# -*- coding: utf-8 -*- # vim: ft=yaml --- # ``apache`` formula configuration: apache: # By default apache restart/reload states run (false skips) manage_service_states: true # lookup section overrides ``map.jinja`` values lookup: server: apache2 service: apache2 user: some_system_user group: some_system_group vhostdir: /etc/apache2/sites-available confdir: /etc/apache2/conf.d confext: .conf logdir: /var/log/apache2 wwwdir: /srv/apache2 # apache version (generally '2.2' or '2.4') version: '2.2' # mod_ssl package name mod_ssl_pkg: mod_ssl # ``apache.mod_wsgi`` formula additional configuration: mod_wsgi: mod_wsgi # Default value for AddDefaultCharset in RedHat configuration default_charset: 'UTF-8' # Should we enforce DocumentRoot user/group? # Default: do not enforce document_root_user: www-data # Force user if specified, leave it default if not document_root_group: null # Do not enforce group global: # global apache directives AllowEncodedSlashes: 'On' name_virtual_hosts: - interface: '*' port: 80 - interface: '*' port: 443 # ``apache.vhosts`` formula additional configuration: sites: example.net: template_file: salt://apache/vhosts/minimal.tmpl example.com: # must be unique; used as an ID declaration in Salt. enabled: true # or minimal.tmpl or redirect.tmpl or proxy.tmpl template_file: salt://apache/vhosts/standard.tmpl ####################### DEFAULT VALUES BELOW ############################ # NOTE: the values below are simply default settings that *can* be # overridden and are not required in order to use this formula to create # vhost entries. # # Do not copy the values below into your Pillar unless you intend to # modify these vaules. ####################### DEFAULT VALUES BELOW ############################ template_engine: jinja interface: '*' port: '80' exclude_listen_directive: true # Do not add a Listen directive in httpd.conf ServerName: example.com # uses the unique ID above unless specified # ServerAlias: www.example.com # Do not add ServerAlias unless defined ServerAdmin: webmaster@example.com LogLevel: warn # E.g.: /var/log/apache2/example.com-error.log ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-access.log CustomLog: /path/to/logs/example.com-access.log # E.g., /var/www/example.com DocumentRoot: /path/to/www/dir/example.com # do not enforce user, defaults to lookup:document_root_user DocumentRootUser: null # Force group, defaults to lookup:document_root_group DocumentRootGroup: www-data # if ssl is desired SSLCertificateFile: /etc/ssl/mycert.pem # if key for cert is needed or in an extra file SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if you require a chain of server certificates file SSLCertificateChainFile: /etc/ssl/mycert.chain.pem Directory: # "default" is a special case; uses DocumentRoot value # E.g.: /var/www/example.com default: Options: -Indexes +FollowSymLinks Order: allow,deny # For Apache < 2.4 Allow: from all # For apache < 2.4 Require: all granted # For apache > 2.4. AllowOverride: None Formula_Append: | Additional config as a multi-line string here redirectmatch.com: # Use RedirectMatch Directive # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch # Require module mod_alias enabled: true template_file: salt://apache/vhosts/redirect.tmpl ServerName: www.redirectmatch.com ServerAlias: www.redirectmatch.com RedirectMatch: true RedirectSource: '^/$' RedirectTarget: '/subdirectory' DocumentRoot: /var/www/html/ ErrorLog: ${APACHE_LOG_DIR}/error.log CustomLog: ${APACHE_LOG_DIR}/access.log 80-proxyexample.com: template_file: salt://apache/vhosts/redirect.tmpl ServerName: www.proxyexample.com ServerAlias: www.proxyexample.com RedirectSource: '/' RedirectTarget: 'https://www.proxyexample.com/' DocumentRoot: /var/www/proxy 443-proxyexample.com: template_file: salt://apache/vhosts/proxy.tmpl ServerName: www.proxyexample.com ServerAlias: www.proxyexample.com interface: '*' port: '443' DocumentRoot: /var/www/proxy Rewrite: | RewriteRule ^/webmail$ /webmail/ [R] RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L] RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L] SSLCertificateFile: /etc/httpd/ssl/example.com.crt SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer SSLCertificateFile_content: | -----BEGIN CERTIFICATE----- MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju Wm7DCfrPNGVwFWUQOmsPue9rZBgO -----END CERTIFICATE----- SSLCertificateKeyFile_content: | -----BEGIN PRIVATE KEY----- MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju Wm7DCfrPNGVwFWUQOmsPue9rZBgO -----END PRIVATE KEY----- SSLCertificateChainFile_content: | -----BEGIN CERTIFICATE----- MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju Wm7DCfrPNGVwFWUQOmsPue9rZBgO -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju Wm7DCfrPNGVwFWUQOmsPue9rZBgO -----END CERTIFICATE----- ProxyRequests: 'Off' ProxyPreserveHost: 'On' ProxyRoute: example prod proxy route: ProxyPassSource: '/' ProxyPassTarget: 'http://prod.example.com:85/' ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' ProxyPassReverseSource: '/' ProxyPassReverseTarget: 'http://prod.example.com:85/' example webmail proxy route: ProxyPassSource: '/webmail/' ProxyPassTarget: 'http://mail.example.com/' ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' ProxyPassReverseSource: '/webmail/' ProxyPassReverseTarget: 'http://mail.example.com/' example service proxy route: ProxyPassSource: '/svc/' ProxyPassTarget: 'http://svc.example.com:92/' ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' ProxyPassReverseSource: '/svc/' ProxyPassReverseTarget: 'http://svc.example.com:92/' Location: /: Require: false Formula_Append: | SecRuleRemoveById 981231 SecRuleRemoveById 981173 /error: Require: 'all granted' /docs: Order: allow,deny # For Apache < 2.4 Allow: from all # For apache < 2.4 Require: all granted # For apache > 2.4. Formula_Append: | Additional config as a multi-line string here LocationMatch: '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]': Require: false Formula_Append: | RequestHeader set Host mail.example.com '^[.\\/]+([Ss][Vv][Cc])[.\\/]': Require: false Formula_Append: | Require ip 123.123.13.6 84.24.25.74 Proxy_control: '*': AllowAll: false AllowCountry: - DE AllowIP: - 12.5.25.32 - 12.5.25.33 Alias: /docs: /usr/share/docs ScriptAlias: /cgi-bin/: /var/www/cgi-bin/ Formula_Append: | Additional config as a multi-line string here # ``apache.debian_full`` formula additional configuration: register-site: # any name as an array index, and you can duplicate this section UNIQUE_VALUE_HERE: name: 'my name' path: 'salt://path/to/sites-available/conf/file' state: 'enabled' # Optional - use managed file as Jinja Template # template: true # defaults: # custom_var: "default value" modules: enabled: # List modules to enable - ldap - ssl disabled: # List modules to disable - rewrite flags: enabled: # List server flags to enable - SSL disabled: # List server flags to disable - status # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. keepalive: 'On' security: # can be Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. ServerTokens: Prod # [debian only] configure mod_ssl ssl: SSLCipherSuite: 'HIGH:!aNULL' SSLHonorCipherOrder: 'Off' SSLProtocol: 'all -SSLv3' SSLUseStapling: 'Off' SSLStaplingResponderTimeout: '5' SSLStaplingReturnResponderErrors: 'Off' SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)' # ``apache.mod_remoteip`` formula additional configuration: mod_remoteip: RemoteIPHeader: X-Forwarded-For RemoteIPTrustedProxy: - 10.0.8.0/24 - 127.0.0.1 # ``apache.mod_security`` formula additional configuration: mod_security: crs_install: true # If not set, default distro's configuration is installed as is manage_config: true sec_rule_engine: 'On' sec_request_body_access: 'On' sec_request_body_limit: '14000000' sec_request_body_no_files_limit: '114002' sec_request_body_in_memory_limit: '114002' sec_request_body_limit_action: 'Reject' sec_pcre_match_limit: '15000' sec_pcre_match_limit_recursion: '15000' sec_debug_log_level: '3' rules: enabled: ~ modsecurity_crs_10_setup.conf: rule_set: '' enabled: true modsecurity_crs_20_protocol_violations.conf: rule_set: 'base_rules' enabled: false custom_rule_files: # any name as an array index, and you can duplicate this section UNIQUE_VALUE_HERE: file: 'my name' path: 'salt://path/to/modsecurity/custom/file' enabled: true mod_ssl: # set this to true if you want to override your distributions default TLS # configuration manage_tls_defaults: false # This stuff is deliberately not configured via map.jinja resp. # apache:lookup. We're unable to know sane defaults for each release of # every distribution. # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for # a related discussion Have a look at bettercrypto.org for up-to-date # settings. # These are default values: # yamllint disable-line rule:line-length SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA # Mitigate the CRIME attack SSLCompression: 'Off' SSLProtocol: all -SSLv2 -SSLv3 -TLSv1 SSLHonorCipherOrder: 'On' SSLOptions: "+StrictRequire" server_status_require: ip: - 10.8.8.0/24 host: - foo.example.com