Saltstack Official Apache Formula


  1. # ``apache`` formula configuration:
  2. apache:
  # lookup section overrides ``map.jinja`` values
  lookup:
    # Presumably the package and service names the formula installs and
    # restarts (confirm in map.jinja).
    server: apache2
    service: apache2
    # Identity the formula associates with the service -- presumably the
    # account the httpd workers run as (confirm in map.jinja). Use a
    # dedicated, unprivileged account: everything served, and every
    # proxied backend request, runs with these rights.
    user: some_system_user
    group: some_system_group
    # Filesystem locations the vhost/conf states write to. Keep the config
    # directories writable by the admin account only, not by ``user`` above,
    # so a compromised worker cannot rewrite its own configuration.
    vhostdir: /etc/apache2/sites-available
    confdir: /etc/apache2/conf.d
    confext: .conf
    logdir: /var/log/apache2
    wwwdir: /srv/apache2
  # apache version (generally '2.2' or '2.4')
  # Presumably drives which access-control syntax the templates emit (the
  # Order/Allow vs. Require pairs in the vhost examples below) -- confirm in
  # the templates. Apache 2.2 has been end-of-life upstream for years; keep
  # the value quoted so YAML does not read it as a float.
  version: '2.2'
  # ``apache.mod_wsgi`` formula additional configuration:
  mod_wsgi: mod_wsgi
  # Default value for AddDefaultCharset in RedHat configuration
  # Declaring a charset keeps browsers from guessing the encoding of
  # responses that do not declare one (a classic charset-sniffing XSS vector).
  default_charset: 'UTF-8'
  global:
    # global apache directives
    # 'On' lets %2F / %5C survive in the request path. A backend or rewrite
    # rule that splits on "/" then sees a different path than Apache
    # matched, a known path-confusion vector behind proxies. Apache's own
    # docs recommend the 'NoDecode' value where encoded slashes are needed,
    # because decoding them can allow unsafe paths; only enable this at all
    # if an application actually requires encoded slashes.
    AllowEncodedSlashes: 'On'
    # Interface/port pairs the NameVirtualHost entries are written for;
    # '*' binds every address on the host.
    name_virtual_hosts:
      - interface: '*'
        port: 80
      - interface: '*'
        port: 443
  # ``apache.vhosts`` formula additional configuration:
  sites:
    # Each key becomes one vhost; the key is also the Salt state ID.
    example.net:
      template_file: salt://apache/vhosts/minimal.tmpl
    example.com: # must be unique; used as an ID declaration in Salt.
      enabled: True
      template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
      ####################### DEFAULT VALUES BELOW ############################
      # NOTE: the values below are simply default settings that *can* be
      # overridden and are not required in order to use this formula to create
      # vhost entries.
      #
      # Do not copy the values below into your Pillar unless you intend to
      # modify these values.
      ####################### DEFAULT VALUES BELOW ############################
      template_engine: jinja
      # '*' listens on every address of the host; narrow it when the vhost
      # is meant for a single interface.
      interface: '*'
      port: '80'
      exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
      ServerName: example.com # uses the unique ID above unless specified
      ServerAlias: www.example.com
      ServerAdmin: webmaster@example.com
      LogLevel: warn
      ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
      CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
      DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
      # TLS material. The key file must be readable by root only; how the
      # formula sets its mode is not visible here -- confirm before relying
      # on it, and never point SSLCertificateKeyFile at a world-readable path.
      SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
      SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
      SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
      Directory:
        # "default" is a special case; Adds ``/path/to/www/dir/example.com``
        # E.g.: /var/www/example.com
        default:
          # -Indexes stops directory listings. +FollowSymLinks follows any
          # symlink under DocumentRoot, including one a content author points
          # outside it; where authors are not fully trusted,
          # +SymLinksIfOwnerMatch is the safer option.
          Options: -Indexes +FollowSymLinks
          Order: allow,deny # For Apache < 2.4
          Allow: from all # For Apache < 2.4
          Require: all granted # For Apache >= 2.4.
          # None keeps .htaccess files from overriding this block.
          AllowOverride: None
          # Raw directives appended verbatim -- review like hand-written config.
          Formula_Append: |
            Additional config as a
            multi-line string here
    redirectmatch.com:
      # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
      # Require module mod_alias
      enabled: True
      template_file: salt://apache/vhosts/redirect.tmpl
      ServerName: www.redirectmatch.com
      ServerAlias: www.redirectmatch.com
      RedirectMatch: true
      # Anchored regex: only the site root is redirected, to a fixed local
      # path. Keep both values literal -- an unanchored source with a target
      # built from captured client input would be an open redirect.
      RedirectSource: '^/$'
      RedirectTarget: '/subdirectory'
      DocumentRoot: /var/www/html/
      ErrorLog: ${APACHE_LOG_DIR}/error.log
      CustomLog: ${APACHE_LOG_DIR}/access.log
    # Plain-HTTP listener whose only job is to bounce clients to the TLS
    # vhost below.
    80-proxyexample.com:
      template_file: salt://apache/vhosts/redirect.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      RedirectSource: '/'
      RedirectTarget: 'https://www.proxyexample.com/'
      DocumentRoot: /var/www/proxy
    443-proxyexample.com:
      template_file: salt://apache/vhosts/proxy.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      interface: '*'
      port: '443'
      DocumentRoot: /var/www/proxy
      # mod_rewrite proxying ([P]): whatever follows /webmail or /vicescws is
      # forwarded unchanged, over plain HTTP, to the named backend, so those
      # backends must sit on a trusted network. Note that "rewrite" is listed
      # under modules:disabled further down -- copying both examples verbatim
      # leaves these rules without their module. The /vicescws prefix also
      # does not match the /svc/ ProxyRoute below; it looks like a typo in
      # the example.
      Rewrite: |
        RewriteRule ^/webmail$ /webmail/ [R]
        RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
        RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
      SSLCertificateFile: /etc/httpd/ssl/example.com.crt
      SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
      SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
      # Inline PEM bodies the formula writes to the paths above. Anything
      # placed here lives in cleartext on the master and in the minion's
      # pillar cache, so a private key belongs in an encrypted pillar (the
      # Salt GPG renderer is the usual answer), never in a plain pillar file
      # under version control. The bodies below are placeholders only: all
      # four blocks are byte-identical and appear to be the same self-signed
      # test certificate -- the "PRIVATE KEY" block is that certificate
      # again, not a key. Never reuse them.
      SSLCertificateFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
      SSLCertificateKeyFile_content: |
        -----BEGIN PRIVATE KEY-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END PRIVATE KEY-----
      SSLCertificateChainFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
      # Keep ProxyRequests Off: 'On' turns the vhost into an open forward
      # proxy for anyone who can reach it. ProxyPreserveHost passes the
      # client's Host header through, so the backends see the public name.
      ProxyRequests: 'Off'
      ProxyPreserveHost: 'On'
      # Reverse-proxy routes (ProxyPass / ProxyPassReverse pairs). Targets
      # are plain http://, acceptable only on a trusted internal network;
      # the timeouts bound how long a slow backend can hold a worker.
      ProxyRoute:
        example prod proxy route:
          ProxyPassSource: '/'
          ProxyPassTarget: 'http://prod.example.com:85/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/'
          ProxyPassReverseTarget: 'http://prod.example.com:85/'
        example webmail proxy route:
          ProxyPassSource: '/webmail/'
          ProxyPassTarget: 'http://mail.example.com/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/webmail/'
          ProxyPassReverseTarget: 'http://mail.example.com/'
        example service proxy route:
          ProxyPassSource: '/svc/'
          ProxyPassTarget: 'http://svc.example.com:92/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/svc/'
          ProxyPassReverseTarget: 'http://svc.example.com:92/'
      Location:
        # "Require: False" presumably suppresses the Require line so that
        # only Formula_Append governs the block -- confirm in proxy.tmpl.
        /:
          Require: False
          # Removes two OWASP CRS rules for the *whole* vhost. Exclusions
          # weaken the WAF on every path they cover; scope them to the
          # narrowest Location that actually produces the false positive
          # and record the reason next to each id.
          Formula_Append: |
            SecRuleRemoveById 981231
            SecRuleRemoveById 981173
        /error:
          Require: 'all granted'
        /docs:
          Order: allow,deny # For Apache < 2.4
          Allow: from all # For Apache < 2.4
          Require: all granted # For Apache >= 2.4.
          Formula_Append: |
            Additional config as a
            multi-line string here
      LocationMatch:
        # Matches a leading /webmail/ segment in any letter case and pins
        # the Host header the webmail backend receives.
        '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
          Require: False
          Formula_Append: |
            RequestHeader set Host mail.example.com
        # Source-IP allowlist for /svc. With mod_remoteip active (see the
        # mod_remoteip section below) "Require ip" evaluates the client
        # address recovered from X-Forwarded-For, so this check is only as
        # strong as the RemoteIPTrustedProxy list.
        '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
          Require: False
          Formula_Append: |
            Require ip 123.123.13.6 84.24.25.74
      # Presumably rendered as a <Proxy *> block -- confirm in proxy.tmpl.
      # AllowAll False plus explicit country/IP allowlists is the safe
      # shape; AllowCountry presumably depends on a GeoIP module being
      # loaded.
      Proxy_control:
        '*':
          AllowAll: False
          AllowCountry:
            - DE
          AllowIP:
            - 12.5.25.32
            - 12.5.25.33
      # Maps a URL prefix onto a directory outside DocumentRoot; the /docs
      # Location above is what grants access to it, so make sure that
      # directory holds only content meant to be public.
      Alias:
        /docs: /usr/share/docs
      # Raw directives appended at the end of the vhost. They bypass every
      # setting above, so review them like any hand-written config.
      Formula_Append: |
        Additional config as a
        multi-line string here
  # ``apache.debian_full`` formula additional configuration:
  register-site:
    # any name as an array index, and you can duplicate this section
    UNIQUE_VALUE_HERE:
      name: 'my name'
      # Vhost file taken from the Salt fileserver and installed into
      # sites-available. It is hand-written Apache config, so review it
      # with the same care as the generated vhosts above.
      path: 'salt://path/to/sites-available/conf/file'
      state: 'enabled'
      # Optional - use managed file as Jinja Template
      # (the "defaults" values are presumably rendered into the config
      # without escaping -- keep them static, never derived from untrusted
      # input)
      #template: true
      #defaults:
      #  custom_var: "default value"
  modules:
    # Keep the loaded-module set minimal; every module is attack surface.
    enabled: # List modules to enable
      - ldap
      - ssl
    disabled: # List modules to disable
      # NOTE: the 443-proxyexample.com vhost example above relies on
      # RewriteRule; copying both examples as-is disables the module that
      # vhost needs.
      - rewrite
  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  keepalive: 'On'
  security:
    # can be Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    # Prod reduces the Server header to the product name; it hinders
    # version fingerprinting but is no substitute for patching.
    ServerTokens: Prod
  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip:
    # Replaces the connection's source address with the client address
    # carried in this header. The header is client-controlled, so the
    # substitution is only trustworthy on connections that arrive from a
    # proxy listed below; that list must be exactly the proxies in front of
    # this host and must never be left empty while the header is honoured
    # (Apache then trusts the header from every peer -- verify on your
    # version). Access logs, "Require ip" rules and mod_security all key
    # off the substituted address.
    RemoteIPHeader: X-Forwarded-For
    # Apache distinguishes RemoteIPInternalProxy (keeps private addresses
    # such as 10/8 from the header chain) from RemoteIPTrustedProxy (drops
    # them). Check which one fits a proxy on 10.0.8.0/24 and whether the
    # formula exposes the former.
    RemoteIPTrustedProxy:
      - 10.0.8.0/24
      - 127.0.0.1
  # ``apache.mod_security`` formula additional configuration:
  mod_security:
    # Install the OWASP Core Rule Set alongside the engine.
    crs_install: True
    # If not set, default distro's configuration is installed as is
    manage_config: True
    # 'On' blocks; 'DetectionOnly' only logs and is the usual first step
    # when tuning a new rule set against real traffic.
    sec_rule_engine: 'On'
    # Body inspection must stay 'On' or POST/PUT payloads bypass the rules.
    sec_request_body_access: 'On'
    # Size caps in bytes; a request over the limit gets the action below.
    # Keep them at the smallest values the application can live with --
    # they are the main guard against body-parsing resource exhaustion.
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    # PCRE limits cap regex backtracking per rule: too high and a crafted
    # input can pin a worker, too low and rules may fail to match.
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    # The debug log can contain request data; keep the level low in
    # production and restrict who can read the log file.
    sec_debug_log_level: '3'
    rules:
      enabled:
        modsecurity_crs_10_setup.conf:
          rule_set: ''
          enabled: True
        # Disabled in this example. Protocol-violation rules are a core
        # part of CRS coverage; leave them on unless they break a client.
        modsecurity_crs_20_protocol_violations.conf:
          rule_set: 'base_rules'
          enabled: False
      custom_rule_files:
        # any name as an array index, and you can duplicate this section
        UNIQUE_VALUE_HERE:
          file: 'my name'
          path: 'salt://path/to/modsecurity/custom/file'
          enabled: True
  282. mod_ssl:
  283. # set this to True if you want to override your distributions default TLS configuration
  284. manage_tls_defaults: False
    # These settings are deliberately not configured via map.jinja or apache:lookup:
    # we cannot know sane defaults for each release of every distribution.
    # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion.
    # Have a look at bettercrypto.org for up-to-date settings, and review the
    # values below before relying on them: the SSLProtocol line still permits
    # TLSv1.1 (only SSLv2, SSLv3 and TLSv1 are removed), and the cipher list
    # carries a "+SSLv3" group and ends with non-forward-secret CBC suites
    # (CAMELLIA256-SHA, AES256-SHA, ...). Current guidance is to disable
    # TLSv1.1 as well ("-TLSv1.1") and to keep only ECDHE/DHE AEAD suites.
    # These are default values:
  290. SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  291. # Mitigate the CRIME attack
  292. SSLCompression: Off
  293. SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
  294. SSLHonorCipherOrder: On
  295. SSLOptions: "+StrictRequire"