@@ -526,5 +526,9 @@ TraceEnable Off | |||
# Well, IncludeOptional behaved lile Include | |||
IncludeOptional etc/apache24/extra/security.con[f] | |||
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%} | |||
Include etc/apache24/extra/tls-defaults.conf | |||
{%- endif %} | |||
Include etc/apache24/Includes/*.conf | |||
@@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf | |||
# any virtual host | |||
Include /etc/apache2/ssl-global.conf | |||
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%} | |||
Include /etc/apache24/conf.d/tls-defaults.conf | |||
{%- %} | |||
# global (server-wide) protocol configuration, that is not specific | |||
# to any virtual host | |||
Include /etc/apache2/protocols.conf |
@@ -0,0 +1,18 @@ | |||
# Managed by saltstack | |||
{% set data = { | |||
'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA', | |||
'SSLCompression': 'Off', | |||
'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1', | |||
'SSLHonorCipherOrder': 'On', | |||
'SSLOptions': '+StrictRequire', | |||
} -%} | |||
{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %} | |||
<IfModule mod_ssl.c> | |||
{%- for key, value in data.items() %} | |||
{%- if not key == 'manage_tls_defaults' %} | |||
{{ key }} {{ value }} | |||
{%- endif %} | |||
{%- endfor %} | |||
</IfModule> |
@@ -38,7 +38,7 @@ | |||
'mod_fastcgi': 'libapache2-mod-fastcgi', | |||
'vhostdir': '/etc/apache2/sites-available', | |||
'confdir': '/etc/apache2/conf.d', | |||
'confdir': '/etc/apache2/conf-available', | |||
'confext': '.conf', | |||
'default_site': 'default', | |||
'default_site_ssl': 'default-ssl', | |||
@@ -89,27 +89,27 @@ | |||
'wwwdir': '/srv/www', | |||
}, | |||
'FreeBSD': { | |||
'server': 'apache22', | |||
'service': 'apache22', | |||
'server': 'apache24', | |||
'service': 'apache24', | |||
'user': 'www', | |||
'group': 'www', | |||
'configfile': '/usr/local/etc/apache22/httpd.conf', | |||
'portsfile': '/usr/local/etc/apache22/ports.conf', | |||
'configfile': '/usr/local/etc/apache24/httpd.conf', | |||
'portsfile': '/usr/local/etc/apache24/ports.conf', | |||
'mod_php5': 'mod_php56', | |||
'mod_perl2': 'ap22-mod_perl2', | |||
'mod_wsgi': 'ap22-mod_wsgi3', | |||
'mod_perl2': 'ap24-mod_perl2', | |||
'mod_wsgi': 'ap24-mod_wsgi3', | |||
'vhostdir': '/usr/local/etc/apache22/Includes', | |||
'confdir': '/usr/local/etc/apache22/extra', | |||
'modulesdir': '/usr/local/etc/apache22/modules.d', | |||
'global_document_root': '/usr/local/www/apache22/data', | |||
'vhostdir': '/usr/local/etc/apache24/Includes', | |||
'confdir': '/usr/local/etc/apache24/extra', | |||
'modulesdir': '/usr/local/etc/apache24/modules.d', | |||
'global_document_root': '/usr/local/www/apache24/data', | |||
'confext': '', | |||
'default_site': 'default', | |||
'default_site_ssl': 'default-ssl', | |||
'logdir': '/var/log/', | |||
'wwwdir': '/usr/local/www/apache22/', | |||
'wwwdir': '/usr/local/www/apache24/', | |||
}, | |||
'Arch': { | |||
'server': 'apache', |
@@ -42,3 +42,35 @@ include: | |||
- module: apache-restart | |||
{% endif %} | |||
{{ apache.confdir }}/tls-defaults.conf: | |||
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %} | |||
file.managed: | |||
- source: salt://apache/files/tls-defaults.conf.jinja | |||
- mode: 644 | |||
- template: jinja | |||
{% else %} | |||
file.absent: | |||
{% endif %} | |||
- require: | |||
- pkg: apache | |||
- watch_in: | |||
- module: apache-restart | |||
{% if grains['os_family']=="Debian" %} | |||
a2endisconf tls-defaults: | |||
cmd.run: | |||
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %} | |||
- name: a2enconf tls-defaults | |||
- unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf | |||
{% else %} | |||
- name: a2disconf tls-defaults | |||
- onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf | |||
{% endif %} | |||
- order: 225 | |||
- require: | |||
- pkg: apache | |||
- file: {{ apache.confdir }}/tls-defaults.conf | |||
- watch_in: | |||
- module: apache-restart | |||
{% endif %} |
@@ -313,4 +313,19 @@ apache: | |||
file: 'my name' | |||
path: 'salt://path/to/modsecurity/custom/file' | |||
enabled: True | |||
mod_ssl: | |||
# set this to True if you want to override your distributions default TLS configuration | |||
manage_tls_defaults: False | |||
# This stuff is deliberately not configured via map.jinja resp. apache:lookup. | |||
# We're unable to know sane defaults for each release of every distribution. | |||
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion | |||
# Have a look at bettercrypto.org for up-to-date settings. | |||
# These are default values: | |||
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA | |||
# Mitigate the CRIME attack | |||
SSLCompression: Off | |||
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1 | |||
SSLHonorCipherOrder: On | |||
SSLOptions: "+StrictRequire" | |||