From 5fa91b7b918a8cdebb5704a51944706c8679fc1c Mon Sep 17 00:00:00 2001
From: Alexander Weidinger
Date: Wed, 17 May 2017 07:53:58 +0200
Subject: [PATCH 01/11] Template security.conf in Debian Including optional per-OS templates (Solves https://github.com/saltstack-formulas/apache-formula/issues/153)
---
.../files/{FreeBSD => }/security.conf.jinja | 0
apache/manage_security.sls | 47 +++++++------------
2 files changed, 16 insertions(+), 31 deletions(-)
rename apache/files/{FreeBSD => }/security.conf.jinja (100%)
diff --git a/apache/files/FreeBSD/security.conf.jinja b/apache/files/security.conf.jinja
similarity index 100%
rename from apache/files/FreeBSD/security.conf.jinja
rename to apache/files/security.conf.jinja
diff --git a/apache/manage_security.sls b/apache/manage_security.sls
index c55a140..15adfe3 100644
--- a/apache/manage_security.sls
+++ b/apache/manage_security.sls
@@ -1,43 +1,28 @@
{% from "apache/map.jinja" import apache with context %}
+{%- macro security_config(name) %}
+{{ name }}:
+ file.managed:
+ - source:
+ - salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
+ - salt://apache/files/security.conf.jinja
+ - mode: 644
+ - template: jinja
+ - require:
+ - pkg: apache
+ - watch_in:
+ - module: apache-restart
+{%- endmacro %}
+
include:
- apache
{% if grains['os_family']=="Debian" %}
{% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %}
-apache_security-block:
- file.blockreplace:
- - name: /etc/apache2/conf-available/security.conf
- - marker_start: "# START managed zone -DO-NOT-EDIT-"
- - marker_end: "# END managed zone --"
- - append_if_not_found: True
- - show_changes: True
- - require:
- - pkg: apache
- - watch_in:
- - module: apache-reload
-
-{% for option, value in salt['pillar.get']('apache:security', {}).items() %}
-apache_manage-security-{{ option }}:
- file.accumulated:
- - filename: /etc/apache2/conf-available/security.conf
- - name: apache_manage-security-add-{{ option }}
- - text: "{{ option }} {{ value }}"
- - require_in:
- - file: apache_security-block
-{% endfor %}
-
+{{ security_config('/etc/apache2/conf-available/security.conf') }}
{% endif %}
{% elif grains['os_family']=="FreeBSD" %}
-{{ apache.confdir }}/security.conf:
- file.managed:
- - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
- - mode: 644
- - template: jinja
- - require:
- - pkg: apache
- - watch_in:
- - module: apache-restart
+{{ security_config(apache.confdir+'/security.conf') }}
{% endif %}
From 429039819def9f2738fb5a39b2d420345019693b Mon Sep 17 00:00:00 2001
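Review bot: The Debian branch now overwrites `/etc/apache2/conf-available/security.conf` from the template, and nothing in the new `security_config` macro reads the `apache:security` pillar that the removed `file.accumulated` loop used to merge into the distro file, so existing pillar settings are dropped silently unless the renamed `security.conf.jinja` (not shown) iterates that key itself. Debian's stock security.conf is where ServerTokens, ServerSignature and TraceEnable are normally set, so a site that had tightened those via pillar would regress to the template's values without any state failure. Either have the template loop over `salt['pillar.get']('apache:security', {})` or call the breaking change out in the commit message and README. A one-line comment on the macro, `{# replaces the whole file; per-option merging via apache:security is gone #}`, would also stop the next reader from looking for the old behaviour.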
From: Alexander Weidinger
Date: Wed, 3 Jan 2018 02:12:54 +0100
Subject: [PATCH 02/11] Fix CustomLog default values in templates
---
apache/vhosts/minimal.tmpl | 3 ++-
apache/vhosts/proxy.tmpl | 3 ++-
apache/vhosts/redirect.tmpl | 3 ++-
apache/vhosts/standard.tmpl | 3 ++-
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/apache/vhosts/minimal.tmpl b/apache/vhosts/minimal.tmpl
index 98fab2f..b7372f1 100644
--- a/apache/vhosts/minimal.tmpl
+++ b/apache/vhosts/minimal.tmpl
@@ -12,8 +12,9 @@
'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
- 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
+ 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log {1}'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %b"'),
+ 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %b" {0}'.format(sitename)),
'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename))
diff --git a/apache/vhosts/proxy.tmpl b/apache/vhosts/proxy.tmpl
index af791a1..f6b79b2 100644
--- a/apache/vhosts/proxy.tmpl
+++ b/apache/vhosts/proxy.tmpl
@@ -15,7 +15,8 @@
'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%a %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\""'),
- 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
+ 'LogFormat': site.get('LogFormat', '"%a %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"" {0}'.format(sitename)),
+ 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log {1}'.format(map.logdir, sitename)),
'ProxyRequests': site.get('ProxyRequests', 'Off'),
'ProxyPreserveHost': site.get('ProxyPreserveHost', 'On'),
diff --git a/apache/vhosts/redirect.tmpl b/apache/vhosts/redirect.tmpl
index 024cf36..d207793 100644
--- a/apache/vhosts/redirect.tmpl
+++ b/apache/vhosts/redirect.tmpl
@@ -16,7 +16,8 @@
'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %O"'),
- 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
+ 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %O" {0}'.format(sitename)),
+ 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log {1}'.format(map.logdir, sitename)),
'RedirectSource': site.get('RedirectSource', '/'),
'RedirectTarget': site.get('RedirectTarget', 'https://{0}/'.format(sitename)),
diff --git a/apache/vhosts/standard.tmpl b/apache/vhosts/standard.tmpl
index d37c796..880721f 100644
--- a/apache/vhosts/standard.tmpl
+++ b/apache/vhosts/standard.tmpl
@@ -17,7 +17,8 @@
'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s"'),
- 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
+ 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s" {0}'.format(sitename)),
+ 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log {1}'.format(map.logdir, sitename)),
'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename)),
'VirtualDocumentRoot': site.get('VirtualDocumentRoot'),
From e20189e94a72b6e634f370c4d6cfea30a38ee995 Mon Sep 17 00:00:00 2001
From: Alexander Weidinger
Date: Fri, 5 Jan 2018 00:59:57 +0100
Subject: [PATCH 03/11] Revert "Fix CustomLog default values in templates"
This reverts commit 429039819def9f2738fb5a39b2d420345019693b.
---
apache/vhosts/minimal.tmpl | 3 +--
apache/vhosts/proxy.tmpl | 3 +--
apache/vhosts/redirect.tmpl | 3 +--
apache/vhosts/standard.tmpl | 3 +--
4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/apache/vhosts/minimal.tmpl b/apache/vhosts/minimal.tmpl
index b7372f1..98fab2f 100644
--- a/apache/vhosts/minimal.tmpl
+++ b/apache/vhosts/minimal.tmpl
@@ -12,9 +12,8 @@
'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
- 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log {1}'.format(map.logdir, sitename)),
+ 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %b"'),
- 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %b" {0}'.format(sitename)),
'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename))
diff --git a/apache/vhosts/proxy.tmpl b/apache/vhosts/proxy.tmpl
index f6b79b2..af791a1 100644
--- a/apache/vhosts/proxy.tmpl
+++ b/apache/vhosts/proxy.tmpl
@@ -15,8 +15,7 @@
'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%a %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\""'),
- 'LogFormat': site.get('LogFormat', '"%a %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"" {0}'.format(sitename)),
- 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log {1}'.format(map.logdir, sitename)),
+ 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
'ProxyRequests': site.get('ProxyRequests', 'Off'),
'ProxyPreserveHost': site.get('ProxyPreserveHost', 'On'),
diff --git a/apache/vhosts/redirect.tmpl b/apache/vhosts/redirect.tmpl
index d207793..024cf36 100644
--- a/apache/vhosts/redirect.tmpl
+++ b/apache/vhosts/redirect.tmpl
@@ -16,8 +16,7 @@
'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %O"'),
- 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %O" {0}'.format(sitename)),
- 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log {1}'.format(map.logdir, sitename)),
+ 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
'RedirectSource': site.get('RedirectSource', '/'),
'RedirectTarget': site.get('RedirectTarget', 'https://{0}/'.format(sitename)),
diff --git a/apache/vhosts/standard.tmpl b/apache/vhosts/standard.tmpl
index 880721f..d37c796 100644
--- a/apache/vhosts/standard.tmpl
+++ b/apache/vhosts/standard.tmpl
@@ -17,8 +17,7 @@
'LogLevel': site.get('LogLevel', 'warn'),
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s"'),
- 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s" {0}'.format(sitename)),
- 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log {1}'.format(map.logdir, sitename)),
+ 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename)),
'VirtualDocumentRoot': site.get('VirtualDocumentRoot'),
From 08a21edb7301d2361d27614cec9305e79922251f Mon Sep 17 00:00:00 2001
From: Alexander Weidinger
Date: Fri, 5 Jan 2018 01:30:42 +0100
Subject: [PATCH 04/11] Actually fix CustomLog default values in templates
---
apache/vhosts/minimal.tmpl | 4 +++-
apache/vhosts/proxy.tmpl | 4 +++-
apache/vhosts/redirect.tmpl | 4 +++-
apache/vhosts/standard.tmpl | 3 ++-
4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/apache/vhosts/minimal.tmpl b/apache/vhosts/minimal.tmpl
index 98fab2f..38545cb 100644
--- a/apache/vhosts/minimal.tmpl
+++ b/apache/vhosts/minimal.tmpl
@@ -28,5 +28,7 @@
{% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %}
- {% if site.get('CustomLog') != False -%}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
+ {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
+ {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
+ CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
diff --git a/apache/vhosts/proxy.tmpl b/apache/vhosts/proxy.tmpl
index af791a1..b762a9e 100644
--- a/apache/vhosts/proxy.tmpl
+++ b/apache/vhosts/proxy.tmpl
@@ -40,7 +40,9 @@
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
- {% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
+ {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
+ {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
+ CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
{% if site.get('SSLCertificateFile') %}SSLEngine on
SSLCertificateFile {{ site.SSLCertificateFile }}
diff --git a/apache/vhosts/redirect.tmpl b/apache/vhosts/redirect.tmpl
index 024cf36..af86ea1 100644
--- a/apache/vhosts/redirect.tmpl
+++ b/apache/vhosts/redirect.tmpl
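Review bot: The added `CustomLog {{ vals.CustomLog }} {{ sitename }}` line always appends the site name as the format nickname, so a pillar `CustomLog` value that already carries a format or an `env=` condition renders with an extra trailing argument that httpd's config parser should reject (CustomLog takes a path, a format, and optionally one `env=`/`expr=` term). The `LogFormat {{ vals.LogFormat }} {{ sitename }}` line inside the CustomLog block has a second gap: the `site.get('LogFormat') != False` guard only wraps the line above it, so a site that disables LogFormat still renders `LogFormat False <sitename>` here. Worth either documenting in pillar.example that `CustomLog` must be a bare path when the defaults are used, or appending `{{ sitename }}` only when `site.get('CustomLog')` is unset. The same block is added to proxy.tmpl, redirect.tmpl and standard.tmpl in this patch.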
@@ -32,7 +32,9 @@
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
- {% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
+ {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
+ {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
+ CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }}
diff --git a/apache/vhosts/standard.tmpl b/apache/vhosts/standard.tmpl
index d37c796..30684b0 100644
--- a/apache/vhosts/standard.tmpl
+++ b/apache/vhosts/standard.tmpl
@@ -53,7 +53,8 @@
{% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %}
{% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
- {% if site.get('CustomLog') != False -%}CustomLog {{ vals.CustomLog }} {% endif %}
+ {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
+ CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
{% if site.get('DocumentRoot') != False -%}DocumentRoot {{ vals.DocumentRoot }}{% endif %}
{% if site.get('VirtualDocumentRoot') -%}VirtualDocumentRoot {{ vals.VirtualDocumentRoot }}{% endif %}
From ac071586e02e97549c600c8f994b5ef887bd914c Mon Sep 17 00:00:00 2001
From: Louis Haddrell
Date: Fri, 5 Jan 2018 13:26:06 +0000
Subject: [PATCH 05/11] Replace apache.conf_mod_wsgi if statement syntax (fixes #209)
---
apache/mod_wsgi.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apache/mod_wsgi.sls b/apache/mod_wsgi.sls
index aa3fd21..fd00ac6 100644
--- a/apache/mod_wsgi.sls
+++ b/apache/mod_wsgi.sls
@@ -9,7 +9,7 @@ mod_wsgi:
- require:
- pkg: apache
-{% if apache.conf_mod_wsgi %}
+{% if 'conf_mod_wsgi' in apache %}
{{ apache.conf_mod_wsgi }}:
file.uncomment:
- regex: LoadModule
From cbc9ad29dcebfa3e1c5d9971a562dd39c1218b24 Mon Sep 17 00:00:00 2001
From: Alexander Weidinger
Date: Tue, 9 Jan 2018 22:11:19 +0100
Subject: [PATCH 06/11] map.jinja: corrected FreeBSD defaults (We were only supporting 2.4 anyway.)
---
apache/map.jinja | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/apache/map.jinja b/apache/map.jinja
index 38b10c1..4a34f58 100644
--- a/apache/map.jinja
+++ b/apache/map.jinja
@@ -89,27 +89,27 @@
'wwwdir': '/srv/www',
},
'FreeBSD': {
- 'server': 'apache22',
- 'service': 'apache22',
+ 'server': 'apache24',
+ 'service': 'apache24',
'user': 'www',
'group': 'www',
- 'configfile': '/usr/local/etc/apache22/httpd.conf',
- 'portsfile': '/usr/local/etc/apache22/ports.conf',
+ 'configfile': '/usr/local/etc/apache24/httpd.conf',
+ 'portsfile': '/usr/local/etc/apache24/ports.conf',
'mod_php5': 'mod_php56',
- 'mod_perl2': 'ap22-mod_perl2',
- 'mod_wsgi': 'ap22-mod_wsgi3',
+ 'mod_perl2': 'ap24-mod_perl2',
+ 'mod_wsgi': 'ap24-mod_wsgi3',
- 'vhostdir': '/usr/local/etc/apache22/Includes',
- 'confdir': '/usr/local/etc/apache22/extra',
- 'modulesdir': '/usr/local/etc/apache22/modules.d',
- 'global_document_root': '/usr/local/www/apache22/data',
+ 'vhostdir': '/usr/local/etc/apache24/Includes',
+ 'confdir': '/usr/local/etc/apache24/extra',
+ 'modulesdir': '/usr/local/etc/apache24/modules.d',
+ 'global_document_root': '/usr/local/www/apache24/data',
'confext': '',
'default_site': 'default',
'default_site_ssl': 'default-ssl',
'logdir': '/var/log/',
- 'wwwdir': '/usr/local/www/apache22/',
+ 'wwwdir': '/usr/local/www/apache24/',
},
'Arch': {
'server': 'apache',
From 9de23727890dc1cab64462613b16600710effab7 Mon Sep 17 00:00:00 2001
From: Alexander Weidinger
Date: Tue, 9 Jan 2018 23:38:47 +0100
Subject: [PATCH 07/11] map.jinja: corrected Debian's confdir
---
apache/map.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apache/map.jinja b/apache/map.jinja
index 4a34f58..cae2034 100644
--- a/apache/map.jinja
+++ b/apache/map.jinja
@@ -38,7 +38,7 @@
'mod_fastcgi': 'libapache2-mod-fastcgi',
'vhostdir': '/etc/apache2/sites-available',
- 'confdir': '/etc/apache2/conf.d',
+ 'confdir': '/etc/apache2/conf-available',
'confext': '.conf',
'default_site': 'default',
'default_site_ssl': 'default-ssl',
From d3110f93f63f43eed4e4bda27bec478b79a87213 Mon Sep 17 00:00:00 2001
From: Alexander Weidinger
Date: Wed, 10 Jan 2018 01:24:17 +0100
Subject: [PATCH 08/11] Manage TLS defaults
---
apache/files/FreeBSD/apache-2.4.config.jinja | 4 +++
apache/files/Suse/apache-2.4.config.jinja | 4 +++
apache/files/tls-defaults.conf.jinja | 18 +++++++++++
apache/mod_ssl.sls | 32 ++++++++++++++++++++
pillar.example | 17 ++++++++++-
5 files changed, 74 insertions(+), 1 deletion(-)
create mode 100644 apache/files/tls-defaults.conf.jinja
diff --git a/apache/files/FreeBSD/apache-2.4.config.jinja b/apache/files/FreeBSD/apache-2.4.config.jinja
index d9e1639..0d9d19a 100644
--- a/apache/files/FreeBSD/apache-2.4.config.jinja
+++ b/apache/files/FreeBSD/apache-2.4.config.jinja
@@ -526,5 +526,9 @@ TraceEnable Off
# Well, IncludeOptional behaved lile Include
IncludeOptional etc/apache24/extra/security.con[f]
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include etc/apache24/extra/tls-defaults.conf
+{%- endif %}
+
Include etc/apache24/Includes/*.conf
diff --git a/apache/files/Suse/apache-2.4.config.jinja b/apache/files/Suse/apache-2.4.config.jinja
index 4b2c40d..310ba7f 100644
--- a/apache/files/Suse/apache-2.4.config.jinja
+++ b/apache/files/Suse/apache-2.4.config.jinja
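Review bot: Pointing Debian's `confdir` at `/etc/apache2/conf-available` changes what every state that writes `{{ apache.confdir }}/<name>.conf` achieves: a file in conf-available is inert until `a2enconf` links it into conf-enabled, whereas the old `conf.d` value was a directory httpd read directly on the 2.2 layout. The tls-defaults state later in this series pairs its file with an `a2enconf` run, but any other consumer of `confdir` (not visible in this hunk) would need the same treatment or will silently stop taking effect. A comment beside the key, `{# Debian 2.4 layout: files here need a2enconf before httpd loads them #}`, would make that contract explicit.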
@@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf
# any virtual host
Include /etc/apache2/ssl-global.conf
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include /etc/apache24/conf.d/tls-defaults.conf
+{%- %}
+
# global (server-wide) protocol configuration, that is not specific
# to any virtual host
Include /etc/apache2/protocols.conf
diff --git a/apache/files/tls-defaults.conf.jinja b/apache/files/tls-defaults.conf.jinja
new file mode 100644
index 0000000..9ee0a67
--- /dev/null
+++ b/apache/files/tls-defaults.conf.jinja
@@ -0,0 +1,18 @@
+# Managed by saltstack
+
+{% set data = {
+ 'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA',
+ 'SSLCompression': 'Off',
+ 'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1',
+ 'SSLHonorCipherOrder': 'On',
+ 'SSLOptions': '+StrictRequire',
+} -%}
+{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %}
+
+
+{%- for key, value in data.items() %}
+{%- if not key == 'manage_tls_defaults' %}
+{{ key }} {{ value }}
+{%- endif %}
+{%- endfor %}
+
diff --git a/apache/mod_ssl.sls b/apache/mod_ssl.sls
index 744115b..e11557d 100644
--- a/apache/mod_ssl.sls
+++ b/apache/mod_ssl.sls
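Review bot: `{%- %}` on the third added line is not a valid Jinja tag, so this template fails to render on SUSE whenever it is used, independent of the pillar flag; it should be `{%- endif %}` as in the FreeBSD counterpart in this patch. The path `/etc/apache24/conf.d/tls-defaults.conf` also looks carried over from the FreeBSD layout: every other Include in this hunk lives under `/etc/apache2/`, and mod_ssl.sls writes the file to `{{ apache.confdir }}/tls-defaults.conf`, so unless SUSE's confdir really is `/etc/apache24/conf.d` (not shown) httpd will refuse to start on the missing Include. Rendering the path from the same map value mod_ssl.sls uses, if the map is in scope for this template, would keep the two from drifting.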
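Review bot: The `for key, value in data.items()` loop turns every key under the `apache:mod_ssl` pillar into an Apache directive and skips only `manage_tls_defaults`, so any further control key added to that pillar later, or a typo, becomes an unknown directive that breaks the config test. An allowlist of the SSL directives the template intends to manage, or a dedicated sub-key such as `apache:mod_ssl:directives`, would be more robust than the single-entry denylist. On the defaults, `SSLProtocol all -SSLv2 -SSLv3 -TLSv1` still leaves TLSv1.1 enabled; `all -SSLv3 -TLSv1 -TLSv1.1` matches current guidance, and a comment in the template naming the source of the cipher string (pillar.example in this patch points at bettercrypto.org) would tell the next maintainer where to refresh it from.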
@@ -42,3 +42,35 @@ include:
- module: apache-restart
{% endif %}
+
+{{ apache.confdir }}/tls-defaults.conf:
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+ file.managed:
+ - source: salt://apache/files/tls-defaults.conf.jinja
+ - mode: 644
+ - template: jinja
+{% else %}
+ file.absent:
+{% endif %}
+ - require:
+ - pkg: apache
+ - watch_in:
+ - module: apache-restart
+
+{% if grains['os_family']=="Debian" %}
+a2endisconf tls-defaults:
+ cmd.run:
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+ - name: a2enconf tls-defaults
+ - unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+{% else %}
+ - name: a2disconf tls-defaults
+ - onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+{% endif %}
+ - order: 225
+ - require:
+ - pkg: apache
+ - file: {{ apache.confdir }}/tls-defaults.conf
+ - watch_in:
+ - module: apache-restart
+{% endif %}
diff --git a/pillar.example b/pillar.example
index 845a131..185a535 100644
--- a/pillar.example
+++ b/pillar.example
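Review bot: With `manage_tls_defaults` at its default of False the else branch is not a no-op: it runs `file.absent` on `{{ apache.confdir }}/tls-defaults.conf` and `a2disconf tls-defaults` on every host, which also removes a file an operator may manage under that name outside Salt, so an opt-in feature should probably do nothing until opted in (or gate removal on its own explicit flag). The `unless`/`onlyif` checks hard-code `/etc/apache2/conf-enabled/` while the file state uses `{{ apache.confdir }}`, so the two can drift the next time the map changes, as it did in the previous patch. Only the FreeBSD and SUSE httpd templates gain an Include for this file in the series and Debian relies on a2enconf, so on any other os_family the flag writes a file nothing loads; a comment on the state saying which families are covered, `{# loaded via a2enconf (Debian) or an Include in the httpd.conf template (FreeBSD, Suse) #}`, would save debugging time.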
@@ -313,4 +313,19 @@ apache:
file: 'my name'
path: 'salt://path/to/modsecurity/custom/file'
enabled: True
-
+
+ mod_ssl:
+ # set this to True if you want to override your distributions default TLS configuration
+ manage_tls_defaults: False
+ # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
+ # We're unable to know sane defaults for each release of every distribution.
+ # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
+ # Have a look at bettercrypto.org for up-to-date settings.
+ # These are default values:
+ SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+ # Mitigate the CRIME attack
+ SSLCompression: Off
+ SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
+ SSLHonorCipherOrder: On
+ SSLOptions: "+StrictRequire"
+
From 1b5e13a36cb0e046bc072e398adfbbef07b15131 Mon Sep 17 00:00:00 2001
From: Arthur Lutz
Date: Tue, 16 Jan 2018 10:04:16 +0100
Subject: [PATCH 09/11] Fix conflict ID #214
---
apache/mod_fcgid.sls | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apache/mod_fcgid.sls b/apache/mod_fcgid.sls
index 2aa8f67..66327df 100644
--- a/apache/mod_fcgid.sls
+++ b/apache/mod_fcgid.sls
@@ -11,8 +11,9 @@ mod-fcgid:
- pkg: apache
{% if grains['os_family']=="Debian" %}
-a2enmod fcgid:
+a2enmod fcgid for apache.mod_fcgid:
cmd.run:
+ - name: a2enmod fcgid
- order: 225
- unless: ls /etc/apache2/mods-enabled/fcgid.load
- require:
From 55c6010bde480314aa09ffb2126b75f15aad38ef Mon Sep 17 00:00:00 2001
From: emeygret
Date: Wed, 17 Jan 2018 08:36:03 +0100
Subject: [PATCH 10/11] pillar exemple for RedirectMatch directive
---
pillar.example | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/pillar.example b/pillar.example
index 185a535..c7652f8 100644
--- a/pillar.example
+++ b/pillar.example
@@ -86,6 +86,20 @@ apache:
Additional config as a multi-line string here
+ redirectmatch.com:
+ # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
+ # Require module mod_alias
+ enabled: True
+ template_file: salt://apache/vhosts/redirect.tmpl
+ ServerName: www.redirectmatch.com
+ ServerAlias: www.redirectmatch.com
+ RedirectMatch: true
+ RedirectSource: '^/$'
+ RedirectTarget: '/subdirectory'
+ DocumentRoot: /var/www/html/
+ ErrorLog: ${APACHE_LOG_DIR}/error.log
+ CustomLog: ${APACHE_LOG_DIR}/access.log
+
80-proxyexample.com:
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.proxyexample.com
From 853ec8e11853f56d1b3b17dc918ca9fbdae2ade2 Mon Sep 17 00:00:00 2001
From: Noel McLoughin
Date: Fri, 3 Nov 2017 16:59:12 +0000
Subject: [PATCH 11/11] Allow Skipping of service manipulation via pillar (+PR comments)
---
apache/init.sls | 16 ++++++++++++++++
pillar.example | 3 +++
2 files changed, 19 insertions(+)
diff --git a/apache/init.sls b/apache/init.sls
index 9731c5b..92c1d0e 100644
--- a/apache/init.sls
+++ b/apache/init.sls
@@ -10,6 +10,8 @@ apache:
- name: {{ apache.user }}
- gid: {{ apache.group }}
- system: True
+ {# By default run apache service states (unless pillar is false) #}
+ {% if salt['pillar.get']('apache:manage_service_states', True) %}
service.running:
- name: {{ apache.service }}
- enable: True
@@ -25,3 +27,17 @@ apache-restart:
module.wait:
- name: service.restart
- m_name: {{ apache.service }}
+
+ {% else %}
+
+apache-reload:
+ test.show_notification:
+ - name: Skipping reload per user request
+ - text: Pillar manage_service_states is False
+
+apache-restart:
+ test.show_notification:
+ - name: Skipping restart per user request
+ - text: Pillar manage_service_states is False
+
+ {% endif %}
diff --git a/pillar.example b/pillar.example
index c7652f8..35d0ee5 100644
--- a/pillar.example
+++ b/pillar.example
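Review bot: In the `{% else %}` branch `apache-reload` and `apache-restart` become `test.show_notification` states, but the rest of the formula references them as `- module: apache-restart` / `- module: apache-reload` in `watch_in` (mod_ssl.sls and manage_security.sls earlier in this series do), and Salt matches a requisite on both the state module and the id, so with `manage_service_states: False` those requisites should fail to resolve and abort the highstate rather than skipping quietly. Keeping both ids as `module.wait` states whose `name` is a harmless execution function such as `test.echo` would satisfy the existing requisites while still skipping the service action. The `{% if %}` opens inside the `apache` id between `user.present` and `service.running` and only closes at the end of the file, which deserves a comment at the `{% else %}` since the two hunks are separated by other states; the first hunk's enclosing `apache` id starts before the hunk.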
@@ -1,6 +1,9 @@
# ``apache`` formula configuration:
apache:
+ # By default apache restart/reload states run (false skips)
+ manage_service_states: True
+
# lookup section overrides ``map.jinja`` values
lookup:
server: apache2