ExternalMirrors
/
apache-formula
mirror of https://github.com/saltstack-formulas/apache-formula.git
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 31 Wiki Activity
Saltstack Official Apache Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
541 Commits
5 Branches
Tree: 5532ed7a5b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5532ed7a5b'
${ noResults }
apache-formula/pillar.example

399 lines
14KB
Raw Blame History 

  1. # -*- coding: utf-8 -*-

  2. # vim: ft=yaml

  3. ---

  4. # ``apache`` formula configuration:

  5. apache:

  6. 

  7.   # By default apache restart/reload states run (false skips)

  8.   manage_service_states: true

  9. 

  10.   # lookup section overrides ``map.jinja`` values

  11.   lookup:

  12.     server: apache2

  13.     service: apache2

  14.     user: some_system_user

  15.     group: some_system_group

  16. 

  17.     vhostdir: /etc/apache2/sites-available

  18.     confdir: /etc/apache2/conf.d

  19.     confext: .conf

  20.     logdir: /var/log/apache2

  21.     wwwdir: /srv/apache2

  22. 

  23.     # apache version (generally '2.2' or '2.4')

  24.     version: '2.2'

  25. 

  26.     # mod_ssl package name

  27.     mod_ssl_pkg: mod_ssl

  28. 

  29.     # ``apache.mod_wsgi`` formula additional configuration:

  30.     mod_wsgi: mod_wsgi

  31. 

  32.     # Default value for AddDefaultCharset in RedHat configuration

  33.     default_charset: 'UTF-8'

  34. 

  35.     # Should we enforce DocumentRoot user/group?

  36.     # Default: do not enforce

  37.     document_root_user: www-data   # Force user if specified, leave it default if not

  38.     document_root_group: null      # Do not enforce group

  39. 

  40.   global:

  41.     # global apache directives

  42.     AllowEncodedSlashes: 'On'

  43. 

  44. 

  45.   name_virtual_hosts:

  46.     - interface: '*'

  47.       port: 80

  48.     - interface: '*'

  49.       port: 443

  50. 

  51.   # ``apache.vhosts`` formula additional configuration:

  52.   sites:

  53.     example.net:

  54.       template_file: salt://apache/vhosts/minimal.tmpl

  55. 

  56.     example.com:  # must be unique; used as an ID declaration in Salt.

  57.       enabled: true

  58.       # or minimal.tmpl or redirect.tmpl or proxy.tmpl

  59.       template_file: salt://apache/vhosts/standard.tmpl

  60. 

  61.       ####################### DEFAULT VALUES BELOW ############################

  62.       # NOTE: the values below are simply default settings that *can* be

  63.       # overridden and are not required in order to use this formula to create

  64.       # vhost entries.

  65.       #

  66.       # Do not copy the values below into your Pillar unless you intend to

  67.       # modify these vaules.

  68.       ####################### DEFAULT VALUES BELOW ############################

  69.       template_engine: jinja

  70. 

  71.       interface: '*'

  72.       port: '80'

  73. 

  74.       exclude_listen_directive: true  # Do not add a Listen directive in httpd.conf

  75. 

  76.       ServerName: example.com  # uses the unique ID above unless specified

  77.       # ServerAlias: www.example.com  # Do not add ServerAlias unless defined

  78. 

  79.       ServerAdmin: webmaster@example.com

  80. 

  81.       LogLevel: warn

  82.       # E.g.: /var/log/apache2/example.com-error.log

  83.       ErrorLog: /path/to/logs/example.com-error.log

  84.       # E.g.: /var/log/apache2/example.com-access.log

  85.       CustomLog: /path/to/logs/example.com-access.log

  86. 

  87.       # E.g., /var/www/example.com

  88.       DocumentRoot: /path/to/www/dir/example.com

  89.       # do not enforce user, defaults to lookup:document_root_user

  90.       DocumentRootUser: null

  91.       # Force group, defaults to lookup:document_root_group

  92.       DocumentRootGroup: www-data

  93. 

  94.       # if ssl is desired

  95.       SSLCertificateFile: /etc/ssl/mycert.pem

  96.       # if key for cert is needed or in an extra file

  97.       SSLCertificateKeyFile: /etc/ssl/mycert.pem.key

  98.       # if you require a chain of server certificates file

  99.       SSLCertificateChainFile: /etc/ssl/mycert.chain.pem

  100. 

  101.       Directory:

  102.         # "default" is a special case; uses DocumentRoot value

  103.         # E.g.: /var/www/example.com

  104.         default:

  105.           Options: -Indexes +FollowSymLinks

  106.           Order: allow,deny     # For Apache < 2.4

  107.           Allow: from all       # For apache < 2.4

  108.           Require: all granted  # For apache > 2.4.

  109.           AllowOverride: None

  110.           Formula_Append: |

  111.             Additional config as a

  112.             multi-line string here

  113. 

  114.     redirectmatch.com:

  115.       # Use RedirectMatch Directive

  116.       # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch

  117.       # Require module mod_alias

  118.       enabled: true

  119.       template_file: salt://apache/vhosts/redirect.tmpl

  120.       ServerName: www.redirectmatch.com

  121.       ServerAlias: www.redirectmatch.com

  122.       RedirectMatch: true

  123.       RedirectSource: '^/$'

  124.       RedirectTarget: '/subdirectory'

  125.       DocumentRoot: /var/www/html/

  126.       ErrorLog: ${APACHE_LOG_DIR}/error.log

  127.       CustomLog: ${APACHE_LOG_DIR}/access.log

  128. 

  129.     80-proxyexample.com:

  130.       template_file: salt://apache/vhosts/redirect.tmpl

  131.       ServerName: www.proxyexample.com

  132.       ServerAlias: www.proxyexample.com

  133.       RedirectSource: '/'

  134.       RedirectTarget: 'https://www.proxyexample.com/'

  135.       DocumentRoot: /var/www/proxy

  136. 

  137.     443-proxyexample.com:

  138.       template_file: salt://apache/vhosts/proxy.tmpl

  139.       ServerName: www.proxyexample.com

  140.       ServerAlias: www.proxyexample.com

  141.       interface: '*'

  142.       port: '443'

  143.       DocumentRoot: /var/www/proxy

  144. 

  145.       Rewrite: |

  146.         RewriteRule ^/webmail$ /webmail/ [R]

  147.         RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]

  148.         RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]

  149. 

  150.       SSLCertificateFile: /etc/httpd/ssl/example.com.crt

  151.       SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key

  152.       SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer

  153. 

  154.       SSLCertificateFile_content: |

  155.         -----BEGIN CERTIFICATE-----

  156.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  157.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  158.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  159.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  160.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  161.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  162.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  163.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  164.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  165.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  166.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  167.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  168.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  169.         -----END CERTIFICATE-----

  170. 

  171.       SSLCertificateKeyFile_content: |

  172.         -----BEGIN PRIVATE KEY-----

  173.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  174.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  175.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  176.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  177.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  178.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  179.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  180.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  181.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  182.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  183.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  184.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  185.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  186.         -----END PRIVATE KEY-----

  187. 

  188.       SSLCertificateChainFile_content: |

  189.         -----BEGIN CERTIFICATE-----

  190.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  191.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  192.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  193.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  194.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  195.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  196.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  197.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  198.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  199.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  200.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  201.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  202.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  203.         -----END CERTIFICATE-----

  204.         -----BEGIN CERTIFICATE-----

  205.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  206.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  207.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  208.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  209.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  210.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  211.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  212.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  213.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  214.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  215.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  216.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  217.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  218.         -----END CERTIFICATE-----

  219. 

  220.       ProxyRequests: 'Off'

  221.       ProxyPreserveHost: 'On'

  222. 

  223.       ProxyRoute:

  224.         example prod proxy route:

  225.           ProxyPassSource: '/'

  226.           ProxyPassTarget: 'http://prod.example.com:85/'

  227.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  228.           ProxyPassReverseSource: '/'

  229.           ProxyPassReverseTarget: 'http://prod.example.com:85/'

  230. 

  231.         example webmail proxy route:

  232.           ProxyPassSource: '/webmail/'

  233.           ProxyPassTarget: 'http://mail.example.com/'

  234.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  235.           ProxyPassReverseSource: '/webmail/'

  236.           ProxyPassReverseTarget: 'http://mail.example.com/'

  237. 

  238.         example service proxy route:

  239.           ProxyPassSource: '/svc/'

  240.           ProxyPassTarget: 'http://svc.example.com:92/'

  241.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  242.           ProxyPassReverseSource: '/svc/'

  243.           ProxyPassReverseTarget: 'http://svc.example.com:92/'

  244. 

  245.       Location:

  246.         /:

  247.           Require: false

  248.           Formula_Append: |

  249.             SecRuleRemoveById 981231

  250.             SecRuleRemoveById 981173

  251. 

  252.         /error:

  253.           Require: 'all granted'

  254. 

  255.         /docs:

  256.           Order: allow,deny     # For Apache < 2.4

  257.           Allow: from all       # For apache < 2.4

  258.           Require: all granted  # For apache > 2.4.

  259.           Formula_Append: |

  260.             Additional config as a

  261.             multi-line string here

  262. 

  263.       LocationMatch:

  264.         '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':

  265.           Require: false

  266.           Formula_Append: |

  267.             RequestHeader  set  Host  mail.example.com

  268. 

  269.         '^[.\\/]+([Ss][Vv][Cc])[.\\/]':

  270.           Require: false

  271.           Formula_Append: |

  272.             Require ip 123.123.13.6 84.24.25.74

  273. 

  274.       Proxy_control:

  275.         '*':

  276.           AllowAll: false

  277.           AllowCountry:

  278.             - DE

  279.           AllowIP:

  280.             - 12.5.25.32

  281.             - 12.5.25.33

  282. 

  283. 

  284.       Alias:

  285.         /docs: /usr/share/docs

  286. 

  287.       ScriptAlias:

  288.         /cgi-bin/: /var/www/cgi-bin/

  289. 

  290.       Formula_Append: |

  291.         Additional config as a

  292.         multi-line string here

  293. 

  294.   # ``apache.debian_full`` formula additional configuration:

  295.   register-site:

  296.     # any name as an array index, and you can duplicate this section

  297.     UNIQUE_VALUE_HERE:

  298.       name: 'my name'

  299.       path: 'salt://path/to/sites-available/conf/file'

  300.       state: 'enabled'

  301.       # Optional - use managed file as Jinja Template

  302.       # template: true

  303.       # defaults:

  304.       #   custom_var: "default value"

  305. 

  306.   modules:

  307.     enabled:   # List modules to enable

  308.       - ldap

  309.       - ssl

  310.     disabled:  # List modules to disable

  311.       - rewrite

  312. 

  313.   flags:

  314.     enabled:   # List server flags to enable

  315.       - SSL

  316.     disabled:  # List server flags to disable

  317.       - status

  318. 

  319.   # KeepAlive: Whether or not to allow persistent connections (more than

  320.   # one request per connection). Set to "Off" to deactivate.

  321.   keepalive: 'On'

  322. 

  323.   security:

  324.     # can be Full | OS | Minimal | Minor | Major | Prod

  325.     # where Full conveys the most information, and Prod the least.

  326.     ServerTokens: Prod

  327. 

  328.   # [debian only] configure mod_ssl

  329.   ssl:

  330.     SSLCipherSuite: 'HIGH:!aNULL'

  331.     SSLHonorCipherOrder: 'Off'

  332.     SSLProtocol: 'all -SSLv3'

  333.     SSLUseStapling: 'Off'

  334.     SSLStaplingResponderTimeout: '5'

  335.     SSLStaplingReturnResponderErrors: 'Off'

  336.     SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'

  337. 

  338.   # ``apache.mod_remoteip`` formula additional configuration:

  339.   mod_remoteip:

  340.     RemoteIPHeader: X-Forwarded-For

  341.     RemoteIPTrustedProxy:

  342.       - 10.0.8.0/24

  343.       - 127.0.0.1

  344. 

  345.   # ``apache.mod_security`` formula additional configuration:

  346.   mod_security:

  347.     crs_install: true

  348.     # If not set, default distro's configuration is installed as is

  349.     manage_config: true

  350.     sec_rule_engine: 'On'

  351.     sec_request_body_access: 'On'

  352.     sec_request_body_limit: '14000000'

  353.     sec_request_body_no_files_limit: '114002'

  354.     sec_request_body_in_memory_limit: '114002'

  355.     sec_request_body_limit_action: 'Reject'

  356.     sec_pcre_match_limit: '15000'

  357.     sec_pcre_match_limit_recursion: '15000'

  358.     sec_debug_log_level: '3'

  359. 

  360.     rules:

  361.       enabled: ~

  362.       modsecurity_crs_10_setup.conf:

  363.         rule_set: ''

  364.         enabled: true

  365.       modsecurity_crs_20_protocol_violations.conf:

  366.         rule_set: 'base_rules'

  367.         enabled: false

  368. 

  369.     custom_rule_files:

  370.       # any name as an array index, and you can duplicate this section

  371.       UNIQUE_VALUE_HERE:

  372.         file: 'my name'

  373.         path: 'salt://path/to/modsecurity/custom/file'

  374.         enabled: true

  375. 

  376.   mod_ssl:

  377.     # set this to true if you want to override your distributions default TLS

  378.     # configuration

  379.     manage_tls_defaults: false

  380.     # This stuff is deliberately not configured via map.jinja resp.

  381.     # apache:lookup.  We're unable to know sane defaults for each release of

  382.     # every distribution.

  383.     # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for

  384.     # a related discussion Have a look at bettercrypto.org for up-to-date

  385.     # settings.

  386.     # These are default values:

  387.     # yamllint disable-line rule:line-length

  388.     SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

  389.     # Mitigate the CRIME attack

  390.     SSLCompression: 'Off'

  391.     SSLProtocol: all -SSLv2 -SSLv3 -TLSv1

  392.     SSLHonorCipherOrder: 'On'

  393.     SSLOptions: "+StrictRequire"

  394.   server_status_require:

  395.     ip:

  396.       - 10.8.8.0/24

  397.     host:

  398.       - foo.example.com