Merge branch 'master' into 217-customlog

2018-01-30 14:24:16 +01:00 · 2018-01-30 14:24:16 +01:00 · fd23f29cf8
commit fd23f29cf8
parent 1ebee8bc07 853ec8e118
14 changed files with 147 additions and 49 deletions
--- a/apache/files/FreeBSD/apache-2.4.config.jinja
+++ b/apache/files/FreeBSD/apache-2.4.config.jinja
@ -526,5 +526,9 @@ TraceEnable Off
 # Well, IncludeOptional behaved lile Include
 IncludeOptional etc/apache24/extra/security.con[f]

+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include etc/apache24/extra/tls-defaults.conf
+{%- endif %}
+
 Include etc/apache24/Includes/*.conf

--- a/apache/files/Suse/apache-2.4.config.jinja
+++ b/apache/files/Suse/apache-2.4.config.jinja
@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf
 # any virtual host
 Include /etc/apache2/ssl-global.conf

+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include /etc/apache24/conf.d/tls-defaults.conf
+{%- %}
+
 # global (server-wide) protocol configuration, that is not specific
 # to any virtual host
 Include /etc/apache2/protocols.conf
--- a/apache/files/FreeBSD/security.conf.jinja
+++ b/apache/files/FreeBSD/security.conf.jinja
--- a/apache/files/tls-defaults.conf.jinja
+++ b/apache/files/tls-defaults.conf.jinja
@ -0,0 +1,18 @@
+# Managed by saltstack
+
+{% set data = {
+  'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA',
+  'SSLCompression': 'Off',
+  'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1',
+  'SSLHonorCipherOrder': 'On',
+  'SSLOptions': '+StrictRequire',
+} -%}
+{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %}
+
+<IfModule mod_ssl.c>
+{%- for key, value in data.items() %}
+{%-   if not key == 'manage_tls_defaults' %}
+{{ key }} {{ value }}
+{%-   endif %}
+{%- endfor %}
+</IfModule>
--- a/apache/init.sls
+++ b/apache/init.sls
@ -10,6 +10,8 @@ apache:
    - name: {{ apache.user }}
    - gid: {{ apache.group }}
    - system: True
+  {# By default run apache service states (unless pillar is false) #}
+  {% if salt['pillar.get']('apache:manage_service_states', True) %}
  service.running:
    - name: {{ apache.service }}
    - enable: True
@ -25,3 +27,17 @@ apache-restart:
  module.wait:
    - name: service.restart
    - m_name: {{ apache.service }}
+
+  {% else %}
+
+apache-reload:
+  test.show_notification:
+    - name: Skipping reload per user request
+    - text: Pillar manage_service_states is False
+
+apache-restart:
+  test.show_notification:
+    - name: Skipping restart per user request
+    - text: Pillar manage_service_states is False
+
+  {% endif %}
--- a/apache/manage_security.sls
+++ b/apache/manage_security.sls
@ -1,43 +1,28 @@
 {% from "apache/map.jinja" import apache with context %}

+{%- macro security_config(name) %}
+{{ name }}:
+  file.managed:
+    - source:
+      - salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
+      - salt://apache/files/security.conf.jinja
+    - mode: 644
+    - template: jinja
+    - require:
+      - pkg: apache
+    - watch_in:
+      - module: apache-restart
+{%- endmacro %}
+
 include:
  - apache

 {% if grains['os_family']=="Debian" %}

 {% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %}
-apache_security-block:
-  file.blockreplace:
-    - name: /etc/apache2/conf-available/security.conf
-    - marker_start: "# START managed zone -DO-NOT-EDIT-"
-    - marker_end: "# END managed zone --"
-    - append_if_not_found: True
-    - show_changes: True
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-reload
-
-{% for option, value in salt['pillar.get']('apache:security', {}).items() %}
-apache_manage-security-{{ option }}:
-  file.accumulated:
-    - filename: /etc/apache2/conf-available/security.conf
-    - name: apache_manage-security-add-{{ option }}
-    - text: "{{ option }} {{ value }}"
-    - require_in:
-      - file: apache_security-block
-{% endfor %}
-
+{{ security_config('/etc/apache2/conf-available/security.conf') }}
 {% endif %}

 {% elif grains['os_family']=="FreeBSD" %}
-{{ apache.confdir }}/security.conf:
-  file.managed:
-    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
-    - mode: 644
-    - template: jinja
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
+{{ security_config(apache.confdir+'/security.conf') }}
 {% endif %}
--- a/apache/map.jinja
+++ b/apache/map.jinja
@ -38,7 +38,7 @@
        'mod_fastcgi': 'libapache2-mod-fastcgi',

        'vhostdir': '/etc/apache2/sites-available',
-        'confdir': '/etc/apache2/conf.d',
+        'confdir': '/etc/apache2/conf-available',
        'confext': '.conf',
        'default_site': 'default',
        'default_site_ssl': 'default-ssl',
@ -89,27 +89,27 @@
        'wwwdir': '/srv/www',
    },
    'FreeBSD': {
-        'server': 'apache22',
-        'service': 'apache22',
+        'server': 'apache24',
+        'service': 'apache24',
        'user': 'www',
        'group': 'www',
-        'configfile': '/usr/local/etc/apache22/httpd.conf',
-        'portsfile': '/usr/local/etc/apache22/ports.conf',
+        'configfile': '/usr/local/etc/apache24/httpd.conf',
+        'portsfile': '/usr/local/etc/apache24/ports.conf',

        'mod_php5': 'mod_php56',
-        'mod_perl2': 'ap22-mod_perl2',
-        'mod_wsgi': 'ap22-mod_wsgi3',
+        'mod_perl2': 'ap24-mod_perl2',
+        'mod_wsgi': 'ap24-mod_wsgi3',

-        'vhostdir': '/usr/local/etc/apache22/Includes',
-        'confdir': '/usr/local/etc/apache22/extra',
-        'modulesdir': '/usr/local/etc/apache22/modules.d',
-        'global_document_root': '/usr/local/www/apache22/data',
+        'vhostdir': '/usr/local/etc/apache24/Includes',
+        'confdir': '/usr/local/etc/apache24/extra',
+        'modulesdir': '/usr/local/etc/apache24/modules.d',
+        'global_document_root': '/usr/local/www/apache24/data',

        'confext': '',
        'default_site': 'default',
        'default_site_ssl': 'default-ssl',
        'logdir': '/var/log/',
-        'wwwdir': '/usr/local/www/apache22/',
+        'wwwdir': '/usr/local/www/apache24/',
    },
    'Arch': {
        'server': 'apache',
--- a/apache/mod_fcgid.sls
+++ b/apache/mod_fcgid.sls
@ -11,8 +11,9 @@ mod-fcgid:
      - pkg: apache

 {% if grains['os_family']=="Debian" %}
-a2enmod fcgid:
+a2enmod fcgid for apache.mod_fcgid:
  cmd.run:
+    - name: a2enmod fcgid
    - order: 225
    - unless: ls /etc/apache2/mods-enabled/fcgid.load
    - require:
--- a/apache/mod_ssl.sls
+++ b/apache/mod_ssl.sls
@ -42,3 +42,35 @@ include:
      - module: apache-restart

 {% endif %}
+
+{{ apache.confdir }}/tls-defaults.conf:
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+  file.managed:
+    - source: salt://apache/files/tls-defaults.conf.jinja
+    - mode: 644
+    - template: jinja
+{% else %}
+  file.absent:
+{% endif %}
+    - require:
+      - pkg: apache
+    - watch_in:
+      - module: apache-restart
+
+{% if grains['os_family']=="Debian" %}
+a2endisconf tls-defaults:
+  cmd.run:
+{%   if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+    - name: a2enconf tls-defaults
+    - unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+{%   else %}
+    - name: a2disconf tls-defaults
+    - onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+{%   endif %}
+    - order: 225
+    - require:
+      - pkg: apache
+      - file: {{ apache.confdir }}/tls-defaults.conf
+    - watch_in:
+      - module: apache-restart
+{% endif %}
--- a/apache/mod_wsgi.sls
+++ b/apache/mod_wsgi.sls
@ -9,7 +9,7 @@ mod_wsgi:
    - require:
      - pkg: apache

-{% if apache.conf_mod_wsgi %}
+{% if 'conf_mod_wsgi' in apache %}
 {{ apache.conf_mod_wsgi }}:
  file.uncomment:
    - regex: LoadModule
--- a/apache/vhosts/minimal.tmpl
+++ b/apache/vhosts/minimal.tmpl
@ -28,5 +28,7 @@

    {% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %}
    {% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %}
-    {% if site.get('CustomLog') != False -%}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
+    {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
+    {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
+    CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}
 </VirtualHost>
--- a/apache/vhosts/proxy.tmpl
+++ b/apache/vhosts/proxy.tmpl
@ -40,7 +40,9 @@

    {% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
    {% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
-    {% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
+    {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
+    {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
+    CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}

    {% if site.get('SSLCertificateFile') %}SSLEngine on
    SSLCertificateFile {{ site.SSLCertificateFile }}
--- a/apache/vhosts/redirect.tmpl
+++ b/apache/vhosts/redirect.tmpl
@ -32,7 +32,9 @@

    {% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %}
    {% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %}
-    {% if site.get('CustomLog') != False %}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %}
+    {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %}
+    {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }}
+    CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %}

    Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }}

--- a/pillar.example
+++ b/pillar.example
@ -1,6 +1,9 @@
 # ``apache`` formula configuration:
 apache:

+  # By default apache restart/reload states run (false skips)
+  manage_service_states: True
+
  # lookup section overrides ``map.jinja`` values
  lookup:
    server: apache2
@ -86,6 +89,20 @@ apache:
            Additional config as a
            multi-line string here

+    redirectmatch.com:
+      # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
+      # Require module mod_alias 
+      enabled: True
+      template_file: salt://apache/vhosts/redirect.tmpl
+      ServerName: www.redirectmatch.com
+      ServerAlias: www.redirectmatch.com
+      RedirectMatch: true
+      RedirectSource: '^/$'
+      RedirectTarget: '/subdirectory'
+      DocumentRoot: /var/www/html/
+      ErrorLog: ${APACHE_LOG_DIR}/error.log
+      CustomLog: ${APACHE_LOG_DIR}/access.log
+
    80-proxyexample.com:
      template_file: salt://apache/vhosts/redirect.tmpl
      ServerName: www.proxyexample.com
@ -314,3 +331,18 @@ apache:
        path: 'salt://path/to/modsecurity/custom/file'
        enabled: True

+  mod_ssl:
+    # set this to True if you want to override your distributions default TLS configuration
+    manage_tls_defaults: False
+    # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
+    # We're unable to know sane defaults for each release of every distribution.
+    # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
+    # Have a look at bettercrypto.org for up-to-date settings.
+    # These are default values:
+    SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+    # Mitigate the CRIME attack
+    SSLCompression: Off
+    SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
+    SSLHonorCipherOrder: On
+    SSLOptions: "+StrictRequire"
+