Saltstack Official Apache Formula


  1. # -*- coding: utf-8 -*-
  2. # vim: ft=yaml
  3. ---
  4. apache:
  # apache:lookup values (presumably merged by the formula's map.jinja; confirm
  # against the formula).
  lookup:
    master: template-master
    # apache version (generally '2.2' or '2.4')
    # version: '2.2'

    # Default value for AddDefaultCharset in RedHat configuration
    default_charset: 'UTF-8'

    # Should we enforce DocumentRoot user/group?
    # null leaves the choice to the default named in the trailing comment.
    document_root_user: null  # Defaults to: apache.user
    document_root_group: null  # Defaults to: apache.group

    # Just for testing purposes
    winner: lookup
    added_in_lookup: lookup_value
  17. # Using bash package and udev service as an example. This allows us to
  18. # test the template formula itself. You should set these parameters to
  19. # examples that make sense in the context of the formula you're writing.
  20. # pkg:
  21. # deps:
  22. # mod_ssl # redhat
  23. # mod_security # redhat
  24. # mod_geoip # redhat
  25. # GeoIP # redhat
  26. # libapache2-mod-security2 # Debian
  global:
    # global apache directives
    # NOTE(review): 'On' makes httpd accept and decode %2F in request paths.
    # The directive defaults to Off, and the httpd documentation recommends
    # NoDecode when encoded slashes are needed. Keep 'On' only where an
    # application requires it.
    AllowEncodedSlashes: 'On'
  # One entry per interface/port pair (presumably rendered as NameVirtualHost
  # directives; confirm against the formula templates).
  name_virtual_hosts:
    - interface: '*'
      port: 80
    - interface: '*'
      port: 443
  35. # ``apache.vhosts`` formula additional configuration:
  36. # fqdn should be added to /etc/hosts i.e. ##
  37. # $ tail -3 /etc/hosts
  38. # 127.0.0.1 example.com
  39. # 127.0.0.1 www.redirectmatch.com
  40. # 127.0.0.1 www.proxyexample.com
  41. sites:
  42. example.net:
  43. template_file: salt://apache/config/vhosts/minimal.tmpl
  44. port: '8081'
  45. example.com: # must be unique; used as an ID declaration in Salt.
  46. enabled: true
  47. # or minimal.tmpl or redirect.tmpl or proxy.tmpl
  48. template_file: salt://apache/config/vhosts/standard.tmpl
  49. ####################### DEFAULT VALUES BELOW ############################
  50. # NOTE: the values below are simply default settings that *can* be
  51. # overridden and are not required in order to use this formula to create
  52. # vhost entries.
  53. #
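  54. # Do not copy the values below into your Pillar unless you intend to
  55. # modify these values. The certificate and private key shown further down are published sample material: never deploy them, and supply real keys from an encrypted pillar or another secret store.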
  56. ####################### DEFAULT VALUES BELOW ############################
  57. template_engine: jinja
  58. interface: '*'
  59. port: '443'
  60. exclude_listen_directive: true # Do not add a Listen directive in httpd.conf
  61. ServerName: example.com # uses the unique ID above unless specified
  62. # ServerAlias: www.example.com # Do not add ServerAlias unless defined
  63. ServerAdmin: webmaster@example.com
  64. LogLevel: warn
  65. # E.g.: /var/log/apache2/example.com-error.log
  66. # ErrorLog: /path/to/logs/example.com-error.log
  67. # E.g.: /var/log/apache2/example.com-access.log
  68. # CustomLog: /path/to/logs/example.com-access.log
  69. # E.g., /var/www/example.com
  70. DocumentRoot: /path/to/www/dir/example.com
  71. # do not enforce user, defaults to lookup:document_root_user or apache.user
  72. DocumentRootUser: null
  73. # Force group, defaults to lookup:document_root_group or apache.user
  74. DocumentRootGroup: null
  75. {%- if grains.os_family in ('Debian', 'Suse', 'Gentoo') %}
  76. SSLCertificateFile: /etc/apache2/conf/server.crt
  77. SSLCertificateKeyFile: /etc/apache2/conf/server.key
  78. {%- else %}
  79. SSLCertificateFile: /etc/httpd/conf/server.crt
  80. SSLCertificateKeyFile: /etc/httpd/conf/server.key
  81. {%- endif %}
  82. # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  83. SSLCertificateFile_content: |
  84. -----BEGIN CERTIFICATE-----
  85. MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x
  86. CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp
  87. Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM
  88. C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL
  89. MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj
  90. bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL
  91. ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL
  92. ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D
  93. mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8
  94. yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo
  95. th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m
  96. TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY
  97. i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27
  98. jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl
  99. aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+
  100. 2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO
  101. W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb
  102. 2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl
  103. ylssbnQ=
  104. -----END CERTIFICATE-----
  105. SSLCertificateKeyFile_content: |
  106. -----BEGIN RSA PRIVATE KEY-----
  107. MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx
  108. svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY
  109. t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272
  110. a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw
  111. xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V
  112. 2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P
  113. Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS
  114. 70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR
  115. zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd
  116. vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj
  117. eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ
  118. viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk
  119. Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS
  120. 2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv
  121. ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+
  122. dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI
  123. FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU
  124. Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc
  125. KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu
  126. UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA
  127. e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu
  128. wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3
  129. LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF
  130. eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ
  131. qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4
  132. -----END RSA PRIVATE KEY-----
  133. Directory:
  134. # "default" is a special case; uses DocumentRoot value
  135. # E.g.: /var/www/example.com
  136. default:
  137. Options: -Indexes +FollowSymLinks
  138. Order: allow,deny # For Apache < 2.4
  139. Allow: from all # For apache < 2.4
  140. Require: all granted # For apache > 2.4.
  141. AllowOverride: None
  142. # Formula_Append: |
  143. # Additional config as a
  144. # multi-line string here
  145. # Force SSL: Redirect from 80 to 443
  146. example2.com:
  147. port: 80
  148. template_file: salt://apache/vhosts/redirect.tmpl
  149. RedirectSource: 'permanent /'
  150. # Trailing slash is important
  151. RedirectTarget: 'https://example.com/'
  152. example2.com_ssl:
  153. port: 443
  154. ServerName: example.com
  155. SSLCertificateFile: /path/to/ssl.crt
  156. SSLCertificateKeyFile: /path/to/ssl.key
  157. SSLCertificateChainFile: /path/to/ssl.ca.crt
  158. # Use RedirectMatch Directive
  159. redirectmatch.com:
  160. # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
  161. # Require module mod_alias
  162. enabled: true
  163. template_file: salt://apache/config/vhosts/redirect.tmpl
  164. ServerName: www.redirectmatch.com
  165. ServerAlias: www.redirectmatch.com
  166. RedirectMatch: true
  167. RedirectSource: '^/$'
  168. RedirectTarget: '/subdirectory'
  169. DocumentRoot: /var/www/html/
  170. port: '8083'
  171. 8084-proxyexample.com:
  172. template_file: salt://apache/config/vhosts/redirect.tmpl
  173. ServerName: www.proxyexample.com
  174. ServerAlias: www.proxyexample.com
  175. RedirectSource: '/'
  176. RedirectTarget: 'https://www.proxyexample.com/'
  177. DocumentRoot: /var/www/proxy
  178. port: '8084'
  179. 8443-proxyexample.com:
  180. template_file: salt://apache/config/vhosts/proxy.tmpl
  181. ServerName: www.proxyexample.com
  182. ServerAlias: www.proxyexample.com
  183. interface: '*'
  184. port: '8443'
  185. DocumentRoot: /var/www/proxy
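  # Rewrite rules of the 8443-proxyexample.com site entry.
  # Rules flagged [P] hand the request to mod_proxy, so scheme, host and port
  # of the target must stay fixed. Each capture group therefore starts with
  # "/": client-supplied text can only extend the path of the backend URL and
  # can never become part of its hostname or port.
  Rewrite: |
    RewriteRule ^/webmail$ /webmail/ [R]
    RewriteRule ^/webmail(/.*)$ http://mail.example.com$1 [P,L]
    RewriteRule ^/vicescws(/.*)?$ http://svc.example.com:92$1 [P,L]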
  190. SSLCertificateFile: /etc/httpd/conf/server.crt
  191. SSLCertificateKeyFile: /etc/httpd/conf/server.key
  192. # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  193. SSLCertificateFile_content: |
  194. -----BEGIN CERTIFICATE-----
  195. MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x
  196. CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp
  197. Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM
  198. C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL
  199. MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj
  200. bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL
  201. ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL
  202. ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D
  203. mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8
  204. yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo
  205. th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m
  206. TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY
  207. i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27
  208. jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl
  209. aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+
  210. 2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO
  211. W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb
  212. 2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl
  213. ylssbnQ=
  214. -----END CERTIFICATE-----
  215. SSLCertificateKeyFile_content: |
  216. -----BEGIN RSA PRIVATE KEY-----
  217. MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx
  218. svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY
  219. t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272
  220. a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw
  221. xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V
  222. 2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P
  223. Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS
  224. 70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR
  225. zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd
  226. vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj
  227. eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ
  228. viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk
  229. Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS
  230. 2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv
  231. ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+
  232. dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI
  233. FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU
  234. Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc
  235. KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu
  236. UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA
  237. e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu
  238. wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3
  239. LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF
  240. eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ
  241. qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4
  242. -----END RSA PRIVATE KEY-----
  243. SSLCertificateChainFile_content: |
  244. -----BEGIN CERTIFICATE-----
  245. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  246. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  247. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  248. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  249. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  250. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  251. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  252. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  253. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  254. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  255. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  256. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  257. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  258. -----END CERTIFICATE-----
  259. -----BEGIN CERTIFICATE-----
  260. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  261. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  262. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  263. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  264. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  265. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  266. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  267. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  268. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  269. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  270. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  271. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  272. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  273. -----END CERTIFICATE-----
  274. ProxyRequests: 'Off'
  275. ProxyPreserveHost: 'On'
  276. ProxyRoute:
  277. example prod proxy route:
  278. ProxyPassSource: '/'
  279. ProxyPassTarget: 'http://prod.example.com:85/'
  280. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  281. ProxyPassReverseSource: '/'
  282. ProxyPassReverseTarget: 'http://prod.example.com:85/'
  283. example webmail proxy route:
  284. ProxyPassSource: '/webmail/'
  285. ProxyPassTarget: 'http://mail.example.com/'
  286. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  287. ProxyPassReverseSource: '/webmail/'
  288. ProxyPassReverseTarget: 'http://mail.example.com/'
  289. example service proxy route:
  290. ProxyPassSource: '/svc/'
  291. ProxyPassTarget: 'http://svc.example.com:92/'
  292. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  293. ProxyPassReverseSource: '/svc/'
  294. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  295. Location:
  296. /:
  297. Require: false
  298. # Formula_Append: |
  299. # SecRuleRemoveById 981231
  300. # SecRuleRemoveById 981173
  301. /error:
  302. Require: 'all granted'
  303. /docs:
  304. Order: allow,deny # For Apache < 2.4
  305. Allow: from all # For apache < 2.4
  306. Require: all granted # For apache > 2.4.
  307. # Formula_Append: |
  308. # Additional config as a
  309. # multi-line string here
  310. LocationMatch:
  311. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  312. Require: false
  313. Formula_Append: |
  314. RequestHeader set Host mail.example.com
  315. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  316. Require: false
  317. Formula_Append: |
  318. Require ip 123.123.13.6 84.24.25.74
  319. Proxy_control:
  320. '*':
  321. AllowAll: false
  322. AllowCountry: false
  323. # - DE
  324. AllowIP:
  325. - 12.5.25.32
  326. - 12.5.25.33
  327. Alias:
  328. /docs: /usr/share/docs
  329. ScriptAlias:
  330. /cgi-bin/: /var/www/cgi-bin/
  331. # Formula_Append: |
  332. # \#Additional config as a
  333. # \#multi-line string here
  334. # ``apache.debian_full`` formula additional configuration:
  register-site:
    # any name as an array index, and you can duplicate this section
    unique_value_here:
      name: 'myname'
      # salt:// source of the file that is registered as a site
      path: 'salt://apache/files/myname.conf'
      state: 'enabled'
      # Optional - use managed file as Jinja Template
      # template: true
      # defaults:
      #   custom_var: "default value"
  # NOTE(review): every enabled module adds request-handling code to the
  # server. Trim this list to what the served sites need (dav*, ldap and proxy*
  # only where they are used). `status` is enabled here; the
  # server_status_require key of this pillar presumably limits who may query
  # it (confirm against the formula).
  modules:
    enabled:  # List modules to enable
      - ssl
      - prefork
      - rewrite
      - proxy
      - proxy_ajp
      - proxy_html
      - headers
      # geoip
      - status
      - logio
      - dav
      - dav_fs
      - dav_lock
      - auth_digest
      - socache_shmcb
      - watchdog
      - xml2enc
      - ldap
    disabled:  # List modules to disable
      - geoip
  # Server flags to switch on or off. How the formula applies them is not
  # visible in this file.
  flags:
    enabled:  # List server flags to enable
      - SSL
    disabled:  # List server flags to disable
      - status
  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  # Quoted so that YAML keeps the literal string instead of a boolean.
  keepalive: 'On'
  TimeOut: 60  # software default is 60 seconds
  security:
    # can be Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    # Prod keeps version and OS details out of the Server response header.
    ServerTokens: Prod
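  # [debian only] configure mod_ssl
  ssl:
    SSLCipherSuite: 'HIGH:!aNULL'
    # Server-side cipher preference, in line with apache:mod_ssl in this file.
    SSLHonorCipherOrder: 'On'
    # SSLv3 stays excluded; TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and
    # are excluded as well.
    SSLProtocol: 'all -SSLv3 -TLSv1 -TLSv1.1'
    # OCSP stapling is off in this example; the responder and cache settings
    # below only matter once SSLUseStapling is switched to 'On'.
    SSLUseStapling: 'Off'
    SSLStaplingResponderTimeout: '5'
    SSLStaplingReturnResponderErrors: 'Off'
    SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'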
  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip:
    # Request header from which the client address is taken.
    RemoteIPHeader: X-Forwarded-For
    # NOTE(review): every address listed here is trusted to state the client
    # address through that header. List only proxies you operate. A header
    # accepted from anyone else lets clients choose the address that ends up
    # in logs and in IP-based access rules.
    RemoteIPTrustedProxy:
      - 10.0.8.0/24
      - 127.0.0.1
  # ``apache.mod_security`` formula additional configuration:
  # NOTE(review): nesting below is reconstructed from a flattened listing;
  # confirm against the formula's pillar.example.
  mod_security:
    # false: the formula does not install the Core Rule Set (presumably;
    # confirm against the mod_security state).
    crs_install: false
    # If not set, default distro's configuration is installed as is
    manage_config: true
    # 'On' presumably maps to SecRuleEngine On, i.e. rules are enforced
    # rather than evaluated in detection-only mode.
    sec_rule_engine: 'On'
    sec_request_body_access: 'On'
    # Request body limits; quoted so the values stay strings.
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'

    rules:
      # `~` is YAML null
      enabled: ~
      modsecurity_crs_10_setup.conf:
        rule_set: ''
        enabled: true
      modsecurity_crs_20_protocol_violations.conf:
        rule_set: 'base_rules'
        enabled: false

    custom_rule_files:
      # any name as an array index, and you can duplicate this section
      UNIQUE_VALUE_HERE:
        file: 'myname'
        # path/to/modsecurity/custom/file
        path: 'salt://apache/files/dummy.conf'
        enabled: false
  mod_ssl:
    # set this to true if you want to override your distributions default TLS
    # configuration
    manage_tls_defaults: false
    # This stuff is deliberately not configured via map.jinja resp.
    # apache:lookup. We're unable to know sane defaults for each release of
    # every distribution.
    # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for
    # a related discussion Have a look at bettercrypto.org for up-to-date
    # settings.
    # These are default values:
    # NOTE(review): `+SSLv3` in the cipher string is an ordering token that
    # moves SSLv3-era suites to the end of the list; it does not enable the
    # SSLv3 protocol. The four trailing suites (CAMELLIA256-SHA, AES256-SHA,
    # CAMELLIA128-SHA, AES128-SHA) use static RSA key exchange without forward
    # secrecy; drop them in your own pillar if all clients support (EC)DHE.
    # yamllint disable-line rule:line-length
    SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    # Mitigate the CRIME attack
    SSLCompression: 'Off'
    # NOTE(review): this still permits TLS 1.1, which RFC 8996 deprecates
    # together with TLS 1.0; consider adding -TLSv1.1 when overriding.
    SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder: 'On'
    SSLOptions: "+StrictRequire"
  # Clients allowed to read the server status page (presumably rendered as
  # Require ip / Require host for mod_status; confirm against the template).
  # Prefer ip entries: host-based matching depends on DNS lookups.
  server_status_require:
    ip:
      - 10.8.8.0/24
    host:
      - foo.example.com
  tofs:
    # The files_switch key serves as a selector for alternative
    # directories under the formula files directory. See TOFS pattern
    # doc for more info.
    # Note: Any value not evaluated by `config.get` will be used literally.
    # This can be used to set custom paths, as many levels deep as required.
    files_switch:
      - any/path/can/be/used/here
      - id
      - roles
      - osfinger
      - os
      - os_family
    # All aspects of path/file resolution are customisable using the options below.
    # This is unnecessary in most cases; there are sensible defaults.
    # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
    #         I.e.: salt://apache/files/default
    # path_prefix: template_alt
    # dirs:
    #   files: files_alt
    #   default: default_alt
    # The entries under `source_files` are prepended to the default source files
    # given for the state
    # source_files:
    #   apache-config-file-file-managed:
    #     - 'example_alt.tmpl'
    #     - 'example_alt.tmpl.jinja'

    # For testing purposes
    # Keys are state IDs; each list names template files tried for that state.
    source_files:
      apache-config-file-file-managed:
        - 'example.tmpl.jinja'
      apache-subcomponent-config-file-file-managed:
        - 'subcomponent-example.tmpl.jinja'
  # Just for testing purposes
  # apache:lookup sets `winner: lookup`; this pillar-level value is `pillar`,
  # presumably so the formula's tests can see which source takes precedence.
  winner: pillar
  added_in_pillar: pillar_value