Merge branch 'master' into 217-customlog
This commit is contained in:
commit
fd23f29cf8
@ -526,5 +526,9 @@ TraceEnable Off
|
|||||||
# Well, IncludeOptional behaved lile Include
|
# Well, IncludeOptional behaved lile Include
|
||||||
IncludeOptional etc/apache24/extra/security.con[f]
|
IncludeOptional etc/apache24/extra/security.con[f]
|
||||||
|
|
||||||
|
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
|
||||||
|
Include etc/apache24/extra/tls-defaults.conf
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
Include etc/apache24/Includes/*.conf
|
Include etc/apache24/Includes/*.conf
|
||||||
|
|
||||||
|
@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf
|
|||||||
# any virtual host
|
# any virtual host
|
||||||
Include /etc/apache2/ssl-global.conf
|
Include /etc/apache2/ssl-global.conf
|
||||||
|
|
||||||
|
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
|
||||||
|
Include /etc/apache24/conf.d/tls-defaults.conf
|
||||||
|
{%- %}
|
||||||
|
|
||||||
# global (server-wide) protocol configuration, that is not specific
|
# global (server-wide) protocol configuration, that is not specific
|
||||||
# to any virtual host
|
# to any virtual host
|
||||||
Include /etc/apache2/protocols.conf
|
Include /etc/apache2/protocols.conf
|
||||||
|
18
apache/files/tls-defaults.conf.jinja
Normal file
18
apache/files/tls-defaults.conf.jinja
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
# Managed by saltstack
|
||||||
|
|
||||||
|
{% set data = {
|
||||||
|
'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA',
|
||||||
|
'SSLCompression': 'Off',
|
||||||
|
'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1',
|
||||||
|
'SSLHonorCipherOrder': 'On',
|
||||||
|
'SSLOptions': '+StrictRequire',
|
||||||
|
} -%}
|
||||||
|
{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %}
|
||||||
|
|
||||||
|
<IfModule mod_ssl.c>
|
||||||
|
{%- for key, value in data.items() %}
|
||||||
|
{%- if not key == 'manage_tls_defaults' %}
|
||||||
|
{{ key }} {{ value }}
|
||||||
|
{%- endif %}
|
||||||
|
{%- endfor %}
|
||||||
|
</IfModule>
|
@ -10,6 +10,8 @@ apache:
|
|||||||
- name: {{ apache.user }}
|
- name: {{ apache.user }}
|
||||||
- gid: {{ apache.group }}
|
- gid: {{ apache.group }}
|
||||||
- system: True
|
- system: True
|
||||||
|
{# By default run apache service states (unless pillar is false) #}
|
||||||
|
{% if salt['pillar.get']('apache:manage_service_states', True) %}
|
||||||
service.running:
|
service.running:
|
||||||
- name: {{ apache.service }}
|
- name: {{ apache.service }}
|
||||||
- enable: True
|
- enable: True
|
||||||
@ -25,3 +27,17 @@ apache-restart:
|
|||||||
module.wait:
|
module.wait:
|
||||||
- name: service.restart
|
- name: service.restart
|
||||||
- m_name: {{ apache.service }}
|
- m_name: {{ apache.service }}
|
||||||
|
|
||||||
|
{% else %}
|
||||||
|
|
||||||
|
apache-reload:
|
||||||
|
test.show_notification:
|
||||||
|
- name: Skipping reload per user request
|
||||||
|
- text: Pillar manage_service_states is False
|
||||||
|
|
||||||
|
apache-restart:
|
||||||
|
test.show_notification:
|
||||||
|
- name: Skipping restart per user request
|
||||||
|
- text: Pillar manage_service_states is False
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
@ -1,43 +1,28 @@
|
|||||||
{% from "apache/map.jinja" import apache with context %}
|
{% from "apache/map.jinja" import apache with context %}
|
||||||
|
|
||||||
|
{%- macro security_config(name) %}
|
||||||
|
{{ name }}:
|
||||||
|
file.managed:
|
||||||
|
- source:
|
||||||
|
- salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
|
||||||
|
- salt://apache/files/security.conf.jinja
|
||||||
|
- mode: 644
|
||||||
|
- template: jinja
|
||||||
|
- require:
|
||||||
|
- pkg: apache
|
||||||
|
- watch_in:
|
||||||
|
- module: apache-restart
|
||||||
|
{%- endmacro %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- apache
|
- apache
|
||||||
|
|
||||||
{% if grains['os_family']=="Debian" %}
|
{% if grains['os_family']=="Debian" %}
|
||||||
|
|
||||||
{% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %}
|
{% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %}
|
||||||
apache_security-block:
|
{{ security_config('/etc/apache2/conf-available/security.conf') }}
|
||||||
file.blockreplace:
|
|
||||||
- name: /etc/apache2/conf-available/security.conf
|
|
||||||
- marker_start: "# START managed zone -DO-NOT-EDIT-"
|
|
||||||
- marker_end: "# END managed zone --"
|
|
||||||
- append_if_not_found: True
|
|
||||||
- show_changes: True
|
|
||||||
- require:
|
|
||||||
- pkg: apache
|
|
||||||
- watch_in:
|
|
||||||
- module: apache-reload
|
|
||||||
|
|
||||||
{% for option, value in salt['pillar.get']('apache:security', {}).items() %}
|
|
||||||
apache_manage-security-{{ option }}:
|
|
||||||
file.accumulated:
|
|
||||||
- filename: /etc/apache2/conf-available/security.conf
|
|
||||||
- name: apache_manage-security-add-{{ option }}
|
|
||||||
- text: "{{ option }} {{ value }}"
|
|
||||||
- require_in:
|
|
||||||
- file: apache_security-block
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% elif grains['os_family']=="FreeBSD" %}
|
{% elif grains['os_family']=="FreeBSD" %}
|
||||||
{{ apache.confdir }}/security.conf:
|
{{ security_config(apache.confdir+'/security.conf') }}
|
||||||
file.managed:
|
|
||||||
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
|
|
||||||
- mode: 644
|
|
||||||
- template: jinja
|
|
||||||
- require:
|
|
||||||
- pkg: apache
|
|
||||||
- watch_in:
|
|
||||||
- module: apache-restart
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -38,7 +38,7 @@
|
|||||||
'mod_fastcgi': 'libapache2-mod-fastcgi',
|
'mod_fastcgi': 'libapache2-mod-fastcgi',
|
||||||
|
|
||||||
'vhostdir': '/etc/apache2/sites-available',
|
'vhostdir': '/etc/apache2/sites-available',
|
||||||
'confdir': '/etc/apache2/conf.d',
|
'confdir': '/etc/apache2/conf-available',
|
||||||
'confext': '.conf',
|
'confext': '.conf',
|
||||||
'default_site': 'default',
|
'default_site': 'default',
|
||||||
'default_site_ssl': 'default-ssl',
|
'default_site_ssl': 'default-ssl',
|
||||||
@ -89,27 +89,27 @@
|
|||||||
'wwwdir': '/srv/www',
|
'wwwdir': '/srv/www',
|
||||||
},
|
},
|
||||||
'FreeBSD': {
|
'FreeBSD': {
|
||||||
'server': 'apache22',
|
'server': 'apache24',
|
||||||
'service': 'apache22',
|
'service': 'apache24',
|
||||||
'user': 'www',
|
'user': 'www',
|
||||||
'group': 'www',
|
'group': 'www',
|
||||||
'configfile': '/usr/local/etc/apache22/httpd.conf',
|
'configfile': '/usr/local/etc/apache24/httpd.conf',
|
||||||
'portsfile': '/usr/local/etc/apache22/ports.conf',
|
'portsfile': '/usr/local/etc/apache24/ports.conf',
|
||||||
|
|
||||||
'mod_php5': 'mod_php56',
|
'mod_php5': 'mod_php56',
|
||||||
'mod_perl2': 'ap22-mod_perl2',
|
'mod_perl2': 'ap24-mod_perl2',
|
||||||
'mod_wsgi': 'ap22-mod_wsgi3',
|
'mod_wsgi': 'ap24-mod_wsgi3',
|
||||||
|
|
||||||
'vhostdir': '/usr/local/etc/apache22/Includes',
|
'vhostdir': '/usr/local/etc/apache24/Includes',
|
||||||
'confdir': '/usr/local/etc/apache22/extra',
|
'confdir': '/usr/local/etc/apache24/extra',
|
||||||
'modulesdir': '/usr/local/etc/apache22/modules.d',
|
'modulesdir': '/usr/local/etc/apache24/modules.d',
|
||||||
'global_document_root': '/usr/local/www/apache22/data',
|
'global_document_root': '/usr/local/www/apache24/data',
|
||||||
|
|
||||||
'confext': '',
|
'confext': '',
|
||||||
'default_site': 'default',
|
'default_site': 'default',
|
||||||
'default_site_ssl': 'default-ssl',
|
'default_site_ssl': 'default-ssl',
|
||||||
'logdir': '/var/log/',
|
'logdir': '/var/log/',
|
||||||
'wwwdir': '/usr/local/www/apache22/',
|
'wwwdir': '/usr/local/www/apache24/',
|
||||||
},
|
},
|
||||||
'Arch': {
|
'Arch': {
|
||||||
'server': 'apache',
|
'server': 'apache',
|
||||||
|
@ -11,8 +11,9 @@ mod-fcgid:
|
|||||||
- pkg: apache
|
- pkg: apache
|
||||||
|
|
||||||
{% if grains['os_family']=="Debian" %}
|
{% if grains['os_family']=="Debian" %}
|
||||||
a2enmod fcgid:
|
a2enmod fcgid for apache.mod_fcgid:
|
||||||
cmd.run:
|
cmd.run:
|
||||||
|
- name: a2enmod fcgid
|
||||||
- order: 225
|
- order: 225
|
||||||
- unless: ls /etc/apache2/mods-enabled/fcgid.load
|
- unless: ls /etc/apache2/mods-enabled/fcgid.load
|
||||||
- require:
|
- require:
|
||||||
|
@ -42,3 +42,35 @@ include:
|
|||||||
- module: apache-restart
|
- module: apache-restart
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{{ apache.confdir }}/tls-defaults.conf:
|
||||||
|
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
|
||||||
|
file.managed:
|
||||||
|
- source: salt://apache/files/tls-defaults.conf.jinja
|
||||||
|
- mode: 644
|
||||||
|
- template: jinja
|
||||||
|
{% else %}
|
||||||
|
file.absent:
|
||||||
|
{% endif %}
|
||||||
|
- require:
|
||||||
|
- pkg: apache
|
||||||
|
- watch_in:
|
||||||
|
- module: apache-restart
|
||||||
|
|
||||||
|
{% if grains['os_family']=="Debian" %}
|
||||||
|
a2endisconf tls-defaults:
|
||||||
|
cmd.run:
|
||||||
|
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
|
||||||
|
- name: a2enconf tls-defaults
|
||||||
|
- unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
|
||||||
|
{% else %}
|
||||||
|
- name: a2disconf tls-defaults
|
||||||
|
- onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
|
||||||
|
{% endif %}
|
||||||
|
- order: 225
|
||||||
|
- require:
|
||||||
|
- pkg: apache
|
||||||
|
- file: {{ apache.confdir }}/tls-defaults.conf
|
||||||
|
- watch_in:
|
||||||
|
- module: apache-restart
|
||||||
|
{% endif %}
|
||||||
|
@ -9,7 +9,7 @@ mod_wsgi:
|
|||||||
- require:
|
- require:
|
||||||
- pkg: apache
|
- pkg: apache
|
||||||
|
|
||||||
{% if apache.conf_mod_wsgi %}
|
{% if 'conf_mod_wsgi' in apache %}
|
||||||
{{ apache.conf_mod_wsgi }}:
|
{{ apache.conf_mod_wsgi }}:
|
||||||
file.uncomment:
|
file.uncomment:
|
||||||
- regex: LoadModule
|
- regex: LoadModule
|
||||||
|
@ -28,5 +28,7 @@
|
|||||||
|
|
||||||
{% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %}
|
{% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %}
|
||||||
{% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %}
|
{% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %}
|
||||||
{% if site.get('CustomLog') != False -%}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
|
{% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
|
||||||
|
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
|
||||||
|
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
@ -40,7 +40,9 @@
|
|||||||
|
|
||||||
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
|
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
|
||||||
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
|
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
|
||||||
{% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
|
{% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
|
||||||
|
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
|
||||||
|
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
|
||||||
|
|
||||||
{% if site.get('SSLCertificateFile') %}SSLEngine on
|
{% if site.get('SSLCertificateFile') %}SSLEngine on
|
||||||
SSLCertificateFile {{ site.SSLCertificateFile }}
|
SSLCertificateFile {{ site.SSLCertificateFile }}
|
||||||
|
@ -32,7 +32,9 @@
|
|||||||
|
|
||||||
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
|
{% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
|
||||||
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
|
{% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
|
||||||
{% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
|
{% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
|
||||||
|
{% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
|
||||||
|
CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
|
||||||
|
|
||||||
Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }}
|
Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }}
|
||||||
|
|
||||||
|
@ -1,6 +1,9 @@
|
|||||||
# ``apache`` formula configuration:
|
# ``apache`` formula configuration:
|
||||||
apache:
|
apache:
|
||||||
|
|
||||||
|
# By default apache restart/reload states run (false skips)
|
||||||
|
manage_service_states: True
|
||||||
|
|
||||||
# lookup section overrides ``map.jinja`` values
|
# lookup section overrides ``map.jinja`` values
|
||||||
lookup:
|
lookup:
|
||||||
server: apache2
|
server: apache2
|
||||||
@ -86,6 +89,20 @@ apache:
|
|||||||
Additional config as a
|
Additional config as a
|
||||||
multi-line string here
|
multi-line string here
|
||||||
|
|
||||||
|
redirectmatch.com:
|
||||||
|
# Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
|
||||||
|
# Require module mod_alias
|
||||||
|
enabled: True
|
||||||
|
template_file: salt://apache/vhosts/redirect.tmpl
|
||||||
|
ServerName: www.redirectmatch.com
|
||||||
|
ServerAlias: www.redirectmatch.com
|
||||||
|
RedirectMatch: true
|
||||||
|
RedirectSource: '^/$'
|
||||||
|
RedirectTarget: '/subdirectory'
|
||||||
|
DocumentRoot: /var/www/html/
|
||||||
|
ErrorLog: ${APACHE_LOG_DIR}/error.log
|
||||||
|
CustomLog: ${APACHE_LOG_DIR}/access.log
|
||||||
|
|
||||||
80-proxyexample.com:
|
80-proxyexample.com:
|
||||||
template_file: salt://apache/vhosts/redirect.tmpl
|
template_file: salt://apache/vhosts/redirect.tmpl
|
||||||
ServerName: www.proxyexample.com
|
ServerName: www.proxyexample.com
|
||||||
@ -313,4 +330,19 @@ apache:
|
|||||||
file: 'my name'
|
file: 'my name'
|
||||||
path: 'salt://path/to/modsecurity/custom/file'
|
path: 'salt://path/to/modsecurity/custom/file'
|
||||||
enabled: True
|
enabled: True
|
||||||
|
|
||||||
|
mod_ssl:
|
||||||
|
# set this to True if you want to override your distributions default TLS configuration
|
||||||
|
manage_tls_defaults: False
|
||||||
|
# This stuff is deliberately not configured via map.jinja resp. apache:lookup.
|
||||||
|
# We're unable to know sane defaults for each release of every distribution.
|
||||||
|
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
|
||||||
|
# Have a look at bettercrypto.org for up-to-date settings.
|
||||||
|
# These are default values:
|
||||||
|
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
|
||||||
|
# Mitigate the CRIME attack
|
||||||
|
SSLCompression: Off
|
||||||
|
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
|
||||||
|
SSLHonorCipherOrder: On
|
||||||
|
SSLOptions: "+StrictRequire"
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user