLCertificateKeyFile_content: |
-----BEGIN PRIVATE KEY-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END PRIVATE KEY-----

SSLCertificateChainFile_content: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----

ProxyRequests: 'Off'
ProxyPreserveHost: 'On'

ProxyRoute:
example prod proxy route:
ProxyPassSource: '/'
ProxyPassTarget: 'http://prod.example.com:85/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/'
ProxyPassReverseTarget: 'http://prod.example.com:85/'

example webmail proxy route:
ProxyPassSource: '/webmail/'
ProxyPassTarget: 'http://mail.example.com/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/webmail/'
ProxyPassReverseTarget: 'http://mail.example.com/'

example service proxy route:
ProxyPassSource: '/svc/'
ProxyPassTarget: 'http://svc.example.com:92/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/svc/'
ProxyPassReverseTarget: 'http://svc.example.com:92/'

Location:
/:
Require: False
Formula_Append: |
SecRuleRemoveById 981231
SecRuleRemoveById 981173

/error:
Require: 'all granted'

/docs:
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
Formula_Append: |
Additional config as a
multi-line string here

LocationMatch:
'^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
Require: False
Formula_Append: |
RequestHeader set Host mail.example.com

'^[.\\/]+([Ss][Vv][Cc])[.\\/]':
Require: False
Formula_Append: |
Require ip 123.123.13.6 84.24.25.74

Proxy_control:
'*':
AllowAll: False
AllowCountry:
- DE
AllowIP:
- 12.5.25.32
- 12.5.25.33


Alias:
/docs: /usr/share/docs

Formula_Append: |
Additional config as a
multi-line string here

# ``apache.debian_full`` formula additional configuration:
register-site:
# any name as an array index, and you can duplicate this section
UNIQUE_VALUE_HERE:
name: 'my name'
path: 'salt://path/to/sites-available/conf/file'
state: 'enabled'
# Optional - use managed file as Jinja Template
#template: true
#defaults:
# custom_var: "default value"

modules:
enabled: # List modules to enable
- ldap
- ssl
disabled: # List modules to disable
- rewrite

flags:
enabled: # List server flags to enable
- SSL
disabled: # List server flags to disable
- status

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
keepalive: 'On'

security:
# can be Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens: Prod

# [debian only] configure mod_ssl
ssl:
SSLCipherSuite: 'HIGH:!aNULL'
SSLHonorCipherOrder: 'Off'
SSLProtocol: 'all -SSLv3'
SSLUseStapling: 'Off'
SSLStaplingResponderTimeout: '5'
SSLStaplingReturnResponderErrors: 'Off'
SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'

# ``apache.mod_remoteip`` formula additional configuration:
mod_remoteip:
RemoteIPHeader: X-Forwarded-For
RemoteIPTrustedProxy:
- 10.0.8.0/24
- 127.0.0.1

# ``apache.mod_security`` formula additional configuration:
mod_security:
crs_install: True
# If not set, default distro's configuration is installed as is
manage_config: True
sec_rule_engine: 'On'
sec_request_body_access: 'On'
sec_request_body_limit: '14000000'
sec_request_body_no_files_limit: '114002'
sec_request_body_in_memory_limit: '114002'
sec_request_body_limit_action: 'Reject'
sec_pcre_match_limit: '15000'
sec_pcre_match_limit_recursion: '15000'
sec_debug_log_level: '3'

rules:
enabled:
modsecurity_crs_10_setup.conf:
rule_set: ''
enabled: True
modsecurity_crs_20_protocol_violations.conf:
rule_set: 'base_rules'
enabled: False

custom_rule_files:
# any name as an array index, and you can duplicate this section
UNIQUE_VALUE_HERE:
file: 'my name'
path: 'salt://path/to/modsecurity/custom/file'
enabled: True

mod_ssl:
# set this to True if you want to override your distributions default TLS configuration
manage_tls_defaults: False
# This stuff is deliberately not configured via map.jinja resp. apache:lookup.
# We're unable to know sane defaults for each release of every distribution.
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
# Have a look at bettercrypto.org for up-to-date settings.
# These are default values:
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Mitigate the CRIME attack
SSLCompression: Off
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder: On
SSLOptions: "+StrictRequire"

pillar-ng.example.yaml → pillar.example.yaml Zobrazit soubor

@@ -1,122 +1,122 @@
# server configuration and any vhost configuration have the same data structure
# This data structure is similar to below :
#
# directives: # list of top level directives/values
# - directive_1: value_1
# - directive_2: value_2
# - directive_3: value_3
# containers: # any type of httpd container
# container_name_1: # Files|Directory|DirectoryMatch|Proxy|location|locationMatch ...
# -
# item: 'path/to/1' # label, path or whatever that container applies to
# directives: # list of directives into this container
# - directive_1: value_1
# ...
# -
# item: '/path/to/2'
# direcives:
# - ...
# containers: # nested containers in /path/to/2
# nested_c_1:
# - item: '...'
# directives:
# - ...
# container_name_2:
# -
# item: '...'
# ...
# ``apache`` formula configuration:
apache:
# By default apache restart/reload states run (false skips)
manage_service_states: True
# lookup section overrides ``map.jinja`` values
lookup:
server: apache2
service: apache2
user: some_system_user
group: some_system_group
vhostdir: /etc/apache2/sites-available
confdir: /etc/apache2/conf.d
confext: .conf
logdir: /var/log/apache2
wwwdir: /srv/apache2
# apache version (generally '2.2' or '2.4')
version: '2.2'
# ``apache.mod_wsgi`` formula additional configuration:
mod_wsgi: mod_wsgi
# global (server) apache directives
server_apache_config: # this content will populate httpd.conf
directives:
- AllowEncodedSlashes: 'On'
- Timeout: 5
containers:
IfModule:
-
item: 'mime_module'
directives:
- AddType: 'application/x-font-ttf ttc ttf'
- AddType: 'application/x-font-opentype otf'
- AddType: 'application/x-font-woff woff2'
# ``apache.vhosts.vhost-ng`` formula additional configuration:
VirtualHost:
example.com: # <-- site_name : can be the real ServerName or a virtual name
item: '*:8080' # simple example
directives:
- ServerName: 'example.com' # if not defined default is site_name
- ServerAdmin: 'webmaster@example.com'
- DocumentRoot: '/path/to/www/dir/example.com'
- LogLevel: 'warn'
containers:
Location:
-
item: '/test.html'
directives:
- Require: 'all granted'
my_reverse_proxy: # example with a virtual site_name
item: '*:80' # vhost with proxypass
directives:
- ServerName: 'rp-example.com'
- ServerAdmin: 'webmaster@example.com'
- DocumentRoot: '/path/to/www/dir/rp-example.com'
- LogLevel: 'warn'
- ProxyPass: '/ balancer://cluster_1'
- ProxyPassReverse: '/ balancer://cluster_1'
- ProxyPreserveHost: 'On'
containers:
Proxy:
-
item: 'balancer://cluster_1'
directives:
- BalancerMember: 'http://my_backend_1:8081 route=backend-1-8081 timeout=240 retry=120'
- BalancerMember: 'http://my_backend_2:8081 route=backend-2-8081 timeout=240 retry=120'
- ProxySet: 'stickysession=JSESSIONID|jsessionid nofailover=off maxattempts=1'
unused_vhost:
item: '*:80'
absent: True # Delete this vhost
directives:
- ServerName: 'to-delete-example.com'
- ServerAdmin: 'webmaster@example.com'
- DocumentRoot: '/path/to/www/dir/to-delete-example.com'
- LogLevel: 'warn'
containers:
Location:
-
item: '/test.html'
directives:
- Require: 'all granted'
modules:
enabled: # List modules to enable
- ldap
- ssl
disabled: # List modules to disable
- rewrite
# server configuration and any vhost configuration have the same data structure
# This data structure is similar to below :
#
# directives: # list of top level directives/values
# - directive_1: value_1
# - directive_2: value_2
# - directive_3: value_3
# containers: # any type of httpd container
# container_name_1: # Files|Directory|DirectoryMatch|Proxy|location|locationMatch ...
# -
# item: 'path/to/1' # label, path or whatever that container applies to
# directives: # list of directives into this container
# - directive_1: value_1
# ...
# -
# item: '/path/to/2'
# direcives:
# - ...
# containers: # nested containers in /path/to/2
# nested_c_1:
# - item: '...'
# directives:
# - ...
# container_name_2:
# -
# item: '...'
# ...
# ``apache`` formula configuration:
apache:
# By default apache restart/reload states run (false skips)
manage_service_states: True
# lookup section overrides ``map.jinja`` values
lookup:
server: apache2
service: apache2
user: some_system_user
group: some_system_group
vhostdir: /etc/apache2/sites-available
confdir: /etc/apache2/conf.d
confext: .conf
logdir: /var/log/apache2
wwwdir: /srv/apache2
# apache version (generally '2.2' or '2.4')
version: '2.2'
# ``apache.mod_wsgi`` formula additional configuration:
mod_wsgi: mod_wsgi
# global (server) apache directives
server_apache_config: # this content will populate httpd.conf
directives:
- AllowEncodedSlashes: 'On'
- Timeout: 5
containers:
IfModule:
-
item: 'mime_module'
directives:
- AddType: 'application/x-font-ttf ttc ttf'
- AddType: 'application/x-font-opentype otf'
- AddType: 'application/x-font-woff woff2'
# ``apache.vhosts.vhost-ng`` formula additional configuration:
VirtualHost:
example.com: # <-- site_name : can be the real ServerName or a virtual name
item: '*:8080' # simple example
directives:
- ServerName: 'example.com' # if not defined default is site_name
- ServerAdmin: 'webmaster@example.com'
- DocumentRoot: '/path/to/www/dir/example.com'
- LogLevel: 'warn'
containers:
Location:
-
item: '/test.html'
directives:
- Require: 'all granted'
my_reverse_proxy: # example with a virtual site_name
item: '*:80' # vhost with proxypass
directives:
- ServerName: 'rp-example.com'
- ServerAdmin: 'webmaster@example.com'
- DocumentRoot: '/path/to/www/dir/rp-example.com'
- LogLevel: 'warn'
- ProxyPass: '/ balancer://cluster_1'
- ProxyPassReverse: '/ balancer://cluster_1'
- ProxyPreserveHost: 'On'
containers:
Proxy:
-
item: 'balancer://cluster_1'
directives:
- BalancerMember: 'http://my_backend_1:8081 route=backend-1-8081 timeout=240 retry=120'
- BalancerMember: 'http://my_backend_2:8081 route=backend-2-8081 timeout=240 retry=120'
- ProxySet: 'stickysession=JSESSIONID|jsessionid nofailover=off maxattempts=1'
unused_vhost:
item: '*:80'
absent: True # Delete this vhost
directives:
- ServerName: 'to-delete-example.com'
- ServerAdmin: 'webmaster@example.com'
- DocumentRoot: '/path/to/www/dir/to-delete-example.com'
- LogLevel: 'warn'
containers:
Location:
-
item: '/test.html'
directives:
- Require: 'all granted'
modules:
enabled: # List modules to enable
- ldap
- ssl
disabled: # List modules to disable
- rewrite

Načítá se…
Zrušit
Uložit