Merge branch 'master' into 217-customlog

Arthur Lutz 2018-01-30 14:24:16 +01:00 committed by GitHub
commit fd23f29cf8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 147 additions and 49 deletions


@ -526,5 +526,9 @@ TraceEnable Off
# Well, IncludeOptional behaved lile Include # Well, IncludeOptional behaved lile Include
IncludeOptional etc/apache24/extra/security.con[f] IncludeOptional etc/apache24/extra/security.con[f]
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
Include etc/apache24/extra/tls-defaults.conf
{%- endif %}
Include etc/apache24/Includes/*.conf Include etc/apache24/Includes/*.conf


@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf
# any virtual host # any virtual host
Include /etc/apache2/ssl-global.conf Include /etc/apache2/ssl-global.conf
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
Include /etc/apache24/conf.d/tls-defaults.conf
{%- %}
# global (server-wide) protocol configuration, that is not specific # global (server-wide) protocol configuration, that is not specific
# to any virtual host # to any virtual host
Include /etc/apache2/protocols.conf Include /etc/apache2/protocols.conf
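Review bot: `{%- %}` at L27 is an empty Jinja statement, which raises a TemplateSyntaxError and makes the whole httpd.conf template fail to render for this platform; it should read `{%- endif %}` as the sibling template at L17 does. The included path `/etc/apache24/conf.d/tls-defaults.conf` at L26 also matches neither the `/etc/apache2/...` prefix of the surrounding includes nor any `confdir` value set in this commit's map.jinja (Debian `/etc/apache2/conf-available`, FreeBSD `/usr/local/etc/apache24/extra`), so unless another platform entry defines that directory the Include points at a file mod_ssl.sls never writes. If the `apache` map is in this template's context, `Include {{ apache.confdir }}/tls-defaults.conf` keeps the two in step; otherwise the literal path needs to be the one the state actually manages for this distribution.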


@ -0,0 +1,18 @@
# Managed by saltstack
{% set data = {
'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA',
'SSLCompression': 'Off',
'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1',
'SSLHonorCipherOrder': 'On',
'SSLOptions': '+StrictRequire',
} -%}
{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %}
<IfModule mod_ssl.c>
{%- for key, value in data.items() %}
{%- if not key == 'manage_tls_defaults' %}
{{ key }} {{ value }}
{%- endif %}
{%- endfor %}
</IfModule>
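Review bot: The directive order emitted by the loop at L45 follows `data.items()`, whose iteration order on the Python 2 interpreters Salt commonly ran on at this time is hash-dependent and may differ between runs or hosts, so file.managed can report spurious diffs and the `watch_in` on apache-restart can fire with no real change; `{%- for key, value in data|dictsort %}` makes the rendered file stable. Pillar values merged at L43 are written verbatim, so `SSLCompression: Off` or `SSLHonorCipherOrder: On` given unquoted in pillar arrive as YAML booleans and render as `SSLCompression False` / `SSLHonorCipherOrder True`; Apache's flag parser appears to accept those spellings case-insensitively, but quoting them in the pillar example avoids depending on it. On the defaults themselves, `SSLProtocol` at L39 still admits TLSv1.1 and the cipher string at L37 keeps non-forward-secret RSA/CBC suites (`AES256-SHA`, `AES128-SHA`, ...) as trailing fallbacks; a header comment stating the source and date of these defaults (`# Defaults derived from bettercrypto.org; review periodically, override via pillar apache:mod_ssl`) would help operators who inherit them know they are a snapshot rather than a maintained policy.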


@ -10,6 +10,8 @@ apache:
- name: {{ apache.user }} - name: {{ apache.user }}
- gid: {{ apache.group }} - gid: {{ apache.group }}
- system: True - system: True
{# By default run apache service states (unless pillar is false) #}
{% if salt['pillar.get']('apache:manage_service_states', True) %}
service.running: service.running:
- name: {{ apache.service }} - name: {{ apache.service }}
- enable: True - enable: True
@ -25,3 +27,17 @@ apache-restart:
module.wait: module.wait:
- name: service.restart - name: service.restart
- m_name: {{ apache.service }} - m_name: {{ apache.service }}
{% else %}
apache-reload:
test.show_notification:
- name: Skipping reload per user request
- text: Pillar manage_service_states is False
apache-restart:
test.show_notification:
- name: Skipping restart per user request
- text: Pillar manage_service_states is False
{% endif %}
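Review bot: When `manage_service_states` is False the IDs `apache-reload` and `apache-restart` become `test.show_notification` states (L68-L75), but the requisites elsewhere in this commit still address them as `- module: apache-restart` / `- module: apache-reload` (for example L93, L196 and L212), and Salt resolves a requisite by both state module and ID, so those dependants would fail with an unresolved requisite rather than being skipped. Keeping the two IDs under `module.wait` with a harmless name (e.g. `- name: test.true`) in the else branch preserves every existing `- module:` reference; otherwise each dependant needs a matching `- test:` form inside the same conditional. The `{% if %}` opened at L59 also wraps the `apache` ID's `service.running` block, so the enclosing state file continues outside the hunk.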


@ -1,43 +1,28 @@
{% from "apache/map.jinja" import apache with context %} {% from "apache/map.jinja" import apache with context %}
{%- macro security_config(name) %}
{{ name }}:
file.managed:
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
- salt://apache/files/security.conf.jinja
- mode: 644
- template: jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{%- endmacro %}
include: include:
- apache - apache
{% if grains['os_family']=="Debian" %} {% if grains['os_family']=="Debian" %}
{% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %} {% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %}
apache_security-block: {{ security_config('/etc/apache2/conf-available/security.conf') }}
file.blockreplace:
- name: /etc/apache2/conf-available/security.conf
- marker_start: "# START managed zone -DO-NOT-EDIT-"
- marker_end: "# END managed zone --"
- append_if_not_found: True
- show_changes: True
- require:
- pkg: apache
- watch_in:
- module: apache-reload
{% for option, value in salt['pillar.get']('apache:security', {}).items() %}
apache_manage-security-{{ option }}:
file.accumulated:
- filename: /etc/apache2/conf-available/security.conf
- name: apache_manage-security-add-{{ option }}
- text: "{{ option }} {{ value }}"
- require_in:
- file: apache_security-block
{% endfor %}
{% endif %} {% endif %}
{% elif grains['os_family']=="FreeBSD" %} {% elif grains['os_family']=="FreeBSD" %}
{{ apache.confdir }}/security.conf: {{ security_config(apache.confdir+'/security.conf') }}
file.managed:
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
- mode: 644
- template: jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{% endif %} {% endif %}
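Review bot: The Debian branch now replaces the distribution's `/etc/apache2/conf-available/security.conf` wholesale through `security_config()` at L99 instead of the old blockreplace plus accumulated markers, so local edits outside the former managed zone are overwritten on the next run and the `apache:security` pillar options handled at old L110-L118 only survive if `security.conf.jinja` reads them; a header comment stating that the file is fully managed and where per-option pillar values now go would make that explicit. `- mode: 644` at L88 is an unquoted integer; Salt normalises it, but `- mode: "0644"` is the documented spelling and avoids YAML typing surprises. The `watch_in` also moved from `apache-reload` (old L109) to `apache-restart` (L93), so a security.conf change now restarts the service rather than reloading it, which is worth calling out in the commit if intended. The pre-existing `file.file_exists` guard at L98 still means a fresh host gets no managed security.conf on the first highstate, since the package is not yet installed at render time.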


@ -38,7 +38,7 @@
'mod_fastcgi': 'libapache2-mod-fastcgi', 'mod_fastcgi': 'libapache2-mod-fastcgi',
'vhostdir': '/etc/apache2/sites-available', 'vhostdir': '/etc/apache2/sites-available',
'confdir': '/etc/apache2/conf.d', 'confdir': '/etc/apache2/conf-available',
'confext': '.conf', 'confext': '.conf',
'default_site': 'default', 'default_site': 'default',
'default_site_ssl': 'default-ssl', 'default_site_ssl': 'default-ssl',
@ -89,27 +89,27 @@
'wwwdir': '/srv/www', 'wwwdir': '/srv/www',
}, },
'FreeBSD': { 'FreeBSD': {
'server': 'apache22', 'server': 'apache24',
'service': 'apache22', 'service': 'apache24',
'user': 'www', 'user': 'www',
'group': 'www', 'group': 'www',
'configfile': '/usr/local/etc/apache22/httpd.conf', 'configfile': '/usr/local/etc/apache24/httpd.conf',
'portsfile': '/usr/local/etc/apache22/ports.conf', 'portsfile': '/usr/local/etc/apache24/ports.conf',
'mod_php5': 'mod_php56', 'mod_php5': 'mod_php56',
'mod_perl2': 'ap22-mod_perl2', 'mod_perl2': 'ap24-mod_perl2',
'mod_wsgi': 'ap22-mod_wsgi3', 'mod_wsgi': 'ap24-mod_wsgi3',
'vhostdir': '/usr/local/etc/apache22/Includes', 'vhostdir': '/usr/local/etc/apache24/Includes',
'confdir': '/usr/local/etc/apache22/extra', 'confdir': '/usr/local/etc/apache24/extra',
'modulesdir': '/usr/local/etc/apache22/modules.d', 'modulesdir': '/usr/local/etc/apache24/modules.d',
'global_document_root': '/usr/local/www/apache22/data', 'global_document_root': '/usr/local/www/apache24/data',
'confext': '', 'confext': '',
'default_site': 'default', 'default_site': 'default',
'default_site_ssl': 'default-ssl', 'default_site_ssl': 'default-ssl',
'logdir': '/var/log/', 'logdir': '/var/log/',
'wwwdir': '/usr/local/www/apache22/', 'wwwdir': '/usr/local/www/apache24/',
}, },
'Arch': { 'Arch': {
'server': 'apache', 'server': 'apache',
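Review bot: Changing the Debian `confdir` at L137 from `/etc/apache2/conf.d` to `/etc/apache2/conf-available` changes semantics, not only a path: files in conf-available are inert until `a2enconf` links them into conf-enabled, which the new mod_ssl states do for tls-defaults.conf, but any other state or user lookup that writes into `apache.confdir` on Debian expecting automatic inclusion will silently stop being loaded. A comment beside the key, `# Debian: conf-available is not auto-included; pair writes with a2enconf`, records the contract. The FreeBSD apache22 to apache24 bump at L145-L162 renames packages and paths consistently and raises nothing further.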


@ -11,8 +11,9 @@ mod-fcgid:
- pkg: apache - pkg: apache
{% if grains['os_family']=="Debian" %} {% if grains['os_family']=="Debian" %}
a2enmod fcgid: a2enmod fcgid for apache.mod_fcgid:
cmd.run: cmd.run:
- name: a2enmod fcgid
- order: 225 - order: 225
- unless: ls /etc/apache2/mods-enabled/fcgid.load - unless: ls /etc/apache2/mods-enabled/fcgid.load
- require: - require:


@ -42,3 +42,35 @@ include:
- module: apache-restart - module: apache-restart
{% endif %} {% endif %}
{{ apache.confdir }}/tls-defaults.conf:
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
file.managed:
- source: salt://apache/files/tls-defaults.conf.jinja
- mode: 644
- template: jinja
{% else %}
file.absent:
{% endif %}
- require:
- pkg: apache
- watch_in:
- module: apache-restart
{% if grains['os_family']=="Debian" %}
a2endisconf tls-defaults:
cmd.run:
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
- name: a2enconf tls-defaults
- unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
{% else %}
- name: a2disconf tls-defaults
- onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
{% endif %}
- order: 225
- require:
- pkg: apache
- file: {{ apache.confdir }}/tls-defaults.conf
- watch_in:
- module: apache-restart
{% endif %}
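Review bot: In the `manage_tls_defaults: False` path, `a2disconf tls-defaults` (L204) is ordered after the `file.absent` of `{{ apache.confdir }}/tls-defaults.conf` by the `require` at L210, so the helper runs once the conf-available file is already gone; if a2disconf declines to act on a conf whose available file is missing, the conf-enabled symlink is left dangling and the next restart may fail when Apache tries to include it. Running the cmd before the file state in that branch, or simply using `file.absent` on `/etc/apache2/conf-enabled/tls-defaults.conf`, removes the dependence on the helper's behaviour. `- mode: 644` at L188 should be quoted as `"0644"` for the same reason as elsewhere in this commit. The interaction with `manage_service_states: False` for the `- module: apache-restart` requisites at L196 and L212 is covered in the note on the init.sls hunk.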


@ -9,7 +9,7 @@ mod_wsgi:
- require: - require:
- pkg: apache - pkg: apache
{% if apache.conf_mod_wsgi %} {% if 'conf_mod_wsgi' in apache %}
{{ apache.conf_mod_wsgi }}: {{ apache.conf_mod_wsgi }}:
file.uncomment: file.uncomment:
- regex: LoadModule - regex: LoadModule
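Review bot: `{% if 'conf_mod_wsgi' in apache %}` at L220 fixes the failure on maps that omit the key, but it also changes what a present-but-empty value does: `conf_mod_wsgi: ''` or `False` used to skip the block and now renders a state with an empty ID, which Salt cannot use. `{% if apache.get('conf_mod_wsgi') %}` keeps the original falsy-skip and the new missing-key tolerance in one expression. The enclosing mod_wsgi state continues outside the hunk.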


@ -28,5 +28,7 @@
{% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %} {% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %} {% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %}
{% if site.get('CustomLog') != False -%}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %} {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
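Review bot: The new `LogFormat {{ vals.LogFormat }} {{ sitename }}` at L231 turns the value that was previously passed straight to `CustomLog` as its format argument (old L230) into the definition of a per-vhost nickname, so a pillar that sets `LogFormat` to an existing nickname such as `combined` — which the old form allowed — would presumably now produce `LogFormat combined <sitename>`, a literal format string rather than the predefined one; whether that breaks anyone depends on what users put in that key, so the pillar example should state whether `LogFormat` is a format string or a nickname. On the new side `LogFormat {{ vals.LogFormat }}` is also emitted unconditionally at L230 whenever the key is not False, so the same format is written twice per vhost when both keys are enabled; if the goal is only an explicit format for CustomLog, `CustomLog {{ vals.CustomLog }} "{{ vals.LogFormat }}"` avoids both the duplication and the nickname question. The same change appears in the hunks ending at L242 and L253, and this note applies to them as well.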
</VirtualHost> </VirtualHost>


@ -40,7 +40,9 @@
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %} {% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %} {% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
{% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %} {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
{% if site.get('SSLCertificateFile') %}SSLEngine on {% if site.get('SSLCertificateFile') %}SSLEngine on
SSLCertificateFile {{ site.SSLCertificateFile }} SSLCertificateFile {{ site.SSLCertificateFile }}


@ -32,7 +32,9 @@
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %} {% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %} {% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
{% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %} {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }} Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }}


@ -1,6 +1,9 @@
# ``apache`` formula configuration: # ``apache`` formula configuration:
apache: apache:
# By default apache restart/reload states run (false skips)
manage_service_states: True
# lookup section overrides ``map.jinja`` values # lookup section overrides ``map.jinja`` values
lookup: lookup:
server: apache2 server: apache2
@ -86,6 +89,20 @@ apache:
Additional config as a Additional config as a
multi-line string here multi-line string here
redirectmatch.com:
# Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
# Require module mod_alias
enabled: True
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.redirectmatch.com
ServerAlias: www.redirectmatch.com
RedirectMatch: true
RedirectSource: '^/$'
RedirectTarget: '/subdirectory'
DocumentRoot: /var/www/html/
ErrorLog: ${APACHE_LOG_DIR}/error.log
CustomLog: ${APACHE_LOG_DIR}/access.log
80-proxyexample.com: 80-proxyexample.com:
template_file: salt://apache/vhosts/redirect.tmpl template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.proxyexample.com ServerName: www.proxyexample.com
@ -313,4 +330,19 @@ apache:
file: 'my name' file: 'my name'
path: 'salt://path/to/modsecurity/custom/file' path: 'salt://path/to/modsecurity/custom/file'
enabled: True enabled: True
mod_ssl:
# set this to True if you want to override your distributions default TLS configuration
manage_tls_defaults: False
# This stuff is deliberately not configured via map.jinja resp. apache:lookup.
# We're unable to know sane defaults for each release of every distribution.
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
# Have a look at bettercrypto.org for up-to-date settings.
# These are default values:
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Mitigate the CRIME attack
SSLCompression: Off
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder: On
SSLOptions: "+StrictRequire"