ExternalMirrors
/
apache-formula
mirror of https://github.com/saltstack-formulas/apache-formula.git


			
							# -*- coding: utf-8 -*-
# vim: ft=yaml
---
apache:
  lookup:
    master: template-master

    # apache version (generally '2.2' or '2.4')
    # version: '2.2'

    # Default value for AddDefaultCharset in RedHat configuration
    default_charset: 'UTF-8'

    # Should we enforce DocumentRoot user/group?
    document_root_user: null   # Defaults to: apache.user
    document_root_group: null  # Defaults to: apache.group

    # Just for testing purposes
    winner: lookup
    added_in_lookup: lookup_value

  # Using bash package and udev service as an example. This allows us to
  # test the template formula itself. You should set these parameters to
  # examples that make sense in the contexto of the formula you're writing.
  # pkg:
  #   deps:
  #     mod_ssl   # redhat
  #     mod_security  # redhat
  #     mod_geoip     # redhat
  #     GeoIP  # redhat
  #     libapache2-mod-security2  # Debian

  global:
    # global apache directives
    AllowEncodedSlashes: 'On'

  name_virtual_hosts:
    - interface: '*'
      port: 80
    - interface: '*'
      port: 443

  # ``apache.vhosts`` formula additional configuration:
  # fqdn should be added to /etc/hosts i.e. ##
  # $ tail -3 /etc/hosts
  # 127.0.0.1   example.com
  # 127.0.0.1   www.redirectmatch.com
  # 127.0.0.1   www.proxyexample.com

  sites:
    example.net:
      template_file: salt://apache/config/vhosts/minimal.tmpl
      port: '8081'

    example.com:  # must be unique; used as an ID declaration in Salt.
      enabled: true
      # or minimal.tmpl or redirect.tmpl or proxy.tmpl
      template_file: salt://apache/config/vhosts/standard.tmpl

      ####################### DEFAULT VALUES BELOW ############################
      # NOTE: the values below are simply default settings that *can* be
      # overridden and are not required in order to use this formula to create
      # vhost entries.
      #
      # Do not copy the values below into your Pillar unless you intend to
      # modify these vaules.
      ####################### DEFAULT VALUES BELOW ############################
      template_engine: jinja

      interface: '*'
      port: '443'

      exclude_listen_directive: true  # Do not add a Listen directive in httpd.conf

      ServerName: example.com  # uses the unique ID above unless specified
      # ServerAlias: www.example.com  # Do not add ServerAlias unless defined

      ServerAdmin: webmaster@example.com

      LogLevel: warn
      # E.g.: /var/log/apache2/example.com-error.log
      # ErrorLog: /path/to/logs/example.com-error.log
      # E.g.: /var/log/apache2/example.com-access.log
      # CustomLog: /path/to/logs/example.com-access.log

      # E.g., /var/www/example.com
      DocumentRoot: /path/to/www/dir/example.com
      # do not enforce user, defaults to lookup:document_root_user or apache.user
      DocumentRootUser: null
      # Force group, defaults to lookup:document_root_group or apache.user
      DocumentRootGroup: null

      {# {%- if grains.os_family in ('Debian', 'Suse', 'Gentoo') %} #}
      {# SSLCertificateFile: /etc/apache2/conf/server.crt #}
      {# SSLCertificateKeyFile: /etc/apache2/conf/server.key #}
      {# {%- else %} #}
      {# SSLCertificateFile: /etc/httpd/conf/server.crt #}
      {# SSLCertificateKeyFile: /etc/httpd/conf/server.key #}
      {# {%- endif %} #}
      {# # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer #}
      {#  #}
      {# SSLCertificateFile_content: | #}
      {#   -----BEGIN CERTIFICATE----- #}
      {#   MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x #}
      {#   CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp #}
      {#   Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM #}
      {#   C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL #}
      {#   MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj #}
      {#   bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL #}
      {#   ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL #}
      {#   ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D #}
      {#   mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8 #}
      {#   yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo #}
      {#   th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m #}
      {#   TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY #}
      {#   i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27 #}
      {#   jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl #}
      {#   aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+ #}
      {#   2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO #}
      {#   W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb #}
      {#   2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl #}
      {#   ylssbnQ= #}
      {#   -----END CERTIFICATE----- #}
      {#  #}
      {# SSLCertificateKeyFile_content: | #}
      {#   -----BEGIN RSA PRIVATE KEY----- #}
      {#   MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx #}
      {#   svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY #}
      {#   t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272 #}
      {#   a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw #}
      {#   xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V #}
      {#   2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P #}
      {#   Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS #}
      {#   70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR #}
      {#   zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd #}
      {#   vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj #}
      {#   eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ #}
      {#   viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk #}
      {#   Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS #}
      {#   2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv #}
      {#   ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+ #}
      {#   dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI #}
      {#   FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU #}
      {#   Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc #}
      {#   KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu #}
      {#   UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA #}
      {#   e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu #}
      {#   wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3 #}
      {#   LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF #}
      {#   eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ #}
      {#   qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4 #}
      {#   -----END RSA PRIVATE KEY----- #}


      Directory:
        # "default" is a special case; uses DocumentRoot value
        # E.g.: /var/www/example.com
        default:
          Options: -Indexes +FollowSymLinks
          Order: allow,deny     # For Apache < 2.4
          Allow: from all       # For apache < 2.4
          Require: all granted  # For apache > 2.4.
          AllowOverride: None
          # Formula_Append: |
          #   Additional config as a
          #   multi-line string here

    # Force SSL: Redirect from 80 to 443
    example2.com:
      port: 80
      template_file: salt://apache/vhosts/redirect.tmpl
      RedirectSource: 'permanent /'
      # Trailing slash is important
      RedirectTarget: 'https://example.com/'
    example2.com_ssl:
      port: 443
      ServerName: example.com
      # SSLCertificateFile: /path/to/ssl.crt
      # SSLCertificateKeyFile: /path/to/ssl.key
      # SSLCertificateChainFile: /path/to/ssl.ca.crt

    # Use RedirectMatch Directive
    redirectmatch.com:
      # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
      # Require module mod_alias
      enabled: true
      template_file: salt://apache/config/vhosts/redirect.tmpl
      ServerName: www.redirectmatch.com
      ServerAlias: www.redirectmatch.com
      RedirectMatch: true
      RedirectSource: '^/$'
      RedirectTarget: '/subdirectory'
      DocumentRoot: /var/www/html/
      port: '8083'

    8084-proxyexample.com:
      template_file: salt://apache/config/vhosts/redirect.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      RedirectSource: '/'
      RedirectTarget: 'https://www.proxyexample.com/'
      DocumentRoot: /var/www/proxy
      port: '8084'

    # 8443-proxyexample.com:
    #   template_file: salt://apache/config/vhosts/proxy.tmpl
    #   ServerName: www.proxyexample.com
    #   ServerAlias: www.proxyexample.com
    #   interface: '*'
    #   port: '8443'
    #   DocumentRoot: /var/www/proxy
    #
    #   Rewrite: |
    #     RewriteRule ^/webmail$ /webmail/ [R]
    #     RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
    #     RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
    #
    #   SSLCertificateFile: /etc/httpd/conf/server.crt
    #   SSLCertificateKeyFile: /etc/httpd/conf/server.key
    #   # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
    #
    #   SSLCertificateFile_content: |
    #     -----BEGIN CERTIFICATE-----
    #     MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x
    #     CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp
    #     Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM
    #     C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL
    #     MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj
    #     bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL
    #     ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL
    #     ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D
    #     mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8
    #     yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo
    #     th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m
    #     TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY
    #     i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27
    #     jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl
    #     aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+
    #     2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO
    #     W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb
    #     2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl
    #     ylssbnQ=
    #     -----END CERTIFICATE-----
    #
    #   SSLCertificateKeyFile_content: |
    #     -----BEGIN RSA PRIVATE KEY-----
    #     MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx
    #     svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY
    #     t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272
    #     a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw
    #     xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V
    #     2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P
    #     Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS
    #     70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR
    #     zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd
    #     vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj
    #     eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ
    #     viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk
    #     Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS
    #     2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv
    #     ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+
    #     dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI
    #     FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU
    #     Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc
    #     KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu
    #     UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA
    #     e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu
    #     wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3
    #     LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF
    #     eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ
    #     qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4
    #     -----END RSA PRIVATE KEY-----
    #
    #   SSLCertificateChainFile_content: |
    #     -----BEGIN CERTIFICATE-----
    #     MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
    #     MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
    #     VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
    #     NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
    #     TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
    #     ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
    #     V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
    #     gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
    #     FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
    #     CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
    #     BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
    #     BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
    #     Wm7DCfrPNGVwFWUQOmsPue9rZBgO
    #     -----END CERTIFICATE-----
    #     -----BEGIN CERTIFICATE-----
    #     MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
    #     MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
    #     VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
    #     NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
    #     TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
    #     ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
    #     V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
    #     gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
    #     FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
    #     CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
    #     BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
    #     BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
    #     Wm7DCfrPNGVwFWUQOmsPue9rZBgO
    #     -----END CERTIFICATE-----
    #
    #   ProxyRequests: 'Off'
    #   ProxyPreserveHost: 'On'
    #
    #   ProxyRoute:
    #     example prod proxy route:
    #       ProxyPassSource: '/'
    #       ProxyPassTarget: 'http://prod.example.com:85/'
    #       ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
    #       ProxyPassReverseSource: '/'
    #       ProxyPassReverseTarget: 'http://prod.example.com:85/'
    #
    #     example webmail proxy route:
    #       ProxyPassSource: '/webmail/'
    #       ProxyPassTarget: 'http://mail.example.com/'
    #       ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
    #       ProxyPassReverseSource: '/webmail/'
    #       ProxyPassReverseTarget: 'http://mail.example.com/'
    #
    #     example service proxy route:
    #       ProxyPassSource: '/svc/'
    #       ProxyPassTarget: 'http://svc.example.com:92/'
    #       ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
    #       ProxyPassReverseSource: '/svc/'
    #       ProxyPassReverseTarget: 'http://svc.example.com:92/'
    #
    #   Location:
    #     /:
    #       Require: false
    #       # Formula_Append: |
    #       #   SecRuleRemoveById 981231
    #       #   SecRuleRemoveById 981173
    #
    #     /error:
    #       Require: 'all granted'
    #
    #     /docs:
    #       Order: allow,deny     # For Apache < 2.4
    #       Allow: from all       # For apache < 2.4
    #       Require: all granted  # For apache > 2.4.
    #       # Formula_Append: |
    #       #   Additional config as a
    #       #   multi-line string here
    #
    #   LocationMatch:
    #     '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
    #       Require: false
    #       Formula_Append: |
    #         RequestHeader  set  Host  mail.example.com
    #
    #     '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
    #       Require: false
    #       Formula_Append: |
    #         Require ip 123.123.13.6 84.24.25.74
    #
    #   Proxy_control:
    #     '*':
    #       AllowAll: false
    #       AllowCountry: false
    #       #   - DE
    #       AllowIP:
    #         - 12.5.25.32
    #         - 12.5.25.33
    #
    #   Alias:
    #     /docs: /usr/share/docs
    #
    #   ScriptAlias:
    #     /cgi-bin/: /var/www/cgi-bin/

        # Formula_Append: |
        #   \#Additional config as a
        #   \#multi-line string here

  # ``apache.debian_full`` formula additional configuration:
  register-site:
    # any name as an array index, and you can duplicate this section
    unique_value_here:
      name: 'myname'
      path: 'salt://apache/files/myname.conf'
      state: 'enabled'
      # Optional - use managed file as Jinja Template
      # template: true
      # defaults:
      #   custom_var: "default value"

  modules:
    enabled:   # List modules to enable
      - ssl
      # - prefork
      - rewrite
      - proxy
      - proxy_ajp
      - proxy_html
      - headers
      # geoip
      - status
      # - logio
      - dav
      - dav_fs
      - dav_lock
      - auth_digest
      - socache_shmcb
      # - watchdog
      - xml2enc
      - ldap
    disabled:  # List modules to disable
      - geoip

  flags:
    enabled:   # List server flags to enable
      - SSL
    disabled:  # List server flags to disable
      - status

  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  keepalive: 'On'

  TimeOut: 60  # software default is 60 seconds

  security:
    # can be Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens: Prod

  # [debian only] configure mod_ssl
  ssl:
    SSLCipherSuite: 'HIGH:!aNULL'
    SSLHonorCipherOrder: 'Off'
    SSLProtocol: 'all -SSLv3'
    SSLUseStapling: 'Off'
    SSLStaplingResponderTimeout: '5'
    SSLStaplingReturnResponderErrors: 'Off'
    SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'

  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip:
    RemoteIPHeader: X-Forwarded-For
    RemoteIPTrustedProxy:
      - 10.0.8.0/24
      - 127.0.0.1
    RemoteIPInternalProxy:
      - 10.10.8.0/24
      - 127.0.0.1

  # ``apache.mod_security`` formula additional configuration:
  mod_security:
    crs_install: false
    # If not set, default distro's configuration is installed as is
    manage_config: true
    sec_rule_engine: 'On'
    sec_request_body_access: 'On'
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'

    rules:
      # enabled: ~
      modsecurity_crs_10_setup.conf:
        rule_set: ''
        enabled: true
      modsecurity_crs_20_protocol_violations.conf:
        rule_set: 'base_rules'
        enabled: false

    custom_rule_files:
      # any name as an array index, and you can duplicate this section
      UNIQUE_VALUE_HERE:
        file: 'myname'
        # path/to/modsecurity/custom/file
        path: 'salt://apache/files/dummy.conf'
        enabled: false

  mod_ssl:
    # set this to true if you want to override your distributions default TLS
    # configuration
    manage_tls_defaults: false
    # This stuff is deliberately not configured via map.jinja resp.
    # apache:lookup.  We're unable to know sane defaults for each release of
    # every distribution.
    # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for
    # a related discussion Have a look at bettercrypto.org for up-to-date
    # settings.
    # These are default values:
    # yamllint disable-line rule:line-length
    SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    # Mitigate the CRIME attack
    SSLCompression: 'Off'
    SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder: 'On'
    SSLOptions: "+StrictRequire"
  server_status_require:
    ip:
      - 10.8.8.0/24
    host:
      - foo.example.com

  tofs:
    # The files_switch key serves as a selector for alternative
    # directories under the formula files directory. See TOFS pattern
    # doc for more info.
    # Note: Any value not evaluated by `config.get` will be used literally.
    # This can be used to set custom paths, as many levels deep as required.
    files_switch:
      - any/path/can/be/used/here
      - id
      - roles
      - osfinger
      - os
      - os_family
    # All aspects of path/file resolution are customisable using the options below.
    # This is unnecessary in most cases; there are sensible defaults.
    # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
    #         I.e.: salt://apache/files/default
    # path_prefix: template_alt
    # dirs:
    #   files: files_alt
    #   default: default_alt
    # The entries under `source_files` are prepended to the default source files
    # given for the state
    # source_files:
    #   apache-config-file-file-managed:
    #     - 'example_alt.tmpl'
    #     - 'example_alt.tmpl.jinja'

    # For testing purposes
    source_files:
      apache-config-file-file-managed:
        - 'example.tmpl.jinja'
      apache-subcomponent-config-file-file-managed:
        - 'subcomponent-example.tmpl.jinja'

  # Just for testing purposes
  winner: pillar
  added_in_pillar: pillar_value

  retry_option:
    # https://docs.saltstack.com/en/latest/ref/states/requisites.html#retrying-states
    attempts: 1
    until: true
    interval: 1
    splay: 1