|
-
-
- ---
-
- apache:
-
-
- manage_service_states: true
-
-
- lookup:
- server: apache2
- service: apache2
- user: some_system_user
- group: some_system_group
-
- vhostdir: /etc/apache2/sites-available
- confdir: /etc/apache2/conf.d
- confext: .conf
- logdir: /var/log/apache2
- wwwdir: /srv/apache2
-
-
- version: '2.2'
-
-
- mod_ssl_pkg: mod_ssl
-
-
- mod_wsgi: mod_wsgi
-
-
- default_charset: 'UTF-8'
-
-
-
- document_root_user: www-data
- document_root_group: null
-
- global:
-
- AllowEncodedSlashes: 'On'
-
-
- name_virtual_hosts:
- - interface: '*'
- port: 80
- - interface: '*'
- port: 443
-
-
- sites:
- example.net:
- template_file: salt://apache/vhosts/minimal.tmpl
-
- example.com:
- enabled: true
-
- template_file: salt://apache/vhosts/standard.tmpl
-
-
-
-
-
-
-
-
-
- template_engine: jinja
-
- interface: '*'
- port: '80'
-
- exclude_listen_directive: true
-
- ServerName: example.com
-
-
- ServerAdmin: webmaster@example.com
-
- LogLevel: warn
-
- ErrorLog: /path/to/logs/example.com-error.log
-
- CustomLog: /path/to/logs/example.com-access.log
-
-
- DocumentRoot: /path/to/www/dir/example.com
-
- DocumentRootUser: null
-
- DocumentRootGroup: www-data
-
-
- SSLCertificateFile: /etc/ssl/mycert.pem
-
- SSLCertificateKeyFile: /etc/ssl/mycert.pem.key
-
- SSLCertificateChainFile: /etc/ssl/mycert.chain.pem
-
- Directory:
-
-
- default:
- Options: -Indexes +FollowSymLinks
- Order: allow,deny
- Allow: from all
- Require: all granted
- AllowOverride: None
- Formula_Append: |
- Additional config as a
- multi-line string here
-
- redirectmatch.com:
- # Use RedirectMatch Directive
- # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
- # Require module mod_alias
- enabled: true
- template_file: salt://apache/vhosts/redirect.tmpl
- ServerName: www.redirectmatch.com
- ServerAlias: www.redirectmatch.com
- RedirectMatch: true
- RedirectSource: '^/$'
- RedirectTarget: '/subdirectory'
- DocumentRoot: /var/www/html/
- ErrorLog: ${APACHE_LOG_DIR}/error.log
- CustomLog: ${APACHE_LOG_DIR}/access.log
-
- 80-proxyexample.com:
- template_file: salt://apache/vhosts/redirect.tmpl
- ServerName: www.proxyexample.com
- ServerAlias: www.proxyexample.com
- RedirectSource: '/'
- RedirectTarget: 'https://www.proxyexample.com/'
- DocumentRoot: /var/www/proxy
-
- 443-proxyexample.com:
- template_file: salt://apache/vhosts/proxy.tmpl
- ServerName: www.proxyexample.com
- ServerAlias: www.proxyexample.com
- interface: '*'
- port: '443'
- DocumentRoot: /var/www/proxy
-
- Rewrite: |
- RewriteRule ^/webmail$ /webmail/ [R]
- RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
- RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
-
- SSLCertificateFile: /etc/httpd/ssl/example.com.crt
- SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
- SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
-
- SSLCertificateFile_content: |
- -----BEGIN CERTIFICATE-----
- MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
- MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
- VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
- NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
- TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
- ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
- V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
- gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
- FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
- CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
- BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
- BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
- Wm7DCfrPNGVwFWUQOmsPue9rZBgO
- -----END CERTIFICATE-----
-
- SSLCertificateKeyFile_content: |
- -----BEGIN PRIVATE KEY-----
- MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
- MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
- VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
- NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
- TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
- ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
- V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
- gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
- FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
- CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
- BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
- BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
- Wm7DCfrPNGVwFWUQOmsPue9rZBgO
- -----END PRIVATE KEY-----
-
- SSLCertificateChainFile_content: |
- -----BEGIN CERTIFICATE-----
- MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
- MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
- VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
- NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
- TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
- ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
- V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
- gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
- FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
- CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
- BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
- BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
- Wm7DCfrPNGVwFWUQOmsPue9rZBgO
- -----END CERTIFICATE-----
- -----BEGIN CERTIFICATE-----
- MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
- MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
- VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
- NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
- TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
- ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
- V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
- gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
- FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
- CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
- BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
- BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
- Wm7DCfrPNGVwFWUQOmsPue9rZBgO
- -----END CERTIFICATE-----
-
- ProxyRequests: 'Off'
- ProxyPreserveHost: 'On'
-
- ProxyRoute:
- example prod proxy route:
- ProxyPassSource: '/'
- ProxyPassTarget: 'http://prod.example.com:85/'
- ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
- ProxyPassReverseSource: '/'
- ProxyPassReverseTarget: 'http://prod.example.com:85/'
-
- example webmail proxy route:
- ProxyPassSource: '/webmail/'
- ProxyPassTarget: 'http://mail.example.com/'
- ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
- ProxyPassReverseSource: '/webmail/'
- ProxyPassReverseTarget: 'http://mail.example.com/'
-
- example service proxy route:
- ProxyPassSource: '/svc/'
- ProxyPassTarget: 'http://svc.example.com:92/'
- ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
- ProxyPassReverseSource: '/svc/'
- ProxyPassReverseTarget: 'http://svc.example.com:92/'
-
- Location:
- /:
- Require: false
- Formula_Append: |
- SecRuleRemoveById 981231
- SecRuleRemoveById 981173
-
- /error:
- Require: 'all granted'
-
- /docs:
- Order: allow,deny
- Allow: from all
- Require: all granted
- Formula_Append: |
- Additional config as a
- multi-line string here
-
- LocationMatch:
- '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
- Require: false
- Formula_Append: |
- RequestHeader set Host mail.example.com
-
- '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
- Require: false
- Formula_Append: |
- Require ip 123.123.13.6 84.24.25.74
-
- Proxy_control:
- '*':
- AllowAll: false
- AllowCountry:
- - DE
- AllowIP:
- - 12.5.25.32
- - 12.5.25.33
-
-
- Alias:
- /docs: /usr/share/docs
-
- ScriptAlias:
- /cgi-bin/: /var/www/cgi-bin/
-
- Formula_Append: |
- Additional config as a
- multi-line string here
-
- # ``apache.debian_full`` formula additional configuration:
- register-site:
-
- UNIQUE_VALUE_HERE:
- name: 'my name'
- path: 'salt://path/to/sites-available/conf/file'
- state: 'enabled'
-
-
-
-
-
- modules:
- enabled:
- - ldap
- - ssl
- disabled:
- - rewrite
-
- flags:
- enabled:
- - SSL
- disabled:
- - status
-
-
-
- keepalive: 'On'
-
- security:
-
-
- ServerTokens: Prod
-
-
- ssl:
- SSLCipherSuite: 'HIGH:!aNULL'
- SSLHonorCipherOrder: 'Off'
- SSLProtocol: 'all -SSLv3'
- SSLUseStapling: 'Off'
- SSLStaplingResponderTimeout: '5'
- SSLStaplingReturnResponderErrors: 'Off'
- SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
-
-
- mod_remoteip:
- RemoteIPHeader: X-Forwarded-For
- RemoteIPTrustedProxy:
- - 10.0.8.0/24
- - 127.0.0.1
-
-
- mod_security:
- crs_install: true
-
- manage_config: true
- sec_rule_engine: 'On'
- sec_request_body_access: 'On'
- sec_request_body_limit: '14000000'
- sec_request_body_no_files_limit: '114002'
- sec_request_body_in_memory_limit: '114002'
- sec_request_body_limit_action: 'Reject'
- sec_pcre_match_limit: '15000'
- sec_pcre_match_limit_recursion: '15000'
- sec_debug_log_level: '3'
-
- rules:
- enabled: ~
- modsecurity_crs_10_setup.conf:
- rule_set: ''
- enabled: true
- modsecurity_crs_20_protocol_violations.conf:
- rule_set: 'base_rules'
- enabled: false
-
- custom_rule_files:
-
- UNIQUE_VALUE_HERE:
- file: 'my name'
- path: 'salt://path/to/modsecurity/custom/file'
- enabled: true
-
- mod_ssl:
-
-
- manage_tls_defaults: false
-
-
-
-
-
-
-
-
- SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
-
- SSLCompression: 'Off'
- SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
- SSLHonorCipherOrder: 'On'
- SSLOptions: "+StrictRequire"
- server_status_require:
- ip:
- - 10.8.8.0/24
- host:
- - foo.example.com
|