Saltstack Official Apache Formula
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.

pillar.example 12KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316
  1. # ``apache`` formula configuration:
  2. apache:
  3. # lookup section overrides ``map.jinja`` values
  4. lookup:
  5. server: apache2
  6. service: apache2
  7. user: some_system_user
  8. group: some_system_group
  9. vhostdir: /etc/apache2/sites-available
  10. confdir: /etc/apache2/conf.d
  11. confext: .conf
  12. logdir: /var/log/apache2
  13. wwwdir: /srv/apache2
  14. # apache version (generally '2.2' or '2.4')
  15. version: '2.2'
  16. # ``apache.mod_wsgi`` formula additional configuration:
  17. mod_wsgi: mod_wsgi
  18. # Default value for AddDefaultCharset in RedHat configuration
  19. default_charset: 'UTF-8'
  20. global:
  21. # global apache directives
  22. AllowEncodedSlashes: 'On'
  23. name_virtual_hosts:
  24. - interface: '*'
  25. port: 80
  26. - interface: '*'
  27. port: 443
  28. # ``apache.vhosts`` formula additional configuration:
  29. sites:
  30. example.net:
  31. template_file: salt://apache/vhosts/minimal.tmpl
  32. example.com: # must be unique; used as an ID declaration in Salt.
  33. enabled: True
  34. template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
  35. ####################### DEFAULT VALUES BELOW ############################
  36. # NOTE: the values below are simply default settings that *can* be
  37. # overridden and are not required in order to use this formula to create
  38. # vhost entries.
  39. #
  40. # Do not copy the values below into your Pillar unless you intend to
  41. # modify these vaules.
  42. ####################### DEFAULT VALUES BELOW ############################
  43. template_engine: jinja
  44. interface: '*'
  45. port: '80'
  46. exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
  47. ServerName: example.com # uses the unique ID above unless specified
  48. ServerAlias: www.example.com
  49. ServerAdmin: webmaster@example.com
  50. LogLevel: warn
  51. ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
  52. CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
  53. DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
  54. SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
  55. SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
  56. SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
  57. Directory:
  58. # "default" is a special case; Adds ``/path/to/www/dir/example.com``
  59. # E.g.: /var/www/example.com
  60. default:
  61. Options: -Indexes +FollowSymLinks
  62. Order: allow,deny # For Apache < 2.4
  63. Allow: from all # For apache < 2.4
  64. Require: all granted # For apache > 2.4.
  65. AllowOverride: None
  66. Formula_Append: |
  67. Additional config as a
  68. multi-line string here
  69. 80-proxyexample.com:
  70. template_file: salt://apache/vhosts/redirect.tmpl
  71. ServerName: www.proxyexample.com
  72. ServerAlias: www.proxyexample.com
  73. RedirectSource: '/'
  74. RedirectTarget: 'https://www.proxyexample.com/'
  75. DocumentRoot: /var/www/proxy
  76. 443-proxyexample.com:
  77. template_file: salt://apache/vhosts/proxy.tmpl
  78. ServerName: www.proxyexample.com
  79. ServerAlias: www.proxyexample.com
  80. interface: '*'
  81. port: '443'
  82. DocumentRoot: /var/www/proxy
  83. Rewrite: |
  84. RewriteRule ^/webmail$ /webmail/ [R]
  85. RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
  86. RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
  87. SSLCertificateFile: /etc/httpd/ssl/example.com.crt
  88. SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
  89. SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  90. SSLCertificateFile_content: |
  91. -----BEGIN CERTIFICATE-----
  92. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  93. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  94. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  95. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  96. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  97. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  98. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  99. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  100. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  101. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  102. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  103. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  104. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  105. -----END CERTIFICATE-----
  106. SSLCertificateKeyFile_content: |
  107. -----BEGIN PRIVATE KEY-----
  108. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  109. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  110. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  111. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  112. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  113. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  114. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  115. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  116. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  117. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  118. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  119. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  120. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  121. -----END PRIVATE KEY-----
  122. SSLCertificateChainFile_content: |
  123. -----BEGIN CERTIFICATE-----
  124. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  125. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  126. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  127. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  128. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  129. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  130. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  131. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  132. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  133. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  134. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  135. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  136. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  137. -----END CERTIFICATE-----
  138. -----BEGIN CERTIFICATE-----
  139. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  140. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  141. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  142. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  143. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  144. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  145. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  146. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  147. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  148. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  149. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  150. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  151. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  152. -----END CERTIFICATE-----
  153. ProxyRequests: 'Off'
  154. ProxyPreserveHost: 'On'
  155. ProxyRoute:
  156. example prod proxy route:
  157. ProxyPassSource: '/'
  158. ProxyPassTarget: 'http://prod.example.com:85/'
  159. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  160. ProxyPassReverseSource: '/'
  161. ProxyPassReverseTarget: 'http://prod.example.com:85/'
  162. example webmail proxy route:
  163. ProxyPassSource: '/webmail/'
  164. ProxyPassTarget: 'http://mail.example.com/'
  165. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  166. ProxyPassReverseSource: '/webmail/'
  167. ProxyPassReverseTarget: 'http://mail.example.com/'
  168. example service proxy route:
  169. ProxyPassSource: '/svc/'
  170. ProxyPassTarget: 'http://svc.example.com:92/'
  171. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  172. ProxyPassReverseSource: '/svc/'
  173. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  174. Location:
  175. /:
  176. Require: False
  177. Formula_Append: |
  178. SecRuleRemoveById 981231
  179. SecRuleRemoveById 981173
  180. /error:
  181. Require: 'all granted'
  182. /docs:
  183. Order: allow,deny # For Apache < 2.4
  184. Allow: from all # For apache < 2.4
  185. Require: all granted # For apache > 2.4.
  186. Formula_Append: |
  187. Additional config as a
  188. multi-line string here
  189. LocationMatch:
  190. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  191. Require: False
  192. Formula_Append: |
  193. RequestHeader set Host mail.example.com
  194. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  195. Require: False
  196. Formula_Append: |
  197. Require ip 123.123.13.6 84.24.25.74
  198. Proxy_control:
  199. '*':
  200. AllowAll: False
  201. AllowCountry:
  202. - DE
  203. AllowIP:
  204. - 12.5.25.32
  205. - 12.5.25.33
  206. Alias:
  207. /docs: /usr/share/docs
  208. Formula_Append: |
  209. Additional config as a
  210. multi-line string here
  211. # ``apache.debian_full`` formula additional configuration:
  212. register-site:
  213. # any name as an array index, and you can duplicate this section
  214. UNIQUE_VALUE_HERE:
  215. name: 'my name'
  216. path: 'salt://path/to/sites-available/conf/file'
  217. state: 'enabled'
  218. # Optional - use managed file as Jinja Template
  219. #template: true
  220. #defaults:
  221. # custom_var: "default value"
  222. modules:
  223. enabled: # List modules to enable
  224. - ldap
  225. - ssl
  226. disabled: # List modules to disable
  227. - rewrite
  228. # KeepAlive: Whether or not to allow persistent connections (more than
  229. # one request per connection). Set to "Off" to deactivate.
  230. keepalive: 'On'
  231. security:
  232. # can be Full | OS | Minimal | Minor | Major | Prod
  233. # where Full conveys the most information, and Prod the least.
  234. ServerTokens: Prod
  235. # ``apache.mod_remoteip`` formula additional configuration:
  236. mod_remoteip:
  237. RemoteIPHeader: X-Forwarded-For
  238. RemoteIPTrustedProxy:
  239. - 10.0.8.0/24
  240. - 127.0.0.1
  241. # ``apache.mod_security`` formula additional configuration:
  242. mod_security:
  243. crs_install: True
  244. # If not set, default distro's configuration is installed as is
  245. manage_config: True
  246. sec_rule_engine: 'On'
  247. sec_request_body_access: 'On'
  248. sec_request_body_limit: '14000000'
  249. sec_request_body_no_files_limit: '114002'
  250. sec_request_body_in_memory_limit: '114002'
  251. sec_request_body_limit_action: 'Reject'
  252. sec_pcre_match_limit: '15000'
  253. sec_pcre_match_limit_recursion: '15000'
  254. sec_debug_log_level: '3'
  255. rules:
  256. enabled:
  257. modsecurity_crs_10_setup.conf:
  258. rule_set: ''
  259. enabled: True
  260. modsecurity_crs_20_protocol_violations.conf:
  261. rule_set: 'base_rules'
  262. enabled: False
  263. custom_rule_files:
  264. # any name as an array index, and you can duplicate this section
  265. UNIQUE_VALUE_HERE:
  266. file: 'my name'
  267. path: 'salt://path/to/modsecurity/custom/file'
  268. enabled: True