* Feature (rhel7/httpd 2.4) : hardening apache and code refactoring
* remove hard returns
* Add default Listen 80 in httpd.conf
In case there no vhosts defined in pillar httpd will listen on port 80.
Without this default it will not start
* empty file autoindex.conf instead of deleting it
* explicit hardening items and references from CIS
* add #3.5 hardening rule
* explain CIS recommendations categories
* add dependencies before start service
* add recommendation #7.1 Install mod_ssl
* link in readme to hardening doc
Some configuration changes only take effect after a restart of the service.
When the module 'apache-reload' is triggered too early, it fails which results
in a false-negative result of the Salt run.
In order to fix that 'apache-restart' and the service definition itself are
put before 'apache-reload'. Reload should always succeed if restart did.
The formula currently adds a Listen directive for the port '*' if
any configured vhost is configured to listen on :* which does not
work and instead prevents apache from starting.
It is possible to prevent this by setting the
exclude_listen_directive pillar to True but this is a manual
workaround.
Instead, this commit excludes :* Listeners automatically.
When using the mod_ssl state on Red Hat family systems the httpd
server will currently not start.
This is due to duplicate Listen directives provided in the
ssl.conf file shipped with the mod_ssl rpm package and the directives
configured by saltstack.
The easy solution is to just ensure the rpm shipped mod_ssl is removed.
The docroot fix from PR#240 worked fine for default servers.
But as soon as one uses vhosts this broke as the vhosts were
created under the docroot in /var/www/html rather than the better
/var/www.
Fix this by differentiating between docroot and wwwdir.
Further allow to override both in Red Hat-style configs.
The override allows to reuse this formula for the softwarecollections
rpms.
SUSE reads additional FLAGS that are used on the server start. They are
read from the APACHE_SERVER_FLAGS key, so we use a2enflag/a2disflag to
set those as we do with modules.
New behavior properly explained in pillar.example
Warning: changes directory.default when used with non-standard documentroot.
Now uses documentroot, instead of previously "default" documentroot path.
Templates already fallback to SiteName before site id.
This attemps to be consistent with them, and avoid having to explicitly specify
the DocumentRoot, when the template already does the proper inference.
