Saltstack Official Apache Formula
  1. # ``apache`` formula configuration:
  2. apache:
  3. # By default apache restart/reload states run (false skips)
  4. manage_service_states: True
  5. # lookup section overrides ``map.jinja`` values
  6. lookup:
  7. server: apache2
  8. service: apache2
  9. user: some_system_user
  10. group: some_system_group
  11. vhostdir: /etc/apache2/sites-available
  12. confdir: /etc/apache2/conf.d
  13. confext: .conf
  14. logdir: /var/log/apache2
  15. wwwdir: /srv/apache2
  16. # apache version (generally '2.2' or '2.4')
  17. version: '2.2'
  18. # ``apache.mod_wsgi`` formula additional configuration:
  19. mod_wsgi: mod_wsgi
  20. # Default value for AddDefaultCharset in RedHat configuration
  21. default_charset: 'UTF-8'
  22. global:
  23. # global apache directives
  24. AllowEncodedSlashes: 'On'
  25. name_virtual_hosts:
  26. - interface: '*'
  27. port: 80
  28. - interface: '*'
  29. port: 443
  30. # ``apache.vhosts`` formula additional configuration:
  31. sites:
  32. example.net:
  33. template_file: salt://apache/vhosts/minimal.tmpl
  34. example.com: # must be unique; used as an ID declaration in Salt.
  35. enabled: True
  36. template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
  37. ####################### DEFAULT VALUES BELOW ############################
  38. # NOTE: the values below are simply default settings that *can* be
  39. # overridden and are not required in order to use this formula to create
  40. # vhost entries.
  41. #
  42. # Do not copy the values below into your Pillar unless you intend to
  43. # modify these vaules.
  44. ####################### DEFAULT VALUES BELOW ############################
  45. template_engine: jinja
  46. interface: '*'
  47. port: '80'
  48. exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
  49. ServerName: example.com # uses the unique ID above unless specified
  50. #ServerAlias: www.example.com # Do not add ServerAlias unless defined
  51. ServerAdmin: webmaster@example.com
  52. LogLevel: warn
  53. ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
  54. CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
  55. DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
  56. SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
  57. SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
  58. SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
  59. Directory:
  60. # "default" is a special case; Adds ``/path/to/www/dir/example.com``
  61. # E.g.: /var/www/example.com
  62. default:
  63. Options: -Indexes +FollowSymLinks
  64. Order: allow,deny # For Apache < 2.4
  65. Allow: from all # For apache < 2.4
  66. Require: all granted # For apache > 2.4.
  67. AllowOverride: None
  68. Formula_Append: |
  69. Additional config as a
  70. multi-line string here
  71. redirectmatch.com:
  72. # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
  73. # Require module mod_alias
  74. enabled: True
  75. template_file: salt://apache/vhosts/redirect.tmpl
  76. ServerName: www.redirectmatch.com
  77. ServerAlias: www.redirectmatch.com
  78. RedirectMatch: true
  79. RedirectSource: '^/$'
  80. RedirectTarget: '/subdirectory'
  81. DocumentRoot: /var/www/html/
  82. ErrorLog: ${APACHE_LOG_DIR}/error.log
  83. CustomLog: ${APACHE_LOG_DIR}/access.log
  84. 80-proxyexample.com:
  85. template_file: salt://apache/vhosts/redirect.tmpl
  86. ServerName: www.proxyexample.com
  87. ServerAlias: www.proxyexample.com
  88. RedirectSource: '/'
  89. RedirectTarget: 'https://www.proxyexample.com/'
  90. DocumentRoot: /var/www/proxy
  91. 443-proxyexample.com:
  92. template_file: salt://apache/vhosts/proxy.tmpl
  93. ServerName: www.proxyexample.com
  94. ServerAlias: www.proxyexample.com
  95. interface: '*'
  96. port: '443'
  97. DocumentRoot: /var/www/proxy
  98. Rewrite: |
  99. RewriteRule ^/webmail$ /webmail/ [R]
  100. RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
  101. RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
  102. SSLCertificateFile: /etc/httpd/ssl/example.com.crt
  103. SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
  104. SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  105. SSLCertificateFile_content: |
  106. -----BEGIN CERTIFICATE-----
  107. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  108. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  109. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  110. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  111. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  112. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  113. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  114. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  115. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  116. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  117. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  118. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  119. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  120. -----END CERTIFICATE-----
  121. SSLCertificateKeyFile_content: |
  122. -----BEGIN PRIVATE KEY-----
  123. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  124. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  125. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  126. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  127. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  128. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  129. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  130. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  131. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  132. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  133. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  134. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  135. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  136. -----END PRIVATE KEY-----
  137. SSLCertificateChainFile_content: |
  138. -----BEGIN CERTIFICATE-----
  139. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  140. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  141. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  142. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  143. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  144. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  145. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  146. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  147. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  148. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  149. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  150. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  151. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  152. -----END CERTIFICATE-----
  153. -----BEGIN CERTIFICATE-----
  154. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  155. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  156. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  157. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  158. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  159. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  160. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  161. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  162. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  163. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  164. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  165. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  166. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  167. -----END CERTIFICATE-----
  168. ProxyRequests: 'Off'
  169. ProxyPreserveHost: 'On'
  170. ProxyRoute:
  171. example prod proxy route:
  172. ProxyPassSource: '/'
  173. ProxyPassTarget: 'http://prod.example.com:85/'
  174. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  175. ProxyPassReverseSource: '/'
  176. ProxyPassReverseTarget: 'http://prod.example.com:85/'
  177. example webmail proxy route:
  178. ProxyPassSource: '/webmail/'
  179. ProxyPassTarget: 'http://mail.example.com/'
  180. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  181. ProxyPassReverseSource: '/webmail/'
  182. ProxyPassReverseTarget: 'http://mail.example.com/'
  183. example service proxy route:
  184. ProxyPassSource: '/svc/'
  185. ProxyPassTarget: 'http://svc.example.com:92/'
  186. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  187. ProxyPassReverseSource: '/svc/'
  188. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  189. Location:
  190. /:
  191. Require: False
  192. Formula_Append: |
  193. SecRuleRemoveById 981231
  194. SecRuleRemoveById 981173
  195. /error:
  196. Require: 'all granted'
  197. /docs:
  198. Order: allow,deny # For Apache < 2.4
  199. Allow: from all # For apache < 2.4
  200. Require: all granted # For apache > 2.4.
  201. Formula_Append: |
  202. Additional config as a
  203. multi-line string here
  204. LocationMatch:
  205. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  206. Require: False
  207. Formula_Append: |
  208. RequestHeader set Host mail.example.com
  209. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  210. Require: False
  211. Formula_Append: |
  212. Require ip 123.123.13.6 84.24.25.74
  213. Proxy_control:
  214. '*':
  215. AllowAll: False
  216. AllowCountry:
  217. - DE
  218. AllowIP:
  219. - 12.5.25.32
  220. - 12.5.25.33
  221. Alias:
  222. /docs: /usr/share/docs
  223. Formula_Append: |
  224. Additional config as a
  225. multi-line string here
  226. # ``apache.debian_full`` formula additional configuration:
  227. register-site:
  228. # any name as an array index, and you can duplicate this section
  229. UNIQUE_VALUE_HERE:
  230. name: 'my name'
  231. path: 'salt://path/to/sites-available/conf/file'
  232. state: 'enabled'
  233. # Optional - use managed file as Jinja Template
  234. #template: true
  235. #defaults:
  236. # custom_var: "default value"
  237. modules:
  238. enabled: # List modules to enable
  239. - ldap
  240. - ssl
  241. disabled: # List modules to disable
  242. - rewrite
  243. # KeepAlive: Whether or not to allow persistent connections (more than
  244. # one request per connection). Set to "Off" to deactivate.
  245. keepalive: 'On'
  246. security:
  247. # can be Full | OS | Minimal | Minor | Major | Prod
  248. # where Full conveys the most information, and Prod the least.
  249. ServerTokens: Prod
  250. # ``apache.mod_remoteip`` formula additional configuration:
  251. mod_remoteip:
  252. RemoteIPHeader: X-Forwarded-For
  253. RemoteIPTrustedProxy:
  254. - 10.0.8.0/24
  255. - 127.0.0.1
  256. # ``apache.mod_security`` formula additional configuration:
  257. mod_security:
  258. crs_install: True
  259. # If not set, default distro's configuration is installed as is
  260. manage_config: True
  261. sec_rule_engine: 'On'
  262. sec_request_body_access: 'On'
  263. sec_request_body_limit: '14000000'
  264. sec_request_body_no_files_limit: '114002'
  265. sec_request_body_in_memory_limit: '114002'
  266. sec_request_body_limit_action: 'Reject'
  267. sec_pcre_match_limit: '15000'
  268. sec_pcre_match_limit_recursion: '15000'
  269. sec_debug_log_level: '3'
  270. rules:
  271. enabled:
  272. modsecurity_crs_10_setup.conf:
  273. rule_set: ''
  274. enabled: True
  275. modsecurity_crs_20_protocol_violations.conf:
  276. rule_set: 'base_rules'
  277. enabled: False
  278. custom_rule_files:
  279. # any name as an array index, and you can duplicate this section
  280. UNIQUE_VALUE_HERE:
  281. file: 'my name'
  282. path: 'salt://path/to/modsecurity/custom/file'
  283. enabled: True
  284. mod_ssl:
  285. # set this to True if you want to override your distributions default TLS configuration
  286. manage_tls_defaults: False
  287. # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
  288. # We're unable to know sane defaults for each release of every distribution.
  289. # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
  290. # Have a look at bettercrypto.org for up-to-date settings.
  291. # These are default values:
  292. SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  293. # Mitigate the CRIME attack
  294. SSLCompression: Off
  295. SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
  296. SSLHonorCipherOrder: On
  297. SSLOptions: "+StrictRequire"