- # ``apache`` formula configuration:
- apache:
-
- # lookup section overrides ``map.jinja`` values
- lookup:
- server: apache2
- service: apache2
-
- vhostdir: /etc/apache2/sites-available
- confdir: /etc/apache2/conf.d
- confext: .conf
- logdir: /var/log/apache2
- wwwdir: /srv/apache2
-
- # apache version (generally '2.2' or '2.4')
- version: '2.2'
-
- # ``apache.mod_wsgi`` formula additional configuration:
- mod_wsgi: mod_wsgi
-
- # Default value for AddDefaultCharset in RedHat configuration
- default_charset: 'UTF-8'
-
- global:
- # global apache directives
- AllowEncodedSlashes: 'On'
-
-
- name_virtual_hosts:
- - interface: '*'
- port: 80
- - interface: '*'
- port: 443
-
- # ``apache.vhosts`` formula additional configuration:
- sites:
- example.net:
- template_file: salt://apache/vhosts/minimal.tmpl
-
- example.com: # must be unique; used as an ID declaration in Salt.
- enabled: True
- template_file: salt://apache/vhosts/standard.tmpl # or redirect.tmpl or proxy.tmpl
-
- ####################### DEFAULT VALUES BELOW ############################
- # NOTE: the values below are simply default settings that *can* be
- # overridden and are not required in order to use this formula to create
- # vhost entries.
- #
- # Do not copy the values below into your Pillar unless you intend to
- # modify these vaules.
- ####################### DEFAULT VALUES BELOW ############################
- template_engine: jinja
-
- interface: '*'
- port: '80'
-
- exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
-
- ServerName: example.com # uses the unique ID above unless specified
- ServerAlias: www.example.com
-
- ServerAdmin: webmaster@example.com
-
- LogLevel: warn
- ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
- CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
-
- DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
-
- SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
- SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
- SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
-
- Directory:
- # "default" is a special case; Adds ``/path/to/www/dir/example.com``
- # E.g.: /var/www/example.com
- default:
- Options: -Indexes +FollowSymLinks
- Order: allow,deny # For Apache < 2.4
- Allow: from all # For apache < 2.4
- Require: all granted # For apache > 2.4.
- AllowOverride: None
- Formula_Append: |
- Additional config as a
- multi-line string here
-
- # if template is 'redirect.tmpl'
- # RedirectSource: '/'
- # RedirectTarget: 'http://www.example.net'
-
- # if template is 'proxy.tmpl'
- # ProxyRequests: 'On'
- # ProxyPreserveHost: 'On'
- # ProxyRoute:
- # my sample route:
- # ProxyPassSource: '/'
- # ProxyPassTarget: 'http://www.example.net'
- # ProxyPassTargetOptions: 'connectiontimeout=5 timeout=30'
- # ProxyPassReverseSource: '/'
- # ProxyPassReverseTarget: 'http://www.example.net'
-
- Alias:
- /docs: /usr/share/docs
-
- Location:
- /docs:
- Order: allow,deny # For Apache < 2.4
- Allow: from all # For apache < 2.4
- Require: all granted # For apache > 2.4.
- Formula_Append: |
- Additional config as a
- multi-line string here
-
- Formula_Append: |
- Additional config as a
- multi-line string here
-
- # ``apache.debian_full`` formula additional configuration:
- register-site:
- # any name as an array index, and you can duplicate this section
- UNIQUE_VALUE_HERE:
- name: 'my name'
- path: 'salt://path/to/sites-available/conf/file'
- state: 'enabled'
- # Optional - use managed file as Jinja Template
- #template: true
- #defaults:
- # custom_var: "default value"
-
- modules:
- enabled: # List modules to enable
- - ldap
- - ssl
- disabled: # List modules to disable
- - rewrite
-
- # KeepAlive: Whether or not to allow persistent connections (more than
- # one request per connection). Set to "Off" to deactivate.
- keepalive: 'On'
-
- security:
- # can be Full | OS | Minimal | Minor | Major | Prod
- # where Full conveys the most information, and Prod the least.
- ServerTokens: Prod
-
- # ``apache.mod_remoteip`` formula additional configuration:
- mod_remoteip:
- RemoteIPHeader: X-Forwarded-For
- RemoteIPTrustedProxy:
- - 10.0.8.0/24
- - 127.0.0.1
-
- # ``apache.mod_security`` formula additional configuration:
- mod_security:
- crs_install: True
- # If not set, default distro's configuration is installed as is
- manage_config: True
- sec_rule_engine: 'On'
- sec_request_body_access: 'On'
- sec_request_body_limit: '14000000'
- sec_request_body_no_files_limit: '114002'
- sec_request_body_in_memory_limit: '114002'
- sec_request_body_limit_action: 'Reject'
- sec_pcre_match_limit: '15000'
- sec_pcre_match_limit_recursion: '15000'
- sec_debug_log_level: '3'
-
- rules:
- enabled:
- modsecurity_crs_10_setup.conf:
- rule_set: ''
- enabled: True
- modsecurity_crs_20_protocol_violations.conf:
- rule_set: 'base_rules'
- enabled: False
-
- custom_rule_files:
- # any name as an array index, and you can duplicate this section
- UNIQUE_VALUE_HERE:
- file: 'my name'
- path: 'salt://path/to/modsecurity/custom/file'
- enabled: True
-