saltstack-formulas/apache-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
06b1606f33
apache-formula/pillar.example

372 lines
14 KiB
Plaintext
Raw Normal View History

Added package-map.jinja
2013-08-23 05:14:28 +02:00
# ``apache`` formula configuration:
apache:
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
Allow Skipping of service manipulation via pillar (+PR comments)
2017-11-03 17:59:12 +01:00
# By default apache restart/reload states run (false skips)
manage_service_states: True
add lookup section to pillar.example
2015-08-26 14:05:25 +02:00
# lookup section overrides ``map.jinja`` values
lookup:
server: apache2
service: apache2
Add default user/group attributes as required by some states
2017-03-29 12:32:18 +02:00
user: some_system_user
group: some_system_group
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
add lookup section to pillar.example
2015-08-26 14:05:25 +02:00
vhostdir: /etc/apache2/sites-available
confdir: /etc/apache2/conf.d
confext: .conf
logdir: /var/log/apache2
wwwdir: /srv/apache2
fix Options in pillar.example
2016-04-12 15:01:07 +02:00
This branch is foundational for further version-specific work to come. * Add apache version (2.2, 2.4) detection based on osfinger (defaults to 2.4). * Version can be overridden in pillar (for Apache 2.4 on RHEL 6 for example)
2015-08-25 21:38:16 +02:00
# apache version (generally '2.2' or '2.4')
version: '2.2'
add lookup section to pillar.example
2015-08-26 14:05:25 +02:00
# ``apache.mod_wsgi`` formula additional configuration:
mod_wsgi: mod_wsgi
Updated README with these changes moved Pillar examples into pillar file
2013-08-13 23:12:57 +02:00
RedHat: Made AddDefaultCharset Directive configurable (#147) * RedHat: Made AddDefaultCharset Directive configurable * Added description of apache:lookup:default_charset to pillar.example, sane default equals former hardcoded UTF-8
2016-06-29 18:18:30 +02:00
# Default value for AddDefaultCharset in RedHat configuration
default_charset: 'UTF-8'
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation
2016-05-11 03:48:26 +02:00
vhosts/standard: rewrite, simplify code * No more if. * Allow lookup to set default value for all docroot * updated pillar.example
2018-06-28 15:26:01 +02:00
# Should we enforce DocumentRoot user/group?
# Default: do not enforce
document_root_user: www-data # Force user if specified, leave it default if not
document_root_group: null # Do not enforce group
Allow global directives to be added to apache config
2016-01-19 10:02:31 +01:00
global:
# global apache directives
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation
2016-05-11 03:48:26 +02:00
AllowEncodedSlashes: 'On'
Allow global directives to be added to apache config
2016-01-19 10:02:31 +01:00
Add support for NameVirtualHost on Debian
2016-04-14 11:26:24 +02:00
name_virtual_hosts:
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation
2016-05-11 03:48:26 +02:00
- interface: '*'
Add support for NameVirtualHost on Debian
2016-04-14 11:26:24 +02:00
port: 80
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation
2016-05-11 03:48:26 +02:00
- interface: '*'
Add support for NameVirtualHost on Debian
2016-04-14 11:26:24 +02:00
port: 443
Moved all Pillar examples under the same dictionary key Having multiple different examples in the same file was causing confusion.
2014-06-18 21:38:02 +02:00
# ``apache.vhosts`` formula additional configuration:
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
sites:
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8
2014-06-18 21:48:28 +02:00
example.net:
template_file: salt://apache/vhosts/minimal.tmpl
example.com: # must be unique; used as an ID declaration in Salt.
add an 'enabled' attribute for a site in pillar
2015-08-25 07:50:58 +02:00
enabled: True
Added minimal template (fixes #34)
2017-04-23 19:38:17 +02:00
template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8
2014-06-18 21:48:28 +02:00
####################### DEFAULT VALUES BELOW ############################
# NOTE: the values below are simply default settings that *can* be
# overridden and are not required in order to use this formula to create
# vhost entries.
#
# Do not copy the values below into your Pillar unless you intend to
# modify these vaules.
####################### DEFAULT VALUES BELOW ############################
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
template_engine: jinja
interface: '*'
port: '80'
Adding exclude_listen_directive option (#151) * Adding exclude_listen_directive option * Updating Debian config
2016-07-21 04:19:39 +02:00
exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8
2014-06-18 21:48:28 +02:00
ServerName: example.com # uses the unique ID above unless specified
Do not add ServerAlias unless defined
2018-01-31 00:20:25 +01:00
#ServerAlias: www.example.com # Do not add ServerAlias unless defined
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8
2014-06-18 21:48:28 +02:00
ServerAdmin: webmaster@example.com
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
LogLevel: warn
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8
2014-06-18 21:48:28 +02:00
ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8
2014-06-18 21:48:28 +02:00
DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
vhosts/standard: rewrite, simplify code * No more if. * Allow lookup to set default value for all docroot * updated pillar.example
2018-06-28 15:26:01 +02:00
DocumentRootUser: null # do not enforce user, defaults to lookup:document_root_user
DocumentRootGroup: www-data # Force group, defaults to lookup:document_root_group
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
Fix incorrect syntax in pillar example for SSLCertificateFile, SSLCertificateKeyFile Fix check for SSLCertificateFile, SSLCertificateKeyFile variables in vhosts/standard.tmpl, now using dict.get()
2015-05-14 04:38:27 +02:00
SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
ssl: also support the SSLCertificateChainFile required by some providers
2015-06-09 11:54:07 +02:00
SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
Add basic SSL functionality.
2015-04-02 14:23:21 +02:00
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
Directory:
directory.default: update pillar.example New behavior properly explained in pillar.example Warning: changes directory.default when used with non-standard documentroot. Now uses documentroot, instead of previously "default" documentroot path.
2018-08-29 12:19:43 +02:00
# "default" is a special case; uses DocumentRoot value
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8
2014-06-18 21:48:28 +02:00
# E.g.: /var/www/example.com
default:
fix Options in pillar.example
2016-04-12 15:01:07 +02:00
Options: -Indexes +FollowSymLinks
Adding support for Apache 2.4 on Ubuntu 14.04 - Adding confext to virtualhost names. - Renaming the default config file for Ubuntu (000-default.conf). - Adding ability to use "Require all granted".
2014-10-01 10:35:53 +02:00
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
AllowOverride: None
Formula_Append: |
Additional config as a
multi-line string here
pillar exemple for RedirectMatch directive
2018-01-17 08:36:03 +01:00
redirectmatch.com:
# Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
# Require module mod_alias
enabled: True
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.redirectmatch.com
ServerAlias: www.redirectmatch.com
RedirectMatch: true
RedirectSource: '^/$'
RedirectTarget: '/subdirectory'
DocumentRoot: /var/www/html/
ErrorLog: ${APACHE_LOG_DIR}/error.log
CustomLog: ${APACHE_LOG_DIR}/access.log
Add Reverse Proxy directives, GeoIP, Certificates management, mostly for RedHat
2017-03-09 12:44:32 +01:00
80-proxyexample.com:
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.proxyexample.com
ServerAlias: www.proxyexample.com
RedirectSource: '/'
RedirectTarget: 'https://www.proxyexample.com/'
DocumentRoot: /var/www/proxy
443-proxyexample.com:
template_file: salt://apache/vhosts/proxy.tmpl
ServerName: www.proxyexample.com
ServerAlias: www.proxyexample.com
interface: '*'
port: '443'
DocumentRoot: /var/www/proxy
Rewrite: |
RewriteRule ^/webmail$ /webmail/ [R]
RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
SSLCertificateFile: /etc/httpd/ssl/example.com.crt
SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
SSLCertificateFile_content: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
SSLCertificateKeyFile_content: |
-----BEGIN PRIVATE KEY-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END PRIVATE KEY-----
SSLCertificateChainFile_content: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
ProxyRequests: 'Off'
ProxyPreserveHost: 'On'
ProxyRoute:
example prod proxy route:
ProxyPassSource: '/'
ProxyPassTarget: 'http://prod.example.com:85/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/'
ProxyPassReverseTarget: 'http://prod.example.com:85/'
example webmail proxy route:
ProxyPassSource: '/webmail/'
ProxyPassTarget: 'http://mail.example.com/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/webmail/'
ProxyPassReverseTarget: 'http://mail.example.com/'
example service proxy route:
ProxyPassSource: '/svc/'
ProxyPassTarget: 'http://svc.example.com:92/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/svc/'
ProxyPassReverseTarget: 'http://svc.example.com:92/'
Location:
/:
Require: False
Formula_Append: |
SecRuleRemoveById 981231
SecRuleRemoveById 981173
/error:
Require: 'all granted'
Consolidate duplicate 'Location' stanzas in pillar.example; SLS Rendering Error fix
2017-08-24 21:58:37 +02:00
/docs:
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
Formula_Append: |
Additional config as a
multi-line string here
Add Reverse Proxy directives, GeoIP, Certificates management, mostly for RedHat
2017-03-09 12:44:32 +01:00
LocationMatch:
'^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
Require: False
Formula_Append: |
RequestHeader set Host mail.example.com
'^[.\\/]+([Ss][Vv][Cc])[.\\/]':
Require: False
Formula_Append: |
Require ip 123.123.13.6 84.24.25.74
Proxy_control:
'*':
AllowAll: False
AllowCountry:
- DE
AllowIP:
- 12.5.25.32
- 12.5.25.33
Add example code for new templates 'redirect.tmpl' and 'proxy.tmpl'.
2015-02-15 00:12:13 +01:00
Added support for Alias and Locations, as well as enabling Dav
2015-12-09 06:48:08 +01:00
Alias:
/docs: /usr/share/docs
Added apache.vhost formula
2013-08-28 00:27:01 +02:00
Formula_Append: |
Additional config as a
multi-line string here
Moved all Pillar examples under the same dictionary key Having multiple different examples in the same file was causing confusion.
2014-06-18 21:38:02 +02:00
# ``apache.debian_full`` formula additional configuration:
Updated README with these changes moved Pillar examples into pillar file
2013-08-13 23:12:57 +02:00
register-site:
# any name as an array index, and you can duplicate this section
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8
2014-06-18 21:48:28 +02:00
UNIQUE_VALUE_HERE:
Updated README with these changes moved Pillar examples into pillar file
2013-08-13 23:12:57 +02:00
name: 'my name'
path: 'salt://path/to/sites-available/conf/file'
state: 'enabled'
Add optional templating to register_site Add optional templating for the register site aspect of a pillar. User can specify keys to be included as defaults, otherwise it is treated as a normal managed file.
2015-03-18 18:36:19 +01:00
# Optional - use managed file as Jinja Template
#template: true
#defaults:
# custom_var: "default value"
Add ability to specify modules in pillar
2014-11-21 00:37:14 +01:00
modules:
enabled: # List modules to enable
- ldap
- ssl
disabled: # List modules to disable
- rewrite
Added ability to manage security settings By reassigning options with `blockreplace` at `/etc/apache2/conf-available/security.conf`, which is linked as conf-enabled by default on Debian packages
2015-12-14 15:12:20 +01:00
Allow setting APACHE_SERVER_FLAGS on Suse (#234) SUSE reads additional FLAGS that are used on the server start. They are read from the APACHE_SERVER_FLAGS key, so we use a2enflag/a2disflag to set those as we do with modules.
2018-08-30 22:22:55 +02:00
flags:
enabled: # List server flags to enable
- SSL
disabled: # List server flags to disable
- status
Added ability to configure KeepAlive option Sometimes it's necessary optimization in nginx+apache2 environment
2015-12-17 00:40:48 +01:00
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
Fixed YAML parsing On/Off as True/False True and False are not correct values for apache config
2015-12-17 00:50:37 +01:00
keepalive: 'On'
Added ability to configure KeepAlive option Sometimes it's necessary optimization in nginx+apache2 environment
2015-12-17 00:40:48 +01:00
Added ability to manage security settings By reassigning options with `blockreplace` at `/etc/apache2/conf-available/security.conf`, which is linked as conf-enabled by default on Debian packages
2015-12-14 15:12:20 +01:00
security:
# can be Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens: Prod
Follow-up to 8f2308b98
2015-12-16 01:09:48 +01:00
207 configure ssl (#218) * [ssl] [debian] manage ssl.conf with pillars * [apache] make cyphersuite a list * [apache/ssl] switch back to strings, lists merge is not good
2018-08-17 19:41:40 +02:00
# [debian only] configure mod_ssl
ssl:
SSLCipherSuite: 'HIGH:!aNULL'
SSLHonorCipherOrder: 'Off'
SSLProtocol: 'all -SSLv3'
Add OCSP Stapling configuration capabilities to Debian Document Stapling options in pillar.example
2018-11-04 19:02:55 +01:00
SSLUseStapling: 'Off'
SSLStaplingResponderTimeout: '5'
SSLStaplingReturnResponderErrors: 'Off'
SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
207 configure ssl (#218) * [ssl] [debian] manage ssl.conf with pillars * [apache] make cyphersuite a list * [apache/ssl] switch back to strings, lists merge is not good
2018-08-17 19:41:40 +02:00
Follow-up to 8f2308b98
2015-12-16 01:09:48 +01:00
# ``apache.mod_remoteip`` formula additional configuration:
mod_remoteip:
RemoteIPHeader: X-Forwarded-For
RemoteIPTrustedProxy:
- 10.0.8.0/24
Added newlines to recent files
2015-12-16 14:42:59 +01:00
- 127.0.0.1
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation
2016-05-11 03:48:26 +02:00
# ``apache.mod_security`` formula additional configuration:
mod_security:
crs_install: True
# If not set, default distro's configuration is installed as is
manage_config: True
sec_rule_engine: 'On'
sec_request_body_access: 'On'
sec_request_body_limit: '14000000'
sec_request_body_no_files_limit: '114002'
sec_request_body_in_memory_limit: '114002'
sec_request_body_limit_action: 'Reject'
sec_pcre_match_limit: '15000'
sec_pcre_match_limit_recursion: '15000'
sec_debug_log_level: '3'
add modsecurity rules state
2016-09-23 11:12:37 +02:00
rules:
enabled:
modsecurity_crs_10_setup.conf:
rule_set: ''
enabled: True
modsecurity_crs_20_protocol_violations.conf:
rule_set: 'base_rules'
enabled: False
custom_rule_files:
# any name as an array index, and you can duplicate this section
UNIQUE_VALUE_HERE:
file: 'my name'
path: 'salt://path/to/modsecurity/custom/file'
enabled: True
Manage TLS defaults
2018-01-10 01:24:17 +01:00
mod_ssl:
# set this to True if you want to override your distributions default TLS configuration
manage_tls_defaults: False
# This stuff is deliberately not configured via map.jinja resp. apache:lookup.
# We're unable to know sane defaults for each release of every distribution.
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
# Have a look at bettercrypto.org for up-to-date settings.
# These are default values:
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Mitigate the CRIME attack
SSLCompression: Off
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder: On
SSLOptions: "+StrictRequire"
Reference in New Issue Copy Permalink