# ``apache`` formula configuration: apache: # lookup section overrides ``map.jinja`` values lookup: server: apache2 service: apache2 vhostdir: /etc/apache2/sites-available confdir: /etc/apache2/conf.d confext: .conf logdir: /var/log/apache2 wwwdir: /srv/apache2 # apache version (generally '2.2' or '2.4') version: '2.2' # ``apache.mod_wsgi`` formula additional configuration: mod_wsgi: mod_wsgi # Default value for AddDefaultCharset in RedHat configuration default_charset: 'UTF-8' global: # global apache directives AllowEncodedSlashes: 'On' name_virtual_hosts: - interface: '*' port: 80 - interface: '*' port: 443 # ``apache.vhosts`` formula additional configuration: sites: example.net: template_file: salt://apache/vhosts/minimal.tmpl example.com: # must be unique; used as an ID declaration in Salt. enabled: True template_file: salt://apache/vhosts/standard.tmpl # or redirect.tmpl or proxy.tmpl ####################### DEFAULT VALUES BELOW ############################ # NOTE: the values below are simply default settings that *can* be # overridden and are not required in order to use this formula to create # vhost entries. # # Do not copy the values below into your Pillar unless you intend to # modify these vaules. ####################### DEFAULT VALUES BELOW ############################ template_engine: jinja interface: '*' port: '80' exclude_listen_directive: True # Do not add a Listen directive in httpd.conf ServerName: example.com # uses the unique ID above unless specified ServerAlias: www.example.com ServerAdmin: webmaster@example.com LogLevel: warn ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file Directory: # "default" is a special case; Adds ``/path/to/www/dir/example.com`` # E.g.: /var/www/example.com default: Options: -Indexes +FollowSymLinks Order: allow,deny # For Apache < 2.4 Allow: from all # For apache < 2.4 Require: all granted # For apache > 2.4. AllowOverride: None Formula_Append: | Additional config as a multi-line string here # if template is 'redirect.tmpl' # RedirectSource: '/' # RedirectTarget: 'http://www.example.net' # if template is 'proxy.tmpl' # ProxyRequests: 'On' # ProxyPreserveHost: 'On' # ProxyRoute: # my sample route: # ProxyPassSource: '/' # ProxyPassTarget: 'http://www.example.net' # ProxyPassTargetOptions: 'connectiontimeout=5 timeout=30' # ProxyPassReverseSource: '/' # ProxyPassReverseTarget: 'http://www.example.net' Alias: /docs: /usr/share/docs Location: /docs: Order: allow,deny # For Apache < 2.4 Allow: from all # For apache < 2.4 Require: all granted # For apache > 2.4. Formula_Append: | Additional config as a multi-line string here Formula_Append: | Additional config as a multi-line string here # ``apache.debian_full`` formula additional configuration: register-site: # any name as an array index, and you can duplicate this section UNIQUE_VALUE_HERE: name: 'my name' path: 'salt://path/to/sites-available/conf/file' state: 'enabled' # Optional - use managed file as Jinja Template #template: true #defaults: # custom_var: "default value" modules: enabled: # List modules to enable - ldap - ssl disabled: # List modules to disable - rewrite # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. keepalive: 'On' security: # can be Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. ServerTokens: Prod # ``apache.mod_remoteip`` formula additional configuration: mod_remoteip: RemoteIPHeader: X-Forwarded-For RemoteIPTrustedProxy: - 10.0.8.0/24 - 127.0.0.1 # ``apache.mod_security`` formula additional configuration: mod_security: crs_install: True # If not set, default distro's configuration is installed as is manage_config: True sec_rule_engine: 'On' sec_request_body_access: 'On' sec_request_body_limit: '14000000' sec_request_body_no_files_limit: '114002' sec_request_body_in_memory_limit: '114002' sec_request_body_limit_action: 'Reject' sec_pcre_match_limit: '15000' sec_pcre_match_limit_recursion: '15000' sec_debug_log_level: '3' rules: enabled: modsecurity_crs_10_setup.conf: rule_set: '' enabled: True modsecurity_crs_20_protocol_violations.conf: rule_set: 'base_rules' enabled: False custom_rule_files: # any name as an array index, and you can duplicate this section UNIQUE_VALUE_HERE: file: 'my name' path: 'salt://path/to/modsecurity/custom/file' enabled: True