Saltstack Official Apache Formula


  #
  # This file is managed by Salt! Do not edit by hand!
  # Hand edits are expected to be lost when Salt next renders this file.
  #
  #
  # Main configuration file of the Apache HTTP server: the directives below
  # give the server its instructions.
  # General documentation: <URL:http://httpd.apache.org/docs/2.4/>
  # Discussion of each configuration directive:
  # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
  #
  # The comments in this file are hints and reminders only. Do NOT rely on a
  # directive without understanding what it does; consult the online docs
  # when unsure. You have been warned.
  #
  # Configuration and logfile names: a filename that begins with "/" (or
  # "drive:/" for Win32) is used as that explicit path. A filename that does
  # *not* begin with "/" gets the value of ServerRoot prepended, so with
  # ServerRoot set to '/www' the name 'log/access_log' is interpreted as
  # '/www/log/access_log', whereas '/log/access_log' stays '/log/access_log'.
  #
  # ServerRoot: top of the directory tree under which the server's
  # configuration, error, and log files are kept.
  #
  # Write the path without a trailing slash. If ServerRoot points at a
  # non-local disk and file-based mutexes are used, specify a local disk on
  # the Mutex directive. Several httpd daemons can share one ServerRoot only
  # if at least PidFile is changed.
  #
  # The value is rendered from the 'serverroot' key of the `apache` template
  # variable; '/etc/httpd' is the fallback.
  ServerRoot "{{ apache.get('serverroot', '/etc/httpd') }}"
  #
  # Listen: binds Apache to specific IP addresses and/or ports instead of the
  # default. See also the <VirtualHost> directive.
  #
  # Listen on specific IP addresses, as in the example below, to keep Apache
  # from binding to all bound IP addresses.
  #
  #Listen 12.34.56.78:80
  #
  # When the 'apache:sites' pillar is a mapping, one Listen line is written
  # per distinct interface:port pair of its sites. A site without 'interface'
  # yields '*' (all addresses) and a site without 'port' yields 80. A site
  # with 'exclude_listen_directive' set, or with port '*', contributes
  # nothing, so this section can render without any Listen line; a Listen
  # directive then has to come from elsewhere in the configuration.
  # Without a sites mapping the server listens on port 80, and on 443 when
  # mod_ssl or mod_gnutls is loaded.
  {%- set sites = salt['pillar.get']('apache:sites') %}
  {% if sites is mapping %}
    {%- set listen_directives = [] %}
    {%- for id, site in sites.items() %}
      {%- set interfaces = site.get('interface', '*').split() %}
      {%- set port = site.get('port', 80) %}
      {%- if port != '*' and not site.get('exclude_listen_directive', False) %}
        {%- for interface in interfaces %}
          {%- set listen_directive = interface ~ ':' ~ port %}
          {%- if listen_directive not in listen_directives %}
            {%- do listen_directives.append(listen_directive) %}
          {%- endif %}
        {%- endfor %}
      {%- endif %}
    {%- endfor %}
    {%- for listen in listen_directives %}
  Listen {{ listen }}
    {%- endfor %}
  {%- else %}
  Listen 80
  <IfModule mod_ssl.c>
      Listen 443
  </IfModule>
  <IfModule mod_gnutls.c>
      Listen 443
  </IfModule>
  {%- endif %}
  #
  # Dynamic Shared Object (DSO) Support
  #
  # A module that was built as a DSO needs a `LoadModule' line at this
  # location, so that its directives are available _before_ they are used.
  # Statically compiled modules (those listed by `httpd -l') do not need
  # to be loaded here.
  #
  # Example:
  # LoadModule foo_module modules/mod_foo.so
  #
  # LoadModule lines are expected to live in the files matched below. Every
  # *.conf file in that directory is read as configuration, so the directory
  # should be writable by administrators only.
  Include conf.modules.d/*.conf
  #
  # User/Group: the name (or #number) of the user/group to run httpd as.
  # To run as a different user or group, httpd must be started as root; it
  # then switches to the identity given here.
  # As with most system services, it is usually good practice to create a
  # dedicated user and group for running httpd.
  #
  # Both values are rendered from the `apache` template variable.
  User {{ apache.user }}
  Group {{ apache.group }}
  # 'Main' server configuration
  #
  # This section sets up the values used by the 'main' server, which answers
  # every request that is not handled by a <VirtualHost> definition. The same
  # values are the defaults for any <VirtualHost> container defined later in
  # the file.
  #
  # Each of these directives may also appear inside a <VirtualHost>
  # container, where it overrides the default for the virtual host being
  # defined.
  #
  #
  # ServerAdmin: the address to which problems with the server should be
  # e-mailed. It appears on some server-generated pages, such as error
  # documents. e.g. admin@your-domain.com
  #
  ServerAdmin root@localhost
  #
  # ServerName: the name and port that the server uses to identify itself.
  # It can often be determined automatically, but specifying it explicitly is
  # recommended to prevent problems during startup.
  #
  # For a host without a registered DNS name, enter its IP address here.
  #
  #ServerName www.example.com:80
  #
  # Default deny: access to the entirety of the server's filesystem is
  # refused, and .htaccess overrides are switched off. Access to web content
  # directories must be permitted explicitly in other <Directory> blocks
  # below.
  #
  <Directory />
      Require all denied
      AllowOverride none
  </Directory>
  #
  # From this point forward every feature has to be enabled specifically. If
  # something is not working as you might expect, make sure it has been
  # specifically enabled below.
  #
  #
  # DocumentRoot: the directory out of which your documents are served.
  # All requests are taken from this directory by default, but symbolic links
  # and aliases may be used to point to other locations.
  #
  # The path is the 'docroot' key of the `apache` template variable, or the
  # 'html' directory under apache.wwwdir when that key is absent.
  {%- set docroot = apache.get('docroot', apache.wwwdir + '/html') %}
  DocumentRoot "{{ docroot }}"
  #
  # Relax access to content within {{ apache.wwwdir }}.
  #
  <Directory "{{ apache.wwwdir }}">
      # Allow open access:
      Require all granted
      AllowOverride None
  </Directory>
  # Further relax access to the default document root:
  <Directory "{{ docroot }}">
      #
      # Options accepts "None", "All", or any combination of:
      # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
      #
      # "MultiViews" must be named *explicitly* --- "Options All" does not
      # give it to you.
      #
      # The Options directive is both complicated and important. Please see
      # http://httpd.apache.org/docs/2.4/mod/core.html#options
      # for more information.
      #
      # NOTE(review): Indexes makes the server generate a listing for any
      # directory here that has no index file, and FollowSymLinks lets it
      # follow symbolic links that lead out of this tree. Sites that need
      # neither should set a narrower Options for their own content.
      #
      Options Indexes FollowSymLinks
      #
      # AllowOverride: which directives may be placed in .htaccess files.
      # Either "All", "None", or any combination of the keywords:
      # Options FileInfo AuthConfig Limit
      #
      AllowOverride None
      #
      # Controls who can get stuff from this server.
      #
      Require all granted
  </Directory>
  #
  # DirectoryIndex: the file that Apache serves when a directory is
  # requested.
  #
  <IfModule dir_module>
      DirectoryIndex index.html
  </IfModule>
  #
  # Keep .htaccess and .htpasswd files from being viewed by Web clients.
  # The pattern covers every file whose name starts with ".ht".
  #
  <Files ".ht*">
      Require all denied
  </Files>
  #
  # ErrorLog: the location of the error log file.
  # Error messages of a <VirtualHost> container that has no ErrorLog
  # directive of its own are logged here. A container that *does* define an
  # error logfile gets its errors logged there and not here.
  #
  ErrorLog "{{ apache.logdir }}/error_log"
  #
  # LogLevel: controls the number of messages logged to the error_log.
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  #
  LogLevel warn
  <IfModule log_config_module>
      #
      # Format nicknames for use with a CustomLog directive (see below).
      #
      LogFormat "%h %l %u %t \"%r\" %>s %b" common
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      #
      # Additional formats from the 'apache:log_formats' pillar list. Each
      # entry is written verbatim after "LogFormat", so it has to carry the
      # complete, correctly quoted argument string.
      {%- for log_format in salt['pillar.get']('apache:log_formats', []) %}
      LogFormat {{ log_format }}
      {%- endfor %}
      <IfModule logio_module>
          # You need to enable mod_logio.c to use %I and %O
          LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
      </IfModule>
      #
      # Location and format of the access logfile (Common Logfile Format).
      # Transactions of a <VirtualHost> container that defines no access
      # logfile are logged here. Contrariwise, a container that *does* define
      # its own access logfile has them logged therein and *not* in this
      # file.
      #
      #CustomLog "logs/access_log" common
      #
      # For a logfile with access, agent, and referer information
      # (Combined Logfile Format) use the following directive.
      #
      CustomLog "{{ apache.logdir }}/access_log" combined
  </IfModule>
  <IfModule alias_module>
      #
      # Redirect: tells clients about documents that used to exist in your
      # server's namespace, but do not anymore. The client then makes a new
      # request for the document at its new location.
      # Example:
      # Redirect permanent /foo http://www.example.com/bar
      #
      # Alias: maps web paths into filesystem paths and is used to access
      # content that does not live under the DocumentRoot.
      # Example:
      # Alias /webpath /full/filesystem/path
      #
      # With a trailing / on /webpath the server requires it to be present in
      # the URL. You will also likely need a <Directory> section that allows
      # access to the filesystem path.
      #
      # ScriptAlias: controls which directories contain server scripts.
      # A ScriptAlias is essentially an Alias, except that documents in the
      # target directory are treated as applications and run by the server
      # when requested, rather than sent to the client as documents. The
      # rules about trailing "/" apply to ScriptAlias as they do to Alias.
      #
      ScriptAlias /cgi-bin/ "{{ apache.wwwdir }}/cgi-bin/"
  </IfModule>
  #
  # "{{ apache.wwwdir }}/cgi-bin/" should be changed to wherever your
  # ScriptAliased CGI directory is, if you have that configured.
  #
  # NOTE(review): files under a ScriptAlias target are run as programs when
  # requested, so this directory should be writable by administrators only.
  #
  <Directory "{{ apache.wwwdir }}/cgi-bin/">
      Options None
      AllowOverride None
      Require all granted
  </Directory>
  <IfModule mime_module>
      #
      # TypesConfig: the file containing the list of mappings from filename
      # extension to MIME-type.
      #
      TypesConfig /etc/mime.types
      #
      # AddType: adds to or overrides, for specific file types, the MIME
      # configuration file specified in TypesConfig.
      #
      #AddType application/x-gzip .tgz
      #
      # AddEncoding: lets certain browsers uncompress information on the fly.
      # Note: Not all browsers support this.
      #
      #AddEncoding x-compress .Z
      #AddEncoding x-gzip .gz .tgz
      #
      # While the AddEncoding directives above are commented out, these
      # extensions should probably be defined to indicate media types:
      #
      AddType application/x-gzip .gz .tgz
      AddType application/x-compress .Z
      #
      # AddHandler: maps certain file extensions to "handlers", actions
      # unrelated to filetype. Handlers are either built into the server or
      # added with the Action directive (see below)
      #
      # To use CGI scripts outside of ScriptAliased directories:
      # (You will also need to add "ExecCGI" to the "Options" directive.)
      #
      #AddHandler cgi-script .cgi
      # For type maps (negotiated resources):
      #AddHandler type-map var
      #
      # Filters allow you to process content before it is sent to the client.
      #
      # To parse .shtml files for server-side includes (SSI):
      # (You will also need to add "Includes" to the "Options" directive.)
      #
      AddOutputFilter INCLUDES .shtml
      AddType text/html .shtml
  </IfModule>
  #
  # Default charset for all content served: with this directive in place,
  # all content is interpreted as UTF-8 by default. Comment it out to use the
  # default browser choice (ISO-8859-1), or to allow the META tags in HTML
  # content to override this choice.
  #
  # A null 'default_charset' in the `apache` template variable renders the
  # directive commented out. Any other value is written as the directive's
  # argument, and UTF-8 is used when the key is absent.
  {%- set default_charset = apache.get('default_charset', 'UTF-8') %}
  {%- if default_charset is none %}
  # AddDefaultCharset UTF-8
  {%- else %}
  AddDefaultCharset {{ default_charset }}
  {%- endif %}
  <IfModule mime_magic_module>
      #
      # mod_mime_magic lets the server use various hints from the contents of
      # a file itself to determine its type. MIMEMagicFile tells the module
      # where the hint definitions are located.
      #
      MIMEMagicFile conf/magic
  </IfModule>
  #
  # Customizable error responses come in three flavors:
  # 1) plain text 2) local redirects 3) external redirects
  #
  # Some examples:
  #ErrorDocument 500 "The server made a boo boo."
  #ErrorDocument 404 /missing.html
  #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
  #ErrorDocument 402 http://www.example.com/subscription_info.html
  #
  #
  # EnableMMAP and EnableSendfile: on systems that support it, files may be
  # delivered with memory-mapping or the sendfile syscall. This usually
  # improves server performance, but it must be turned off when serving from
  # networked-mounted filesystems or if support for these functions is
  # otherwise broken on your system.
  # Defaults if commented: EnableMMAP On, EnableSendfile Off
  #
  #EnableMMAP off
  EnableSendfile on
  #
  # Directives from the 'apache:global' pillar mapping, one line per entry.
  # Name and value are written verbatim, without validation or quoting, so
  # the pillar has to supply them exactly as Apache expects them. Checking
  # the rendered file with `httpd -t` before a reload catches syntax errors.
  {%- for name, value in salt['pillar.get']('apache:global', {}).items() %}
  {{ name }} {{ value }}
  {%- endfor %}
  # Supplemental configuration
  #
  # Load the *.conf files, if any, from apache.confdir and, when that is a
  # different directory, from apache.vhostdir as well.
  IncludeOptional {{ apache.confdir }}/*.conf
  {% if apache.confdir != apache.vhostdir %}
  IncludeOptional {{ apache.vhostdir }}/*.conf
  {% endif %}
  # Added for security enhancements
  #
  # TraceEnable off makes the server refuse TRACE requests. ServerTokens Prod
  # limits the Server response header to the product name, and
  # ServerSignature off drops the server footer from server-generated pages.
  # NOTE(review): these lines follow the includes, presumably so that they
  # are the last server-scope values read; confirm that no included file or
  # virtual host sets these directives to weaker values.
  TraceEnable off
  ServerTokens Prod
  ServerSignature off