Skip to content
Snippets Groups Projects
Select Git revision
  • 98e8a9221885ea8d2086bd62ffcd1c48bed7ae33
  • master default
  • json_fix
  • puneetk-patch-1
4 results

AUTHORS.md

Blame
  • pillar.example 13.72 KiB
    # ``apache`` formula configuration:
    apache:
    
      # By default apache restart/reload states run (false skips)
      manage_service_states: True
    
      # lookup section overrides ``map.jinja`` values
      lookup:
        server: apache2
        service: apache2
        user: some_system_user
        group: some_system_group
    
        vhostdir: /etc/apache2/sites-available
        confdir: /etc/apache2/conf.d
        confext: .conf
        logdir: /var/log/apache2
        wwwdir: /srv/apache2
    
        # apache version (generally '2.2' or '2.4')
        version: '2.2'
    
        # ``apache.mod_wsgi`` formula additional configuration:
        mod_wsgi: mod_wsgi
    
        # Default value for AddDefaultCharset in RedHat configuration
        default_charset: 'UTF-8'
    
        # Should we enforce DocumentRoot user/group?
        # Default: do not enforce
        document_root_user: www-data   # Force user if specified, leave it default if not
        document_root_group: null      # Do not enforce group
    
      global:
        # global apache directives
        AllowEncodedSlashes: 'On'
    
    
      name_virtual_hosts:
        - interface: '*'
          port: 80
        - interface: '*'
          port: 443
    
      # ``apache.vhosts`` formula additional configuration:
      sites:
        example.net:
          template_file: salt://apache/vhosts/minimal.tmpl
    
        example.com: # must be unique; used as an ID declaration in Salt.
          enabled: True
          template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
    
          ####################### DEFAULT VALUES BELOW ############################
          # NOTE: the values below are simply default settings that *can* be
          # overridden and are not required in order to use this formula to create
          # vhost entries.
          #
          # Do not copy the values below into your Pillar unless you intend to
          # modify these vaules.
          ####################### DEFAULT VALUES BELOW ############################
          template_engine: jinja
    
          interface: '*'
          port: '80'
    
          exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
    
          ServerName: example.com # uses the unique ID above unless specified
          #ServerAlias: www.example.com # Do not add ServerAlias unless defined
    
          ServerAdmin: webmaster@example.com
    
          LogLevel: warn
          ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
          CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
    
          DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
          DocumentRootUser: null       # do not enforce user, defaults to lookup:document_root_user
          DocumentRootGroup: www-data  # Force group, defaults to lookup:document_root_group
    
          SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
          SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
          SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
    
          Directory:
            # "default" is a special case; uses DocumentRoot value
            # E.g.: /var/www/example.com
            default:
              Options: -Indexes +FollowSymLinks
              Order: allow,deny    # For Apache < 2.4
              Allow: from all      # For apache < 2.4
              Require: all granted # For apache > 2.4.
              AllowOverride: None
              Formula_Append: |
                Additional config as a
                multi-line string here
    
        redirectmatch.com:
          # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
          # Require module mod_alias 
          enabled: True
          template_file: salt://apache/vhosts/redirect.tmpl
          ServerName: www.redirectmatch.com
          ServerAlias: www.redirectmatch.com
          RedirectMatch: true
          RedirectSource: '^/$'
          RedirectTarget: '/subdirectory'
          DocumentRoot: /var/www/html/
          ErrorLog: ${APACHE_LOG_DIR}/error.log
          CustomLog: ${APACHE_LOG_DIR}/access.log
    
        80-proxyexample.com:
          template_file: salt://apache/vhosts/redirect.tmpl
          ServerName: www.proxyexample.com
          ServerAlias: www.proxyexample.com
          RedirectSource: '/'
          RedirectTarget: 'https://www.proxyexample.com/'
          DocumentRoot: /var/www/proxy
    
        443-proxyexample.com:
          template_file: salt://apache/vhosts/proxy.tmpl
          ServerName: www.proxyexample.com
          ServerAlias: www.proxyexample.com
          interface: '*'
          port: '443'
          DocumentRoot: /var/www/proxy
    
          Rewrite: |
            RewriteRule ^/webmail$ /webmail/ [R]
            RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
            RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
    
          SSLCertificateFile: /etc/httpd/ssl/example.com.crt
          SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
          SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
    
          SSLCertificateFile_content: |
            -----BEGIN CERTIFICATE-----
            MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
            MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
            VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
            NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
            TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
            ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
            V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
            gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
            FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
            CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
            BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
            BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
            Wm7DCfrPNGVwFWUQOmsPue9rZBgO
            -----END CERTIFICATE-----
    
          SSLCertificateKeyFile_content: |
            -----BEGIN PRIVATE KEY-----
            MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
            MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
            VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
            NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
            TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
            ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
            V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
            gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
            FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
            CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
            BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
            BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
            Wm7DCfrPNGVwFWUQOmsPue9rZBgO
            -----END PRIVATE KEY-----
    
          SSLCertificateChainFile_content: |
            -----BEGIN CERTIFICATE-----
            MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
            MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
            VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
            NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
            TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
            ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
            V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
            gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
            FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
            CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
            BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
            BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
            Wm7DCfrPNGVwFWUQOmsPue9rZBgO
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
            MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
            VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
            NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
            TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
            ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
            V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
            gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
            FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
            CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
            BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
            BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
            Wm7DCfrPNGVwFWUQOmsPue9rZBgO
            -----END CERTIFICATE-----
    
          ProxyRequests: 'Off'
          ProxyPreserveHost: 'On'
    
          ProxyRoute:
            example prod proxy route:
              ProxyPassSource: '/'
              ProxyPassTarget: 'http://prod.example.com:85/'
              ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
              ProxyPassReverseSource: '/'
              ProxyPassReverseTarget: 'http://prod.example.com:85/'
    
            example webmail proxy route:
              ProxyPassSource: '/webmail/'
              ProxyPassTarget: 'http://mail.example.com/'
              ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
              ProxyPassReverseSource: '/webmail/'
              ProxyPassReverseTarget: 'http://mail.example.com/'
    
            example service proxy route:
              ProxyPassSource: '/svc/'
              ProxyPassTarget: 'http://svc.example.com:92/'
              ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
              ProxyPassReverseSource: '/svc/'
              ProxyPassReverseTarget: 'http://svc.example.com:92/'
    
          Location:
            /:
              Require: False
              Formula_Append: |
                SecRuleRemoveById 981231
                SecRuleRemoveById 981173
    
            /error:
              Require: 'all granted'
    
            /docs:
              Order: allow,deny    # For Apache < 2.4
              Allow: from all      # For apache < 2.4
              Require: all granted # For apache > 2.4.
              Formula_Append: |
                Additional config as a
                multi-line string here
    
          LocationMatch:
            '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
              Require: False
              Formula_Append: |
                RequestHeader  set  Host  mail.example.com
    
            '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
              Require: False
              Formula_Append: |
                Require ip 123.123.13.6 84.24.25.74
    
          Proxy_control:
            '*':
              AllowAll: False
              AllowCountry:
                - DE
              AllowIP:
                - 12.5.25.32
                - 12.5.25.33
    
    
          Alias:
            /docs: /usr/share/docs
    
          Formula_Append: |
            Additional config as a
            multi-line string here
    
      # ``apache.debian_full`` formula additional configuration:
      register-site:
        # any name as an array index, and you can duplicate this section
        UNIQUE_VALUE_HERE:
          name: 'my name'
          path: 'salt://path/to/sites-available/conf/file'
          state: 'enabled'
          # Optional - use managed file as Jinja Template
          #template: true
          #defaults:
          #  custom_var: "default value"
    
      modules:
        enabled:  # List modules to enable
          - ldap
          - ssl
        disabled:  # List modules to disable
          - rewrite
    
      # KeepAlive: Whether or not to allow persistent connections (more than
      # one request per connection). Set to "Off" to deactivate.
      keepalive: 'On'
    
      security:
        # can be Full | OS | Minimal | Minor | Major | Prod
        # where Full conveys the most information, and Prod the least.
        ServerTokens: Prod
    
      # [debian only] configure mod_ssl
      ssl:
        SSLCipherSuite: 'HIGH:!aNULL'
        SSLHonorCipherOrder: 'Off'
        SSLProtocol: 'all -SSLv3'
    
      # ``apache.mod_remoteip`` formula additional configuration:
      mod_remoteip:
        RemoteIPHeader: X-Forwarded-For
        RemoteIPTrustedProxy:
          - 10.0.8.0/24
          - 127.0.0.1
    
      # ``apache.mod_security`` formula additional configuration:
      mod_security:
        crs_install: True
        # If not set, default distro's configuration is installed as is
        manage_config: True
        sec_rule_engine: 'On'
        sec_request_body_access: 'On'
        sec_request_body_limit: '14000000'
        sec_request_body_no_files_limit: '114002'
        sec_request_body_in_memory_limit: '114002'
        sec_request_body_limit_action: 'Reject'
        sec_pcre_match_limit: '15000'
        sec_pcre_match_limit_recursion: '15000'
        sec_debug_log_level: '3'
    
        rules:
          enabled:
          modsecurity_crs_10_setup.conf:
            rule_set: ''
            enabled: True
          modsecurity_crs_20_protocol_violations.conf:
            rule_set: 'base_rules'
            enabled: False
    
        custom_rule_files:
          # any name as an array index, and you can duplicate this section
          UNIQUE_VALUE_HERE:
            file: 'my name'
            path: 'salt://path/to/modsecurity/custom/file'
            enabled: True
    
      mod_ssl:
        # set this to True if you want to override your distributions default TLS configuration
        manage_tls_defaults: False
        # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
        # We're unable to know sane defaults for each release of every distribution.
        # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
        # Have a look at bettercrypto.org for up-to-date settings.
        # These are default values:
        SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        # Mitigate the CRIME attack
        SSLCompression: Off
        SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
        SSLHonorCipherOrder: On
        SSLOptions: "+StrictRequire"