Saltstack Official Apache Formula
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符

399 行
14KB

  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. # ``apache`` formula configuration:
  5. apache:
  6. # By default apache restart/reload states run (false skips)
  7. manage_service_states: true
  8. # lookup section overrides ``map.jinja`` values
  9. lookup:
  10. server: apache2
  11. service: apache2
  12. user: some_system_user
  13. group: some_system_group
  14. vhostdir: /etc/apache2/sites-available
  15. confdir: /etc/apache2/conf.d
  16. confext: .conf
  17. logdir: /var/log/apache2
  18. wwwdir: /srv/apache2
  19. # apache version (generally '2.2' or '2.4')
  20. version: '2.2'
  21. # mod_ssl package name
  22. mod_ssl_pkg: mod_ssl
  23. # ``apache.mod_wsgi`` formula additional configuration:
  24. mod_wsgi: mod_wsgi
  25. # Default value for AddDefaultCharset in RedHat configuration
  26. default_charset: 'UTF-8'
  27. # Should we enforce DocumentRoot user/group?
  28. # Default: do not enforce
  29. document_root_user: www-data # Force user if specified, leave it default if not
  30. document_root_group: null # Do not enforce group
  31. global:
  32. # global apache directives
  33. AllowEncodedSlashes: 'On'
  34. name_virtual_hosts:
  35. - interface: '*'
  36. port: 80
  37. - interface: '*'
  38. port: 443
  39. # ``apache.vhosts`` formula additional configuration:
  40. sites:
  41. example.net:
  42. template_file: salt://apache/vhosts/minimal.tmpl
  43. example.com: # must be unique; used as an ID declaration in Salt.
  44. enabled: true
  45. # or minimal.tmpl or redirect.tmpl or proxy.tmpl
  46. template_file: salt://apache/vhosts/standard.tmpl
  47. ####################### DEFAULT VALUES BELOW ############################
  48. # NOTE: the values below are simply default settings that *can* be
  49. # overridden and are not required in order to use this formula to create
  50. # vhost entries.
  51. #
  52. # Do not copy the values below into your Pillar unless you intend to
  53. # modify these vaules.
  54. ####################### DEFAULT VALUES BELOW ############################
  55. template_engine: jinja
  56. interface: '*'
  57. port: '80'
  58. exclude_listen_directive: true # Do not add a Listen directive in httpd.conf
  59. ServerName: example.com # uses the unique ID above unless specified
  60. # ServerAlias: www.example.com # Do not add ServerAlias unless defined
  61. ServerAdmin: webmaster@example.com
  62. LogLevel: warn
  63. # E.g.: /var/log/apache2/example.com-error.log
  64. ErrorLog: /path/to/logs/example.com-error.log
  65. # E.g.: /var/log/apache2/example.com-access.log
  66. CustomLog: /path/to/logs/example.com-access.log
  67. # E.g., /var/www/example.com
  68. DocumentRoot: /path/to/www/dir/example.com
  69. # do not enforce user, defaults to lookup:document_root_user
  70. DocumentRootUser: null
  71. # Force group, defaults to lookup:document_root_group
  72. DocumentRootGroup: www-data
  73. # if ssl is desired
  74. SSLCertificateFile: /etc/ssl/mycert.pem
  75. # if key for cert is needed or in an extra file
  76. SSLCertificateKeyFile: /etc/ssl/mycert.pem.key
  77. # if you require a chain of server certificates file
  78. SSLCertificateChainFile: /etc/ssl/mycert.chain.pem
  79. Directory:
  80. # "default" is a special case; uses DocumentRoot value
  81. # E.g.: /var/www/example.com
  82. default:
  83. Options: -Indexes +FollowSymLinks
  84. Order: allow,deny # For Apache < 2.4
  85. Allow: from all # For apache < 2.4
  86. Require: all granted # For apache > 2.4.
  87. AllowOverride: None
  88. Formula_Append: |
  89. Additional config as a
  90. multi-line string here
  91. redirectmatch.com:
  92. # Use RedirectMatch Directive
  93. # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
  94. # Require module mod_alias
  95. enabled: true
  96. template_file: salt://apache/vhosts/redirect.tmpl
  97. ServerName: www.redirectmatch.com
  98. ServerAlias: www.redirectmatch.com
  99. RedirectMatch: true
  100. RedirectSource: '^/$'
  101. RedirectTarget: '/subdirectory'
  102. DocumentRoot: /var/www/html/
  103. ErrorLog: ${APACHE_LOG_DIR}/error.log
  104. CustomLog: ${APACHE_LOG_DIR}/access.log
  105. 80-proxyexample.com:
  106. template_file: salt://apache/vhosts/redirect.tmpl
  107. ServerName: www.proxyexample.com
  108. ServerAlias: www.proxyexample.com
  109. RedirectSource: '/'
  110. RedirectTarget: 'https://www.proxyexample.com/'
  111. DocumentRoot: /var/www/proxy
  112. 443-proxyexample.com:
  113. template_file: salt://apache/vhosts/proxy.tmpl
  114. ServerName: www.proxyexample.com
  115. ServerAlias: www.proxyexample.com
  116. interface: '*'
  117. port: '443'
  118. DocumentRoot: /var/www/proxy
  119. Rewrite: |
  120. RewriteRule ^/webmail$ /webmail/ [R]
  121. RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
  122. RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
  123. SSLCertificateFile: /etc/httpd/ssl/example.com.crt
  124. SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
  125. SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  126. SSLCertificateFile_content: |
  127. -----BEGIN CERTIFICATE-----
  128. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  129. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  130. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  131. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  132. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  133. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  134. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  135. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  136. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  137. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  138. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  139. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  140. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  141. -----END CERTIFICATE-----
  142. SSLCertificateKeyFile_content: |
  143. -----BEGIN PRIVATE KEY-----
  144. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  145. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  146. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  147. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  148. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  149. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  150. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  151. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  152. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  153. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  154. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  155. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  156. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  157. -----END PRIVATE KEY-----
  158. SSLCertificateChainFile_content: |
  159. -----BEGIN CERTIFICATE-----
  160. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  161. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  162. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  163. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  164. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  165. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  166. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  167. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  168. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  169. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  170. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  171. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  172. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  173. -----END CERTIFICATE-----
  174. -----BEGIN CERTIFICATE-----
  175. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  176. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  177. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  178. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  179. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  180. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  181. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  182. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  183. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  184. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  185. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  186. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  187. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  188. -----END CERTIFICATE-----
  189. ProxyRequests: 'Off'
  190. ProxyPreserveHost: 'On'
  191. ProxyRoute:
  192. example prod proxy route:
  193. ProxyPassSource: '/'
  194. ProxyPassTarget: 'http://prod.example.com:85/'
  195. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  196. ProxyPassReverseSource: '/'
  197. ProxyPassReverseTarget: 'http://prod.example.com:85/'
  198. example webmail proxy route:
  199. ProxyPassSource: '/webmail/'
  200. ProxyPassTarget: 'http://mail.example.com/'
  201. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  202. ProxyPassReverseSource: '/webmail/'
  203. ProxyPassReverseTarget: 'http://mail.example.com/'
  204. example service proxy route:
  205. ProxyPassSource: '/svc/'
  206. ProxyPassTarget: 'http://svc.example.com:92/'
  207. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  208. ProxyPassReverseSource: '/svc/'
  209. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  210. Location:
  211. /:
  212. Require: false
  213. Formula_Append: |
  214. SecRuleRemoveById 981231
  215. SecRuleRemoveById 981173
  216. /error:
  217. Require: 'all granted'
  218. /docs:
  219. Order: allow,deny # For Apache < 2.4
  220. Allow: from all # For apache < 2.4
  221. Require: all granted # For apache > 2.4.
  222. Formula_Append: |
  223. Additional config as a
  224. multi-line string here
  225. LocationMatch:
  226. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  227. Require: false
  228. Formula_Append: |
  229. RequestHeader set Host mail.example.com
  230. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  231. Require: false
  232. Formula_Append: |
  233. Require ip 123.123.13.6 84.24.25.74
  234. Proxy_control:
  235. '*':
  236. AllowAll: false
  237. AllowCountry:
  238. - DE
  239. AllowIP:
  240. - 12.5.25.32
  241. - 12.5.25.33
  242. Alias:
  243. /docs: /usr/share/docs
  244. ScriptAlias:
  245. /cgi-bin/: /var/www/cgi-bin/
  246. Formula_Append: |
  247. Additional config as a
  248. multi-line string here
  249. # ``apache.debian_full`` formula additional configuration:
  250. register-site:
  251. # any name as an array index, and you can duplicate this section
  252. UNIQUE_VALUE_HERE:
  253. name: 'my name'
  254. path: 'salt://path/to/sites-available/conf/file'
  255. state: 'enabled'
  256. # Optional - use managed file as Jinja Template
  257. # template: true
  258. # defaults:
  259. # custom_var: "default value"
  260. modules:
  261. enabled: # List modules to enable
  262. - ldap
  263. - ssl
  264. disabled: # List modules to disable
  265. - rewrite
  266. flags:
  267. enabled: # List server flags to enable
  268. - SSL
  269. disabled: # List server flags to disable
  270. - status
  271. # KeepAlive: Whether or not to allow persistent connections (more than
  272. # one request per connection). Set to "Off" to deactivate.
  273. keepalive: 'On'
  274. security:
  275. # can be Full | OS | Minimal | Minor | Major | Prod
  276. # where Full conveys the most information, and Prod the least.
  277. ServerTokens: Prod
  278. # [debian only] configure mod_ssl
  279. ssl:
  280. SSLCipherSuite: 'HIGH:!aNULL'
  281. SSLHonorCipherOrder: 'Off'
  282. SSLProtocol: 'all -SSLv3'
  283. SSLUseStapling: 'Off'
  284. SSLStaplingResponderTimeout: '5'
  285. SSLStaplingReturnResponderErrors: 'Off'
  286. SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
  287. # ``apache.mod_remoteip`` formula additional configuration:
  288. mod_remoteip:
  289. RemoteIPHeader: X-Forwarded-For
  290. RemoteIPTrustedProxy:
  291. - 10.0.8.0/24
  292. - 127.0.0.1
  293. # ``apache.mod_security`` formula additional configuration:
  294. mod_security:
  295. crs_install: true
  296. # If not set, default distro's configuration is installed as is
  297. manage_config: true
  298. sec_rule_engine: 'On'
  299. sec_request_body_access: 'On'
  300. sec_request_body_limit: '14000000'
  301. sec_request_body_no_files_limit: '114002'
  302. sec_request_body_in_memory_limit: '114002'
  303. sec_request_body_limit_action: 'Reject'
  304. sec_pcre_match_limit: '15000'
  305. sec_pcre_match_limit_recursion: '15000'
  306. sec_debug_log_level: '3'
  307. rules:
  308. enabled: ~
  309. modsecurity_crs_10_setup.conf:
  310. rule_set: ''
  311. enabled: true
  312. modsecurity_crs_20_protocol_violations.conf:
  313. rule_set: 'base_rules'
  314. enabled: false
  315. custom_rule_files:
  316. # any name as an array index, and you can duplicate this section
  317. UNIQUE_VALUE_HERE:
  318. file: 'my name'
  319. path: 'salt://path/to/modsecurity/custom/file'
  320. enabled: true
  321. mod_ssl:
  322. # set this to true if you want to override your distributions default TLS
  323. # configuration
  324. manage_tls_defaults: false
  325. # This stuff is deliberately not configured via map.jinja resp.
  326. # apache:lookup. We're unable to know sane defaults for each release of
  327. # every distribution.
  328. # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for
  329. # a related discussion Have a look at bettercrypto.org for up-to-date
  330. # settings.
  331. # These are default values:
  332. # yamllint disable-line rule:line-length
  333. SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  334. # Mitigate the CRIME attack
  335. SSLCompression: 'Off'
  336. SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
  337. SSLHonorCipherOrder: 'On'
  338. SSLOptions: "+StrictRequire"
  339. server_status_require:
  340. ip:
  341. - 10.8.8.0/24
  342. host:
  343. - foo.example.com