  1. # ``apache`` formula configuration:
  2. apache:
  3. # By default apache restart/reload states run (false skips)
  4. manage_service_states: True
  5. # lookup section overrides ``map.jinja`` values
  6. lookup:
  7. server: apache2
  8. service: apache2
  9. user: some_system_user
  10. group: some_system_group
  11. vhostdir: /etc/apache2/sites-available
  12. confdir: /etc/apache2/conf.d
  13. confext: .conf
  14. logdir: /var/log/apache2
  15. wwwdir: /srv/apache2
  16. # apache version (generally '2.2' or '2.4')
  17. version: '2.2'
  18. # ``apache.mod_wsgi`` formula additional configuration:
  19. mod_wsgi: mod_wsgi
  20. # Default value for AddDefaultCharset in RedHat configuration
  21. default_charset: 'UTF-8'
  22. # Should we enforce DocumentRoot user/group?
  23. # Default: do not enforce
  24. document_root_user: www-data # Force user if specified, leave it default if not
  25. document_root_group: null # Do not enforce group
  26. global:
  27. # global apache directives
  28. AllowEncodedSlashes: 'On'
  29. name_virtual_hosts:
  30. - interface: '*'
  31. port: 80
  32. - interface: '*'
  33. port: 443
  34. # ``apache.vhosts`` formula additional configuration:
  35. sites:
  36. example.net:
  37. template_file: salt://apache/vhosts/minimal.tmpl
  38. example.com: # must be unique; used as an ID declaration in Salt.
  39. enabled: True
  40. template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
  41. ####################### DEFAULT VALUES BELOW ############################
  42. # NOTE: the values below are simply default settings that *can* be
  43. # overridden and are not required in order to use this formula to create
  44. # vhost entries.
  45. #
  46. # Do not copy the values below into your Pillar unless you intend to
  47. # modify these vaules.
  48. ####################### DEFAULT VALUES BELOW ############################
  49. template_engine: jinja
  50. interface: '*'
  51. port: '80'
  52. exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
  53. ServerName: example.com # uses the unique ID above unless specified
  54. #ServerAlias: www.example.com # Do not add ServerAlias unless defined
  55. ServerAdmin: webmaster@example.com
  56. LogLevel: warn
  57. ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
  58. CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
  59. DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
  60. DocumentRootUser: null # do not enforce user, defaults to lookup:document_root_user
  61. DocumentRootGroup: www-data # Force group, defaults to lookup:document_root_group
  62. SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
  63. SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
  64. SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
  65. Directory:
  66. # "default" is a special case; uses DocumentRoot value
  67. # E.g.: /var/www/example.com
  68. default:
  69. Options: -Indexes +FollowSymLinks
  70. Order: allow,deny # For Apache < 2.4
  71. Allow: from all # For apache < 2.4
  72. Require: all granted # For apache > 2.4.
  73. AllowOverride: None
  74. Formula_Append: |
  75. Additional config as a
  76. multi-line string here
  77. redirectmatch.com:
  78. # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
  79. # Require module mod_alias
  80. enabled: True
  81. template_file: salt://apache/vhosts/redirect.tmpl
  82. ServerName: www.redirectmatch.com
  83. ServerAlias: www.redirectmatch.com
  84. RedirectMatch: true
  85. RedirectSource: '^/$'
  86. RedirectTarget: '/subdirectory'
  87. DocumentRoot: /var/www/html/
  88. ErrorLog: ${APACHE_LOG_DIR}/error.log
  89. CustomLog: ${APACHE_LOG_DIR}/access.log
  90. 80-proxyexample.com:
  91. template_file: salt://apache/vhosts/redirect.tmpl
  92. ServerName: www.proxyexample.com
  93. ServerAlias: www.proxyexample.com
  94. RedirectSource: '/'
  95. RedirectTarget: 'https://www.proxyexample.com/'
  96. DocumentRoot: /var/www/proxy
  97. 443-proxyexample.com:
  98. template_file: salt://apache/vhosts/proxy.tmpl
  99. ServerName: www.proxyexample.com
  100. ServerAlias: www.proxyexample.com
  101. interface: '*'
  102. port: '443'
  103. DocumentRoot: /var/www/proxy
  104. Rewrite: |
  105. RewriteRule ^/webmail$ /webmail/ [R]
  106. RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
  107. RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
  108. SSLCertificateFile: /etc/httpd/ssl/example.com.crt
  109. SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
  110. SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
  111. SSLCertificateFile_content: |
  112. -----BEGIN CERTIFICATE-----
  113. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  114. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  115. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  116. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  117. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  118. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  119. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  120. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  121. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  122. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  123. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  124. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  125. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  126. -----END CERTIFICATE-----
  127. SSLCertificateKeyFile_content: |
  128. -----BEGIN PRIVATE KEY-----
  129. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  130. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  131. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  132. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  133. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  134. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  135. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  136. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  137. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  138. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  139. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  140. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  141. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  142. -----END PRIVATE KEY-----
  143. SSLCertificateChainFile_content: |
  144. -----BEGIN CERTIFICATE-----
  145. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  146. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  147. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  148. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  149. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  150. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  151. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  152. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  153. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  154. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  155. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  156. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  157. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  158. -----END CERTIFICATE-----
  159. -----BEGIN CERTIFICATE-----
  160. MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
  161. MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
  162. VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
  163. NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
  164. TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
  165. ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
  166. V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
  167. gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
  168. FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
  169. CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
  170. BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  171. BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
  172. Wm7DCfrPNGVwFWUQOmsPue9rZBgO
  173. -----END CERTIFICATE-----
  174. ProxyRequests: 'Off'
  175. ProxyPreserveHost: 'On'
  176. ProxyRoute:
  177. example prod proxy route:
  178. ProxyPassSource: '/'
  179. ProxyPassTarget: 'http://prod.example.com:85/'
  180. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  181. ProxyPassReverseSource: '/'
  182. ProxyPassReverseTarget: 'http://prod.example.com:85/'
  183. example webmail proxy route:
  184. ProxyPassSource: '/webmail/'
  185. ProxyPassTarget: 'http://mail.example.com/'
  186. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  187. ProxyPassReverseSource: '/webmail/'
  188. ProxyPassReverseTarget: 'http://mail.example.com/'
  189. example service proxy route:
  190. ProxyPassSource: '/svc/'
  191. ProxyPassTarget: 'http://svc.example.com:92/'
  192. ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
  193. ProxyPassReverseSource: '/svc/'
  194. ProxyPassReverseTarget: 'http://svc.example.com:92/'
  195. Location:
  196. /:
  197. Require: False
  198. Formula_Append: |
  199. SecRuleRemoveById 981231
  200. SecRuleRemoveById 981173
  201. /error:
  202. Require: 'all granted'
  203. /docs:
  204. Order: allow,deny # For Apache < 2.4
  205. Allow: from all # For apache < 2.4
  206. Require: all granted # For apache > 2.4.
  207. Formula_Append: |
  208. Additional config as a
  209. multi-line string here
  210. LocationMatch:
  211. '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
  212. Require: False
  213. Formula_Append: |
  214. RequestHeader set Host mail.example.com
  215. '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
  216. Require: False
  217. Formula_Append: |
  218. Require ip 123.123.13.6 84.24.25.74
  219. Proxy_control:
  220. '*':
  221. AllowAll: False
  222. AllowCountry:
  223. - DE
  224. AllowIP:
  225. - 12.5.25.32
  226. - 12.5.25.33
  227. Alias:
  228. /docs: /usr/share/docs
  229. Formula_Append: |
  230. Additional config as a
  231. multi-line string here
  232. # ``apache.debian_full`` formula additional configuration:
  233. register-site:
  234. # any name as an array index, and you can duplicate this section
  235. UNIQUE_VALUE_HERE:
  236. name: 'my name'
  237. path: 'salt://path/to/sites-available/conf/file'
  238. state: 'enabled'
  239. # Optional - use managed file as Jinja Template
  240. #template: true
  241. #defaults:
  242. # custom_var: "default value"
  243. modules:
  244. enabled: # List modules to enable
  245. - ldap
  246. - ssl
  247. disabled: # List modules to disable
  248. - rewrite
  249. flags:
  250. enabled: # List server flags to enable
  251. - SSL
  252. disabled: # List server flags to disable
  253. - status
  254. # KeepAlive: Whether or not to allow persistent connections (more than
  255. # one request per connection). Set to "Off" to deactivate.
  256. keepalive: 'On'
  257. security:
  258. # can be Full | OS | Minimal | Minor | Major | Prod
  259. # where Full conveys the most information, and Prod the least.
  260. ServerTokens: Prod
  261. # [debian only] configure mod_ssl
  262. ssl:
  263. SSLCipherSuite: 'HIGH:!aNULL'
  264. SSLHonorCipherOrder: 'Off'
  265. SSLProtocol: 'all -SSLv3'
  266. # ``apache.mod_remoteip`` formula additional configuration:
  267. mod_remoteip:
  268. RemoteIPHeader: X-Forwarded-For
  269. RemoteIPTrustedProxy:
  270. - 10.0.8.0/24
  271. - 127.0.0.1
  272. # ``apache.mod_security`` formula additional configuration:
  273. mod_security:
  274. crs_install: True
  275. # If not set, default distro's configuration is installed as is
  276. manage_config: True
  277. sec_rule_engine: 'On'
  278. sec_request_body_access: 'On'
  279. sec_request_body_limit: '14000000'
  280. sec_request_body_no_files_limit: '114002'
  281. sec_request_body_in_memory_limit: '114002'
  282. sec_request_body_limit_action: 'Reject'
  283. sec_pcre_match_limit: '15000'
  284. sec_pcre_match_limit_recursion: '15000'
  285. sec_debug_log_level: '3'
  286. rules:
  287. enabled:
  288. modsecurity_crs_10_setup.conf:
  289. rule_set: ''
  290. enabled: True
  291. modsecurity_crs_20_protocol_violations.conf:
  292. rule_set: 'base_rules'
  293. enabled: False
  294. custom_rule_files:
  295. # any name as an array index, and you can duplicate this section
  296. UNIQUE_VALUE_HERE:
  297. file: 'my name'
  298. path: 'salt://path/to/modsecurity/custom/file'
  299. enabled: True
  300. mod_ssl:
  301. # set this to True if you want to override your distributions default TLS configuration
  302. manage_tls_defaults: False
  303. # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
  304. # We're unable to know sane defaults for each release of every distribution.
  305. # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
  306. # Have a look at bettercrypto.org for up-to-date settings.
  307. # These are default values:
  308. SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  309. # Mitigate the CRIME attack
  310. SSLCompression: Off
  311. SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
  312. SSLHonorCipherOrder: On
  313. SSLOptions: "+StrictRequire"