ExternalMirrors
/
apache-formula
镜像自地址 https://github.com/saltstack-formulas/apache-formula.git
关注 1
点赞 0
派生 1
代码 工单 0 版本发布 31 百科 动态
Saltstack Official Apache Formula
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
471 提交
5 分支
目录树: b0bbd0b91d
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'b0bbd0b91d'
${ noResults }
apache-formula/pillar.example

388 行
14KB
原始文件 Blame 文件历史 

  1. # -*- coding: utf-8 -*-

  2. # vim: ft=yaml

  3. ---

  4. # ``apache`` formula configuration:

  5. apache:

  6. 

  7.   # By default apache restart/reload states run (false skips)

  8.   manage_service_states: true

  9. 

  10.   # lookup section overrides ``map.jinja`` values

  11.   lookup:

  12.     server: apache2

  13.     service: apache2

  14.     user: some_system_user

  15.     group: some_system_group

  16. 

  17.     vhostdir: /etc/apache2/sites-available

  18.     confdir: /etc/apache2/conf.d

  19.     confext: .conf

  20.     logdir: /var/log/apache2

  21.     wwwdir: /srv/apache2

  22. 

  23.     # apache version (generally '2.2' or '2.4')

  24.     version: '2.2'

  25. 

  26.     # ``apache.mod_wsgi`` formula additional configuration:

  27.     mod_wsgi: mod_wsgi

  28. 

  29.     # Default value for AddDefaultCharset in RedHat configuration

  30.     default_charset: 'UTF-8'

  31. 

  32.     # Should we enforce DocumentRoot user/group?

  33.     # Default: do not enforce

  34.     document_root_user: www-data   # Force user if specified, leave it default if not

  35.     document_root_group: null      # Do not enforce group

  36. 

  37.   global:

  38.     # global apache directives

  39.     AllowEncodedSlashes: 'On'

  40. 

  41. 

  42.   name_virtual_hosts:

  43.     - interface: '*'

  44.       port: 80

  45.     - interface: '*'

  46.       port: 443

  47. 

  48.   # ``apache.vhosts`` formula additional configuration:

  49.   sites:

  50.     example.net:

  51.       template_file: salt://apache/vhosts/minimal.tmpl

  52. 

  53.     example.com:  # must be unique; used as an ID declaration in Salt.

  54.       enabled: true

  55.       # or minimal.tmpl or redirect.tmpl or proxy.tmpl

  56.       template_file: salt://apache/vhosts/standard.tmpl

  57. 

  58.       ####################### DEFAULT VALUES BELOW ############################

  59.       # NOTE: the values below are simply default settings that *can* be

  60.       # overridden and are not required in order to use this formula to create

  61.       # vhost entries.

  62.       #

  63.       # Do not copy the values below into your Pillar unless you intend to

  64.       # modify these vaules.

  65.       ####################### DEFAULT VALUES BELOW ############################

  66.       template_engine: jinja

  67. 

  68.       interface: '*'

  69.       port: '80'

  70. 

  71.       exclude_listen_directive: true  # Do not add a Listen directive in httpd.conf

  72. 

  73.       ServerName: example.com  # uses the unique ID above unless specified

  74.       # ServerAlias: www.example.com  # Do not add ServerAlias unless defined

  75. 

  76.       ServerAdmin: webmaster@example.com

  77. 

  78.       LogLevel: warn

  79.       # E.g.: /var/log/apache2/example.com-error.log

  80.       ErrorLog: /path/to/logs/example.com-error.log

  81.       # E.g.: /var/log/apache2/example.com-access.log

  82.       CustomLog: /path/to/logs/example.com-access.log

  83. 

  84.       # E.g., /var/www/example.com

  85.       DocumentRoot: /path/to/www/dir/example.com

  86.       # do not enforce user, defaults to lookup:document_root_user

  87.       DocumentRootUser: null

  88.       # Force group, defaults to lookup:document_root_group

  89.       DocumentRootGroup: www-data

  90. 

  91.       # if ssl is desired

  92.       SSLCertificateFile: /etc/ssl/mycert.pem

  93.       # if key for cert is needed or in an extra file

  94.       SSLCertificateKeyFile: /etc/ssl/mycert.pem.key

  95.       # if you require a chain of server certificates file

  96.       SSLCertificateChainFile: /etc/ssl/mycert.chain.pem

  97. 

  98.       Directory:

  99.         # "default" is a special case; uses DocumentRoot value

  100.         # E.g.: /var/www/example.com

  101.         default:

  102.           Options: -Indexes +FollowSymLinks

  103.           Order: allow,deny     # For Apache < 2.4

  104.           Allow: from all       # For apache < 2.4

  105.           Require: all granted  # For apache > 2.4.

  106.           AllowOverride: None

  107.           Formula_Append: |

  108.             Additional config as a

  109.             multi-line string here

  110. 

  111.     redirectmatch.com:

  112.       # Use RedirectMatch Directive

  113.       # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch

  114.       # Require module mod_alias

  115.       enabled: true

  116.       template_file: salt://apache/vhosts/redirect.tmpl

  117.       ServerName: www.redirectmatch.com

  118.       ServerAlias: www.redirectmatch.com

  119.       RedirectMatch: true

  120.       RedirectSource: '^/$'

  121.       RedirectTarget: '/subdirectory'

  122.       DocumentRoot: /var/www/html/

  123.       ErrorLog: ${APACHE_LOG_DIR}/error.log

  124.       CustomLog: ${APACHE_LOG_DIR}/access.log

  125. 

  126.     80-proxyexample.com:

  127.       template_file: salt://apache/vhosts/redirect.tmpl

  128.       ServerName: www.proxyexample.com

  129.       ServerAlias: www.proxyexample.com

  130.       RedirectSource: '/'

  131.       RedirectTarget: 'https://www.proxyexample.com/'

  132.       DocumentRoot: /var/www/proxy

  133. 

  134.     443-proxyexample.com:

  135.       template_file: salt://apache/vhosts/proxy.tmpl

  136.       ServerName: www.proxyexample.com

  137.       ServerAlias: www.proxyexample.com

  138.       interface: '*'

  139.       port: '443'

  140.       DocumentRoot: /var/www/proxy

  141. 

  142.       Rewrite: |

  143.         RewriteRule ^/webmail$ /webmail/ [R]

  144.         RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]

  145.         RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]

  146. 

  147.       SSLCertificateFile: /etc/httpd/ssl/example.com.crt

  148.       SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key

  149.       SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer

  150. 

  151.       SSLCertificateFile_content: |

  152.         -----BEGIN CERTIFICATE-----

  153.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  154.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  155.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  156.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  157.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  158.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  159.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  160.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  161.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  162.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  163.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  164.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  165.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  166.         -----END CERTIFICATE-----

  167. 

  168.       SSLCertificateKeyFile_content: |

  169.         -----BEGIN PRIVATE KEY-----

  170.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  171.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  172.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  173.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  174.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  175.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  176.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  177.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  178.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  179.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  180.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  181.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  182.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  183.         -----END PRIVATE KEY-----

  184. 

  185.       SSLCertificateChainFile_content: |

  186.         -----BEGIN CERTIFICATE-----

  187.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  188.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  189.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  190.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  191.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  192.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  193.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  194.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  195.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  196.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  197.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  198.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  199.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  200.         -----END CERTIFICATE-----

  201.         -----BEGIN CERTIFICATE-----

  202.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  203.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  204.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  205.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  206.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  207.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  208.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  209.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  210.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  211.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  212.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  213.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  214.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  215.         -----END CERTIFICATE-----

  216. 

  217.       ProxyRequests: 'Off'

  218.       ProxyPreserveHost: 'On'

  219. 

  220.       ProxyRoute:

  221.         example prod proxy route:

  222.           ProxyPassSource: '/'

  223.           ProxyPassTarget: 'http://prod.example.com:85/'

  224.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  225.           ProxyPassReverseSource: '/'

  226.           ProxyPassReverseTarget: 'http://prod.example.com:85/'

  227. 

  228.         example webmail proxy route:

  229.           ProxyPassSource: '/webmail/'

  230.           ProxyPassTarget: 'http://mail.example.com/'

  231.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  232.           ProxyPassReverseSource: '/webmail/'

  233.           ProxyPassReverseTarget: 'http://mail.example.com/'

  234. 

  235.         example service proxy route:

  236.           ProxyPassSource: '/svc/'

  237.           ProxyPassTarget: 'http://svc.example.com:92/'

  238.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  239.           ProxyPassReverseSource: '/svc/'

  240.           ProxyPassReverseTarget: 'http://svc.example.com:92/'

  241. 

  242.       Location:

  243.         /:

  244.           Require: false

  245.           Formula_Append: |

  246.             SecRuleRemoveById 981231

  247.             SecRuleRemoveById 981173

  248. 

  249.         /error:

  250.           Require: 'all granted'

  251. 

  252.         /docs:

  253.           Order: allow,deny     # For Apache < 2.4

  254.           Allow: from all       # For apache < 2.4

  255.           Require: all granted  # For apache > 2.4.

  256.           Formula_Append: |

  257.             Additional config as a

  258.             multi-line string here

  259. 

  260.       LocationMatch:

  261.         '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':

  262.           Require: false

  263.           Formula_Append: |

  264.             RequestHeader  set  Host  mail.example.com

  265. 

  266.         '^[.\\/]+([Ss][Vv][Cc])[.\\/]':

  267.           Require: false

  268.           Formula_Append: |

  269.             Require ip 123.123.13.6 84.24.25.74

  270. 

  271.       Proxy_control:

  272.         '*':

  273.           AllowAll: false

  274.           AllowCountry:

  275.             - DE

  276.           AllowIP:

  277.             - 12.5.25.32

  278.             - 12.5.25.33

  279. 

  280. 

  281.       Alias:

  282.         /docs: /usr/share/docs

  283. 

  284.       Formula_Append: |

  285.         Additional config as a

  286.         multi-line string here

  287. 

  288.   # ``apache.debian_full`` formula additional configuration:

  289.   register-site:

  290.     # any name as an array index, and you can duplicate this section

  291.     UNIQUE_VALUE_HERE:

  292.       name: 'my name'

  293.       path: 'salt://path/to/sites-available/conf/file'

  294.       state: 'enabled'

  295.       # Optional - use managed file as Jinja Template

  296.       # template: true

  297.       # defaults:

  298.       #   custom_var: "default value"

  299. 

  300.   modules:

  301.     enabled:   # List modules to enable

  302.       - ldap

  303.       - ssl

  304.     disabled:  # List modules to disable

  305.       - rewrite

  306. 

  307.   flags:

  308.     enabled:   # List server flags to enable

  309.       - SSL

  310.     disabled:  # List server flags to disable

  311.       - status

  312. 

  313.   # KeepAlive: Whether or not to allow persistent connections (more than

  314.   # one request per connection). Set to "Off" to deactivate.

  315.   keepalive: 'On'

  316. 

  317.   security:

  318.     # can be Full | OS | Minimal | Minor | Major | Prod

  319.     # where Full conveys the most information, and Prod the least.

  320.     ServerTokens: Prod

  321. 

  322.   # [debian only] configure mod_ssl

  323.   ssl:

  324.     SSLCipherSuite: 'HIGH:!aNULL'

  325.     SSLHonorCipherOrder: 'Off'

  326.     SSLProtocol: 'all -SSLv3'

  327.     SSLUseStapling: 'Off'

  328.     SSLStaplingResponderTimeout: '5'

  329.     SSLStaplingReturnResponderErrors: 'Off'

  330.     SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'

  331. 

  332.   # ``apache.mod_remoteip`` formula additional configuration:

  333.   mod_remoteip:

  334.     RemoteIPHeader: X-Forwarded-For

  335.     RemoteIPTrustedProxy:

  336.       - 10.0.8.0/24

  337.       - 127.0.0.1

  338. 

  339.   # ``apache.mod_security`` formula additional configuration:

  340.   mod_security:

  341.     crs_install: true

  342.     # If not set, default distro's configuration is installed as is

  343.     manage_config: true

  344.     sec_rule_engine: 'On'

  345.     sec_request_body_access: 'On'

  346.     sec_request_body_limit: '14000000'

  347.     sec_request_body_no_files_limit: '114002'

  348.     sec_request_body_in_memory_limit: '114002'

  349.     sec_request_body_limit_action: 'Reject'

  350.     sec_pcre_match_limit: '15000'

  351.     sec_pcre_match_limit_recursion: '15000'

  352.     sec_debug_log_level: '3'

  353. 

  354.     rules:

  355.       enabled: ~

  356.       modsecurity_crs_10_setup.conf:

  357.         rule_set: ''

  358.         enabled: true

  359.       modsecurity_crs_20_protocol_violations.conf:

  360.         rule_set: 'base_rules'

  361.         enabled: false

  362. 

  363.     custom_rule_files:

  364.       # any name as an array index, and you can duplicate this section

  365.       UNIQUE_VALUE_HERE:

  366.         file: 'my name'

  367.         path: 'salt://path/to/modsecurity/custom/file'

  368.         enabled: true

  369. 

  370.   mod_ssl:

  371.     # set this to true if you want to override your distributions default TLS

  372.     # configuration

  373.     manage_tls_defaults: false

  374.     # This stuff is deliberately not configured via map.jinja resp.

  375.     # apache:lookup.  We're unable to know sane defaults for each release of

  376.     # every distribution.

  377.     # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for

  378.     # a related discussion Have a look at bettercrypto.org for up-to-date

  379.     # settings.

  380.     # These are default values:

  381.     # yamllint disable-line rule:line-length

  382.     SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

  383.     # Mitigate the CRIME attack

  384.     SSLCompression: 'Off'

  385.     SSLProtocol: all -SSLv2 -SSLv3 -TLSv1

  386.     SSLHonorCipherOrder: 'On'

  387.     SSLOptions: "+StrictRequire"