318 lines
		
	
	
		
			12 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			318 lines
		
	
	
		
			12 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| # ``apache`` formula configuration:
 | |
| apache:
 | |
| 
 | |
|   # lookup section overrides ``map.jinja`` values
 | |
|   lookup:
 | |
|     server: apache2
 | |
|     service: apache2
 | |
|     user: some_system_user
 | |
|     group: some_system_group
 | |
| 
 | |
|     vhostdir: /etc/apache2/sites-available
 | |
|     confdir: /etc/apache2/conf.d
 | |
|     confext: .conf
 | |
|     logdir: /var/log/apache2
 | |
|     wwwdir: /srv/apache2
 | |
| 
 | |
|     # apache version (generally '2.2' or '2.4')
 | |
|     version: '2.2'
 | |
| 
 | |
|     # ``apache.mod_wsgi`` formula additional configuration:
 | |
|     mod_wsgi: mod_wsgi
 | |
| 
 | |
|     # Default value for AddDefaultCharset in RedHat configuration
 | |
|     default_charset: 'UTF-8'
 | |
| 
 | |
|   global:
 | |
|     # global apache directives
 | |
|     AllowEncodedSlashes: 'On'
 | |
| 
 | |
| 
 | |
|   name_virtual_hosts:
 | |
|     - interface: '*'
 | |
|       port: 80
 | |
|     - interface: '*'
 | |
|       port: 443
 | |
| 
 | |
|   # ``apache.vhosts`` formula additional configuration:
 | |
|   sites:
 | |
|     example.net:
 | |
|       template_file: salt://apache/vhosts/minimal.tmpl
 | |
| 
 | |
|     example.com: # must be unique; used as an ID declaration in Salt.
 | |
|       enabled: True
 | |
|       template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
 | |
| 
 | |
|       ####################### DEFAULT VALUES BELOW ############################
 | |
|       # NOTE: the values below are simply default settings that *can* be
 | |
|       # overridden and are not required in order to use this formula to create
 | |
|       # vhost entries.
 | |
|       #
 | |
|       # Do not copy the values below into your Pillar unless you intend to
 | |
|       # modify these vaules.
 | |
|       ####################### DEFAULT VALUES BELOW ############################
 | |
|       template_engine: jinja
 | |
| 
 | |
|       interface: '*'
 | |
|       port: '80'
 | |
| 
 | |
|       exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
 | |
| 
 | |
|       ServerName: example.com # uses the unique ID above unless specified
 | |
|       ServerAlias: www.example.com
 | |
| 
 | |
|       ServerAdmin: webmaster@example.com
 | |
| 
 | |
|       LogLevel: warn
 | |
|       ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
 | |
|       CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log
 | |
| 
 | |
|       DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
 | |
| 
 | |
|       SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
 | |
|       SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
 | |
|       SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
 | |
| 
 | |
|       Directory:
 | |
|         # "default" is a special case; Adds ``/path/to/www/dir/example.com``
 | |
|         # E.g.: /var/www/example.com
 | |
|         default:
 | |
|           Options: -Indexes +FollowSymLinks
 | |
|           Order: allow,deny    # For Apache < 2.4
 | |
|           Allow: from all      # For apache < 2.4
 | |
|           Require: all granted # For apache > 2.4.
 | |
|           AllowOverride: None
 | |
|           Formula_Append: |
 | |
|             Additional config as a
 | |
|             multi-line string here
 | |
| 
 | |
|     80-proxyexample.com:
 | |
|       template_file: salt://apache/vhosts/redirect.tmpl
 | |
|       ServerName: www.proxyexample.com
 | |
|       ServerAlias: www.proxyexample.com
 | |
|       RedirectSource: '/'
 | |
|       RedirectTarget: 'https://www.proxyexample.com/'
 | |
|       DocumentRoot: /var/www/proxy
 | |
| 
 | |
|     443-proxyexample.com:
 | |
|       template_file: salt://apache/vhosts/proxy.tmpl
 | |
|       ServerName: www.proxyexample.com
 | |
|       ServerAlias: www.proxyexample.com
 | |
|       interface: '*'
 | |
|       port: '443'
 | |
|       DocumentRoot: /var/www/proxy
 | |
| 
 | |
|       Rewrite: |
 | |
|         RewriteRule ^/webmail$ /webmail/ [R]
 | |
|         RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
 | |
|         RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
 | |
| 
 | |
|       SSLCertificateFile: /etc/httpd/ssl/example.com.crt
 | |
|       SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key
 | |
|       SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
 | |
| 
 | |
|       SSLCertificateFile_content: |
 | |
|         -----BEGIN CERTIFICATE-----
 | |
|         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
 | |
|         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
 | |
|         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
 | |
|         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
 | |
|         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
 | |
|         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
 | |
|         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
 | |
|         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
 | |
|         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
 | |
|         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
 | |
|         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 | |
|         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
 | |
|         Wm7DCfrPNGVwFWUQOmsPue9rZBgO
 | |
|         -----END CERTIFICATE-----
 | |
| 
 | |
|       SSLCertificateKeyFile_content: |
 | |
|         -----BEGIN PRIVATE KEY-----
 | |
|         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
 | |
|         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
 | |
|         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
 | |
|         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
 | |
|         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
 | |
|         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
 | |
|         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
 | |
|         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
 | |
|         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
 | |
|         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
 | |
|         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 | |
|         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
 | |
|         Wm7DCfrPNGVwFWUQOmsPue9rZBgO
 | |
|         -----END PRIVATE KEY-----
 | |
| 
 | |
|       SSLCertificateChainFile_content: |
 | |
|         -----BEGIN CERTIFICATE-----
 | |
|         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
 | |
|         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
 | |
|         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
 | |
|         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
 | |
|         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
 | |
|         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
 | |
|         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
 | |
|         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
 | |
|         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
 | |
|         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
 | |
|         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 | |
|         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
 | |
|         Wm7DCfrPNGVwFWUQOmsPue9rZBgO
 | |
|         -----END CERTIFICATE-----
 | |
|         -----BEGIN CERTIFICATE-----
 | |
|         MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
 | |
|         MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
 | |
|         VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
 | |
|         NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
 | |
|         TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
 | |
|         ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
 | |
|         V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
 | |
|         gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
 | |
|         FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
 | |
|         CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
 | |
|         BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 | |
|         BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
 | |
|         Wm7DCfrPNGVwFWUQOmsPue9rZBgO
 | |
|         -----END CERTIFICATE-----
 | |
| 
 | |
|       ProxyRequests: 'Off'
 | |
|       ProxyPreserveHost: 'On'
 | |
| 
 | |
|       ProxyRoute:
 | |
|         example prod proxy route:
 | |
|           ProxyPassSource: '/'
 | |
|           ProxyPassTarget: 'http://prod.example.com:85/'
 | |
|           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
 | |
|           ProxyPassReverseSource: '/'
 | |
|           ProxyPassReverseTarget: 'http://prod.example.com:85/'
 | |
| 
 | |
|         example webmail proxy route:
 | |
|           ProxyPassSource: '/webmail/'
 | |
|           ProxyPassTarget: 'http://mail.example.com/'
 | |
|           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
 | |
|           ProxyPassReverseSource: '/webmail/'
 | |
|           ProxyPassReverseTarget: 'http://mail.example.com/'
 | |
| 
 | |
|         example service proxy route:
 | |
|           ProxyPassSource: '/svc/'
 | |
|           ProxyPassTarget: 'http://svc.example.com:92/'
 | |
|           ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
 | |
|           ProxyPassReverseSource: '/svc/'
 | |
|           ProxyPassReverseTarget: 'http://svc.example.com:92/'
 | |
| 
 | |
|       Location:
 | |
|         /:
 | |
|           Require: False
 | |
|           Formula_Append: |
 | |
|             SecRuleRemoveById 981231
 | |
|             SecRuleRemoveById 981173
 | |
| 
 | |
|         /error:
 | |
|           Require: 'all granted'
 | |
| 
 | |
|       LocationMatch:
 | |
|         '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
 | |
|           Require: False
 | |
|           Formula_Append: |
 | |
|             RequestHeader  set  Host  mail.example.com
 | |
| 
 | |
|         '^[.\\/]+([Ss][Vv][Cc])[.\\/]':
 | |
|           Require: False
 | |
|           Formula_Append: |
 | |
|             Require ip 123.123.13.6 84.24.25.74
 | |
| 
 | |
|       Proxy_control:
 | |
|         '*':
 | |
|           AllowAll: False
 | |
|           AllowCountry:
 | |
|             - DE
 | |
|           AllowIP:
 | |
|             - 12.5.25.32
 | |
|             - 12.5.25.33
 | |
| 
 | |
| 
 | |
|       Alias:
 | |
|         /docs: /usr/share/docs
 | |
| 
 | |
|       Location:
 | |
|         /docs:
 | |
|           Order: allow,deny    # For Apache < 2.4
 | |
|           Allow: from all      # For apache < 2.4
 | |
|           Require: all granted # For apache > 2.4.
 | |
|           Formula_Append: |
 | |
|             Additional config as a
 | |
|             multi-line string here
 | |
| 
 | |
|       Formula_Append: |
 | |
|         Additional config as a
 | |
|         multi-line string here
 | |
| 
 | |
|   # ``apache.debian_full`` formula additional configuration:
 | |
|   register-site:
 | |
|     # any name as an array index, and you can duplicate this section
 | |
|     UNIQUE_VALUE_HERE:
 | |
|       name: 'my name'
 | |
|       path: 'salt://path/to/sites-available/conf/file'
 | |
|       state: 'enabled'
 | |
|       # Optional - use managed file as Jinja Template
 | |
|       #template: true
 | |
|       #defaults:
 | |
|       #  custom_var: "default value"
 | |
| 
 | |
|   modules:
 | |
|     enabled:  # List modules to enable
 | |
|       - ldap
 | |
|       - ssl
 | |
|     disabled:  # List modules to disable
 | |
|       - rewrite
 | |
| 
 | |
|   # KeepAlive: Whether or not to allow persistent connections (more than
 | |
|   # one request per connection). Set to "Off" to deactivate.
 | |
|   keepalive: 'On'
 | |
| 
 | |
|   security:
 | |
|     # can be Full | OS | Minimal | Minor | Major | Prod
 | |
|     # where Full conveys the most information, and Prod the least.
 | |
|     ServerTokens: Prod
 | |
| 
 | |
|   # ``apache.mod_remoteip`` formula additional configuration:
 | |
|   mod_remoteip:
 | |
|     RemoteIPHeader: X-Forwarded-For
 | |
|     RemoteIPTrustedProxy:
 | |
|       - 10.0.8.0/24
 | |
|       - 127.0.0.1
 | |
| 
 | |
|   # ``apache.mod_security`` formula additional configuration:
 | |
|   mod_security:
 | |
|     crs_install: True
 | |
|     # If not set, default distro's configuration is installed as is
 | |
|     manage_config: True
 | |
|     sec_rule_engine: 'On'
 | |
|     sec_request_body_access: 'On'
 | |
|     sec_request_body_limit: '14000000'
 | |
|     sec_request_body_no_files_limit: '114002'
 | |
|     sec_request_body_in_memory_limit: '114002'
 | |
|     sec_request_body_limit_action: 'Reject'
 | |
|     sec_pcre_match_limit: '15000'
 | |
|     sec_pcre_match_limit_recursion: '15000'
 | |
|     sec_debug_log_level: '3'
 | |
| 
 | |
|     rules:
 | |
|       enabled:
 | |
|       modsecurity_crs_10_setup.conf:
 | |
|         rule_set: ''
 | |
|         enabled: True
 | |
|       modsecurity_crs_20_protocol_violations.conf:
 | |
|         rule_set: 'base_rules'
 | |
|         enabled: False
 | |
| 
 | |
|     custom_rule_files:
 | |
|       # any name as an array index, and you can duplicate this section
 | |
|       UNIQUE_VALUE_HERE:
 | |
|         file: 'my name'
 | |
|         path: 'salt://path/to/modsecurity/custom/file'
 | |
|         enabled: True
 | |
|   
 | 
