salt
/
apache-formula
forked from ExternalMirrors/apache-formula
Watch 1
Star 0
Fork 0
Code Releases 0 Activity
Saltstack Official Apache Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
385 Commits
1 Branch
Tree: c6018aeac1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c6018aeac1'
${ noResults }
apache-formula/pillar.example

332 lines
13KB
Raw Blame History 

  1. # ``apache`` formula configuration:

  2. apache:

  3. 

  4.   # lookup section overrides ``map.jinja`` values

  5.   lookup:

  6.     server: apache2

  7.     service: apache2

  8.     user: some_system_user

  9.     group: some_system_group

  10. 

  11.     vhostdir: /etc/apache2/sites-available

  12.     confdir: /etc/apache2/conf.d

  13.     confext: .conf

  14.     logdir: /var/log/apache2

  15.     wwwdir: /srv/apache2

  16. 

  17.     # apache version (generally '2.2' or '2.4')

  18.     version: '2.2'

  19. 

  20.     # ``apache.mod_wsgi`` formula additional configuration:

  21.     mod_wsgi: mod_wsgi

  22. 

  23.     # Default value for AddDefaultCharset in RedHat configuration

  24.     default_charset: 'UTF-8'

  25. 

  26.   global:

  27.     # global apache directives

  28.     AllowEncodedSlashes: 'On'

  29. 

  30. 

  31.   name_virtual_hosts:

  32.     - interface: '*'

  33.       port: 80

  34.     - interface: '*'

  35.       port: 443

  36. 

  37.   # ``apache.vhosts`` formula additional configuration:

  38.   sites:

  39.     example.net:

  40.       template_file: salt://apache/vhosts/minimal.tmpl

  41. 

  42.     example.com: # must be unique; used as an ID declaration in Salt.

  43.       enabled: True

  44.       template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl

  45. 

  46.       ####################### DEFAULT VALUES BELOW ############################

  47.       # NOTE: the values below are simply default settings that *can* be

  48.       # overridden and are not required in order to use this formula to create

  49.       # vhost entries.

  50.       #

  51.       # Do not copy the values below into your Pillar unless you intend to

  52.       # modify these vaules.

  53.       ####################### DEFAULT VALUES BELOW ############################

  54.       template_engine: jinja

  55. 

  56.       interface: '*'

  57.       port: '80'

  58. 

  59.       exclude_listen_directive: True # Do not add a Listen directive in httpd.conf

  60. 

  61.       ServerName: example.com # uses the unique ID above unless specified

  62.       ServerAlias: www.example.com

  63. 

  64.       ServerAdmin: webmaster@example.com

  65. 

  66.       LogLevel: warn

  67.       ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log

  68.       CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log

  69. 

  70.       DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com

  71. 

  72.       SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired

  73.       SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file

  74.       SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file

  75. 

  76.       Directory:

  77.         # "default" is a special case; Adds ``/path/to/www/dir/example.com``

  78.         # E.g.: /var/www/example.com

  79.         default:

  80.           Options: -Indexes +FollowSymLinks

  81.           Order: allow,deny    # For Apache < 2.4

  82.           Allow: from all      # For apache < 2.4

  83.           Require: all granted # For apache > 2.4.

  84.           AllowOverride: None

  85.           Formula_Append: |

  86.             Additional config as a

  87.             multi-line string here

  88. 

  89.     80-proxyexample.com:

  90.       template_file: salt://apache/vhosts/redirect.tmpl

  91.       ServerName: www.proxyexample.com

  92.       ServerAlias: www.proxyexample.com

  93.       RedirectSource: '/'

  94.       RedirectTarget: 'https://www.proxyexample.com/'

  95.       DocumentRoot: /var/www/proxy

  96. 

  97.     443-proxyexample.com:

  98.       template_file: salt://apache/vhosts/proxy.tmpl

  99.       ServerName: www.proxyexample.com

  100.       ServerAlias: www.proxyexample.com

  101.       interface: '*'

  102.       port: '443'

  103.       DocumentRoot: /var/www/proxy

  104. 

  105.       Rewrite: |

  106.         RewriteRule ^/webmail$ /webmail/ [R]

  107.         RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]

  108.         RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]

  109. 

  110.       SSLCertificateFile: /etc/httpd/ssl/example.com.crt

  111.       SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key

  112.       SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer

  113. 

  114.       SSLCertificateFile_content: |

  115.         -----BEGIN CERTIFICATE-----

  116.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  117.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  118.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  119.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  120.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  121.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  122.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  123.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  124.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  125.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  126.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  127.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  128.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  129.         -----END CERTIFICATE-----

  130. 

  131.       SSLCertificateKeyFile_content: |

  132.         -----BEGIN PRIVATE KEY-----

  133.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  134.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  135.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  136.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  137.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  138.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  139.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  140.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  141.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  142.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  143.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  144.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  145.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  146.         -----END PRIVATE KEY-----

  147. 

  148.       SSLCertificateChainFile_content: |

  149.         -----BEGIN CERTIFICATE-----

  150.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  151.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  152.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  153.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  154.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  155.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  156.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  157.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  158.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  159.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  160.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  161.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  162.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  163.         -----END CERTIFICATE-----

  164.         -----BEGIN CERTIFICATE-----

  165.         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL

  166.         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC

  167.         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx

  168.         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD

  169.         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu

  170.         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j

  171.         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj

  172.         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA

  173.         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE

  174.         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS

  175.         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE

  176.         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju

  177.         Wm7DCfrPNGVwFWUQOmsPue9rZBgO

  178.         -----END CERTIFICATE-----

  179. 

  180.       ProxyRequests: 'Off'

  181.       ProxyPreserveHost: 'On'

  182. 

  183.       ProxyRoute:

  184.         example prod proxy route:

  185.           ProxyPassSource: '/'

  186.           ProxyPassTarget: 'http://prod.example.com:85/'

  187.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  188.           ProxyPassReverseSource: '/'

  189.           ProxyPassReverseTarget: 'http://prod.example.com:85/'

  190. 

  191.         example webmail proxy route:

  192.           ProxyPassSource: '/webmail/'

  193.           ProxyPassTarget: 'http://mail.example.com/'

  194.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  195.           ProxyPassReverseSource: '/webmail/'

  196.           ProxyPassReverseTarget: 'http://mail.example.com/'

  197. 

  198.         example service proxy route:

  199.           ProxyPassSource: '/svc/'

  200.           ProxyPassTarget: 'http://svc.example.com:92/'

  201.           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'

  202.           ProxyPassReverseSource: '/svc/'

  203.           ProxyPassReverseTarget: 'http://svc.example.com:92/'

  204. 

  205.       Location:

  206.         /:

  207.           Require: False

  208.           Formula_Append: |

  209.             SecRuleRemoveById 981231

  210.             SecRuleRemoveById 981173

  211. 

  212.         /error:

  213.           Require: 'all granted'

  214. 

  215.         /docs:

  216.           Order: allow,deny    # For Apache < 2.4

  217.           Allow: from all      # For apache < 2.4

  218.           Require: all granted # For apache > 2.4.

  219.           Formula_Append: |

  220.             Additional config as a

  221.             multi-line string here

  222. 

  223.       LocationMatch:

  224.         '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':

  225.           Require: False

  226.           Formula_Append: |

  227.             RequestHeader  set  Host  mail.example.com

  228. 

  229.         '^[.\\/]+([Ss][Vv][Cc])[.\\/]':

  230.           Require: False

  231.           Formula_Append: |

  232.             Require ip 123.123.13.6 84.24.25.74

  233. 

  234.       Proxy_control:

  235.         '*':

  236.           AllowAll: False

  237.           AllowCountry:

  238.             - DE

  239.           AllowIP:

  240.             - 12.5.25.32

  241.             - 12.5.25.33

  242. 

  243. 

  244.       Alias:

  245.         /docs: /usr/share/docs

  246. 

  247.       Formula_Append: |

  248.         Additional config as a

  249.         multi-line string here

  250. 

  251.   # ``apache.debian_full`` formula additional configuration:

  252.   register-site:

  253.     # any name as an array index, and you can duplicate this section

  254.     UNIQUE_VALUE_HERE:

  255.       name: 'my name'

  256.       path: 'salt://path/to/sites-available/conf/file'

  257.       state: 'enabled'

  258.       # Optional - use managed file as Jinja Template

  259.       #template: true

  260.       #defaults:

  261.       #  custom_var: "default value"

  262. 

  263.   modules:

  264.     enabled:  # List modules to enable

  265.       - ldap

  266.       - ssl

  267.     disabled:  # List modules to disable

  268.       - rewrite

  269. 

  270.   # KeepAlive: Whether or not to allow persistent connections (more than

  271.   # one request per connection). Set to "Off" to deactivate.

  272.   keepalive: 'On'

  273. 

  274.   security:

  275.     # can be Full | OS | Minimal | Minor | Major | Prod

  276.     # where Full conveys the most information, and Prod the least.

  277.     ServerTokens: Prod

  278. 

  279.   # ``apache.mod_remoteip`` formula additional configuration:

  280.   mod_remoteip:

  281.     RemoteIPHeader: X-Forwarded-For

  282.     RemoteIPTrustedProxy:

  283.       - 10.0.8.0/24

  284.       - 127.0.0.1

  285. 

  286.   # ``apache.mod_security`` formula additional configuration:

  287.   mod_security:

  288.     crs_install: True

  289.     # If not set, default distro's configuration is installed as is

  290.     manage_config: True

  291.     sec_rule_engine: 'On'

  292.     sec_request_body_access: 'On'

  293.     sec_request_body_limit: '14000000'

  294.     sec_request_body_no_files_limit: '114002'

  295.     sec_request_body_in_memory_limit: '114002'

  296.     sec_request_body_limit_action: 'Reject'

  297.     sec_pcre_match_limit: '15000'

  298.     sec_pcre_match_limit_recursion: '15000'

  299.     sec_debug_log_level: '3'

  300. 

  301.     rules:

  302.       enabled:

  303.       modsecurity_crs_10_setup.conf:

  304.         rule_set: ''

  305.         enabled: True

  306.       modsecurity_crs_20_protocol_violations.conf:

  307.         rule_set: 'base_rules'

  308.         enabled: False

  309. 

  310.     custom_rule_files:

  311.       # any name as an array index, and you can duplicate this section

  312.       UNIQUE_VALUE_HERE:

  313.         file: 'my name'

  314.         path: 'salt://path/to/modsecurity/custom/file'

  315.         enabled: True

  316. 

  317.   mod_ssl:

  318.     # set this to True if you want to override your distributions default TLS configuration

  319.     manage_tls_defaults: False

  320.     # This stuff is deliberately not configured via map.jinja resp. apache:lookup.

  321.     # We're unable to know sane defaults for each release of every distribution.

  322.     # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion

  323.     # Have a look at bettercrypto.org for up-to-date settings.

  324.     # These are default values:

  325.     SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

  326.     # Mitigate the CRIME attack

  327.     SSLCompression: Off

  328.     SSLProtocol: all -SSLv2 -SSLv3 -TLSv1

  329.     SSLHonorCipherOrder: On

  330.     SSLOptions: "+StrictRequire"