apache-formula/pillar.example

# ``apache`` formula configuration:
apache:

  # By default apache restart/reload states run (false skips)
  manage_service_states: True

  # lookup section overrides ``map.jinja`` values
  lookup:
    server: apache2
    service: apache2
    user: some_system_user
    group: some_system_group

    vhostdir: /etc/apache2/sites-available
    confdir: /etc/apache2/conf.d
    confext: .conf
    logdir: /var/log/apache2
    wwwdir: /srv/apache2

    # apache version (generally '2.2' or '2.4')
    version: '2.2'

    # ``apache.mod_wsgi`` formula additional configuration:
    mod_wsgi: mod_wsgi

    # Default value for AddDefaultCharset in RedHat configuration
    default_charset: 'UTF-8'

    # Should we enforce DocumentRoot user/group?
    # Default: do not enforce
    document_root_user: www-data   # Force user if specified, leave it default if not
    document_root_group: null      # Do not enforce group

  global:
    # global apache directives
    AllowEncodedSlashes: 'On'


  name_virtual_hosts:
    - interface: '*'
      port: 80
    - interface: '*'
      port: 443

  # ``apache.vhosts`` formula additional configuration:
  sites:
    example.net:
      template_file: salt://apache/vhosts/minimal.tmpl

    example.com: # must be unique; used as an ID declaration in Salt.
      enabled: True
      template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl

      ####################### DEFAULT VALUES BELOW ############################
      # NOTE: the values below are simply default settings that *can* be
      # overridden and are not required in order to use this formula to create
      # vhost entries.
      #
      # Do not copy the values below into your Pillar unless you intend to
      # modify these vaules.
      ####################### DEFAULT VALUES BELOW ############################
      template_engine: jinja

      interface: '*'
      port: '80'

      exclude_listen_directive: True # Do not add a Listen directive in httpd.conf

      ServerName: example.com # uses the unique ID above unless specified
      #ServerAlias: www.example.com # Do not add ServerAlias unless defined

      ServerAdmin: webmaster@example.com

      LogLevel: warn
      ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
      CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log

      DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
      DocumentRootUser: null       # do not enforce user, defaults to lookup:document_root_user
      DocumentRootGroup: www-data  # Force group, defaults to lookup:document_root_group

      SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
      SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
      SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file

      Directory:
        # "default" is a special case; uses DocumentRoot value
        # E.g.: /var/www/example.com
        default:
          Options: -Indexes +FollowSymLinks
          Order: allow,deny    # For Apache < 2.4
          Allow: from all      # For apache < 2.4
          Require: all granted # For apache > 2.4.
          AllowOverride: None
          Formula_Append: |
            Additional config as a
            multi-line string here

    redirectmatch.com:
      # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
      # Require module mod_alias 
      enabled: True
      template_file: salt://apache/vhosts/redirect.tmpl
      ServerName: www.redirectmatch.com
      ServerAlias: www.redirectmatch.com
      RedirectMatch: true
      RedirectSource: '^/$'
      RedirectTarget: '/subdirectory'
      DocumentRoot: /var/www/html/
      ErrorLog: ${APACHE_LOG_DIR}/error.log
      CustomLog: ${APACHE_LOG_DIR}/access.log

    80-proxyexample.com:
      template_file: salt://apache/vhosts/redirect.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      RedirectSource: '/'
      RedirectTarget: 'https://www.proxyexample.com/'
      DocumentRoot: /var/www/proxy

    443-proxyexample.com:
      template_file: salt://apache/vhosts/proxy.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      interface: '*'
      port: '443'
      DocumentRoot: /var/www/proxy

      Rewrite: |
        RewriteRule ^/webmail$ /webmail/ [R]
        RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
        RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]

      SSLCertificateFile: /etc/httpd/ssl/example.com.crt
      SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
      SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer

      SSLCertificateFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----

      SSLCertificateKeyFile_content: |
        -----BEGIN PRIVATE KEY-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END PRIVATE KEY-----

      SSLCertificateChainFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----

      ProxyRequests: 'Off'
      ProxyPreserveHost: 'On'

      ProxyRoute:
        example prod proxy route:
          ProxyPassSource: '/'
          ProxyPassTarget: 'http://prod.example.com:85/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/'
          ProxyPassReverseTarget: 'http://prod.example.com:85/'

        example webmail proxy route:
          ProxyPassSource: '/webmail/'
          ProxyPassTarget: 'http://mail.example.com/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/webmail/'
          ProxyPassReverseTarget: 'http://mail.example.com/'

        example service proxy route:
          ProxyPassSource: '/svc/'
          ProxyPassTarget: 'http://svc.example.com:92/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/svc/'
          ProxyPassReverseTarget: 'http://svc.example.com:92/'

      Location:
        /:
          Require: False
          Formula_Append: |
            SecRuleRemoveById 981231
            SecRuleRemoveById 981173

        /error:
          Require: 'all granted'

        /docs:
          Order: allow,deny    # For Apache < 2.4
          Allow: from all      # For apache < 2.4
          Require: all granted # For apache > 2.4.
          Formula_Append: |
            Additional config as a
            multi-line string here

      LocationMatch:
        '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
          Require: False
          Formula_Append: |
            RequestHeader  set  Host  mail.example.com

        '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
          Require: False
          Formula_Append: |
            Require ip 123.123.13.6 84.24.25.74

      Proxy_control:
        '*':
          AllowAll: False
          AllowCountry:
            - DE
          AllowIP:
            - 12.5.25.32
            - 12.5.25.33


      Alias:
        /docs: /usr/share/docs

      Formula_Append: |
        Additional config as a
        multi-line string here

  # ``apache.debian_full`` formula additional configuration:
  register-site:
    # any name as an array index, and you can duplicate this section
    UNIQUE_VALUE_HERE:
      name: 'my name'
      path: 'salt://path/to/sites-available/conf/file'
      state: 'enabled'
      # Optional - use managed file as Jinja Template
      #template: true
      #defaults:
      #  custom_var: "default value"

  modules:
    enabled:  # List modules to enable
      - ldap
      - ssl
    disabled:  # List modules to disable
      - rewrite

  flags:
    enabled:  # List server flags to enable
      - SSL
    disabled: # List server flags to disable
      - status

  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  keepalive: 'On'

  security:
    # can be Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens: Prod

  # [debian only] configure mod_ssl
  ssl:
    SSLCipherSuite: 'HIGH:!aNULL'
    SSLHonorCipherOrder: 'Off'
    SSLProtocol: 'all -SSLv3'
    SSLUseStapling: 'Off'
    SSLStaplingResponderTimeout: '5'
    SSLStaplingReturnResponderErrors: 'Off'
    SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'

  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip:
    RemoteIPHeader: X-Forwarded-For
    RemoteIPTrustedProxy:
      - 10.0.8.0/24
      - 127.0.0.1

  # ``apache.mod_security`` formula additional configuration:
  mod_security:
    crs_install: True
    # If not set, default distro's configuration is installed as is
    manage_config: True
    sec_rule_engine: 'On'
    sec_request_body_access: 'On'
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'

    rules:
      enabled:
      modsecurity_crs_10_setup.conf:
        rule_set: ''
        enabled: True
      modsecurity_crs_20_protocol_violations.conf:
        rule_set: 'base_rules'
        enabled: False

    custom_rule_files:
      # any name as an array index, and you can duplicate this section
      UNIQUE_VALUE_HERE:
        file: 'my name'
        path: 'salt://path/to/modsecurity/custom/file'
        enabled: True

  mod_ssl:
    # set this to True if you want to override your distributions default TLS configuration
    manage_tls_defaults: False
    # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
    # We're unable to know sane defaults for each release of every distribution.
    # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
    # Have a look at bettercrypto.org for up-to-date settings.
    # These are default values:
    SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    # Mitigate the CRIME attack
    SSLCompression: Off
    SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder: On
    SSLOptions: "+StrictRequire"