 97f6ead9f4
			
		
	
	
		97f6ead9f4
		
			
		
	
	
	
	
		
			
			```bash apache-formula$ yamllint -s . ./pillar.example 2:1 warning missing document start "---" (document-start) 5:26 warning truthy value should be one of [false, true] (truthy) 50:18 warning too few spaces before comment (comments) 51:16 warning truthy value should be one of [false, true] (truthy) 52:57 warning too few spaces before comment (comments) 52:89 error line too long (104 > 88 characters) (line-length) 67:33 warning truthy value should be one of [false, true] (truthy) 67:38 warning too few spaces before comment (comments) 69:31 warning too few spaces before comment (comments) 70:8 warning missing starting space in comment (comments) 75:53 warning too few spaces before comment (comments) 75:89 error line too long (98 > 88 characters) (line-length) 76:55 warning too few spaces before comment (comments) 76:89 error line too long (101 > 88 characters) (line-length) 78:50 warning too few spaces before comment (comments) 79:89 error line too long (95 > 88 characters) (line-length) 82:47 warning too few spaces before comment (comments) 83:54 warning too few spaces before comment (comments) 83:89 error line too long (100 > 88 characters) (line-length) 84:58 warning too few spaces before comment (comments) 84:89 error line too long (109 > 88 characters) (line-length) 93:32 warning too few spaces before comment (comments) 100:89 error line too long (105 > 88 characters) (line-length) 101:33 error trailing spaces (trailing-spaces) 102:16 warning truthy value should be one of [false, true] (truthy) 231:20 warning truthy value should be one of [false, true] (truthy) 242:32 warning too few spaces before comment (comments) 249:20 warning truthy value should be one of [false, true] (truthy) 254:20 warning truthy value should be one of [false, true] (truthy) 260:21 warning truthy value should be one of [false, true] (truthy) 283:8 warning missing starting space in comment (comments) 284:8 warning missing starting space in comment (comments) 297:15 warning too few spaces before comment (comments) 328:18 warning truthy value should be one of [false, true] (truthy) 330:20 warning truthy value should be one of [false, true] (truthy) 342:15 error empty value in block mapping (empty-values) 345:18 warning truthy value should be one of [false, true] (truthy) 348:18 warning truthy value should be one of [false, true] (truthy) 355:18 warning truthy value should be one of [false, true] (truthy) 358:89 error line too long (91 > 88 characters) (line-length) 359:26 warning truthy value should be one of [false, true] (truthy) 362:89 error line too long (99 > 88 characters) (line-length) 365:89 error line too long (267 > 88 characters) (line-length) 367:21 warning truthy value should be one of [false, true] (truthy) 369:26 warning truthy value should be one of [false, true] (truthy) 371:1 error too many blank lines (1 > 0) (empty-lines) ./apache/osfingermap.yaml 3:1 warning missing document start "---" (document-start) ./apache/modsecurity.yaml 4:1 warning missing document start "---" (document-start) 6:18 warning truthy value should be one of [false, true] (truthy) 7:20 warning truthy value should be one of [false, true] (truthy) 14:18 warning truthy value should be one of [false, true] (truthy) 15:20 warning truthy value should be one of [false, true] (truthy) 22:18 warning truthy value should be one of [false, true] (truthy) 23:20 warning truthy value should be one of [false, true] (truthy) ./apache/defaults.yaml 4:1 warning missing document start "---" (document-start) 5:26 warning truthy value should be one of [false, true] (truthy) 7:19 warning truthy value should be one of [false, true] (truthy) 10:18 warning truthy value should be one of [false, true] (truthy) 11:20 warning truthy value should be one of [false, true] (truthy) ./apache/oscodenamemap.yaml 4:1 warning missing document start "---" (document-start) 4:8 error trailing spaces (trailing-spaces) 9:8 error trailing spaces (trailing-spaces) 14:7 error trailing spaces (trailing-spaces) 19:6 error trailing spaces (trailing-spaces) 24:8 error trailing spaces (trailing-spaces) 29:9 error trailing spaces (trailing-spaces) 34:7 error trailing spaces (trailing-spaces) 39:8 error trailing spaces (trailing-spaces) 44:8 error trailing spaces (trailing-spaces) 50:9 error trailing spaces (trailing-spaces) 61:1 error too many blank lines (1 > 0) (empty-lines) ./apache/osfamilymap.yaml 4:1 warning missing document start "---" (document-start) 16:89 error line too long (104 > 88 characters) (line-length) 43:89 error line too long (105 > 88 characters) (line-length) 56:16 warning truthy value should be one of [false, true] (truthy) 114:11 error empty value in block mapping (empty-values) 114:11 error trailing spaces (trailing-spaces) ./test/salt/pillar/default.sls 5:26 warning truthy value should be one of [false, true] (truthy) 7:18 warning truthy value should be one of [false, true] (truthy) 8:20 warning truthy value should be one of [false, true] (truthy) ```
		
			
				
	
	
		
			388 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			388 lines
		
	
	
		
			14 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| # -*- coding: utf-8 -*-
 | |
| # vim: ft=yaml
 | |
| ---
 | |
| # ``apache`` formula configuration:
 | |
| apache:
 | |
| 
 | |
|   # By default apache restart/reload states run (false skips)
 | |
|   manage_service_states: true
 | |
| 
 | |
|   # lookup section overrides ``map.jinja`` values
 | |
|   lookup:
 | |
|     server: apache2
 | |
|     service: apache2
 | |
|     user: some_system_user
 | |
|     group: some_system_group
 | |
| 
 | |
|     vhostdir: /etc/apache2/sites-available
 | |
|     confdir: /etc/apache2/conf.d
 | |
|     confext: .conf
 | |
|     logdir: /var/log/apache2
 | |
|     wwwdir: /srv/apache2
 | |
| 
 | |
|     # apache version (generally '2.2' or '2.4')
 | |
|     version: '2.2'
 | |
| 
 | |
|     # ``apache.mod_wsgi`` formula additional configuration:
 | |
|     mod_wsgi: mod_wsgi
 | |
| 
 | |
|     # Default value for AddDefaultCharset in RedHat configuration
 | |
|     default_charset: 'UTF-8'
 | |
| 
 | |
|     # Should we enforce DocumentRoot user/group?
 | |
|     # Default: do not enforce
 | |
|     document_root_user: www-data   # Force user if specified, leave it default if not
 | |
|     document_root_group: null      # Do not enforce group
 | |
| 
 | |
|   global:
 | |
|     # global apache directives
 | |
|     AllowEncodedSlashes: 'On'
 | |
| 
 | |
| 
 | |
|   name_virtual_hosts:
 | |
|     - interface: '*'
 | |
|       port: 80
 | |
|     - interface: '*'
 | |
|       port: 443
 | |
| 
 | |
|   # ``apache.vhosts`` formula additional configuration:
 | |
|   sites:
 | |
|     example.net:
 | |
|       template_file: salt://apache/vhosts/minimal.tmpl
 | |
| 
 | |
|     example.com:  # must be unique; used as an ID declaration in Salt.
 | |
|       enabled: true
 | |
|       # or minimal.tmpl or redirect.tmpl or proxy.tmpl
 | |
|       template_file: salt://apache/vhosts/standard.tmpl
 | |
| 
 | |
|       ####################### DEFAULT VALUES BELOW ############################
 | |
|       # NOTE: the values below are simply default settings that *can* be
 | |
|       # overridden and are not required in order to use this formula to create
 | |
|       # vhost entries.
 | |
|       #
 | |
|       # Do not copy the values below into your Pillar unless you intend to
 | |
|       # modify these vaules.
 | |
|       ####################### DEFAULT VALUES BELOW ############################
 | |
|       template_engine: jinja
 | |
| 
 | |
|       interface: '*'
 | |
|       port: '80'
 | |
| 
 | |
|       exclude_listen_directive: true  # Do not add a Listen directive in httpd.conf
 | |
| 
 | |
|       ServerName: example.com  # uses the unique ID above unless specified
 | |
|       # ServerAlias: www.example.com  # Do not add ServerAlias unless defined
 | |
| 
 | |
|       ServerAdmin: webmaster@example.com
 | |
| 
 | |
|       LogLevel: warn
 | |
|       # E.g.: /var/log/apache2/example.com-error.log
 | |
|       ErrorLog: /path/to/logs/example.com-error.log
 | |
|       # E.g.: /var/log/apache2/example.com-access.log
 | |
|       CustomLog: /path/to/logs/example.com-access.log
 | |
| 
 | |
|       # E.g., /var/www/example.com
 | |
|       DocumentRoot: /path/to/www/dir/example.com
 | |
|       # do not enforce user, defaults to lookup:document_root_user
 | |
|       DocumentRootUser: null
 | |
|       # Force group, defaults to lookup:document_root_group
 | |
|       DocumentRootGroup: www-data
 | |
| 
 | |
|       # if ssl is desired
 | |
|       SSLCertificateFile: /etc/ssl/mycert.pem
 | |
|       # if key for cert is needed or in an extra file
 | |
|       SSLCertificateKeyFile: /etc/ssl/mycert.pem.key
 | |
|       # if you require a chain of server certificates file
 | |
|       SSLCertificateChainFile: /etc/ssl/mycert.chain.pem
 | |
| 
 | |
|       Directory:
 | |
|         # "default" is a special case; uses DocumentRoot value
 | |
|         # E.g.: /var/www/example.com
 | |
|         default:
 | |
|           Options: -Indexes +FollowSymLinks
 | |
|           Order: allow,deny     # For Apache < 2.4
 | |
|           Allow: from all       # For apache < 2.4
 | |
|           Require: all granted  # For apache > 2.4.
 | |
|           AllowOverride: None
 | |
|           Formula_Append: |
 | |
|             Additional config as a
 | |
|             multi-line string here
 | |
| 
 | |
|     redirectmatch.com:
 | |
|       # Use RedirectMatch Directive
 | |
|       # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
 | |
|       # Require module mod_alias
 | |
|       enabled: true
 | |
|       template_file: salt://apache/vhosts/redirect.tmpl
 | |
|       ServerName: www.redirectmatch.com
 | |
|       ServerAlias: www.redirectmatch.com
 | |
|       RedirectMatch: true
 | |
|       RedirectSource: '^/$'
 | |
|       RedirectTarget: '/subdirectory'
 | |
|       DocumentRoot: /var/www/html/
 | |
|       ErrorLog: ${APACHE_LOG_DIR}/error.log
 | |
|       CustomLog: ${APACHE_LOG_DIR}/access.log
 | |
| 
 | |
|     80-proxyexample.com:
 | |
|       template_file: salt://apache/vhosts/redirect.tmpl
 | |
|       ServerName: www.proxyexample.com
 | |
|       ServerAlias: www.proxyexample.com
 | |
|       RedirectSource: '/'
 | |
|       RedirectTarget: 'https://www.proxyexample.com/'
 | |
|       DocumentRoot: /var/www/proxy
 | |
| 
 | |
|     443-proxyexample.com:
 | |
|       template_file: salt://apache/vhosts/proxy.tmpl
 | |
|       ServerName: www.proxyexample.com
 | |
|       ServerAlias: www.proxyexample.com
 | |
|       interface: '*'
 | |
|       port: '443'
 | |
|       DocumentRoot: /var/www/proxy
 | |
| 
 | |
|       Rewrite: |
 | |
|         RewriteRule ^/webmail$ /webmail/ [R]
 | |
|         RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
 | |
|         RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
 | |
| 
 | |
|       SSLCertificateFile: /etc/httpd/ssl/example.com.crt
 | |
|       SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
 | |
|       SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
 | |
| 
 | |
|       SSLCertificateFile_content: |
 | |
|         -----BEGIN CERTIFICATE-----
 | |
|         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
 | |
|         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
 | |
|         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
 | |
|         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
 | |
|         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
 | |
|         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
 | |
|         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
 | |
|         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
 | |
|         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
 | |
|         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
 | |
|         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 | |
|         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
 | |
|         Wm7DCfrPNGVwFWUQOmsPue9rZBgO
 | |
|         -----END CERTIFICATE-----
 | |
| 
 | |
|       SSLCertificateKeyFile_content: |
 | |
|         -----BEGIN PRIVATE KEY-----
 | |
|         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
 | |
|         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
 | |
|         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
 | |
|         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
 | |
|         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
 | |
|         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
 | |
|         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
 | |
|         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
 | |
|         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
 | |
|         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
 | |
|         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 | |
|         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
 | |
|         Wm7DCfrPNGVwFWUQOmsPue9rZBgO
 | |
|         -----END PRIVATE KEY-----
 | |
| 
 | |
|       SSLCertificateChainFile_content: |
 | |
|         -----BEGIN CERTIFICATE-----
 | |
|         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
 | |
|         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
 | |
|         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
 | |
|         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
 | |
|         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
 | |
|         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
 | |
|         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
 | |
|         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
 | |
|         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
 | |
|         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
 | |
|         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 | |
|         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
 | |
|         Wm7DCfrPNGVwFWUQOmsPue9rZBgO
 | |
|         -----END CERTIFICATE-----
 | |
|         -----BEGIN CERTIFICATE-----
 | |
|         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
 | |
|         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
 | |
|         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
 | |
|         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
 | |
|         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
 | |
|         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
 | |
|         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
 | |
|         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
 | |
|         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
 | |
|         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
 | |
|         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 | |
|         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
 | |
|         Wm7DCfrPNGVwFWUQOmsPue9rZBgO
 | |
|         -----END CERTIFICATE-----
 | |
| 
 | |
|       ProxyRequests: 'Off'
 | |
|       ProxyPreserveHost: 'On'
 | |
| 
 | |
|       ProxyRoute:
 | |
|         example prod proxy route:
 | |
|           ProxyPassSource: '/'
 | |
|           ProxyPassTarget: 'http://prod.example.com:85/'
 | |
|           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
 | |
|           ProxyPassReverseSource: '/'
 | |
|           ProxyPassReverseTarget: 'http://prod.example.com:85/'
 | |
| 
 | |
|         example webmail proxy route:
 | |
|           ProxyPassSource: '/webmail/'
 | |
|           ProxyPassTarget: 'http://mail.example.com/'
 | |
|           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
 | |
|           ProxyPassReverseSource: '/webmail/'
 | |
|           ProxyPassReverseTarget: 'http://mail.example.com/'
 | |
| 
 | |
|         example service proxy route:
 | |
|           ProxyPassSource: '/svc/'
 | |
|           ProxyPassTarget: 'http://svc.example.com:92/'
 | |
|           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
 | |
|           ProxyPassReverseSource: '/svc/'
 | |
|           ProxyPassReverseTarget: 'http://svc.example.com:92/'
 | |
| 
 | |
|       Location:
 | |
|         /:
 | |
|           Require: false
 | |
|           Formula_Append: |
 | |
|             SecRuleRemoveById 981231
 | |
|             SecRuleRemoveById 981173
 | |
| 
 | |
|         /error:
 | |
|           Require: 'all granted'
 | |
| 
 | |
|         /docs:
 | |
|           Order: allow,deny     # For Apache < 2.4
 | |
|           Allow: from all       # For apache < 2.4
 | |
|           Require: all granted  # For apache > 2.4.
 | |
|           Formula_Append: |
 | |
|             Additional config as a
 | |
|             multi-line string here
 | |
| 
 | |
|       LocationMatch:
 | |
|         '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
 | |
|           Require: false
 | |
|           Formula_Append: |
 | |
|             RequestHeader  set  Host  mail.example.com
 | |
| 
 | |
|         '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
 | |
|           Require: false
 | |
|           Formula_Append: |
 | |
|             Require ip 123.123.13.6 84.24.25.74
 | |
| 
 | |
|       Proxy_control:
 | |
|         '*':
 | |
|           AllowAll: false
 | |
|           AllowCountry:
 | |
|             - DE
 | |
|           AllowIP:
 | |
|             - 12.5.25.32
 | |
|             - 12.5.25.33
 | |
| 
 | |
| 
 | |
|       Alias:
 | |
|         /docs: /usr/share/docs
 | |
| 
 | |
|       Formula_Append: |
 | |
|         Additional config as a
 | |
|         multi-line string here
 | |
| 
 | |
|   # ``apache.debian_full`` formula additional configuration:
 | |
|   register-site:
 | |
|     # any name as an array index, and you can duplicate this section
 | |
|     UNIQUE_VALUE_HERE:
 | |
|       name: 'my name'
 | |
|       path: 'salt://path/to/sites-available/conf/file'
 | |
|       state: 'enabled'
 | |
|       # Optional - use managed file as Jinja Template
 | |
|       # template: true
 | |
|       # defaults:
 | |
|       #   custom_var: "default value"
 | |
| 
 | |
|   modules:
 | |
|     enabled:   # List modules to enable
 | |
|       - ldap
 | |
|       - ssl
 | |
|     disabled:  # List modules to disable
 | |
|       - rewrite
 | |
| 
 | |
|   flags:
 | |
|     enabled:   # List server flags to enable
 | |
|       - SSL
 | |
|     disabled:  # List server flags to disable
 | |
|       - status
 | |
| 
 | |
|   # KeepAlive: Whether or not to allow persistent connections (more than
 | |
|   # one request per connection). Set to "Off" to deactivate.
 | |
|   keepalive: 'On'
 | |
| 
 | |
|   security:
 | |
|     # can be Full | OS | Minimal | Minor | Major | Prod
 | |
|     # where Full conveys the most information, and Prod the least.
 | |
|     ServerTokens: Prod
 | |
| 
 | |
|   # [debian only] configure mod_ssl
 | |
|   ssl:
 | |
|     SSLCipherSuite: 'HIGH:!aNULL'
 | |
|     SSLHonorCipherOrder: 'Off'
 | |
|     SSLProtocol: 'all -SSLv3'
 | |
|     SSLUseStapling: 'Off'
 | |
|     SSLStaplingResponderTimeout: '5'
 | |
|     SSLStaplingReturnResponderErrors: 'Off'
 | |
|     SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
 | |
| 
 | |
|   # ``apache.mod_remoteip`` formula additional configuration:
 | |
|   mod_remoteip:
 | |
|     RemoteIPHeader: X-Forwarded-For
 | |
|     RemoteIPTrustedProxy:
 | |
|       - 10.0.8.0/24
 | |
|       - 127.0.0.1
 | |
| 
 | |
|   # ``apache.mod_security`` formula additional configuration:
 | |
|   mod_security:
 | |
|     crs_install: true
 | |
|     # If not set, default distro's configuration is installed as is
 | |
|     manage_config: true
 | |
|     sec_rule_engine: 'On'
 | |
|     sec_request_body_access: 'On'
 | |
|     sec_request_body_limit: '14000000'
 | |
|     sec_request_body_no_files_limit: '114002'
 | |
|     sec_request_body_in_memory_limit: '114002'
 | |
|     sec_request_body_limit_action: 'Reject'
 | |
|     sec_pcre_match_limit: '15000'
 | |
|     sec_pcre_match_limit_recursion: '15000'
 | |
|     sec_debug_log_level: '3'
 | |
| 
 | |
|     rules:
 | |
|       enabled: ~
 | |
|       modsecurity_crs_10_setup.conf:
 | |
|         rule_set: ''
 | |
|         enabled: true
 | |
|       modsecurity_crs_20_protocol_violations.conf:
 | |
|         rule_set: 'base_rules'
 | |
|         enabled: false
 | |
| 
 | |
|     custom_rule_files:
 | |
|       # any name as an array index, and you can duplicate this section
 | |
|       UNIQUE_VALUE_HERE:
 | |
|         file: 'my name'
 | |
|         path: 'salt://path/to/modsecurity/custom/file'
 | |
|         enabled: true
 | |
| 
 | |
|   mod_ssl:
 | |
|     # set this to true if you want to override your distributions default TLS
 | |
|     # configuration
 | |
|     manage_tls_defaults: false
 | |
|     # This stuff is deliberately not configured via map.jinja resp.
 | |
|     # apache:lookup.  We're unable to know sane defaults for each release of
 | |
|     # every distribution.
 | |
|     # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for
 | |
|     # a related discussion Have a look at bettercrypto.org for up-to-date
 | |
|     # settings.
 | |
|     # These are default values:
 | |
|     # yamllint disable-line rule:line-length
 | |
|     SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
 | |
|     # Mitigate the CRIME attack
 | |
|     SSLCompression: 'Off'
 | |
|     SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
 | |
|     SSLHonorCipherOrder: 'On'
 | |
|     SSLOptions: "+StrictRequire"
 |