apache-formula/pillar.example

# ``apache`` formula configuration:
apache:

  # lookup section overrides ``map.jinja`` values
  lookup:
    server: apache2
    service: apache2
    user: some_system_user
    group: some_system_group

    vhostdir: /etc/apache2/sites-available
    confdir: /etc/apache2/conf.d
    confext: .conf
    logdir: /var/log/apache2
    wwwdir: /srv/apache2

    # apache version (generally '2.2' or '2.4')
    version: '2.2'

    # ``apache.mod_wsgi`` formula additional configuration:
    mod_wsgi: mod_wsgi

    # Default value for AddDefaultCharset in RedHat configuration
    default_charset: 'UTF-8'

  global:
    # global apache directives
    AllowEncodedSlashes: 'On'


  name_virtual_hosts:
    - interface: '*'
      port: 80
    - interface: '*'
      port: 443

  # ``apache.vhosts`` formula additional configuration:
  sites:
    example.net:
      template_file: salt://apache/vhosts/minimal.tmpl

    example.com: # must be unique; used as an ID declaration in Salt.
      enabled: True
      template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl

      ####################### DEFAULT VALUES BELOW ############################
      # NOTE: the values below are simply default settings that *can* be
      # overridden and are not required in order to use this formula to create
      # vhost entries.
      #
      # Do not copy the values below into your Pillar unless you intend to
      # modify these vaules.
      ####################### DEFAULT VALUES BELOW ############################
      template_engine: jinja

      interface: '*'
      port: '80'

      exclude_listen_directive: True # Do not add a Listen directive in httpd.conf

      ServerName: example.com # uses the unique ID above unless specified
      ServerAlias: www.example.com

      ServerAdmin: webmaster@example.com

      LogLevel: warn
      ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
      CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log

      DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com

      SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
      SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
      SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file

      Directory:
        # "default" is a special case; Adds ``/path/to/www/dir/example.com``
        # E.g.: /var/www/example.com
        default:
          Options: -Indexes +FollowSymLinks
          Order: allow,deny    # For Apache < 2.4
          Allow: from all      # For apache < 2.4
          Require: all granted # For apache > 2.4.
          AllowOverride: None
          Formula_Append: |
            Additional config as a
            multi-line string here

    80-proxyexample.com:
      template_file: salt://apache/vhosts/redirect.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      RedirectSource: '/'
      RedirectTarget: 'https://www.proxyexample.com/'
      DocumentRoot: /var/www/proxy

    443-proxyexample.com:
      template_file: salt://apache/vhosts/proxy.tmpl
      ServerName: www.proxyexample.com
      ServerAlias: www.proxyexample.com
      interface: '*'
      port: '443'
      DocumentRoot: /var/www/proxy

      Rewrite: |
        RewriteRule ^/webmail$ /webmail/ [R]
        RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
        RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]

      SSLCertificateFile: /etc/httpd/ssl/example.com.crt
      SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
      SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer

      SSLCertificateFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----

      SSLCertificateKeyFile_content: |
        -----BEGIN PRIVATE KEY-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END PRIVATE KEY-----

      SSLCertificateChainFile_content: |
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
        MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
        VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
        NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
        TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
        ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
        V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
        gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
        FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
        CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
        BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
        BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
        Wm7DCfrPNGVwFWUQOmsPue9rZBgO
        -----END CERTIFICATE-----

      ProxyRequests: 'Off'
      ProxyPreserveHost: 'On'

      ProxyRoute:
        example prod proxy route:
          ProxyPassSource: '/'
          ProxyPassTarget: 'http://prod.example.com:85/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/'
          ProxyPassReverseTarget: 'http://prod.example.com:85/'

        example webmail proxy route:
          ProxyPassSource: '/webmail/'
          ProxyPassTarget: 'http://mail.example.com/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/webmail/'
          ProxyPassReverseTarget: 'http://mail.example.com/'

        example service proxy route:
          ProxyPassSource: '/svc/'
          ProxyPassTarget: 'http://svc.example.com:92/'
          ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
          ProxyPassReverseSource: '/svc/'
          ProxyPassReverseTarget: 'http://svc.example.com:92/'

      Location:
        /:
          Require: False
          Formula_Append: |
            SecRuleRemoveById 981231
            SecRuleRemoveById 981173

        /error:
          Require: 'all granted'

        /docs:
          Order: allow,deny    # For Apache < 2.4
          Allow: from all      # For apache < 2.4
          Require: all granted # For apache > 2.4.
          Formula_Append: |
            Additional config as a
            multi-line string here

      LocationMatch:
        '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
          Require: False
          Formula_Append: |
            RequestHeader  set  Host  mail.example.com

        '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
          Require: False
          Formula_Append: |
            Require ip 123.123.13.6 84.24.25.74

      Proxy_control:
        '*':
          AllowAll: False
          AllowCountry:
            - DE
          AllowIP:
            - 12.5.25.32
            - 12.5.25.33


      Alias:
        /docs: /usr/share/docs

      Formula_Append: |
        Additional config as a
        multi-line string here

  # ``apache.debian_full`` formula additional configuration:
  register-site:
    # any name as an array index, and you can duplicate this section
    UNIQUE_VALUE_HERE:
      name: 'my name'
      path: 'salt://path/to/sites-available/conf/file'
      state: 'enabled'
      # Optional - use managed file as Jinja Template
      #template: true
      #defaults:
      #  custom_var: "default value"

  modules:
    enabled:  # List modules to enable
      - ldap
      - ssl
    disabled:  # List modules to disable
      - rewrite

  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  keepalive: 'On'

  security:
    # can be Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens: Prod

  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip:
    RemoteIPHeader: X-Forwarded-For
    RemoteIPTrustedProxy:
      - 10.0.8.0/24
      - 127.0.0.1

  # ``apache.mod_security`` formula additional configuration:
  mod_security:
    crs_install: True
    # If not set, default distro's configuration is installed as is
    manage_config: True
    sec_rule_engine: 'On'
    sec_request_body_access: 'On'
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'

    rules:
      enabled:
      modsecurity_crs_10_setup.conf:
        rule_set: ''
        enabled: True
      modsecurity_crs_20_protocol_violations.conf:
        rule_set: 'base_rules'
        enabled: False

    custom_rule_files:
      # any name as an array index, and you can duplicate this section
      UNIQUE_VALUE_HERE:
        file: 'my name'
        path: 'salt://path/to/modsecurity/custom/file'
        enabled: True

  mod_ssl:
    # set this to True if you want to override your distributions default TLS configuration
    manage_tls_defaults: False
    # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
    # We're unable to know sane defaults for each release of every distribution.
    # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
    # Have a look at bettercrypto.org for up-to-date settings.
    # These are default values:
    SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    # Mitigate the CRIME attack
    SSLCompression: Off
    SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder: On
    SSLOptions: "+StrictRequire"
Added package-map.jinja 2013-08-23 05:14:28 +02:00			# ``apache`` formula configuration:
			`apache:`
Added apache.vhost formula 2013-08-28 00:27:01 +02:00
add lookup section to pillar.example 2015-08-26 14:05:25 +02:00			# lookup section overrides ``map.jinja`` values
			`lookup:`
			`server: apache2`
			`service: apache2`
Add default user/group attributes as required by some states 2017-03-29 12:32:18 +02:00			`user: some_system_user`
			`group: some_system_group`
Added apache.vhost formula 2013-08-28 00:27:01 +02:00
add lookup section to pillar.example 2015-08-26 14:05:25 +02:00			`vhostdir: /etc/apache2/sites-available`
			`confdir: /etc/apache2/conf.d`
			`confext: .conf`
			`logdir: /var/log/apache2`
			`wwwdir: /srv/apache2`
fix Options in pillar.example 2016-04-12 15:01:07 +02:00
This branch is foundational for further version-specific work to come. * Add apache version (2.2, 2.4) detection based on osfinger (defaults to 2.4). * Version can be overridden in pillar (for Apache 2.4 on RHEL 6 for example) 2015-08-25 21:38:16 +02:00			`# apache version (generally '2.2' or '2.4')`
			`version: '2.2'`
add lookup section to pillar.example 2015-08-26 14:05:25 +02:00
			# ``apache.mod_wsgi`` formula additional configuration:
			`mod_wsgi: mod_wsgi`
Updated README with these changes moved Pillar examples into pillar file 2013-08-13 23:12:57 +02:00
RedHat: Made AddDefaultCharset Directive configurable (#147) * RedHat: Made AddDefaultCharset Directive configurable * Added description of apache:lookup:default_charset to pillar.example, sane default equals former hardcoded UTF-8 2016-06-29 18:18:30 +02:00			`# Default value for AddDefaultCharset in RedHat configuration`
			`default_charset: 'UTF-8'`
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation 2016-05-11 03:48:26 +02:00
Allow global directives to be added to apache config 2016-01-19 10:02:31 +01:00			`global:`
			`# global apache directives`
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation 2016-05-11 03:48:26 +02:00			`AllowEncodedSlashes: 'On'`
Allow global directives to be added to apache config 2016-01-19 10:02:31 +01:00

Add support for NameVirtualHost on Debian 2016-04-14 11:26:24 +02:00			`name_virtual_hosts:`
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation 2016-05-11 03:48:26 +02:00			`- interface: '*'`
Add support for NameVirtualHost on Debian 2016-04-14 11:26:24 +02:00			`port: 80`
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation 2016-05-11 03:48:26 +02:00			`- interface: '*'`
Add support for NameVirtualHost on Debian 2016-04-14 11:26:24 +02:00			`port: 443`

Moved all Pillar examples under the same dictionary key Having multiple different examples in the same file was causing confusion. 2014-06-18 21:38:02 +02:00			# ``apache.vhosts`` formula additional configuration:
Added apache.vhost formula 2013-08-28 00:27:01 +02:00			`sites:`
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8 2014-06-18 21:48:28 +02:00			`example.net:`
			`template_file: salt://apache/vhosts/minimal.tmpl`

			`example.com: # must be unique; used as an ID declaration in Salt.`
add an 'enabled' attribute for a site in pillar 2015-08-25 07:50:58 +02:00			`enabled: True`
Added minimal template (fixes #34) 2017-04-23 19:38:17 +02:00			`template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl`
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8 2014-06-18 21:48:28 +02:00
			`####################### DEFAULT VALUES BELOW ############################`
			`# NOTE: the values below are simply default settings that can be`
			`# overridden and are not required in order to use this formula to create`
			`# vhost entries.`
			`#`
			`# Do not copy the values below into your Pillar unless you intend to`
			`# modify these vaules.`
			`####################### DEFAULT VALUES BELOW ############################`
Added apache.vhost formula 2013-08-28 00:27:01 +02:00			`template_engine: jinja`

			`interface: '*'`
			`port: '80'`

Adding exclude_listen_directive option (#151) * Adding exclude_listen_directive option * Updating Debian config 2016-07-21 04:19:39 +02:00			`exclude_listen_directive: True # Do not add a Listen directive in httpd.conf`

Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8 2014-06-18 21:48:28 +02:00			`ServerName: example.com # uses the unique ID above unless specified`
			`ServerAlias: www.example.com`
Added apache.vhost formula 2013-08-28 00:27:01 +02:00
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8 2014-06-18 21:48:28 +02:00			`ServerAdmin: webmaster@example.com`
Added apache.vhost formula 2013-08-28 00:27:01 +02:00
			`LogLevel: warn`
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8 2014-06-18 21:48:28 +02:00			`ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log`
			`CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log`
Added apache.vhost formula 2013-08-28 00:27:01 +02:00
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8 2014-06-18 21:48:28 +02:00			`DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com`
Added apache.vhost formula 2013-08-28 00:27:01 +02:00
Fix incorrect syntax in pillar example for SSLCertificateFile, SSLCertificateKeyFile Fix check for SSLCertificateFile, SSLCertificateKeyFile variables in vhosts/standard.tmpl, now using dict.get() 2015-05-14 04:38:27 +02:00			`SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired`
			`SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file`
ssl: also support the SSLCertificateChainFile required by some providers 2015-06-09 11:54:07 +02:00			`SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file`
Add basic SSL functionality. 2015-04-02 14:23:21 +02:00
Added apache.vhost formula 2013-08-28 00:27:01 +02:00			`Directory:`
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8 2014-06-18 21:48:28 +02:00			# "default" is a special case; Adds ``/path/to/www/dir/example.com``
			`# E.g.: /var/www/example.com`
			`default:`
fix Options in pillar.example 2016-04-12 15:01:07 +02:00			`Options: -Indexes +FollowSymLinks`
Adding support for Apache 2.4 on Ubuntu 14.04 - Adding confext to virtualhost names. - Renaming the default config file for Ubuntu (000-default.conf). - Adding ability to use "Require all granted". 2014-10-01 10:35:53 +02:00			`Order: allow,deny # For Apache < 2.4`
			`Allow: from all # For apache < 2.4`
			`Require: all granted # For apache > 2.4.`
Added apache.vhost formula 2013-08-28 00:27:01 +02:00			`AllowOverride: None`
			`Formula_Append: \|`
			`Additional config as a`
			`multi-line string here`

Add Reverse Proxy directives, GeoIP, Certificates management, mostly for RedHat 2017-03-09 12:44:32 +01:00			`80-proxyexample.com:`
			`template_file: salt://apache/vhosts/redirect.tmpl`
			`ServerName: www.proxyexample.com`
			`ServerAlias: www.proxyexample.com`
			`RedirectSource: '/'`
			`RedirectTarget: 'https://www.proxyexample.com/'`
			`DocumentRoot: /var/www/proxy`

			`443-proxyexample.com:`
			`template_file: salt://apache/vhosts/proxy.tmpl`
			`ServerName: www.proxyexample.com`
			`ServerAlias: www.proxyexample.com`
			`interface: '*'`
			`port: '443'`
			`DocumentRoot: /var/www/proxy`

			`Rewrite: \|`
			`RewriteRule ^/webmail$ /webmail/ [R]`
			`RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]`
			`RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]`

			`SSLCertificateFile: /etc/httpd/ssl/example.com.crt`
			`SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key`
			`SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer`

			`SSLCertificateFile_content: \|`
			`-----BEGIN CERTIFICATE-----`
			`MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL`
			`MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC`
			`VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx`
			`NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD`
			`TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu`
			`ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j`
			`V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj`
			`gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA`
			`FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE`
			`CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS`
			`BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE`
			`BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju`
			`Wm7DCfrPNGVwFWUQOmsPue9rZBgO`
			`-----END CERTIFICATE-----`

			`SSLCertificateKeyFile_content: \|`
			`-----BEGIN PRIVATE KEY-----`
			`MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL`
			`MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC`
			`VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx`
			`NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD`
			`TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu`
			`ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j`
			`V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj`
			`gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA`
			`FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE`
			`CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS`
			`BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE`
			`BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju`
			`Wm7DCfrPNGVwFWUQOmsPue9rZBgO`
			`-----END PRIVATE KEY-----`

			`SSLCertificateChainFile_content: \|`
			`-----BEGIN CERTIFICATE-----`
			`MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL`
			`MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC`
			`VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx`
			`NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD`
			`TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu`
			`ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j`
			`V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj`
			`gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA`
			`FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE`
			`CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS`
			`BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE`
			`BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju`
			`Wm7DCfrPNGVwFWUQOmsPue9rZBgO`
			`-----END CERTIFICATE-----`
			`-----BEGIN CERTIFICATE-----`
			`MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL`
			`MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC`
			`VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx`
			`NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD`
			`TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu`
			`ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j`
			`V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj`
			`gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA`
			`FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE`
			`CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS`
			`BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE`
			`BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju`
			`Wm7DCfrPNGVwFWUQOmsPue9rZBgO`
			`-----END CERTIFICATE-----`

			`ProxyRequests: 'Off'`
			`ProxyPreserveHost: 'On'`

			`ProxyRoute:`
			`example prod proxy route:`
			`ProxyPassSource: '/'`
			`ProxyPassTarget: 'http://prod.example.com:85/'`
			`ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'`
			`ProxyPassReverseSource: '/'`
			`ProxyPassReverseTarget: 'http://prod.example.com:85/'`

			`example webmail proxy route:`
			`ProxyPassSource: '/webmail/'`
			`ProxyPassTarget: 'http://mail.example.com/'`
			`ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'`
			`ProxyPassReverseSource: '/webmail/'`
			`ProxyPassReverseTarget: 'http://mail.example.com/'`

			`example service proxy route:`
			`ProxyPassSource: '/svc/'`
			`ProxyPassTarget: 'http://svc.example.com:92/'`
			`ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'`
			`ProxyPassReverseSource: '/svc/'`
			`ProxyPassReverseTarget: 'http://svc.example.com:92/'`

			`Location:`
			`/:`
			`Require: False`
			`Formula_Append: \|`
			`SecRuleRemoveById 981231`
			`SecRuleRemoveById 981173`

			`/error:`
			`Require: 'all granted'`

Consolidate duplicate 'Location' stanzas in pillar.example; SLS Rendering Error fix 2017-08-24 21:58:37 +02:00			`/docs:`
			`Order: allow,deny # For Apache < 2.4`
			`Allow: from all # For apache < 2.4`
			`Require: all granted # For apache > 2.4.`
			`Formula_Append: \|`
			`Additional config as a`
			`multi-line string here`

Add Reverse Proxy directives, GeoIP, Certificates management, mostly for RedHat 2017-03-09 12:44:32 +01:00			`LocationMatch:`
			`'^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':`
			`Require: False`
			`Formula_Append: \|`
			`RequestHeader set Host mail.example.com`

			`'^[.\\/]+([Ss][Vv][Cc])[.\\/]':`
			`Require: False`
			`Formula_Append: \|`
			`Require ip 123.123.13.6 84.24.25.74`

			`Proxy_control:`
			`'*':`
			`AllowAll: False`
			`AllowCountry:`
			`- DE`
			`AllowIP:`
			`- 12.5.25.32`
			`- 12.5.25.33`

Add example code for new templates 'redirect.tmpl' and 'proxy.tmpl'. 2015-02-15 00:12:13 +01:00
Added support for Alias and Locations, as well as enabling Dav 2015-12-09 06:48:08 +01:00			`Alias:`
			`/docs: /usr/share/docs`

Added apache.vhost formula 2013-08-28 00:27:01 +02:00			`Formula_Append: \|`
			`Additional config as a`
			`multi-line string here`

Moved all Pillar examples under the same dictionary key Having multiple different examples in the same file was causing confusion. 2014-06-18 21:38:02 +02:00			# ``apache.debian_full`` formula additional configuration:
Updated README with these changes moved Pillar examples into pillar file 2013-08-13 23:12:57 +02:00			`register-site:`
			`# any name as an array index, and you can duplicate this section`
Removed Jinja-esque placeholders from example Pillar; added instructions The structure of this example file was quite confusing. Most of these values are not required and should be denoted as such. Jinja notiation to denote re-used Pillar values was also a bad and confusing choice. Closes #8 2014-06-18 21:48:28 +02:00			`UNIQUE_VALUE_HERE:`
Updated README with these changes moved Pillar examples into pillar file 2013-08-13 23:12:57 +02:00			`name: 'my name'`
			`path: 'salt://path/to/sites-available/conf/file'`
			`state: 'enabled'`
Add optional templating to register_site Add optional templating for the register site aspect of a pillar. User can specify keys to be included as defaults, otherwise it is treated as a normal managed file. 2015-03-18 18:36:19 +01:00			`# Optional - use managed file as Jinja Template`
			`#template: true`
			`#defaults:`
			`# custom_var: "default value"`
Add ability to specify modules in pillar 2014-11-21 00:37:14 +01:00
			`modules:`
			`enabled: # List modules to enable`
			`- ldap`
			`- ssl`
			`disabled: # List modules to disable`
			`- rewrite`
Added ability to manage security settings By reassigning options with `blockreplace` at `/etc/apache2/conf-available/security.conf`, which is linked as conf-enabled by default on Debian packages 2015-12-14 15:12:20 +01:00
Added ability to configure KeepAlive option Sometimes it's necessary optimization in nginx+apache2 environment 2015-12-17 00:40:48 +01:00			`# KeepAlive: Whether or not to allow persistent connections (more than`
			`# one request per connection). Set to "Off" to deactivate.`
Fixed YAML parsing On/Off as True/False True and False are not correct values for apache config 2015-12-17 00:50:37 +01:00			`keepalive: 'On'`
Added ability to configure KeepAlive option Sometimes it's necessary optimization in nginx+apache2 environment 2015-12-17 00:40:48 +01:00
Added ability to manage security settings By reassigning options with `blockreplace` at `/etc/apache2/conf-available/security.conf`, which is linked as conf-enabled by default on Debian packages 2015-12-14 15:12:20 +01:00			`security:`
			`# can be Full \| OS \| Minimal \| Minor \| Major \| Prod`
			`# where Full conveys the most information, and Prod the least.`
			`ServerTokens: Prod`
Follow-up to 8f2308b98 2015-12-16 01:09:48 +01:00
			# ``apache.mod_remoteip`` formula additional configuration:
			`mod_remoteip:`
			`RemoteIPHeader: X-Forwarded-For`
			`RemoteIPTrustedProxy:`
			`- 10.0.8.0/24`
Added newlines to recent files 2015-12-16 14:42:59 +01:00			`- 127.0.0.1`
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation 2016-05-11 03:48:26 +02:00
			# ``apache.mod_security`` formula additional configuration:
			`mod_security:`
			`crs_install: True`
			`# If not set, default distro's configuration is installed as is`
			`manage_config: True`
			`sec_rule_engine: 'On'`
			`sec_request_body_access: 'On'`
			`sec_request_body_limit: '14000000'`
			`sec_request_body_no_files_limit: '114002'`
			`sec_request_body_in_memory_limit: '114002'`
			`sec_request_body_limit_action: 'Reject'`
			`sec_pcre_match_limit: '15000'`
			`sec_pcre_match_limit_recursion: '15000'`
			`sec_debug_log_level: '3'`

add modsecurity rules state 2016-09-23 11:12:37 +02:00			`rules:`
			`enabled:`
			`modsecurity_crs_10_setup.conf:`
			`rule_set: ''`
			`enabled: True`
			`modsecurity_crs_20_protocol_violations.conf:`
			`rule_set: 'base_rules'`
			`enabled: False`

			`custom_rule_files:`
			`# any name as an array index, and you can duplicate this section`
			`UNIQUE_VALUE_HERE:`
			`file: 'my name'`
			`path: 'salt://path/to/modsecurity/custom/file'`
			`enabled: True`
Manage TLS defaults 2018-01-10 01:24:17 +01:00
			`mod_ssl:`
			`# set this to True if you want to override your distributions default TLS configuration`
			`manage_tls_defaults: False`
			`# This stuff is deliberately not configured via map.jinja resp. apache:lookup.`
			`# We're unable to know sane defaults for each release of every distribution.`
			`# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion`
			`# Have a look at bettercrypto.org for up-to-date settings.`
			`# These are default values:`
			`SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA`
			`# Mitigate the CRIME attack`
			`SSLCompression: Off`
			`SSLProtocol: all -SSLv2 -SSLv3 -TLSv1`
			`SSLHonorCipherOrder: On`
			`SSLOptions: "+StrictRequire"`