ExternalMirrors
/
apache-formula
mirror of https://github.com/saltstack-formulas/apache-formula.git
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 31 Wiki Activity
Saltstack Official Apache Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
316 Commits
5 Branches
Tree: b003b82249
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b003b82249'
${ noResults }
apache-formula/pillar.example

316 lines
12KB
Raw Blame History 

  1. # ``apache`` formula configuration:

  2. apache:

  3. 

  4.   # lookup section overrides ``map.jinja`` values

  5.   lookup:

  6.     server: apache2

  7.     service: apache2

  8. 

  9.     vhostdir: /etc/apache2/sites-available

  10.     confdir: /etc/apache2/conf.d

  11.     confext: .conf

  12.     logdir: /var/log/apache2

  13.     wwwdir: /srv/apache2

  14. 

  15.     # apache version (generally '2.2' or '2.4')

  16.     version: '2.2'

  17. 

  18.     # ``apache.mod_wsgi`` formula additional configuration:

  19.     mod_wsgi: mod_wsgi

  20. 

  21.     # Default value for AddDefaultCharset in RedHat configuration

  22.     default_charset: 'UTF-8'

  23. 

  24.   global:

  25.     # global apache directives

  26.     AllowEncodedSlashes: 'On'

  27. 

  28. 

  29.   name_virtual_hosts:

  30.     - interface: '*'

  31.       port: 80

  32.     - interface: '*'

  33.       port: 443

  34. 

  35.   # ``apache.vhosts`` formula additional configuration:

  36.   sites:

  37.     example.net:

  38.       template_file: salt://apache/vhosts/minimal.tmpl

  39. 

  40.     example.com: # must be unique; used as an ID declaration in Salt.

  41.       enabled: True

  42.       template_file: salt://apache/vhosts/standard.tmpl # or redirect.tmpl or proxy.tmpl

  43. 

  44.       ####################### DEFAULT VALUES BELOW ############################

  45.       # NOTE: the values below are simply default settings that *can* be

  46.       # overridden and are not required in order to use this formula to create

  47.       # vhost entries.

  48.       #

  49.       # Do not copy the values below into your Pillar unless you intend to

  50.       # modify these vaules.

  51.       ####################### DEFAULT VALUES BELOW ############################

  52.       template_engine: jinja

  53. 

  54.       interface: '*'

  55.       port: '80'

  56. 

  57.       exclude_listen_directive: True # Do not add a Listen directive in httpd.conf

  58. 

  59.       ServerName: example.com # uses the unique ID above unless specified

  60.       ServerAlias: www.example.com

  61. 

  62.       ServerAdmin: webmaster@example.com

  63. 

  64.       LogLevel: warn

  65.       ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log

  66.       CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log

  67. 

  68.       DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com

  69. 

  70.       SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired

  71.       SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file

  72.       SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file

  73. 

  74.       Directory:

  75.         # "default" is a special case; Adds ``/path/to/www/dir/example.com``

  76.         # E.g.: /var/www/example.com

  77.         default:

  78.           Options: -Indexes +FollowSymLinks

  79.           Order: allow,deny    # For Apache < 2.4

  80.           Allow: from all      # For apache < 2.4

  81.           Require: all granted # For apache > 2.4.

  82.           AllowOverride: None

  83.           Formula_Append: |

  84.             Additional config as a

  85.             multi-line string here

  86. 

  87.     80-proxyexample.com:

  88.       template_file: salt://apache/vhosts/redirect.tmpl

  89.       ServerName: www.proxyexample.com

  90.       ServerAlias: www.proxyexample.com

  91.       RedirectSource: '/'

  92.       RedirectTarget: 'https://www.proxyexample.com/'

  93.       DocumentRoot: /var/www/proxy

  94. 

  95.     443-proxyexample.com:

  96.       template_file: salt://apache/vhosts/proxy.tmpl

  97.       ServerName: www.proxyexample.com

  98.       ServerAlias: www.proxyexample.com

  99.       interface: '*'

  100.       port: '443'

  101.       DocumentRoot: /var/www/proxy

  102. 

  103.       Rewrite: |

  104.         RewriteRule ^/webmail$ /webmail/ [R]

  105.         RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]

  106.         RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]

  107. 

  108.       SSLCertificateFile: /etc/httpd/ssl/example.com.crt

  109.       SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key

  110.       SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer

  111. 

  112.       SSLCertificateFile_content: |

  113.         -----BEGIN CERTIFICATE-----

  114.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  115.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  116.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  117.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  118.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  119.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  120.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  121.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  122.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  123.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  124.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  125.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  126.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  127.         -----END CERTIFICATE-----

  128. 

  129.       SSLCertificateKeyFile_content: |

  130.         -----BEGIN PRIVATE KEY-----

  131.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  132.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  133.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  134.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  135.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  136.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  137.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  138.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  139.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  140.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  141.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  142.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  143.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  144.         -----END PRIVATE KEY-----

  145. 

  146.       SSLCertificateChainFile_content: |

  147.         -----BEGIN CERTIFICATE-----

  148.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  149.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  150.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  151.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  152.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  153.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  154.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  155.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  156.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  157.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  158.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  159.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  160.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  161.         -----END CERTIFICATE-----

  162.         -----BEGIN CERTIFICATE-----

  163.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  164.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  165.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  166.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  167.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  168.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  169.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  170.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  171.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  172.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  173.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  174.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  175.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  176.         -----END CERTIFICATE-----

  177. 

  178.       ProxyRequests: 'Off'

  179.       ProxyPreserveHost: 'On'

  180. 

  181.       ProxyRoute:

  182.         example prod proxy route:

  183.           ProxyPassSource: '/'

  184.           ProxyPassTarget: 'http://prod.example.com:85/'

  185.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  186.           ProxyPassReverseSource: '/'

  187.           ProxyPassReverseTarget: 'http://prod.example.com:85/'

  188. 

  189.         example webmail proxy route:

  190.           ProxyPassSource: '/webmail/'

  191.           ProxyPassTarget: 'http://mail.example.com/'

  192.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  193.           ProxyPassReverseSource: '/webmail/'

  194.           ProxyPassReverseTarget: 'http://mail.example.com/'

  195. 

  196.         example service proxy route:

  197.           ProxyPassSource: '/svc/'

  198.           ProxyPassTarget: 'http://svc.example.com:92/'

  199.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  200.           ProxyPassReverseSource: '/svc/'

  201.           ProxyPassReverseTarget: 'http://svc.example.com:92/'

  202. 

  203.       Location:

  204.         /:

  205.           Require: False

  206.           Formula_Append: |

  207.             SecRuleRemoveById 981231

  208.             SecRuleRemoveById 981173

  209. 

  210.         /error:

  211.           Require: 'all granted'

  212. 

  213.       LocationMatch:

  214.         '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':

  215.           Require: False

  216.           Formula_Append: |

  217.             RequestHeader  set  Host  mail.example.com

  218. 

  219.         '^[.\\/]+([Ss][Vv][Cc])[.\\/]':

  220.           Require: False

  221.           Formula_Append: |

  222.             Require ip 123.123.13.6 84.24.25.74

  223. 

  224.       Proxy_control:

  225.         '*':

  226.           AllowAll: False

  227.           AllowCountry:

  228.             - DE

  229.           AllowIP:

  230.             - 12.5.25.32

  231.             - 12.5.25.33

  232. 

  233. 

  234.       Alias:

  235.         /docs: /usr/share/docs

  236. 

  237.       Location:

  238.         /docs:

  239.           Order: allow,deny    # For Apache < 2.4

  240.           Allow: from all      # For apache < 2.4

  241.           Require: all granted # For apache > 2.4.

  242.           Formula_Append: |

  243.             Additional config as a

  244.             multi-line string here

  245. 

  246.       Formula_Append: |

  247.         Additional config as a

  248.         multi-line string here

  249. 

  250.   # ``apache.debian_full`` formula additional configuration:

  251.   register-site:

  252.     # any name as an array index, and you can duplicate this section

  253.     UNIQUE_VALUE_HERE:

  254.       name: 'my name'

  255.       path: 'salt://path/to/sites-available/conf/file'

  256.       state: 'enabled'

  257.       # Optional - use managed file as Jinja Template

  258.       #template: true

  259.       #defaults:

  260.       #  custom_var: "default value"

  261. 

  262.   modules:

  263.     enabled:  # List modules to enable

  264.       - ldap

  265.       - ssl

  266.     disabled:  # List modules to disable

  267.       - rewrite

  268. 

  269.   # KeepAlive: Whether or not to allow persistent connections (more than

  270.   # one request per connection). Set to "Off" to deactivate.

  271.   keepalive: 'On'

  272. 

  273.   security:

  274.     # can be Full | OS | Minimal | Minor | Major | Prod

  275.     # where Full conveys the most information, and Prod the least.

  276.     ServerTokens: Prod

  277. 

  278.   # ``apache.mod_remoteip`` formula additional configuration:

  279.   mod_remoteip:

  280.     RemoteIPHeader: X-Forwarded-For

  281.     RemoteIPTrustedProxy:

  282.       - 10.0.8.0/24

  283.       - 127.0.0.1

  284. 

  285.   # ``apache.mod_security`` formula additional configuration:

  286.   mod_security:

  287.     crs_install: True

  288.     # If not set, default distro's configuration is installed as is

  289.     manage_config: True

  290.     sec_rule_engine: 'On'

  291.     sec_request_body_access: 'On'

  292.     sec_request_body_limit: '14000000'

  293.     sec_request_body_no_files_limit: '114002'

  294.     sec_request_body_in_memory_limit: '114002'

  295.     sec_request_body_limit_action: 'Reject'

  296.     sec_pcre_match_limit: '15000'

  297.     sec_pcre_match_limit_recursion: '15000'

  298.     sec_debug_log_level: '3'

  299. 

  300.     rules:

  301.       enabled:

  302.       modsecurity_crs_10_setup.conf:

  303.         rule_set: ''

  304.         enabled: True

  305.       modsecurity_crs_20_protocol_violations.conf:

  306.         rule_set: 'base_rules'

  307.         enabled: False

  308. 

  309.     custom_rule_files:

  310.       # any name as an array index, and you can duplicate this section

  311.       UNIQUE_VALUE_HERE:

  312.         file: 'my name'

  313.         path: 'salt://path/to/modsecurity/custom/file'

  314.         enabled: True

  315.