Add Reverse Proxy directives, GeoIP, Certificates managementmaster
@@ -25,6 +25,11 @@ Installs the Apache package and starts the service. | |||
Configures apache based on os_family | |||
``apache.certificates`` | |||
----------------- | |||
Deploy SSL certificates from pillars | |||
``apache.mod_mpm`` | |||
------------------ | |||
@@ -75,6 +80,11 @@ Installs and Enables the mod_pagespeed module. (Debian and RedHat Only) | |||
Installs and enables the mod_perl2 module (Debian and FreeBSD only) | |||
``apache.mod_geoip`` | |||
------------------- | |||
Installs and enables the mod_geoIP (RedHat only) | |||
``apache.mod_php5`` | |||
------------------- | |||
@@ -0,0 +1,51 @@ | |||
{% from "apache/map.jinja" import apache with context %} | |||
include: | |||
- apache | |||
{%- for site, confcert in salt['pillar.get']('apache:sites', {}).iteritems() %} | |||
{% if confcert.SSLCertificateKeyFile is defined and confcert.SSLCertificateKeyFile_content is defined %} | |||
# Deploy {{ site }} key file | |||
apache_cert_config_{{ site }}_key_file: | |||
file.managed: | |||
- name: {{ confcert.SSLCertificateKeyFile }} | |||
- contents_pillar: apache:sites:{{ site }}:SSLCertificateKeyFile_content | |||
- makedirs: True | |||
- mode: 600 | |||
- user: root | |||
- group: root | |||
- watch_in: | |||
- module: apache-reload | |||
{% endif %} | |||
{% if confcert.SSLCertificateFile is defined and confcert.SSLCertificateFile_content is defined %} | |||
# Deploy {{ site }} cert file | |||
apache_cert_config_{{ site }}_cert_file: | |||
file.managed: | |||
- name: {{ confcert.SSLCertificateFile }} | |||
- contents_pillar: apache:sites:{{ site }}:SSLCertificateFile_content | |||
- makedirs: True | |||
- mode: 600 | |||
- user: root | |||
- group: root | |||
- watch_in: | |||
- module: apache-reload | |||
{% endif %} | |||
{% if confcert.SSLCertificateChainFile is defined and confcert.SSLCertificateChainFile_content is defined %} | |||
# Deploy {{ site }} bundle file | |||
apache_cert_config_{{ site }}_bundle_file: | |||
file.managed: | |||
- name: {{ confcert.SSLCertificateChainFile }} | |||
- contents_pillar: apache:sites:{{ site }}:SSLCertificateChainFile_content | |||
- makedirs: True | |||
- mode: 600 | |||
- user: root | |||
- group: root | |||
- watch_in: | |||
- module: apache-reload | |||
{% endif %} | |||
{%- endfor %} | |||
@@ -393,3 +393,7 @@ IncludeOptional {{ apache.confdir }}/*.conf | |||
IncludeOptional {{ apache.vhostdir }}/*.conf | |||
{% endif %} | |||
# Added for security enhancements | |||
TraceEnable off | |||
ServerSignature off | |||
ServerTokens Prod |
@@ -0,0 +1,4 @@ | |||
<IfModule mod_geoip.c> | |||
GeoIPEnable On | |||
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat | |||
</IfModule> |
@@ -0,0 +1,210 @@ | |||
## | |||
## SSL Global Context | |||
## | |||
## All SSL configuration in this context applies both to | |||
## the main server and all SSL-enabled virtual hosts. | |||
## | |||
# Pass Phrase Dialog: | |||
# Configure the pass phrase gathering process. | |||
# The filtering dialog program (`builtin' is a internal | |||
# terminal dialog) has to provide the pass phrase on stdout. | |||
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog | |||
# Inter-Process Session Cache: | |||
# Configure the SSL Session Cache: First the mechanism | |||
# to use and second the expiring timeout (in seconds). | |||
SSLSessionCache shmcb:/run/httpd/sslcache(512000) | |||
SSLSessionCacheTimeout 300 | |||
# Pseudo Random Number Generator (PRNG): | |||
# Configure one or more sources to seed the PRNG of the | |||
# SSL library. The seed data should be of good random quality. | |||
# WARNING! On some platforms /dev/random blocks if not enough entropy | |||
# is available. This means you then cannot use the /dev/random device | |||
# because it would lead to very long connection times (as long as | |||
# it requires to make more entropy available). But usually those | |||
# platforms additionally provide a /dev/urandom device which doesn't | |||
# block. So, if available, use this one instead. Read the mod_ssl User | |||
# Manual for more details. | |||
SSLRandomSeed startup file:/dev/urandom 256 | |||
SSLRandomSeed connect builtin | |||
#SSLRandomSeed startup file:/dev/random 512 | |||
#SSLRandomSeed connect file:/dev/random 512 | |||
#SSLRandomSeed connect file:/dev/urandom 512 | |||
# | |||
# Use "SSLCryptoDevice" to enable any supported hardware | |||
# accelerators. Use "openssl engine -v" to list supported | |||
# engine names. NOTE: If you enable an accelerator and the | |||
# server does not start, consult the error logs and ensure | |||
# your accelerator is functioning properly. | |||
# | |||
SSLCryptoDevice builtin | |||
#SSLCryptoDevice ubsec | |||
## | |||
## SSL Virtual Host Context | |||
## | |||
<VirtualHost _default_:443> | |||
# General setup for the virtual host, inherited from global configuration | |||
#DocumentRoot "/var/www/html" | |||
#ServerName www.example.com:443 | |||
# Use separate log files for the SSL virtual host; note that LogLevel | |||
# is not inherited from httpd.conf. | |||
ErrorLog logs/ssl_error_log | |||
TransferLog logs/ssl_access_log | |||
LogLevel warn | |||
# SSL Engine Switch: | |||
# Enable/Disable SSL for this virtual host. | |||
SSLEngine on | |||
# SSL Protocol support: | |||
# List the enable protocol levels with which clients will be able to | |||
# connect. Disable SSLv2 access by default: | |||
SSLProtocol all -SSLv2 -SSLv3 | |||
# SSL Cipher Suite: | |||
# List the ciphers that the client is permitted to negotiate. | |||
# See the mod_ssl documentation for a complete list. | |||
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA | |||
# Speed-optimized SSL Cipher configuration: | |||
# If speed is your main concern (on busy HTTPS servers e.g.), | |||
# you might want to force clients to specific, performance | |||
# optimized ciphers. In this case, prepend those ciphers | |||
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. | |||
# Caveat: by giving precedence to RC4-SHA and AES128-SHA | |||
# (as in the example below), most connections will no longer | |||
# have perfect forward secrecy - if the server's key is | |||
# compromised, captures of past or future traffic must be | |||
# considered compromised, too. | |||
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 | |||
#SSLHonorCipherOrder on | |||
# Server Certificate: | |||
# Point SSLCertificateFile at a PEM encoded certificate. If | |||
# the certificate is encrypted, then you will be prompted for a | |||
# pass phrase. Note that a kill -HUP will prompt again. A new | |||
# certificate can be generated using the genkey(1) command. | |||
SSLCertificateFile /etc/pki/tls/certs/localhost.crt | |||
# Server Private Key: | |||
# If the key is not combined with the certificate, use this | |||
# directive to point at the key file. Keep in mind that if | |||
# you've both a RSA and a DSA private key you can configure | |||
# both in parallel (to also allow the use of DSA ciphers, etc.) | |||
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key | |||
# Server Certificate Chain: | |||
# Point SSLCertificateChainFile at a file containing the | |||
# concatenation of PEM encoded CA certificates which form the | |||
# certificate chain for the server certificate. Alternatively | |||
# the referenced file can be the same as SSLCertificateFile | |||
# when the CA certificates are directly appended to the server | |||
# certificate for convinience. | |||
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt | |||
# Certificate Authority (CA): | |||
# Set the CA certificate verification path where to find CA | |||
# certificates for client authentication or alternatively one | |||
# huge file containing all of them (file must be PEM encoded) | |||
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt | |||
# Client Authentication (Type): | |||
# Client certificate verification type and depth. Types are | |||
# none, optional, require and optional_no_ca. Depth is a | |||
# number which specifies how deeply to verify the certificate | |||
# issuer chain before deciding the certificate is not valid. | |||
#SSLVerifyClient require | |||
#SSLVerifyDepth 10 | |||
# Access Control: | |||
# With SSLRequire you can do per-directory access control based | |||
# on arbitrary complex boolean expressions containing server | |||
# variable checks and other lookup directives. The syntax is a | |||
# mixture between C and Perl. See the mod_ssl documentation | |||
# for more details. | |||
#<Location /> | |||
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ | |||
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ | |||
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ | |||
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ | |||
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ | |||
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ | |||
#</Location> | |||
# SSL Engine Options: | |||
# Set various options for the SSL engine. | |||
# o FakeBasicAuth: | |||
# Translate the client X.509 into a Basic Authorisation. This means that | |||
# the standard Auth/DBMAuth methods can be used for access control. The | |||
# user name is the `one line' version of the client's X.509 certificate. | |||
# Note that no password is obtained from the user. Every entry in the user | |||
# file needs this password: `xxj31ZMTZzkVA'. | |||
# o ExportCertData: | |||
# This exports two additional environment variables: SSL_CLIENT_CERT and | |||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the | |||
# server (always existing) and the client (only existing when client | |||
# authentication is used). This can be used to import the certificates | |||
# into CGI scripts. | |||
# o StdEnvVars: | |||
# This exports the standard SSL/TLS related `SSL_*' environment variables. | |||
# Per default this exportation is switched off for performance reasons, | |||
# because the extraction step is an expensive operation and is usually | |||
# useless for serving static content. So one usually enables the | |||
# exportation for CGI and SSI requests only. | |||
# o StrictRequire: | |||
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even | |||
# under a "Satisfy any" situation, i.e. when it applies access is denied | |||
# and no other module can change it. | |||
# o OptRenegotiate: | |||
# This enables optimized SSL connection renegotiation handling when SSL | |||
# directives are used in per-directory context. | |||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire | |||
<Files ~ "\.(cgi|shtml|phtml|php3?)$"> | |||
SSLOptions +StdEnvVars | |||
</Files> | |||
<Directory "/var/www/cgi-bin"> | |||
SSLOptions +StdEnvVars | |||
</Directory> | |||
# SSL Protocol Adjustments: | |||
# The safe and default but still SSL/TLS standard compliant shutdown | |||
# approach is that mod_ssl sends the close notify alert but doesn't wait for | |||
# the close notify alert from client. When you need a different shutdown | |||
# approach you can use one of the following variables: | |||
# o ssl-unclean-shutdown: | |||
# This forces an unclean shutdown when the connection is closed, i.e. no | |||
# SSL close notify alert is send or allowed to received. This violates | |||
# the SSL/TLS standard but is needed for some brain-dead browsers. Use | |||
# this when you receive I/O errors because of the standard approach where | |||
# mod_ssl sends the close notify alert. | |||
# o ssl-accurate-shutdown: | |||
# This forces an accurate shutdown when the connection is closed, i.e. a | |||
# SSL close notify alert is send and mod_ssl waits for the close notify | |||
# alert of the client. This is 100% SSL/TLS standard compliant, but in | |||
# practice often causes hanging connections with brain-dead browsers. Use | |||
# this only for browsers where you know that their SSL implementation | |||
# works correctly. | |||
# Notice: Most problems of broken clients are also related to the HTTP | |||
# keep-alive facility, so you usually additionally want to disable | |||
# keep-alive for those clients, too. Use variable "nokeepalive" for this. | |||
# Similarly, one has to force some clients to use HTTP/1.0 to workaround | |||
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and | |||
# "force-response-1.0" for this. | |||
BrowserMatch "MSIE [2-5]" \ | |||
nokeepalive ssl-unclean-shutdown \ | |||
downgrade-1.0 force-response-1.0 | |||
# Per-Server Logging: | |||
# The home of a custom SSL log file. Use this when you want a | |||
# compact non-error SSL logfile on a virtual host basis. | |||
CustomLog logs/ssl_request_log \ | |||
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" | |||
</VirtualHost> |
@@ -0,0 +1,38 @@ | |||
{% from "apache/map.jinja" import apache with context %} | |||
{% if grains['os_family']=="RedHat" %} | |||
include: | |||
- apache | |||
mod-geoip: | |||
pkg.installed: | |||
- pkgs: | |||
- GeoIP | |||
- mod_geoip | |||
- require: | |||
- pkg: apache | |||
- watch_in: | |||
- module: apache-restart | |||
geoip conf: | |||
file.managed: | |||
- name: {{ apache.confdir }}/geoip.conf | |||
- user: root | |||
- group: root | |||
- mode: 644 | |||
- source: | |||
- salt://apache/files/{{ salt['grains.get']('os_family') }}/geoip.conf | |||
geoip database: | |||
file.managed: | |||
- name: /usr/share/GeoIP/GeoIP.dat | |||
- user: root | |||
- group: root | |||
- mode: 644 | |||
- source: | |||
- salt://apache/files/{{ salt['grains.get']('os_family') }}/GeoIP.dat | |||
{% endif %} | |||
@@ -23,3 +23,21 @@ a2enmod remoteip: | |||
- service: apache | |||
{% endif %} | |||
{% if grains['os_family']=="RedHat" %} | |||
include: | |||
- apache | |||
/etc/httpd/conf.d/remoteip.conf: | |||
file.managed: | |||
- template: jinja | |||
- source: | |||
- salt://apache/files/{{ salt['grains.get']('os_family') }}/remoteip.conf.jinja | |||
- require: | |||
- pkg: apache | |||
- watch_in: | |||
- service: apache | |||
{% endif %} |
@@ -1,7 +1,6 @@ | |||
{# Define default values here so the template below can just focus on layout #} | |||
{% from "apache/map.jinja" import apache with context %} | |||
{% set sitename = site.get('ServerName', id) %} | |||
{% set vals = { | |||
'interfaces': site.get('interface', '*').split(), | |||
'port': site.get('port', '80'), | |||
@@ -15,38 +14,47 @@ | |||
'LogLevel': site.get('LogLevel', 'warn'), | |||
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)), | |||
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %O"'), | |||
'LogFormat': site.get('LogFormat', '"%a %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\""'), | |||
'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)), | |||
'ProxyRequests': site.get('ProxyRequests', 'Off'), | |||
'ProxyPreserveHost': site.get('ProxyPreserveHost', 'On'), | |||
'ProxyRoute': site.get('ProxyRoute', {}), | |||
} %} | |||
'Location': { | |||
'Order': 'allow,deny', | |||
'Allow': 'from all', | |||
'Require': 'all granted', | |||
}, | |||
'LocationMatch': { | |||
'Order': 'allow,deny', | |||
'Allow': 'from all', | |||
'Require': 'all granted', | |||
}, | |||
} %} | |||
<VirtualHost {%- for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}> | |||
ServerName {{ vals.ServerName }} | |||
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %} | |||
{% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %} | |||
{% if site.get('UseCanonicalName') %}UseCanonicalName {{ vals.UseCanonicalName }}{% endif %} | |||
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %} | |||
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %} | |||
{% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %} | |||
{% if site.get('SSLCertificateFile') %} | |||
SSLEngine on | |||
{% if site.get('SSLCertificateFile') %}SSLEngine on | |||
SSLCertificateFile {{ site.SSLCertificateFile }} | |||
{% if site.get('SSLCertificateKeyFile') %} | |||
SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }} | |||
{% endif %} | |||
{% if site.get('SSLCertificateChainFile') %} | |||
SSLCertificateChainFile {{ site.SSLCertificateChainFile}} | |||
{% endif %} | |||
{% if site.get('SSLCertificateKeyFile') %}SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }}{% endif %} | |||
{% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile}}{% endif %} | |||
{% endif %} | |||
{% if site.get('Rewrite') %}RewriteEngine on | |||
{{ site.Rewrite }} | |||
{% endif %} | |||
{% if site.get('SSLProxyEngine') %}SSLProxyEngine {{ site.SSLProxyEngine }}{% endif %} | |||
ProxyRequests {{ vals.ProxyRequests }} | |||
ProxyPreserveHost {{ vals.ProxyPreserveHost }} | |||
ProxyPreserveHost {{ vals.ProxyPreserveHost }} | |||
{% if site.get('ProxyErrorOverride') %}ProxyErrorOverride {{ site.ProxyErrorOverride }} {% endif %} | |||
{% if site.get('ProxyErrorDir') %}ProxyPass /{{ site.ProxyErrorDir }}/ ! {% endif %} | |||
{% for proxy, proxyargs in vals.ProxyRoute|dictsort|reverse %} | |||
{% set proxyvals = { | |||
'ProxyPassSource': proxyargs.get('ProxyPassSource', '/'), | |||
@@ -56,9 +64,62 @@ | |||
'ProxyPassReverseTarget': proxyargs.get('ProxyPassReverseTarget', proxyargs.get('ProxyPassTarget', 'https://{0}'.format(sitename))), | |||
} %} | |||
######### {{proxy}} ######### | |||
ProxyPass {{ proxyvals.ProxyPassSource }} {{ proxyvals.ProxyPassTarget }} {{ proxyvals.ProxyPassTargetOptions }} | |||
ProxyPassReverse {{ proxyvals.ProxyPassReverseSource }} {{ proxyvals.ProxyPassReverseTarget }} | |||
ProxyPass {{ proxyvals.ProxyPassSource }} {{ proxyvals.ProxyPassTarget }} {{ proxyvals.ProxyPassTargetOptions }} | |||
ProxyPassReverse {{ proxyvals.ProxyPassReverseSource }} {{ proxyvals.ProxyPassReverseTarget }} | |||
{% endfor %} | |||
{%- for path, loc in site.get('Location', {}).items() %} | |||
{%- set lvals = { | |||
'Order': loc.get('Order', vals.Location.Order), | |||
'Allow': loc.get('Allow', vals.Location.Allow), | |||
'Require': loc.get('Require', vals.Location.Require), | |||
'Dav': loc.get('Dav', False), | |||
} %} | |||
<Location "{{ path }}"> | |||
{% if apache.use_require %} | |||
{%- if lvals.get('Require') != False %}Require {{lvals.Require}}{% endif %} | |||
{% else %} | |||
{%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %} | |||
{%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %} | |||
{% endif %} | |||
{%- if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %} | |||
</Location> | |||
{% endfor %} | |||
{%- for regpath, locmat in site.get('LocationMatch', {}).items() %} | |||
{%- set lmvals = { | |||
'Order': locmat.get('Order', vals.LocationMatch.Order), | |||
'Allow': locmat.get('Allow', vals.LocationMatch.Allow), | |||
'Require': locmat.get('Require', vals.LocationMatch.Require), | |||
'Dav': locmat.get('Dav', False), | |||
} %} | |||
<LocationMatch "{{ regpath }}"> | |||
{% if apache.use_require %} | |||
{%- if lmvals.get('Require') != False %}Require {{lmvals.Require}}{% endif %} | |||
{% else %} | |||
{%- if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %} | |||
{%- if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %} | |||
{% endif %} | |||
{%- if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %} | |||
</LocationMatch> | |||
{% endfor %} | |||
{%- for proxypath, prox in site.get('Proxy_control', {}).items() %} | |||
{%- set proxvals = { | |||
'AllowAll': prox.get('AllowAll', vals.AllowAll), | |||
'AllowCountry': prox.get('AllowCountry', vals.AllowCountry), | |||
'AllowIP': prox.get('AllowIP', vals.AllowIP), | |||
} %} | |||
<Proxy "{{ proxypath }}"> | |||
{%- if proxvals.get('AllowAll') != False %} | |||
Require all granted | |||
{%- else %} | |||
{% if proxvals.get('AllowCountry') != False %}{% set country_list = proxvals.get('AllowCountry', {}) %}GeoIPEnable On | |||
{% for every_country in country_list %}SetEnvIf GEOIP_COUNTRY_CODE {{ every_country }} AllowCountry | |||
{% endfor %}Require env AllowCountry {% endif %} | |||
{% if proxvals.get('AllowIP') is defined %} {% set ip_list = proxvals.get('AllowIP', {}) %} | |||
Require ip {% for every_ip in ip_list %}{{ every_ip }} {% endfor %} {% endif %} | |||
{%- endif %} | |||
</Proxy> | |||
{%- endfor %} | |||
{% if site.get('Formula_Append') %} | |||
{{ site.Formula_Append|indent(4) }} | |||
{% endif %} |
@@ -61,16 +61,15 @@ | |||
{% if site.get('Timeout') != False and site.get('Timeout') != None %}Timeout {{ vals.Timeout }}{% endif %} | |||
{% if site.get('LimitRequestFields') %}LimitRequestFields {{ vals.LimitRequestFields }}{% endif %} | |||
{%- if site.get('SSLCertificateFile') %} | |||
SSLEngine on | |||
{% if site.get('SSLCertificateFile') %}SSLEngine on | |||
SSLCertificateFile {{ site.SSLCertificateFile }} | |||
{%- if site.get('SSLCertificateKeyFile') %} | |||
SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }} | |||
{%- endif %} | |||
{%- if site.get('SSLCertificateChainFile') %} | |||
SSLCertificateChainFile {{ site.SSLCertificateChainFile}} | |||
{%- endif %} | |||
{%- endif %} | |||
{% if site.get('SSLCertificateKeyFile') %}SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }}{% endif %} | |||
{% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile}}{% endif %} | |||
{% endif %} | |||
{% if site.get('Rewrite') %}RewriteEngine on | |||
{{ site.Rewrite }} | |||
{% endif %} | |||
{%- for loc, path in site.get('Alias', {}).items() %} | |||
Alias {{ loc }} {{ path }} |
@@ -84,20 +84,152 @@ apache: | |||
Additional config as a | |||
multi-line string here | |||
# if template is 'redirect.tmpl' | |||
# RedirectSource: '/' | |||
# RedirectTarget: 'http://www.example.net' | |||
# if template is 'proxy.tmpl' | |||
# ProxyRequests: 'On' | |||
# ProxyPreserveHost: 'On' | |||
# ProxyRoute: | |||
# my sample route: | |||
# ProxyPassSource: '/' | |||
# ProxyPassTarget: 'http://www.example.net' | |||
# ProxyPassTargetOptions: 'connectiontimeout=5 timeout=30' | |||
# ProxyPassReverseSource: '/' | |||
# ProxyPassReverseTarget: 'http://www.example.net' | |||
80-proxyexample.com: | |||
template_file: salt://apache/vhosts/redirect.tmpl | |||
ServerName: www.proxyexample.com | |||
ServerAlias: www.proxyexample.com | |||
RedirectSource: '/' | |||
RedirectTarget: 'https://www.proxyexample.com/' | |||
DocumentRoot: /var/www/proxy | |||
443-proxyexample.com: | |||
template_file: salt://apache/vhosts/proxy.tmpl | |||
ServerName: www.proxyexample.com | |||
ServerAlias: www.proxyexample.com | |||
interface: '*' | |||
port: '443' | |||
DocumentRoot: /var/www/proxy | |||
Rewrite: | | |||
RewriteRule ^/webmail$ /webmail/ [R] | |||
RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L] | |||
RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L] | |||
SSLCertificateFile: /etc/httpd/ssl/example.com.crt | |||
SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key | |||
SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer | |||
SSLCertificateFile_content: | | |||
-----BEGIN CERTIFICATE----- | |||
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL | |||
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC | |||
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx | |||
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD | |||
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu | |||
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j | |||
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj | |||
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA | |||
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE | |||
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS | |||
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE | |||
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju | |||
Wm7DCfrPNGVwFWUQOmsPue9rZBgO | |||
-----END CERTIFICATE----- | |||
SSLCertificateKeyFile_content: | | |||
-----BEGIN PRIVATE KEY----- | |||
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL | |||
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC | |||
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx | |||
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD | |||
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu | |||
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j | |||
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj | |||
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA | |||
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE | |||
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS | |||
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE | |||
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju | |||
Wm7DCfrPNGVwFWUQOmsPue9rZBgO | |||
-----END PRIVATE KEY----- | |||
SSLCertificateChainFile_content: | | |||
-----BEGIN CERTIFICATE----- | |||
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL | |||
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC | |||
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx | |||
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD | |||
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu | |||
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j | |||
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj | |||
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA | |||
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE | |||
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS | |||
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE | |||
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju | |||
Wm7DCfrPNGVwFWUQOmsPue9rZBgO | |||
-----END CERTIFICATE----- | |||
-----BEGIN CERTIFICATE----- | |||
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL | |||
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC | |||
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx | |||
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD | |||
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu | |||
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j | |||
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj | |||
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA | |||
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE | |||
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS | |||
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE | |||
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju | |||
Wm7DCfrPNGVwFWUQOmsPue9rZBgO | |||
-----END CERTIFICATE----- | |||
ProxyRequests: 'Off' | |||
ProxyPreserveHost: 'On' | |||
ProxyRoute: | |||
example prod proxy route: | |||
ProxyPassSource: '/' | |||
ProxyPassTarget: 'http://prod.example.com:85/' | |||
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' | |||
ProxyPassReverseSource: '/' | |||
ProxyPassReverseTarget: 'http://prod.example.com:85/' | |||
example webmail proxy route: | |||
ProxyPassSource: '/webmail/' | |||
ProxyPassTarget: 'http://mail.example.com/' | |||
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' | |||
ProxyPassReverseSource: '/webmail/' | |||
ProxyPassReverseTarget: 'http://mail.example.com/' | |||
example service proxy route: | |||
ProxyPassSource: '/svc/' | |||
ProxyPassTarget: 'http://svc.example.com:92/' | |||
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' | |||
ProxyPassReverseSource: '/svc/' | |||
ProxyPassReverseTarget: 'http://svc.example.com:92/' | |||
Location: | |||
/: | |||
Require: False | |||
Formula_Append: | | |||
SecRuleRemoveById 981231 | |||
SecRuleRemoveById 981173 | |||
/error: | |||
Require: 'all granted' | |||
LocationMatch: | |||
'^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]': | |||
Require: False | |||
Formula_Append: | | |||
RequestHeader set Host mail.example.com | |||
'^[.\\/]+([Ss][Vv][Cc])[.\\/]': | |||
Require: False | |||
Formula_Append: | | |||
Require ip 123.123.13.6 84.24.25.74 | |||
Proxy_control: | |||
'*': | |||
AllowAll: False | |||
AllowCountry: | |||
- DE | |||
AllowIP: | |||
- 12.5.25.32 | |||
- 12.5.25.33 | |||
Alias: | |||
/docs: /usr/share/docs |