# ``apache`` formula configuration:
apache:

  # lookup section overrides ``map.jinja`` values
  lookup:
    server: apache2
    service: apache2

    vhostdir: /etc/apache2/sites-available
    confdir: /etc/apache2/conf.d
    confext: .conf
    logdir: /var/log/apache2
    wwwdir: /srv/apache2

    # apache version (generally '2.2' or '2.4')
    version: '2.2'

    # ``apache.mod_wsgi`` formula additional configuration:
    mod_wsgi: mod_wsgi

    # Default value for AddDefaultCharset in RedHat configuration
    default_charset: 'UTF-8'

  global:
    # global apache directives
    AllowEncodedSlashes: 'On'


  name_virtual_hosts:
    - interface: '*'
      port: 80
    - interface: '*'
      port: 443

  # ``apache.vhosts`` formula additional configuration:
  sites:
    example.net:
      template_file: salt://apache/vhosts/minimal.tmpl

    example.com: # must be unique; used as an ID declaration in Salt.
      enabled: True
      template_file: salt://apache/vhosts/standard.tmpl # or redirect.tmpl or proxy.tmpl

      ####################### DEFAULT VALUES BELOW ############################
      # NOTE: the values below are simply default settings that *can* be
      # overridden and are not required in order to use this formula to create
      # vhost entries.
      #
      # Do not copy the values below into your Pillar unless you intend to
      # modify these vaules.
      ####################### DEFAULT VALUES BELOW ############################
      template_engine: jinja

      interface: '*'
      port: '80'

      ServerName: example.com # uses the unique ID above unless specified
      ServerAlias: www.example.com

      ServerAdmin: webmaster@example.com

      LogLevel: warn
      ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
      CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log

      DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com

      SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
      SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
      SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file

      Directory:
        # "default" is a special case; Adds ``/path/to/www/dir/example.com``
        # E.g.: /var/www/example.com
        default:
          Options: -Indexes +FollowSymLinks
          Order: allow,deny    # For Apache < 2.4
          Allow: from all      # For apache < 2.4
          Require: all granted # For apache > 2.4.
          AllowOverride: None
          Formula_Append: |
            Additional config as a
            multi-line string here

      # if template is 'redirect.tmpl'
      # RedirectSource: '/'
      # RedirectTarget: 'http://www.example.net'

      # if template is 'proxy.tmpl'
      # ProxyRequests: 'On'
      # ProxyPreserveHost: 'On'
      # ProxyRoute:
      #   my sample route:
      #      ProxyPassSource: '/'
      #      ProxyPassTarget: 'http://www.example.net'
      #      ProxyPassTargetOptions: 'connectiontimeout=5 timeout=30'
      #      ProxyPassReverseSource: '/'
      #      ProxyPassReverseTarget: 'http://www.example.net'

      Alias:
        /docs: /usr/share/docs

      Location:
        /docs:
          Order: allow,deny    # For Apache < 2.4
          Allow: from all      # For apache < 2.4
          Require: all granted # For apache > 2.4.
          Formula_Append: |
            Additional config as a
            multi-line string here

      Formula_Append: |
        Additional config as a
        multi-line string here

  # ``apache.debian_full`` formula additional configuration:
  register-site:
    # any name as an array index, and you can duplicate this section
    UNIQUE_VALUE_HERE:
      name: 'my name'
      path: 'salt://path/to/sites-available/conf/file'
      state: 'enabled'
      # Optional - use managed file as Jinja Template
      #template: true
      #defaults:
      #  custom_var: "default value"

  modules:
    enabled:  # List modules to enable
      - ldap
      - ssl
    disabled:  # List modules to disable
      - rewrite

  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  keepalive: 'On'

  security:
    # can be Full | OS | Minimal | Minor | Major | Prod
    # where Full conveys the most information, and Prod the least.
    ServerTokens: Prod

  # ``apache.mod_remoteip`` formula additional configuration:
  mod_remoteip:
    RemoteIPHeader: X-Forwarded-For
    RemoteIPTrustedProxy:
      - 10.0.8.0/24
      - 127.0.0.1

  # ``apache.mod_security`` formula additional configuration:
  mod_security:
    crs_install: True
    # If not set, default distro's configuration is installed as is
    manage_config: True
    sec_rule_engine: 'On'
    sec_request_body_access: 'On'
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'