* Feature (rhel7/httpd 2.4) : hardening apache and code refactoring
* remove hard returns
* Add default Listen 80 in httpd.conf
In case there are no vhosts defined in pillar, httpd will listen on port 80.
Without this default it will not start.
* empty file autoindex.conf instead of deleting it
* explicit hardening items and references from CIS
* add #3.5 hardening rule
* explain CIS recommendations categories
* add dependencies before start service
* add recommendation #7.1 Install mod_ssl
* link in readme to hardening doc
Templates already fallback to SiteName before site id.
This attempts to be consistent with them, and avoid having to explicitly specify
the DocumentRoot, when the template already does the proper inference.
with salt-ssh-2016.11.3 it errored out with
TemplateNotFound: apache/map.jinja
and we were already passing in the 'apache' data as 'map'
from standard.sls
According to the pillar.example file there is no site.ProxyPassTarget,
so ProxyPassReverseTarget should default to proxyargs.ProxyPassTarget
(ie. site.ProxyRoute.ProxyPassTarget)
In 4d04d95b02 (#113)
apache/vhosts/standard.sls has been modified by @genuss to include
apache.config on the basis that apache.config was now able to retrieve the
interfaces/ports from pillar data in apache:sites.
I use apache:sites to register virtual hosts with non-standard
"template_file" (they contain the desired configuration directly)
and the "interface/port" keys are thus not meaningful.
    apache:
      sites:
        example.com:
          template_file: salt://vm/example/apache-vhost.conf
          DocumentRoot: False
The generated ports.conf ends up containing only "*:80" while
my virtual host configuration files need ports 80 and 443. The
situation was perfectly fine up to now because the default configuration
file handles both of those ports if you have mod_ssl installed.
People who want to use apache.config should just explicitly include
that state, we should not force its usage to all apache.vhosts.standard
users.
* Add ProxyRequests directive
This allows or prevents Apache httpd from functioning as a forward proxy server.
[See](https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyrequests).
The default action is off so I've set this as the default for this formula so it does not change the default behaviour.
* Add example pillar usage
This is done by splitting the interface pillar value instead of using a proper
list so it behaves exactly the same as before for simple 1 interface cases
(no need to refactor one's pillar files).
The result is something like:
Listen 1.2.3.4:80
Listen [2001:abc:def:100::3]:80
<VirtualHost 1.2.3.4:80 [2001:abc:def:100::3]:80>
...
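The interface splitting described in the commit message above, as an added Python sketch (not the formula's Jinja code and not part of the original commit). It assumes the pillar value is whitespace-separated; `render_listen_and_vhost` and `_format_addr` are hypothetical names, and rejecting anything that is not `*` or an IP literal is a stricter choice made for this example.

```python
import ipaddress


def _format_addr(addr):
    """Return one address in the form Apache expects (IPv6 in brackets)."""
    if addr == "*":
        return addr
    # Accept IPv6 with or without brackets; strip them before validating.
    bare = addr[1:-1] if addr.startswith("[") and addr.endswith("]") else addr
    # Raises ValueError for anything that is not an IP literal, so stray
    # text from pillar data never reaches the rendered configuration.
    ip = ipaddress.ip_address(bare)
    return f"[{bare}]" if ip.version == 6 else bare


def render_listen_and_vhost(interface, port):
    """Split a single 'interface' string into Listen lines and a vhost tag.

    Assumption of this example: addresses are separated by whitespace.
    A single address behaves exactly as the one-interface case did.
    """
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    addrs = [_format_addr(a) for a in str(interface).split()]
    if not addrs:
        raise ValueError("interface must name at least one address")
    endpoints = [f"{a}:{port}" for a in addrs]
    listen = [f"Listen {e}" for e in endpoints]
    vhost = "<VirtualHost " + " ".join(endpoints) + ">"
    return listen, vhost


if __name__ == "__main__":
    # Constructed input matching the addresses shown in the commit message.
    lines, tag = render_listen_and_vhost("1.2.3.4 [2001:abc:def:100::3]", 80)
    print("\n".join(lines))
    print(tag)
```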
Apache2 docs state this is global, but vhost overrides it even when not specified.
Additionally, this directive is defaulted differently across distributions (e.g. CentOS defaults to 'On').
This change allows control of the directive.
DocumentRoot is useless for a plain redirect or proxy vhost, no need to
force creating the directory.
Signed-off-by: Julien Cristau <julien.cristau@logilab.fr>