Saltstack Official Apache Formula


  1. # ``apache`` formula configuration:
  2. apache:
  # ``lookup`` overrides the per-OS values computed in ``map.jinja``
  # (keys not listed here presumably keep the map.jinja default — confirm)
  lookup:
    server: apache2
    service: apache2
    vhostdir: /etc/apache2/sites-available
    confdir: /etc/apache2/conf.d
    confext: .conf
    logdir: /var/log/apache2
    wwwdir: /srv/apache2
    # Apache version, generally "2.2" or "2.4"; quoted so the parser keeps it
    # a string instead of reading it as a float
    version: "2.2"
    # package name used by the ``apache.mod_wsgi`` state
    mod_wsgi: mod_wsgi
    # value written to AddDefaultCharset in the RedHat-family configuration
    default_charset: "UTF-8"
  global:
    # Directives rendered into the server-wide configuration.
    # "On" keeps %2F / %5C in request paths intact; only an application that
    # needs encoded separators should require it, since backends and proxy
    # rules then receive paths they may not expect. Quoted so YAML does not
    # turn it into a boolean.
    AllowEncodedSlashes: "On"
    # interface/port pairs for name-based virtual hosting; "*" is every
    # interface (quoted because a bare * is an alias sigil in YAML)
    name_virtual_hosts:
      - interface: "*"
        port: 80
      - interface: "*"
        port: 443
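  # ``apache.vhosts`` formula additional configuration: one entry per vhost.
  # Booleans are written as lowercase true/false so every YAML loader reads
  # them the same way.
  sites:
    example.net:
      template_file: salt://apache/vhosts/minimal.tmpl
    example.com: # must be unique; used as an ID declaration in Salt.
      enabled: true
      template_file: salt://apache/vhosts/standard.tmpl # or redirect.tmpl or proxy.tmpl
      ####################### DEFAULT VALUES BELOW ############################
      # NOTE: the values below are simply default settings that *can* be
      # overridden and are not required in order to use this formula to create
      # vhost entries.
      #
      # Do not copy the values below into your Pillar unless you intend to
      # modify these values.
      ####################### DEFAULT VALUES BELOW ############################
      template_engine: jinja
      interface: '*'
      port: '80'
      exclude_listen_directive: true # Do not add a Listen directive in httpd.conf
      ServerName: example.com # uses the unique ID above unless specified
      ServerAlias: www.example.com
      ServerAdmin: webmaster@example.com
      LogLevel: warn
      ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
      CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
      DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
      SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
      SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
      SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
      Directory:
        # "default" is a special case; Adds ``/path/to/www/dir/example.com``
        # E.g.: /var/www/example.com
        default:
          # -Indexes keeps directory listings off so the document tree cannot
          # be enumerated; AllowOverride None ignores any .htaccess below it
          Options: -Indexes +FollowSymLinks
          Order: allow,deny # For Apache < 2.4
          Allow: from all # For Apache < 2.4
          Require: all granted # For Apache >= 2.4 (Require replaces Order/Allow)
          AllowOverride: None
          Formula_Append: |
            Additional config as a
            multi-line string here
    80-proxyexample.com:
      # plain-HTTP listener that only redirects to the HTTPS vhost below
      template_file: salt://apache/vhosts/redirect.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      RedirectSource: '/'
      RedirectTarget: 'https://www.proxyexample.com/'
      DocumentRoot: /var/www/proxy
    443-proxyexample.com:
      template_file: salt://apache/vhosts/proxy.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      interface: '*'
      port: '443'
      DocumentRoot: /var/www/proxy
      # [P] proxies the rewritten request to the backend; the backend URLs are
      # plain http, so the hop from this host to the backend is unencrypted.
      # Needs mod_rewrite loaded (see ``modules`` further down in this file).
      Rewrite: |
        RewriteRule ^/webmail$ /webmail/ [R]
        RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
        RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
      SSLCertificateFile: /etc/httpd/ssl/example.com.crt
      SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
      SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
      # *_content values are written to the files named above.
      SSLCertificateFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
      # PLACEHOLDER: the bytes below are the certificate above, not a key.
      # A real private key must not sit in a plaintext pillar committed to
      # version control; keep it in an encrypted pillar source and reference
      # it from here.
      SSLCertificateKeyFile_content: |
        -----BEGIN PRIVATE KEY-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END PRIVATE KEY-----
      # chain file: intermediate certificates, concatenated PEM
      SSLCertificateChainFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
      # keep 'Off': 'On' turns this vhost into a forward proxy usable by
      # anyone who can reach it. Quoted so YAML does not read it as a boolean.
      ProxyRequests: 'Off'
      # pass the client's Host header through to the backend
      ProxyPreserveHost: 'On'
      ProxyRoute:
        example prod proxy route:
          ProxyPassSource: '/'
          ProxyPassTarget: 'http://prod.example.com:85/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/'
          ProxyPassReverseTarget: 'http://prod.example.com:85/'
        example webmail proxy route:
          ProxyPassSource: '/webmail/'
          ProxyPassTarget: 'http://mail.example.com/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/webmail/'
          ProxyPassReverseTarget: 'http://mail.example.com/'
        example service proxy route:
          ProxyPassSource: '/svc/'
          ProxyPassTarget: 'http://svc.example.com:92/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/svc/'
          ProxyPassReverseTarget: 'http://svc.example.com:92/'
      # A mapping holds a single ``Location`` key per vhost, so every Location
      # entry goes under this one; a second ``Location`` key at this level
      # would silently replace the first when the pillar is parsed.
      Location:
        /:
          # false: presumably emits no Require line for this path — confirm
          # against proxy.tmpl
          Require: false
          # removes two CRS rules for the whole site; record why when copying
          # this so the exemption stays reviewable
          Formula_Append: |
            SecRuleRemoveById 981231
            SecRuleRemoveById 981173
        /error:
          Require: 'all granted'
        /docs:
          Order: allow,deny # For Apache < 2.4
          Allow: from all # For Apache < 2.4
          Require: all granted # For Apache >= 2.4 (Require replaces Order/Allow)
          Formula_Append: |
            Additional config as a
            multi-line string here
      LocationMatch:
        # keys are regexes; single quotes keep the backslashes literal
        '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
          Require: false
          Formula_Append: |
            RequestHeader set Host mail.example.com
        '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
          Require: false
          # source-IP allow-list for the service path (sample addresses)
          Formula_Append: |
            Require ip 123.123.13.6 84.24.25.74
      # country / IP allow-lists for the proxy; with AllowAll false only the
      # entries listed here are presumably admitted — confirm against
      # proxy.tmpl
      Proxy_control:
        '*':
          AllowAll: false
          AllowCountry:
            - DE
          AllowIP:
            - 12.5.25.32
            - 12.5.25.33
      Alias:
        /docs: /usr/share/docs
      Formula_Append: |
        Additional config as a
        multi-line string here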
  # ``apache.debian_full`` formula additional configuration:
  register-site:
    # keyed by any unique name; repeat the mapping once per site file
    UNIQUE_VALUE_HERE:
      name: 'my name'
      path: 'salt://path/to/sites-available/conf/file'
      state: 'enabled'
      # Optional - render the managed file as a Jinja template, with
      # ``defaults`` supplying the template variables
      #template: true
      #defaults:
      #  custom_var: "default value"
  modules:
    # modules to enable
    enabled:
      - ldap
      - ssl
    # modules to disable. The ``Rewrite`` block in ``sites`` above relies on
    # mod_rewrite, so do not disable ``rewrite`` on a host that uses it.
    disabled:
      - rewrite
  # KeepAlive: allow persistent connections (more than one request per
  # connection). "Off" deactivates it. Quoted so YAML keeps the string
  # rather than reading a boolean.
  keepalive: "On"
  security:
    # ServerTokens: Full | OS | Minimal | Minor | Major | Prod
    # Full reveals the most in the Server header, Prod the least;
    # Prod is the right default for anything internet-facing.
    ServerTokens: Prod
  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip:
    # header carrying the original client address
    RemoteIPHeader: X-Forwarded-For
    # only proxies that set the header belong here: for any other peer the
    # header is client-controlled and would be logged/evaluated as the
    # client address
    RemoteIPTrustedProxy:
      - 10.0.8.0/24
      - 127.0.0.1
  240. # ``apache.mod_security`` formula additional configuration:
  241. mod_security:
  242. crs_install: True
  243. # If not set, default distro's configuration is installed as is
  244. manage_config: True
  245. sec_rule_engine: 'On'
  246. sec_request_body_access: 'On'
  247. sec_request_body_limit: '14000000'
  248. sec_request_body_no_files_limit: '114002'
  249. sec_request_body_in_memory_limit: '114002'
  250. sec_request_body_limit_action: 'Reject'
  251. sec_pcre_match_limit: '15000'
  252. sec_pcre_match_limit_recursion: '15000'
  253. sec_debug_log_level: '3'
  254. rules:
  255. enabled:
  256. modsecurity_crs_10_setup.conf:
  257. rule_set: ''
  258. enabled: True
  259. modsecurity_crs_20_protocol_violations.conf:
  260. rule_set: 'base_rules'
  261. enabled: False
  262. custom_rule_files:
  263. # any name as an array index, and you can duplicate this section
  264. UNIQUE_VALUE_HERE:
  265. file: 'my name'
  266. path: 'salt://path/to/modsecurity/custom/file'
  267. enabled: True