saltstack-formulas/apache-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b0bbd0b91d
apache-formula/pillar.example
Imran Iqbal 97f6ead9f4
fix(yamllint): fix all errors 
```bash
apache-formula$ yamllint -s .
./pillar.example
  2:1       warning  missing document start "---"  (document-start)
  5:26      warning  truthy value should be one of [false, true]  (truthy)
  50:18     warning  too few spaces before comment  (comments)
  51:16     warning  truthy value should be one of [false, true]  (truthy)
  52:57     warning  too few spaces before comment  (comments)
  52:89     error    line too long (104 > 88 characters)  (line-length)
  67:33     warning  truthy value should be one of [false, true]  (truthy)
  67:38     warning  too few spaces before comment  (comments)
  69:31     warning  too few spaces before comment  (comments)
  70:8      warning  missing starting space in comment  (comments)
  75:53     warning  too few spaces before comment  (comments)
  75:89     error    line too long (98 > 88 characters)  (line-length)
  76:55     warning  too few spaces before comment  (comments)
  76:89     error    line too long (101 > 88 characters)  (line-length)
  78:50     warning  too few spaces before comment  (comments)
  79:89     error    line too long (95 > 88 characters)  (line-length)
  82:47     warning  too few spaces before comment  (comments)
  83:54     warning  too few spaces before comment  (comments)
  83:89     error    line too long (100 > 88 characters)  (line-length)
  84:58     warning  too few spaces before comment  (comments)
  84:89     error    line too long (109 > 88 characters)  (line-length)
  93:32     warning  too few spaces before comment  (comments)
  100:89    error    line too long (105 > 88 characters)  (line-length)
  101:33    error    trailing spaces  (trailing-spaces)
  102:16    warning  truthy value should be one of [false, true]  (truthy)
  231:20    warning  truthy value should be one of [false, true]  (truthy)
  242:32    warning  too few spaces before comment  (comments)
  249:20    warning  truthy value should be one of [false, true]  (truthy)
  254:20    warning  truthy value should be one of [false, true]  (truthy)
  260:21    warning  truthy value should be one of [false, true]  (truthy)
  283:8     warning  missing starting space in comment  (comments)
  284:8     warning  missing starting space in comment  (comments)
  297:15    warning  too few spaces before comment  (comments)
  328:18    warning  truthy value should be one of [false, true]  (truthy)
  330:20    warning  truthy value should be one of [false, true]  (truthy)
  342:15    error    empty value in block mapping  (empty-values)
  345:18    warning  truthy value should be one of [false, true]  (truthy)
  348:18    warning  truthy value should be one of [false, true]  (truthy)
  355:18    warning  truthy value should be one of [false, true]  (truthy)
  358:89    error    line too long (91 > 88 characters)  (line-length)
  359:26    warning  truthy value should be one of [false, true]  (truthy)
  362:89    error    line too long (99 > 88 characters)  (line-length)
  365:89    error    line too long (267 > 88 characters)  (line-length)
  367:21    warning  truthy value should be one of [false, true]  (truthy)
  369:26    warning  truthy value should be one of [false, true]  (truthy)
  371:1     error    too many blank lines (1 > 0)  (empty-lines)

./apache/osfingermap.yaml
  3:1       warning  missing document start "---"  (document-start)

./apache/modsecurity.yaml
  4:1       warning  missing document start "---"  (document-start)
  6:18      warning  truthy value should be one of [false, true]  (truthy)
  7:20      warning  truthy value should be one of [false, true]  (truthy)
  14:18     warning  truthy value should be one of [false, true]  (truthy)
  15:20     warning  truthy value should be one of [false, true]  (truthy)
  22:18     warning  truthy value should be one of [false, true]  (truthy)
  23:20     warning  truthy value should be one of [false, true]  (truthy)

./apache/defaults.yaml
  4:1       warning  missing document start "---"  (document-start)
  5:26      warning  truthy value should be one of [false, true]  (truthy)
  7:19      warning  truthy value should be one of [false, true]  (truthy)
  10:18     warning  truthy value should be one of [false, true]  (truthy)
  11:20     warning  truthy value should be one of [false, true]  (truthy)

./apache/oscodenamemap.yaml
  4:1       warning  missing document start "---"  (document-start)
  4:8       error    trailing spaces  (trailing-spaces)
  9:8       error    trailing spaces  (trailing-spaces)
  14:7      error    trailing spaces  (trailing-spaces)
  19:6      error    trailing spaces  (trailing-spaces)
  24:8      error    trailing spaces  (trailing-spaces)
  29:9      error    trailing spaces  (trailing-spaces)
  34:7      error    trailing spaces  (trailing-spaces)
  39:8      error    trailing spaces  (trailing-spaces)
  44:8      error    trailing spaces  (trailing-spaces)
  50:9      error    trailing spaces  (trailing-spaces)
  61:1      error    too many blank lines (1 > 0)  (empty-lines)

./apache/osfamilymap.yaml
  4:1       warning  missing document start "---"  (document-start)
  16:89     error    line too long (104 > 88 characters)  (line-length)
  43:89     error    line too long (105 > 88 characters)  (line-length)
  56:16     warning  truthy value should be one of [false, true]  (truthy)
  114:11    error    empty value in block mapping  (empty-values)
  114:11    error    trailing spaces  (trailing-spaces)

./test/salt/pillar/default.sls
  5:26      warning  truthy value should be one of [false, true]  (truthy)
  7:18      warning  truthy value should be one of [false, true]  (truthy)
  8:20      warning  truthy value should be one of [false, true]  (truthy)
```
2019-10-17 08:32:30 +01:00

388 lines
14 KiB
YAML
Raw Blame History

# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# ``apache`` formula configuration:
apache:
# By default apache restart/reload states run (false skips)
manage_service_states: true
# lookup section overrides ``map.jinja`` values
lookup:
server: apache2
service: apache2
user: some_system_user
group: some_system_group
vhostdir: /etc/apache2/sites-available
confdir: /etc/apache2/conf.d
confext: .conf
logdir: /var/log/apache2
wwwdir: /srv/apache2
# apache version (generally '2.2' or '2.4')
version: '2.2'
# ``apache.mod_wsgi`` formula additional configuration:
mod_wsgi: mod_wsgi
# Default value for AddDefaultCharset in RedHat configuration
default_charset: 'UTF-8'
# Should we enforce DocumentRoot user/group?
# Default: do not enforce
document_root_user: www-data # Force user if specified, leave it default if not
document_root_group: null # Do not enforce group
global:
# global apache directives
AllowEncodedSlashes: 'On'
name_virtual_hosts:
- interface: '*'
port: 80
- interface: '*'
port: 443
# ``apache.vhosts`` formula additional configuration:
sites:
example.net:
template_file: salt://apache/vhosts/minimal.tmpl
example.com: # must be unique; used as an ID declaration in Salt.
enabled: true
# or minimal.tmpl or redirect.tmpl or proxy.tmpl
template_file: salt://apache/vhosts/standard.tmpl
####################### DEFAULT VALUES BELOW ############################
# NOTE: the values below are simply default settings that *can* be
# overridden and are not required in order to use this formula to create
# vhost entries.
#
# Do not copy the values below into your Pillar unless you intend to
# modify these vaules.
####################### DEFAULT VALUES BELOW ############################
template_engine: jinja
interface: '*'
port: '80'
exclude_listen_directive: true # Do not add a Listen directive in httpd.conf
ServerName: example.com # uses the unique ID above unless specified
# ServerAlias: www.example.com # Do not add ServerAlias unless defined
ServerAdmin: webmaster@example.com
LogLevel: warn
# E.g.: /var/log/apache2/example.com-error.log
ErrorLog: /path/to/logs/example.com-error.log
# E.g.: /var/log/apache2/example.com-access.log
CustomLog: /path/to/logs/example.com-access.log
# E.g., /var/www/example.com
DocumentRoot: /path/to/www/dir/example.com
# do not enforce user, defaults to lookup:document_root_user
DocumentRootUser: null
# Force group, defaults to lookup:document_root_group
DocumentRootGroup: www-data
# if ssl is desired
SSLCertificateFile: /etc/ssl/mycert.pem
# if key for cert is needed or in an extra file
SSLCertificateKeyFile: /etc/ssl/mycert.pem.key
# if you require a chain of server certificates file
SSLCertificateChainFile: /etc/ssl/mycert.chain.pem
Directory:
# "default" is a special case; uses DocumentRoot value
# E.g.: /var/www/example.com
default:
Options: -Indexes +FollowSymLinks
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
AllowOverride: None
Formula_Append: |
Additional config as a
multi-line string here
redirectmatch.com:
# Use RedirectMatch Directive
# - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
# Require module mod_alias
enabled: true
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.redirectmatch.com
ServerAlias: www.redirectmatch.com
RedirectMatch: true
RedirectSource: '^/$'
RedirectTarget: '/subdirectory'
DocumentRoot: /var/www/html/
ErrorLog: ${APACHE_LOG_DIR}/error.log
CustomLog: ${APACHE_LOG_DIR}/access.log
80-proxyexample.com:
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.proxyexample.com
ServerAlias: www.proxyexample.com
RedirectSource: '/'
RedirectTarget: 'https://www.proxyexample.com/'
DocumentRoot: /var/www/proxy
443-proxyexample.com:
template_file: salt://apache/vhosts/proxy.tmpl
ServerName: www.proxyexample.com
ServerAlias: www.proxyexample.com
interface: '*'
port: '443'
DocumentRoot: /var/www/proxy
Rewrite: |
RewriteRule ^/webmail$ /webmail/ [R]
RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
SSLCertificateFile: /etc/httpd/ssl/example.com.crt
SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
SSLCertificateFile_content: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
SSLCertificateKeyFile_content: |
-----BEGIN PRIVATE KEY-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END PRIVATE KEY-----
SSLCertificateChainFile_content: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
ProxyRequests: 'Off'
ProxyPreserveHost: 'On'
ProxyRoute:
example prod proxy route:
ProxyPassSource: '/'
ProxyPassTarget: 'http://prod.example.com:85/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/'
ProxyPassReverseTarget: 'http://prod.example.com:85/'
example webmail proxy route:
ProxyPassSource: '/webmail/'
ProxyPassTarget: 'http://mail.example.com/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/webmail/'
ProxyPassReverseTarget: 'http://mail.example.com/'
example service proxy route:
ProxyPassSource: '/svc/'
ProxyPassTarget: 'http://svc.example.com:92/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/svc/'
ProxyPassReverseTarget: 'http://svc.example.com:92/'
Location:
/:
Require: false
Formula_Append: |
SecRuleRemoveById 981231
SecRuleRemoveById 981173
/error:
Require: 'all granted'
/docs:
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
Formula_Append: |
Additional config as a
multi-line string here
LocationMatch:
'^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
Require: false
Formula_Append: |
RequestHeader set Host mail.example.com
'^[.\\/]+([Ss][Vv][Cc])[.\\/]':
Require: false
Formula_Append: |
Require ip 123.123.13.6 84.24.25.74
Proxy_control:
'*':
AllowAll: false
AllowCountry:
- DE
AllowIP:
- 12.5.25.32
- 12.5.25.33
Alias:
/docs: /usr/share/docs
Formula_Append: |
Additional config as a
multi-line string here
# ``apache.debian_full`` formula additional configuration:
register-site:
# any name as an array index, and you can duplicate this section
UNIQUE_VALUE_HERE:
name: 'my name'
path: 'salt://path/to/sites-available/conf/file'
state: 'enabled'
# Optional - use managed file as Jinja Template
# template: true
# defaults:
# custom_var: "default value"
modules:
enabled: # List modules to enable
- ldap
- ssl
disabled: # List modules to disable
- rewrite
flags:
enabled: # List server flags to enable
- SSL
disabled: # List server flags to disable
- status
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
keepalive: 'On'
security:
# can be Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens: Prod
# [debian only] configure mod_ssl
ssl:
SSLCipherSuite: 'HIGH:!aNULL'
SSLHonorCipherOrder: 'Off'
SSLProtocol: 'all -SSLv3'
SSLUseStapling: 'Off'
SSLStaplingResponderTimeout: '5'
SSLStaplingReturnResponderErrors: 'Off'
SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
# ``apache.mod_remoteip`` formula additional configuration:
mod_remoteip:
RemoteIPHeader: X-Forwarded-For
RemoteIPTrustedProxy:
- 10.0.8.0/24
- 127.0.0.1
# ``apache.mod_security`` formula additional configuration:
mod_security:
crs_install: true
# If not set, default distro's configuration is installed as is
manage_config: true
sec_rule_engine: 'On'
sec_request_body_access: 'On'
sec_request_body_limit: '14000000'
sec_request_body_no_files_limit: '114002'
sec_request_body_in_memory_limit: '114002'
sec_request_body_limit_action: 'Reject'
sec_pcre_match_limit: '15000'
sec_pcre_match_limit_recursion: '15000'
sec_debug_log_level: '3'
rules:
enabled: ~
modsecurity_crs_10_setup.conf:
rule_set: ''
enabled: true
modsecurity_crs_20_protocol_violations.conf:
rule_set: 'base_rules'
enabled: false
custom_rule_files:
# any name as an array index, and you can duplicate this section
UNIQUE_VALUE_HERE:
file: 'my name'
path: 'salt://path/to/modsecurity/custom/file'
enabled: true
mod_ssl:
# set this to true if you want to override your distributions default TLS
# configuration
manage_tls_defaults: false
# This stuff is deliberately not configured via map.jinja resp.
# apache:lookup. We're unable to know sane defaults for each release of
# every distribution.
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for
# a related discussion Have a look at bettercrypto.org for up-to-date
# settings.
# These are default values:
# yamllint disable-line rule:line-length
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Mitigate the CRIME attack
SSLCompression: 'Off'
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder: 'On'
SSLOptions: "+StrictRequire"
Reference in New Issue View Git Blame Copy Permalink