forked from saltstack-formulas/apache-formula
-
Notifications
You must be signed in to change notification settings - Fork 0
/
pillar.example
544 lines (485 loc) · 21.3 KB
/
pillar.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
apache:
lookup:
master: template-master
# apache version (generally '2.2' or '2.4')
# version: '2.2'
# Default value for AddDefaultCharset in RedHat configuration
default_charset: 'UTF-8'
# Should we enforce DocumentRoot user/group?
document_root_user: null # Defaults to: apache.user
document_root_group: null # Defaults to: apache.group
# Just for testing purposes
winner: lookup
added_in_lookup: lookup_value
# Using bash package and udev service as an example. This allows us to
# test the template formula itself. You should set these parameters to
# examples that make sense in the contexto of the formula you're writing.
# pkg:
# deps:
# mod_ssl # redhat
# mod_security # redhat
# mod_geoip # redhat
# GeoIP # redhat
# libapache2-mod-security2 # Debian
global:
# global apache directives
AllowEncodedSlashes: 'On'
name_virtual_hosts:
- interface: '*'
port: 80
- interface: '*'
port: 443
# ``apache.vhosts`` formula additional configuration:
# fqdn should be added to /etc/hosts i.e. ##
# $ tail -3 /etc/hosts
# 127.0.0.1 example.com
# 127.0.0.1 www.redirectmatch.com
# 127.0.0.1 www.proxyexample.com
sites:
example.net:
template_file: salt://apache/config/vhosts/minimal.tmpl
port: '8081'
example.com: # must be unique; used as an ID declaration in Salt.
enabled: true
# or minimal.tmpl or redirect.tmpl or proxy.tmpl
template_file: salt://apache/config/vhosts/standard.tmpl
####################### DEFAULT VALUES BELOW ############################
# NOTE: the values below are simply default settings that *can* be
# overridden and are not required in order to use this formula to create
# vhost entries.
#
# Do not copy the values below into your Pillar unless you intend to
# modify these vaules.
####################### DEFAULT VALUES BELOW ############################
template_engine: jinja
interface: '*'
port: '443'
exclude_listen_directive: true # Do not add a Listen directive in httpd.conf
ServerName: example.com # uses the unique ID above unless specified
# ServerAlias: www.example.com # Do not add ServerAlias unless defined
ServerAdmin: [email protected]
LogLevel: warn
# E.g.: /var/log/apache2/example.com-error.log
# ErrorLog: /path/to/logs/example.com-error.log
# E.g.: /var/log/apache2/example.com-access.log
# CustomLog: /path/to/logs/example.com-access.log
# E.g., /var/www/example.com
DocumentRoot: /path/to/www/dir/example.com
# do not enforce user, defaults to lookup:document_root_user or apache.user
DocumentRootUser: null
# Force group, defaults to lookup:document_root_group or apache.user
DocumentRootGroup: null
{%- if grains.os_family in ('Debian', 'Suse', 'Gentoo') %}
SSLCertificateFile: /etc/apache2/conf/server.crt
SSLCertificateKeyFile: /etc/apache2/conf/server.key
{%- else %}
SSLCertificateFile: /etc/httpd/conf/server.crt
SSLCertificateKeyFile: /etc/httpd/conf/server.key
{%- endif %}
# SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
SSLCertificateFile_content: |
-----BEGIN CERTIFICATE-----
MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x
CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp
Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM
C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL
MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj
bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL
ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL
ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D
mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8
yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo
th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m
TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY
i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27
jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl
aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+
2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO
W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb
2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl
ylssbnQ=
-----END CERTIFICATE-----
SSLCertificateKeyFile_content: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx
svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY
t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272
a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw
xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V
2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P
Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS
70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR
zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd
vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj
eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ
viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk
Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS
2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv
ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+
dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI
FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU
Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc
KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu
UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA
e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu
wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3
LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF
eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ
qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4
-----END RSA PRIVATE KEY-----
Directory:
# "default" is a special case; uses DocumentRoot value
# E.g.: /var/www/example.com
default:
Options: -Indexes +FollowSymLinks
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
AllowOverride: None
# Formula_Append: |
# Additional config as a
# multi-line string here
# Force SSL: Redirect from 80 to 443
example2.com:
port: 80
template_file: salt://apache/vhosts/redirect.tmpl
RedirectSource: 'permanent /'
# Trailing slash is important
RedirectTarget: 'https://example.com/'
example2.com_ssl:
port: 443
ServerName: example.com
SSLCertificateFile: /path/to/ssl.crt
SSLCertificateKeyFile: /path/to/ssl.key
SSLCertificateChainFile: /path/to/ssl.ca.crt
# Use RedirectMatch Directive
redirectmatch.com:
# - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
# Require module mod_alias
enabled: true
template_file: salt://apache/config/vhosts/redirect.tmpl
ServerName: www.redirectmatch.com
ServerAlias: www.redirectmatch.com
RedirectMatch: true
RedirectSource: '^/$'
RedirectTarget: '/subdirectory'
DocumentRoot: /var/www/html/
port: '8083'
8084-proxyexample.com:
template_file: salt://apache/config/vhosts/redirect.tmpl
ServerName: www.proxyexample.com
ServerAlias: www.proxyexample.com
RedirectSource: '/'
RedirectTarget: 'https://www.proxyexample.com/'
DocumentRoot: /var/www/proxy
port: '8084'
8443-proxyexample.com:
template_file: salt://apache/config/vhosts/proxy.tmpl
ServerName: www.proxyexample.com
ServerAlias: www.proxyexample.com
interface: '*'
port: '8443'
DocumentRoot: /var/www/proxy
Rewrite: |
RewriteRule ^/webmail$ /webmail/ [R]
RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L]
RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L]
SSLCertificateFile: /etc/httpd/conf/server.crt
SSLCertificateKeyFile: /etc/httpd/conf/server.key
# SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer
SSLCertificateFile_content: |
-----BEGIN CERTIFICATE-----
MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x
CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp
Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM
C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL
MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj
bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL
ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL
ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D
mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8
yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo
th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m
TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY
i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27
jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl
aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+
2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO
W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb
2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl
ylssbnQ=
-----END CERTIFICATE-----
SSLCertificateKeyFile_content: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx
svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY
t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272
a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw
xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V
2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P
Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS
70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR
zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd
vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj
eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ
viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk
Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS
2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv
ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+
dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI
FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU
Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc
KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu
UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA
e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu
wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3
LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF
eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ
qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4
-----END RSA PRIVATE KEY-----
SSLCertificateChainFile_content: |
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----
ProxyRequests: 'Off'
ProxyPreserveHost: 'On'
ProxyRoute:
example prod proxy route:
ProxyPassSource: '/'
ProxyPassTarget: 'http://prod.example.com:85/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/'
ProxyPassReverseTarget: 'http://prod.example.com:85/'
example webmail proxy route:
ProxyPassSource: '/webmail/'
ProxyPassTarget: 'http://mail.example.com/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/webmail/'
ProxyPassReverseTarget: 'http://mail.example.com/'
example service proxy route:
ProxyPassSource: '/svc/'
ProxyPassTarget: 'http://svc.example.com:92/'
ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90'
ProxyPassReverseSource: '/svc/'
ProxyPassReverseTarget: 'http://svc.example.com:92/'
Location:
/:
Require: false
# Formula_Append: |
# SecRuleRemoveById 981231
# SecRuleRemoveById 981173
/error:
Require: 'all granted'
/docs:
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
# Formula_Append: |
# Additional config as a
# multi-line string here
LocationMatch:
'^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
Require: false
Formula_Append: |
RequestHeader set Host mail.example.com
'^[.\\/]+([Ss][Vv][Cc])[.\\/]':
Require: false
Formula_Append: |
Require ip 123.123.13.6 84.24.25.74
Proxy_control:
'*':
AllowAll: false
AllowCountry: false
# - DE
AllowIP:
- 12.5.25.32
- 12.5.25.33
Alias:
/docs: /usr/share/docs
ScriptAlias:
/cgi-bin/: /var/www/cgi-bin/
# Formula_Append: |
# \#Additional config as a
# \#multi-line string here
# ``apache.debian_full`` formula additional configuration:
register-site:
# any name as an array index, and you can duplicate this section
unique_value_here:
name: 'myname'
path: 'salt://apache/files/myname.conf'
state: 'enabled'
# Optional - use managed file as Jinja Template
# template: true
# defaults:
# custom_var: "default value"
modules:
enabled: # List modules to enable
- ssl
- prefork
- rewrite
- proxy
- proxy_ajp
- proxy_html
- headers
# geoip
- status
- logio
- dav
- dav_fs
- dav_lock
- auth_digest
- socache_shmcb
- watchdog
- xml2enc
- ldap
disabled: # List modules to disable
- geoip
flags:
enabled: # List server flags to enable
- SSL
disabled: # List server flags to disable
- status
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
keepalive: 'On'
TimeOut: 60 # software default is 60 seconds
security:
# can be Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens: Prod
# [debian only] configure mod_ssl
ssl:
SSLCipherSuite: 'HIGH:!aNULL'
SSLHonorCipherOrder: 'Off'
SSLProtocol: 'all -SSLv3'
SSLUseStapling: 'Off'
SSLStaplingResponderTimeout: '5'
SSLStaplingReturnResponderErrors: 'Off'
SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)'
# ``apache.mod_remoteip`` formula additional configuration:
mod_remoteip:
RemoteIPHeader: X-Forwarded-For
RemoteIPTrustedProxy:
- 10.0.8.0/24
- 127.0.0.1
RemoteIPInternalProxy:
- 10.10.8.0/24
- 127.0.0.1
# ``apache.mod_security`` formula additional configuration:
mod_security:
crs_install: false
# If not set, default distro's configuration is installed as is
manage_config: true
sec_rule_engine: 'On'
sec_request_body_access: 'On'
sec_request_body_limit: '14000000'
sec_request_body_no_files_limit: '114002'
sec_request_body_in_memory_limit: '114002'
sec_request_body_limit_action: 'Reject'
sec_pcre_match_limit: '15000'
sec_pcre_match_limit_recursion: '15000'
sec_debug_log_level: '3'
rules:
enabled: ~
modsecurity_crs_10_setup.conf:
rule_set: ''
enabled: true
modsecurity_crs_20_protocol_violations.conf:
rule_set: 'base_rules'
enabled: false
custom_rule_files:
# any name as an array index, and you can duplicate this section
UNIQUE_VALUE_HERE:
file: 'myname'
# path/to/modsecurity/custom/file
path: 'salt://apache/files/dummy.conf'
enabled: false
mod_ssl:
# set this to true if you want to override your distributions default TLS
# configuration
manage_tls_defaults: false
# This stuff is deliberately not configured via map.jinja resp.
# apache:lookup. We're unable to know sane defaults for each release of
# every distribution.
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for
# a related discussion Have a look at bettercrypto.org for up-to-date
# settings.
# These are default values:
# yamllint disable-line rule:line-length
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Mitigate the CRIME attack
SSLCompression: 'Off'
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder: 'On'
SSLOptions: "+StrictRequire"
server_status_require:
ip:
- 10.8.8.0/24
host:
- foo.example.com
tofs:
# The files_switch key serves as a selector for alternative
# directories under the formula files directory. See TOFS pattern
# doc for more info.
# Note: Any value not evaluated by `config.get` will be used literally.
# This can be used to set custom paths, as many levels deep as required.
files_switch:
- any/path/can/be/used/here
- id
- roles
- osfinger
- os
- os_family
# All aspects of path/file resolution are customisable using the options below.
# This is unnecessary in most cases; there are sensible defaults.
# Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
# I.e.: salt://apache/files/default
# path_prefix: template_alt
# dirs:
# files: files_alt
# default: default_alt
# The entries under `source_files` are prepended to the default source files
# given for the state
# source_files:
# apache-config-file-file-managed:
# - 'example_alt.tmpl'
# - 'example_alt.tmpl.jinja'
# For testing purposes
source_files:
apache-config-file-file-managed:
- 'example.tmpl.jinja'
apache-subcomponent-config-file-file-managed:
- 'subcomponent-example.tmpl.jinja'
# Just for testing purposes
winner: pillar
added_in_pillar: pillar_value