From a5f81d06d29d72c0c6692cecc015631a0fc02400 Mon Sep 17 00:00:00 2001 From: Karim Hamza Date: Mon, 25 Feb 2019 19:52:22 +0100 Subject: [PATCH 1/6] remove -ng stuff --- README-ng.rst | 149 ------- README.rst | 264 ++++------- apache/config-ng.sls | 118 ----- apache/config.sls | 154 +++---- .../files/RedHat/apache-2.4-ng.config.jinja | 40 -- apache/files/RedHat/apache-2.4.config.jinja | 414 ++---------------- apache/modules-ng.sls | 86 ---- apache/modules.sls | 36 +- apache/osfamilymap.yaml | 3 +- apache/vhosts/cleanup.sls | 41 -- apache/vhosts/minimal.tmpl | 37 -- apache/vhosts/proxy.tmpl | 131 ------ apache/vhosts/redirect.tmpl | 51 --- apache/vhosts/standard.sls | 65 --- apache/vhosts/standard.tmpl | 136 ------ .../{vhost-ng.conf.jinja => vhost.conf.jinja} | 12 +- apache/vhosts/{vhost-ng.sls => vhost.sls} | 220 +++++----- pillar.example | 372 ---------------- pillar-ng.example.yaml => pillar.example.yaml | 244 +++++------ 19 files changed, 425 insertions(+), 2148 deletions(-) delete mode 100644 README-ng.rst delete mode 100644 apache/config-ng.sls delete mode 100644 apache/files/RedHat/apache-2.4-ng.config.jinja delete mode 100644 apache/modules-ng.sls delete mode 100644 apache/vhosts/cleanup.sls delete mode 100644 apache/vhosts/minimal.tmpl delete mode 100644 apache/vhosts/proxy.tmpl delete mode 100644 apache/vhosts/redirect.tmpl delete mode 100644 apache/vhosts/standard.sls delete mode 100644 apache/vhosts/standard.tmpl rename apache/vhosts/{vhost-ng.conf.jinja => vhost.conf.jinja} (97%) rename apache/vhosts/{vhost-ng.sls => vhost.sls} (92%) delete mode 100644 pillar.example rename pillar-ng.example.yaml => pillar.example.yaml (97%) diff --git a/README-ng.rst b/README-ng.rst deleted file mode 100644 index eeee1535..00000000 --- a/README-ng.rst +++ /dev/null 
@@ -1,149 +0,0 @@ -====== -apache -====== - -Formulas to set up and configure the Apache HTTP server. - -This Formula uses the concepts of ``directive`` and ``container`` in pillars - -* ``directive`` is an httpd directive https://httpd.apache.org/docs/2.4/en/mod/directives.html -* ``container`` is what described the `configuration sections` https://httpd.apache.org/docs/2.4/en/sections.html - -see examples below for more explanation - -Also it includes and enforce some hardening rules to prevent security issues - -See ``_ and ``_. - -.. note:: - - See the full `Salt Formulas installation and usage instructions - `_. - -Available states -================ - -.. contents:: - :local: - -``apache`` ----------- - -Installs the Apache package and starts the service. - -``apache.config-ng`` ------------------ - -Configures apache server. - -The configuration is done by merging the pillar content with defaults -present in the state ``_ - -.. code:: yaml - - apache: - server_apache_config: - directives: - - Timeout: 5 - containers: - IfModule: - - - item: 'mime_module' - directives: - - AddType: 'application/x-font-ttf ttc ttf' - - AddType: 'application/x-font-opentype otf' - - AddType: 'application/x-font-woff woff2' - - -``apache.modules-ng`` ------------------- - -Enables and disables Apache modules. - -``apache.vhosts.vhost-ng`` --------------------------- - -Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar. - -All necessary data must be provided in the pillar - -Exceptions are : - -* ``CustomLog`` default is ``/path/apache/log/ServerName-access.log combined`` - -* if ``Logformat`` is defined in pillar, ``CustomLog`` is enforced to ``/path/apache/log/ServerName-access.log Logformat`` - -* ``ErrorLog`` is enforced to ``/path/apache/log/ServerName-error.log`` - -Example Pillar: - -Create two vhosts ``example.com.conf`` and ``test.example.com.conf`` - -.. 
code:: yaml - - apache: - VirtualHost: - example.com: # <-- this is an id decalaration used in salt and default ServerName - item: '*:80' - directives: - - RewriteEngine: 'on' - - Header: 'set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS' - containers: - Location: - item: '/test.html' - directives: - - Require: 'all granted' - site_id_declaration: - item: '10.10.1.1:8080' - directives: - - ServerName: 'test.example.com' - - LogFormat: '"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T"' - -Files produced by these pillars : - -``example.com.conf`` - -.. code:: bash - - - ServerName example.com - CustomLog /var/log/httpd/example.com-access.log combined - ErrorLog /var/log/httpd/example.com-error.log - RewriteEngine on - Header set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS - - Require all granted - - - - -``test.example.com.conf`` - -.. code:: bash - - - ServerName test.example.com - CustomLog /var/log/httpd/test.example.com-access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T" - ErrorLog /var/log/httpd/test.example.com-error.log - - - - -this will delete ``test.example.com.conf`` - -.. code:: yaml - - apache: - VirtualHost: - test.example.com: - item: '10.10.1.1:8080' - absent: True # <-- delete test.example.com.conf - directives: - - ServerName: 'test.example.com' - - - -``apache.uninstall`` ----------- - -Stops the Apache service and uninstalls the package. diff --git a/README.rst b/README.rst index fb860fd5..f08e501d 100644 --- a/README.rst +++ b/README.rst 
@@ -2,10 +2,18 @@ apache ====== +Formulas to set up and configure the Apache HTTP server. -.. note:: See ``_ for new gen of the state. +This Formula uses the concepts of ``directive`` and ``container`` in pillars -Formulas to set up and configure the Apache HTTP server. +* ``directive`` is an httpd directive https://httpd.apache.org/docs/2.4/en/mod/directives.html +* ``container`` is what described the `configuration sections` https://httpd.apache.org/docs/2.4/en/sections.html + +see examples below for more explanation + +Also it includes and enforce some hardening rules to prevent security issues + +See ``_ and ``_. .. note:: 
@@ -23,221 +31,119 @@ Available states Installs the Apache package and starts the service. -``apache.config`` +``apache.config-ng`` ----------------- -Configures apache based on os_family +Configures apache server. -``apache.certificates`` ------------------ - -Deploy SSL certificates from pillars - -``apache.mod_mpm`` ------------------- +The configuration is done by merging the pillar content with defaults +present in the state ``_ -Configures the apache mpm modules on Debian ``mpm_prefork``, ``mpm_worker`` or ``mpm_event`` (Debian Only) +.. code:: yaml -``apache.modules`` + apache: + server_apache_config: + directives: + - Timeout: 5 + containers: + IfModule: + - + item: 'mime_module' + directives: + - AddType: 'application/x-font-ttf ttc ttf' + - AddType: 'application/x-font-opentype otf' + - AddType: 'application/x-font-woff woff2' + + +``apache.modules-ng`` ------------------ Enables and disables Apache modules. -``apache.mod_rewrite`` ----------------------- - -Enabled the Apache module mod_rewrite (Debian and FreeBSD only) - -``apache.mod_proxy`` -------------------- - -Enables the Apache module mod_proxy. (Debian and FreeBSD only) - -``apache.mod_proxy_http`` -------------------------- - -Enables the Apache module mod_proxy_http and requires the Apache module mod_proxy to be enabled. (Debian Only) - -``apache.mod_proxy_fcgi`` -------------------------- - -Enables the Apache module mod_proxy_fcgi and requires the Apache module mod_proxy to be enabled. (Debian Only) - -``apache.mod_wsgi`` -------------------- - -Installs the mod_wsgi package and enables the Apache module. - -``apache.mod_actions`` ----------------------- - -Enables the Apache module mod_actions. (Debian Only) - -``apache.mod_headers`` ----------------------- - -Enables the Apache module mod_headers. (Debian Only) - -``apache.mod_pagespeed`` ------------------------- - -Installs and Enables the mod_pagespeed module. 
(Debian and RedHat Only) - -``apache.mod_perl2`` -------------------- - -Installs and enables the mod_perl2 module (Debian and FreeBSD only) - -``apache.mod_geoip`` -------------------- - -Installs and enables the mod_geoIP (RedHat only) - -``apache.mod_php5`` -------------------- - -Installs and enables the mod_php5 module - -``apache.mod_cgi`` ---------------------- - -Enables mod_cgi. (FreeBSD only) - -``apache.mod_fcgid`` --------------------- - -Installs and enables the mod_fcgid module (Debian only) - -``apache.mod_fastcgi`` --------------------- - -Installs and enables the mod_fastcgi module - -``apache.mod_dav_svn`` --------------------- - -Installs and enables the mod_dav_svn module (Debian only) - -``apache.mod_security`` ----------------------- - -Installs an enables the `Apache mod_security2 WAF``_ -using data from Pillar. (Debian and RedHat Only) - -Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2 - -``apache.mod_security.rules`` ------------------------------ - -This state can create symlinks based on basic Core Rules package. (Debian only) -Or it can distribute a mod_security rule file and place it /etc/modsecurity/ - -``apache.mod_socache_shmcb`` ---------------------- +``apache.vhosts.vhost-ng`` +-------------------------- -Enables mod_socache_shmcb. (FreeBSD only) +Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar. -``apache.mod_ssl`` ----------------------- +All necessary data must be provided in the pillar -Installs and enables the mod_ssl module (Debian, RedHat and FreeBSD only) +Exceptions are : -``apache.mod_suexec`` ---------------------- +* ``CustomLog`` default is ``/path/apache/log/ServerName-access.log combined`` -Enables mod_suexec. 
(FreeBSD only) +* if ``Logformat`` is defined in pillar, ``CustomLog`` is enforced to ``/path/apache/log/ServerName-access.log Logformat`` -``apache.mod_vhost_alias`` ----------------------- +* ``ErrorLog`` is enforced to ``/path/apache/log/ServerName-error.log`` -Enables the Apache module vhost_alias (Debian Only) +Example Pillar: -``apache.mod_remoteip`` ----------------------- +Create two vhosts ``example.com.conf`` and ``test.example.com.conf`` -Enables and configures the Apache module mod_remoteip using data from Pillar. (Debian Only) +.. code:: yaml -``apache.mod_xsendfile`` ----------------------- + apache: + VirtualHost: + example.com: # <-- this is an id decalaration used in salt and default ServerName + item: '*:80' + directives: + - RewriteEngine: 'on' + - Header: 'set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS' + containers: + Location: + item: '/test.html' + directives: + - Require: 'all granted' + site_id_declaration: + item: '10.10.1.1:8080' + directives: + - ServerName: 'test.example.com' + - LogFormat: '"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T"' -Installs and enables mod_xsendfile module. (Debian Only) +Files produced by these pillars : -``apache.own_default_vhost`` --------------------------- +``example.com.conf`` -Replace default vhost with own version. By default, it's 503 code. (Debian Only) +.. code:: bash -``apache.no_default_vhost`` --------------------------- + + ServerName example.com + CustomLog /var/log/httpd/example.com-access.log combined + ErrorLog /var/log/httpd/example.com-error.log + RewriteEngine on + Header set Access-Control-Allow-Methods GET,PUT,POST,DELETE,OPTIONS + + Require all granted + + -Remove the default vhost. (Debian Only) -``apache.vhosts.standard`` --------------------------- +``test.example.com.conf`` -Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar. +.. 
code:: bash -Example Pillar: + + ServerName test.example.com + CustomLog /var/log/httpd/test.example.com-access.log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %{ms}T" + ErrorLog /var/log/httpd/test.example.com-error.log + -.. code:: yaml - apache: - sites: - example.com: # must be unique; used as an ID declaration in Salt; also passed to the template context as {{ id }} - template_file: salt://apache/vhosts/standard.tmpl -When using the provided templates, one can use a space separated list -of interfaces to bind to. For example, to bind both IPv4 and IPv6: +this will delete ``test.example.com.conf`` .. code:: yaml apache: - sites: - example.com: - interface: '1.2.3.4 [2001:abc:def:100::3]' - -``apache.manage_security`` --------------------------- - -Configures Apache's security.conf options by reassinging them using data from Pillar. - -``apache.server_status`` --------------------------- + VirtualHost: + test.example.com: + item: '10.10.1.1:8080' + absent: True # <-- delete test.example.com.conf + directives: + - ServerName: 'test.example.com' -Configures Apache's server_status handler for localhost -``apache.debian_full`` ----------------------- - -Installs and configures Apache on Debian and Ubuntu systems. ``apache.uninstall`` ---------- Stops the Apache service and uninstalls the package. - -These states are ordered using the ``order`` declaration. 
Different stages -are divided into the following number ranges: - -1) apache will use 1-500 for ordering -2) apache will reserve 1 -100 as unused -3) apache will reserve 101-150 for pre pkg install -4) apache will reserve 151-200 for pkg install -5) apache will reserve 201-250 for pkg configure -6) apache will reserve 251-300 for downloads, git stuff, load data -7) apache will reserve 301-400 for unknown purposes -8) apache will reserve 401-450 for service restart-reloads -9) apache WILL reserve 451-460 for service.running -10) apache will reserve 461-500 for cmd requiring operational services - -Example Pillar: - -.. code:: yaml - - apache: - register-site: - # any name as an array index, and you can duplicate this section - {{UNIQUE}}: - name: 'my name' - path: 'salt://path/to/sites-available/conf/file' - state: 'enabled' diff --git a/apache/config-ng.sls b/apache/config-ng.sls deleted file mode 100644 index d23bb137..00000000 --- a/apache/config-ng.sls +++ /dev/null 
@@ -1,118 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} -{% import_yaml "apache/hardening-values.yaml" as hardening_values %} -{% import_yaml "apache/defaults/" ~ salt['grains.get']('os_family') ~ "/defaults-apache-" ~ apache.version ~ ".yaml" as global_defaults %} - -include: - - apache - - apache.mod_ssl - - apache.hardening - -{# merge defaults with pillar content #} -{% set pillar_server_config = salt['pillar.get']('apache:server_apache_config', {}) %} -{% set server_config = salt['apache_directives.merge_container_with_additional_data']( - global_defaults.server_apache_config, - pillar_server_config) %} - -{# enforce directives values #} -{% for directive, directive_data in hardening_values.enforced_directives.items() %} -{% set server_config = salt['apache_directives.enforce_directive_value'](directive, - directive_data, - container_name='server', - container_data=server_config) %} -{% endfor %} - -{# merge server config with hardened sections #} -{% set server_config = salt['apache_directives.enforce_security_directives_into_containers']( - server_config, - hardening_values.enforced_containers ) %} - -{# remove containers #} -{% for container_name_to_remove, items_names in hardening_values.containers_to_remove.items() %} -{% for item_name in items_names %} -{% set server_config = salt['apache_directives.remove_container']( - server_config, - container_name_to_remove, - item_name) %} -{% endfor %} -{% endfor %} - -{# add supplemental security directives in server configuration #} -{% for d_directive in hardening_values.server_supplemental_directives %} -{% for directive, value in d_directive.items() %} -{% set server_config = salt['apache_directives.append_to_container_directives']( - directive, - value, - server_config) %} -{% endfor %} -{% endfor %} - -{% if grains['os_family']=="RedHat" %} - -{{ apache.logdir }}: - file.directory: - - makedirs: True - - require: - - pkg: apache - - user: root - - group: {{ apache.group }} - - dir_mode: 
750 - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{{ apache.configfile }}: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/apache-{{ apache.version }}-ng.config.jinja - - user: root - - group: root - - mode: 644 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - context: - apache: {{ apache }} - server_config: {{ server_config | json }} - -{{ apache.vhostdir_ng }}: - file.directory: - - makedirs: True - - require: - - pkg: apache - - user: root - - group: root - - dir_mode: 755 - - file_mode: 644 - - recurse: - - user - - group - - mode - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - -/etc/httpd/conf.d/welcome.conf: - file.managed: - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/welcome.conf - - user: root - - group: root - - mode: 644 - - require: - - pkg: apache - - watch_in: - - service: apache -{% endif %} diff --git a/apache/config.sls b/apache/config.sls index dd3cb9b7..6e60c44e 100644 --- a/apache/config.sls +++ b/apache/config.sls 
@@ -1,13 +1,61 @@ {% from "apache/map.jinja" import apache with context %} +{% import_yaml "apache/hardening-values.yaml" as hardening_values %} +{% import_yaml "apache/defaults/" ~ salt['grains.get']('os_family') ~ "/defaults-apache-" ~ apache.version ~ ".yaml" as global_defaults %} include: - apache + - apache.mod_ssl + - apache.hardening + +{# merge defaults with pillar content #} +{% set pillar_server_config = salt['pillar.get']('apache:server_apache_config', {}) %} +{% set server_config = salt['apache_directives.merge_container_with_additional_data']( + global_defaults.server_apache_config, + pillar_server_config) %} + +{# enforce directives values #} +{% for directive, directive_data in hardening_values.enforced_directives.items() %} +{% set server_config = salt['apache_directives.enforce_directive_value'](directive, + directive_data, + container_name='server', + container_data=server_config) %} +{% endfor %} + +{# merge server config with hardened sections #} +{% set server_config = salt['apache_directives.enforce_security_directives_into_containers']( + server_config, + hardening_values.enforced_containers ) %} + +{# remove containers #} +{% for container_name_to_remove, items_names in hardening_values.containers_to_remove.items() %} +{% for item_name in items_names %} +{% set server_config = salt['apache_directives.remove_container']( + server_config, + container_name_to_remove, + item_name) %} +{% endfor %} +{% endfor %} + +{# add supplemental security directives in server configuration #} +{% for d_directive in hardening_values.server_supplemental_directives %} +{% for directive, value in d_directive.items() %} +{% set server_config = salt['apache_directives.append_to_container_directives']( + directive, + value, + server_config) %} +{% endfor %} +{% endfor %} + +{% if grains['os_family']=="RedHat" %} {{ apache.logdir }}: file.directory: - makedirs: True - require: - pkg: apache + - user: root + - group: {{ apache.group }} + - dir_mode: 750 - watch_in: - 
module: apache-restart - require_in: @@ -20,6 +68,9 @@ include: - template: jinja - source: - salt://apache/files/{{ salt['grains.get']('os_family') }}/apache-{{ apache.version }}.config.jinja + - user: root + - group: root + - mode: 644 - require: - pkg: apache - watch_in: @@ -29,13 +80,22 @@ include: - module: apache-reload - service: apache - context: - apache: {{ apache | json }} + apache: {{ apache }} + server_config: {{ server_config | json }} {{ apache.vhostdir }}: file.directory: - makedirs: True - require: - pkg: apache + - user: root + - group: root + - dir_mode: 755 + - file_mode: 644 + - recurse: + - user + - group + - mode - watch_in: - module: apache-restart - require_in: 
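Review bot: The rendering pipeline added at the top of config.sls depends on a custom execution module (`salt['apache_directives.merge_container_with_additional_data']`, `enforce_directive_value`, `enforce_security_directives_into_containers`, `remove_container`, `append_to_container_directives`) and nothing in the state records that it must be synced to the minion first; on a minion that has not run `saltutil.sync_modules`, the state fails at render time, which is the safe failure but is not obvious from the error, so I would add above `{# merge defaults with pillar content #}` the comment `{# requires the apache_directives execution module shipped in _modules; run saltutil.sync_modules before the first highstate #}`. The ordering is the security-relevant part and deserves a comment of its own: pillar `apache:server_apache_config` is merged into the defaults first and `hardening_values.enforced_directives` / `enforced_containers` / `containers_to_remove` are applied afterwards, so pillar cannot weaken an enforced value, whereas `server_supplemental_directives` are only appended last via `append_to_container_directives` — whether a pillar-supplied duplicate of one of those is deduplicated or ends up as two conflicting directives depends on module code not in this diff. The `salt['pillar.get']('apache:server_apache_config', {})` value is also passed straight through with no check that it is a mapping, so a mistyped pillar (a list or a string) presumably surfaces as an exception inside the module rather than a clear message; a `{% if pillar_server_config is not mapping %}` guard raising a descriptive error would help.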
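Review bot: The context line for the managed config file changes from `apache: {{ apache | json }}` to `apache: {{ apache }}`, which renders the Python repr of the map into the state's YAML; that is not guaranteed to be valid YAML (OrderedDict/unicode reprs, `True`/`None` spellings) and the line right below it still uses `server_config: {{ server_config | json }}`, so this looks like a regression rather than a deliberate change. I would restore `apache: {{ apache | json }}`. On the `{{ apache.vhostdir }}` directory, the new `recurse` over user/group/mode with `file_mode: 644` makes every file under the vhost directory world-readable; that is normal for vhost definitions, but since vhost snippets can carry things like proxy or auth material, a one-line comment such as `# vhost files are world-readable; never place credentials in this directory` documents the assumption.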
@@ -43,98 +103,16 @@ include: - module: apache-reload - service: apache -{% if grains['os_family']=="Debian" %} -/etc/apache2/envvars: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{{ apache.portsfile }}: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - context: - apache: {{ apache | json }} - -{% endif %} - -{% if grains['os_family']=="RedHat" %} -{{ apache.confdir }}/welcome.conf: - file.absent: - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} - -{% if grains['os_family']=="Suse" or salt['grains.get']('os') == 'SUSE' %} -/etc/apache2/global.conf: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/global.config.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - context: - apache: {{ apache | json }} -{% endif %} - -{% if grains['os_family']=="FreeBSD" %} -/usr/local/etc/{{ apache.service }}/envvars.d/by_salt.env: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{{ apache.portsfile }}: 
+/etc/httpd/conf.d/welcome.conf: file.managed: - - template: jinja - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja + - salt://apache/files/{{ salt['grains.get']('os_family') }}/welcome.conf + - user: root + - group: root + - mode: 644 - require: - pkg: apache - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - service: apache - - context: - apache: {{ apache | json }} {% endif %} diff --git a/apache/files/RedHat/apache-2.4-ng.config.jinja b/apache/files/RedHat/apache-2.4-ng.config.jinja deleted file mode 100644 index 97ed6360..00000000 --- a/apache/files/RedHat/apache-2.4-ng.config.jinja +++ /dev/null @@ -1,40 +0,0 @@ -# -# This file is managed by Salt! Do not edit by hand! -# -{%- from "apache/map.jinja" import apache with context %} -{%- import_yaml "apache/hardening-values.yaml" as hardening_values %} -{%- from "apache/lib.sls" import directives_output, container_output with context %} - -{%- set list_interfaces_ports = [] %} -{%- for name, vhost in salt['pillar.get']('apache:VirtualHost', {}).items() %} -{%- set items = vhost.item.split() %} -{%- for item in items if item not in list_interfaces_ports %} -{%- do list_interfaces_ports.append(item) %} -{%- endfor %} -{%- endfor %} - -{%- for item in list_interfaces_ports %} -Listen {{ item }} -{% else %} -Listen *:80 -{%- endfor %} - -{{ directives_output(server_config, 0) }} - -Include conf.modules.d/*.conf - -User {{ apache.user }} -Group {{ apache.group }} - - -{%- for container_name, container_data_list in server_config.get('containers', {}).items() %} -{%- for container_data in container_data_list %} -{{ container_output(container_name, container_data) }} -{%- endfor %} -{%- endfor %} - - -IncludeOptional {{ apache.confdir }}/*.conf -{%- if apache.vhostdir_ng != apache.confdir %} -IncludeOptional {{ apache.vhostdir_ng }}/*.conf -{%- endif %} 
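Review bot: The previous code removed `{{ apache.confdir }}/welcome.conf` with `file.absent`; the new state instead installs `salt://apache/files/{{ os_family }}/welcome.conf` with `file.managed`, and the content of that file is not in this diff — if it is not a neutered version, this brings back the stock RedHat default landing page on `/` that the old code deliberately suppressed, so the state should say what it ships, e.g. `# replaces the stock welcome.conf with a version that disables the default landing page` (or keep `file.absent` if that is the intent). The new state also only declares `watch_in: service: apache`, dropping the `module: apache-restart` watch and the `require_in` ordering that every other state in this file carries, so a change to welcome.conf restarts the service directly and bypasses whatever apache-restart does (presumably a configtest gate, not visible here). Finally, with the Debian, Suse and FreeBSD branches deleted and the file now wrapped in `{% if grains['os_family']=="RedHat" %}`, `apache.config` silently manages nothing beyond its includes on other OS families; an `{% else %}` that fails with a clear message, or a README line stating the RedHat-only scope, would prevent a non-RedHat host from appearing hardened when it is not.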
diff --git a/apache/files/RedHat/apache-2.4.config.jinja b/apache/files/RedHat/apache-2.4.config.jinja index 5456d5e1..48b1d098 100644 --- a/apache/files/RedHat/apache-2.4.config.jinja +++ b/apache/files/RedHat/apache-2.4.config.jinja 
@@ -1,400 +1,40 @@ # # This file is managed by Salt! Do not edit by hand! # -{% from "apache/map.jinja" import apache with context %} -# -# This is the main Apache HTTP server configuration file. It contains the -# configuration directives that give the server its instructions. -# See for detailed information. -# In particular, see -# -# for a discussion of each configuration directive. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# -# Configuration and logfile names: If the filenames you specify for many -# of the server's control files begin with "/" (or "drive:/" for Win32), the -# server will use that explicit path. If the filenames do *not* begin -# with "/", the value of ServerRoot is prepended -- so 'log/access_log' -# with ServerRoot set to '/www' will be interpreted by the -# server as '/www/log/access_log', where as '/log/access_log' will be -# interpreted as '/log/access_log'. - -# -# ServerRoot: The top of the directory tree under which the server's -# configuration, error, and log files are kept. -# -# Do not add a slash at the end of the directory path. If you point -# ServerRoot at a non-local disk, be sure to specify a local disk on the -# Mutex directive, if file-based mutexes are used. If you wish to share the -# same ServerRoot for multiple httpd daemons, you will need to change at -# least PidFile. -# -ServerRoot "{{ apache.get('serverroot', '/etc/httpd') }}" - -# -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. 
-# -#Listen 12.34.56.78:80 - -{% if salt['pillar.get']('apache:sites') is mapping %} - {%- set listen_directives = [] %} - {%- for id, site in salt['pillar.get']('apache:sites').items() %} - {%- set interfaces = site.get('interface', '*').split() %} - {%- set port = site.get('port', 80) %} - {%- for interface in interfaces %} - {%- if not site.get('exclude_listen_directive', False) and not port == '*' %} - {%- set listen_directive = interface ~ ':' ~ port %} - {%- if listen_directive not in listen_directives %} - {%- do listen_directives.append(listen_directive) %} - {%- endif %} - {%- endif %} - {%- endfor %} - {%- endfor %} - {%- for listen in listen_directives %} -Listen {{ listen }} - {%- endfor %} -{%- else %} -Listen 80 +{%- from "apache/map.jinja" import apache with context %} +{%- import_yaml "apache/hardening-values.yaml" as hardening_values %} +{%- from "apache/lib.sls" import directives_output, container_output with context %} + +{%- set list_interfaces_ports = [] %} +{%- for name, vhost in salt['pillar.get']('apache:VirtualHost', {}).items() %} +{%- set items = vhost.item.split() %} +{%- for item in items if item not in list_interfaces_ports %} +{%- do list_interfaces_ports.append(item) %} +{%- endfor %} +{%- endfor %} - - Listen 443 - +{%- for item in list_interfaces_ports %} +Listen {{ item }} +{% else %} +Listen *:80 +{%- endfor %} - - Listen 443 - -{%- endif %} +{{ directives_output(server_config, 0) }} -# -# Dynamic Shared Object (DSO) Support -# -# To be able to use the functionality of a module which was built as a DSO you -# have to place corresponding `LoadModule' lines at this location so the -# directives contained in it are actually available _before_ they are used. -# Statically compiled modules (those listed by `httpd -l') do not need -# to be loaded here. 
-# -# Example: -# LoadModule foo_module modules/mod_foo.so -# Include conf.modules.d/*.conf -# -# If you wish httpd to run as a different user or group, you must run -# httpd as root initially and it will switch. -# -# User/Group: The name (or #number) of the user/group to run httpd as. -# It is usually good practice to create a dedicated user and group for -# running httpd, as with most system services. -# -User apache -Group apache - -# 'Main' server configuration -# -# The directives in this section set up the values used by the 'main' -# server, which responds to any requests that aren't handled by a -# definition. These values also provide defaults for -# any containers you may define later in the file. -# -# All of these directives may appear inside containers, -# in which case these default settings will be overridden for the -# virtual host being defined. -# - -# -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -# -ServerAdmin root@localhost - -# -# ServerName gives the name and port that the server uses to identify itself. -# This can often be determined automatically, but we recommend you specify -# it explicitly to prevent problems during startup. -# -# If your host doesn't have a registered DNS name, enter its IP address here. -# -#ServerName www.example.com:80 - -# -# Deny access to the entirety of your server's filesystem. You must -# explicitly permit access to web content directories in other -# blocks below. -# - - AllowOverride none - Require all denied - - -# -# Note that from this point forward you must specifically allow -# particular features to be enabled - so if something's not working as -# you might expect, make sure that you have specifically enabled it -# below. -# - -# -# DocumentRoot: The directory out of which you will serve your -# documents. 
By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -DocumentRoot "{{ apache.get('docroot', apache.wwwdir + '/html') }}" - -# -# Relax access to content within {{ apache.wwwdir }}. -# - - AllowOverride None - # Allow open access: - Require all granted - - -# Further relax access to the default document root: - - # - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - # - Options Indexes FollowSymLinks - - # - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - # - AllowOverride None - - # - # Controls who can get stuff from this server. - # - Require all granted - - -# -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# - - DirectoryIndex index.html - - -# -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. -# - - Require all denied - - -# -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -# -ErrorLog "{{ apache.logdir }}/error_log" - -# -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. 
-# -LogLevel warn - - - # - # The following directives define some format nicknames for use with - # a CustomLog directive (see below). - # - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined - LogFormat "%h %l %u %t \"%r\" %>s %b" common - {%- for log_format in salt['pillar.get']('apache:log_formats', []) %} - LogFormat {{ log_format }} - {%- endfor %} - - - # You need to enable mod_logio.c to use %I and %O - LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio - - - # - # The location and format of the access logfile (Common Logfile Format). - # If you do not define any access logfiles within a - # container, they will be logged here. Contrariwise, if you *do* - # define per- access logfiles, transactions will be - # logged therein and *not* in this file. - # - #CustomLog "logs/access_log" common - - # - # If you prefer a logfile with access, agent, and referer information - # (Combined Logfile Format) you can use the following directive. - # - CustomLog "{{ apache.logdir }}/access_log" combined - - - - # - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. - # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # - # ScriptAlias: This controls which directories contain server scripts. 
- # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - # - ScriptAlias /cgi-bin/ "{{ apache.wwwdir }}/cgi-bin/" - - +User {{ apache.user }} +Group {{ apache.group }} -# -# "{{ apache.wwwdir }}/cgi-bin/" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Require all granted - - - - # - # TypesConfig points to the file containing the list of mappings from - # filename extension to MIME-type. - # - TypesConfig /etc/mime.types - - # - # AddType allows you to add to or override the MIME configuration - # file specified in TypesConfig for specific file types. - # - #AddType application/x-gzip .tgz - # - # AddEncoding allows you to have certain browsers uncompress - # information on the fly. Note: Not all browsers support this. - # - #AddEncoding x-compress .Z - #AddEncoding x-gzip .gz .tgz - # - # If the AddEncoding directives above are commented-out, then you - # probably should define those extensions to indicate media types: - # - AddType application/x-compress .Z - AddType application/x-gzip .gz .tgz - - # - # AddHandler allows you to map certain file extensions to "handlers": - # actions unrelated to filetype. These can be either built into the server - # or added with the Action directive (see below) - # - # To use CGI scripts outside of ScriptAliased directories: - # (You will also need to add "ExecCGI" to the "Options" directive.) - # - #AddHandler cgi-script .cgi - - # For type maps (negotiated resources): - #AddHandler type-map var - # - # Filters allow you to process content before it is sent to the client. 
- # - # To parse .shtml files for server-side includes (SSI): - # (You will also need to add "Includes" to the "Options" directive.) - # - AddType text/html .shtml - AddOutputFilter INCLUDES .shtml - - -# -# Specify a default charset for all content served; this enables -# interpretation of all content as UTF-8 by default. To use the -# default browser choice (ISO-8859-1), or to allow the META tags -# in HTML content to override this choice, comment out this -# directive: -# -AddDefaultCharset {{ apache.default_charset }} - - - # - # The mod_mime_magic module allows the server to use various hints from the - # contents of the file itself to determine its type. The MIMEMagicFile - # directive tells the module where the hint definitions are located. - # - MIMEMagicFile conf/magic - - -# -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html -# - -# -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall may be used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. 
-# Defaults if commented: EnableMMAP On, EnableSendfile Off -# -#EnableMMAP off -EnableSendfile on - -{%- for directive, dvalue in salt['pillar.get']('apache:global', {}).items() %} -{{ directive }} {{ dvalue }} +{%- for container_name, container_data_list in server_config.get('containers', {}).items() %} +{%- for container_data in container_data_list %} +{{ container_output(container_name, container_data) }} +{%- endfor %} {%- endfor %} -# Supplemental configuration -# -# Load config files in the "/etc/httpd/conf.d" directory, if any. -IncludeOptional {{ apache.confdir }}/*.conf -{% if apache.vhostdir != apache.confdir %} -IncludeOptional {{ apache.vhostdir }}/*.conf -{% endif %} -# Added for security enhancements -TraceEnable off -ServerSignature off -ServerTokens Prod +IncludeOptional {{ apache.confdir }}/*.conf +{%- if apache.vhostdir_ng != apache.confdir %} +IncludeOptional {{ apache.vhostdir_ng }}/*.conf +{%- endif %} diff --git a/apache/modules-ng.sls b/apache/modules-ng.sls deleted file mode 100644 index ad6f0aad..00000000 --- a/apache/modules-ng.sls +++ /dev/null 
@@ -1,86 +0,0 @@ -{%- import_yaml "apache/hardening-values.yaml" as hardening_values %} - -{% if grains['os_family']=="Debian" %} - -include: - - apache - -{% for module in salt['pillar.get']('apache:modules:enabled', []) %} -a2enmod {{ module }}: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/{{ module }}.load - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart -{% endfor %} - -{% for module in salt['pillar.get']('apache:modules:disabled', []) %} -a2dismod -f {{ module }}: - cmd.run: - - onlyif: ls /etc/apache2/mods-enabled/{{ module }}.load - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart -{% endfor %} - -{% elif grains['os_family']=="RedHat" %} - -include: - - apache - -{% for module in salt['pillar.get']('apache:modules:enabled', default=hardening_values.modules.enforce_enabled, merge=True) if module not in hardening_values.modules.enforce_disabled %} -find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;: - cmd.run: - - unless: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module" - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart -{% endfor %} - -{% for module in salt['pillar.get']('apache:modules:disabled', default=hardening_values.modules.enforce_disabled, merge=True) if module not in hardening_values.modules.enforce_enabled %} -find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;: - cmd.run: - - onlyif: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module" - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart -{% endfor %} - - - -{% elif salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %} - -include: - - apache - -{% for module in salt['pillar.get']('apache:modules:enabled', []) %} -a2enmod {{ module }}: - cmd.run: - - unless: egrep "^APACHE_MODULES=" 
/etc/sysconfig/apache2 | grep {{ module }}
- - order: 225
- - require:
- - pkg: apache
- - watch_in:
- - module: apache-restart
-{% endfor %}
-
-{% for module in salt['pillar.get']('apache:modules:disabled', []) %}
-a2dismod -f {{ module }}:
- cmd.run:
- - onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep {{ module }}
- - order: 225
- - require:
- - pkg: apache
- - watch_in:
- - module: apache-restart
-{% endfor %}
-
-{% endif %}
diff --git a/apache/modules.sls b/apache/modules.sls
index 15947240..ad6f0aad 100644
--- a/apache/modules.sls
+++ b/apache/modules.sls
@@ -1,3 +1,5 @@
+{%- import_yaml "apache/hardening-values.yaml" as hardening_values %}
+
 {% if grains['os_family']=="Debian" %}

 include:
@@ -12,10 +14,6 @@ a2enmod {{ module }}:
 - pkg: apache
 - watch_in:
 - module: apache-restart
- - require_in:
- - module: apache-restart
- - module: apache-reload
- - service: apache
 {% endfor %}

 {% for module in salt['pillar.get']('apache:modules:disabled', []) %}
@@ -27,18 +25,14 @@ a2dismod -f {{ module }}:
 - pkg: apache
 - watch_in:
 - module: apache-restart
- - require_in:
- - module: apache-restart
- - module: apache-reload
- - service: apache
 {% endfor %}

 {% elif grains['os_family']=="RedHat" %}

 include:
 - apache
-
-{% for module in salt['pillar.get']('apache:modules:enabled', []) %}
+
+{% for module in salt['pillar.get']('apache:modules:enabled', default=hardening_values.modules.enforce_enabled, merge=True) if module not in hardening_values.modules.enforce_disabled %}
 find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;:
 cmd.run:
 - unless: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module"
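Review bot: The hardening baseline imported at the top of modules.sls is applied only in the RedHat branch, via `default=hardening_values.modules.enforce_enabled, merge=True` on the enabled loop here and the matching `enforce_disabled` default on the disabled loop in the hunk at -47,13, while the Debian and SUSE `a2enmod`/`a2dismod` loops in the same file keep `[]` as their default, so the enforced module policy silently depends on os_family. If the module names in `hardening-values.yaml` (not part of this diff) are distribution-neutral, the same default and `if module not in …` filter belong on those loops too; if they are httpd-package specific, a comment above the RedHat loop such as `{# module hardening baseline is RedHat-only: names in hardening-values.yaml follow the httpd LoadModule names #}` would make the asymmetry deliberate. It is also worth a comment that, with a list default, `pillar.get(..., merge=True)` extends the baseline with pillar entries rather than replacing it, so `apache:modules:disabled` cannot drop an enforced module — that appears to be the intent, but it is not obvious from the call.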
@@ -47,13 +41,9 @@ find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule
 - pkg: apache
 - watch_in:
 - module: apache-restart
- - require_in:
- - module: apache-restart
- - module: apache-reload
- - service: apache
 {% endfor %}

-{% for module in salt['pillar.get']('apache:modules:disabled', []) %}
+{% for module in salt['pillar.get']('apache:modules:disabled', default=hardening_values.modules.enforce_disabled, merge=True) if module not in hardening_values.modules.enforce_enabled %}
 find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;:
 cmd.run:
 - onlyif: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module"
@@ -62,17 +52,15 @@ find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ m
 - pkg: apache
 - watch_in:
 - module: apache-restart
- - require_in:
- - module: apache-restart
- - module: apache-reload
- - service: apache
 {% endfor %}
+
+

 {% elif salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}

 include:
 - apache
-
+
 {% for module in salt['pillar.get']('apache:modules:enabled', []) %}
 a2enmod {{ module }}:
 cmd.run:
@@ -82,10 +70,6 @@ a2enmod {{ module }}:
 - pkg: apache
 - watch_in:
 - module: apache-restart
- - require_in:
- - module: apache-restart
- - module: apache-reload
- - service: apache
 {% endfor %}

 {% for module in salt['pillar.get']('apache:modules:disabled', []) %}
@@ -97,10 +81,6 @@ a2dismod -f {{ module }}:
 - pkg: apache
 - watch_in:
 - module: apache-restart
- - require_in:
- - module: apache-restart
- - module: apache-reload
- - service: apache
 {% endfor %}

 {% endif %}
diff --git a/apache/osfamilymap.yaml b/apache/osfamilymap.yaml
index 0efbe03f..3a9e95bd 100644
--- a/apache/osfamilymap.yaml
+++ b/apache/osfamilymap.yaml
@@ -44,8 +44,7 @@ RedHat: mod_geoip: mod_geoip mod_geoip_database: GeoIP - vhostdir: /etc/httpd/vhosts.d - vhostdir_ng: /etc/httpd/conf.d + vhostdir: /etc/httpd/conf.d confdir: /etc/httpd/conf.d confext: .conf default_site: default diff --git a/apache/vhosts/cleanup.sls b/apache/vhosts/cleanup.sls deleted file mode 100644 index e6b3decb..00000000 --- a/apache/vhosts/cleanup.sls +++ /dev/null @@ -1,41 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{% if grains.os_family == 'Debian' %} - -{% set dirpath = '/etc/apache2/sites-enabled' %} - -{# Add . and .. to make it easier to not clean those #} -{% set valid_sites = ['.', '..', ] %} - -{# Take sites from apache.vhosts.standard #} -{% for id, site in salt['pillar.get']('apache:sites', {}).items() %} -{% do valid_sites.append('{}{}'.format(id, apache.confext)) %} -{% endfor %} - -{# Take sites from apache.register_site #} -{% for id, site in salt['pillar.get']('apache:register-site', {}) %} -{% do valid_sites.append('{}{}'.format(site.name, apache.confext)) %} -{% endfor %} - - -{% for filename in salt['file.readdir']('/etc/apache2/sites-enabled/') %} -{% if filename not in valid_sites %} - -a2dissite {{ filename }}: - cmd.run: - - onlyif: "test -L {{ dirpath}}/{{ filename }} || test -f {{ dirpath}}/{{ filename }}" - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} -{% endfor %} - - -{% endif %}{# Debian #} diff --git a/apache/vhosts/minimal.tmpl b/apache/vhosts/minimal.tmpl deleted file mode 100644 index 11ca0c4d..00000000 --- a/apache/vhosts/minimal.tmpl +++ /dev/null 
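Review bot: Dropping `vhostdir_ng` from the RedHat map leaves a stale reference on the new side of `apache/files/RedHat/apache-2.4.config.jinja` earlier in this patch, which still emits `{%- if apache.vhostdir_ng != apache.confdir %}` and `IncludeOptional {{ apache.vhostdir_ng }}/*.conf`. Unless `defaults.yaml` (not part of this diff) still defines that key, the RedHat config render now depends on a map entry that no longer exists: with Salt's default strict-undefined Jinja environment the state fails to render, and with undefined values allowed the comparison is true and an `IncludeOptional /*.conf` with an empty directory is written. Both template lines should follow this rename and read `apache.vhostdir`; since the new value `/etc/httpd/conf.d` equals `confdir`, the guard then evaluates false and the duplicate include is correctly suppressed.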
@@ -1,37 +0,0 @@ -# -# This file is managed by Salt! Do not edit by hand! -# -{# Define default values here so the template below can just focus on layout #} -{%- set sitename = site.get('ServerName', id) -%} - -{%- set vals = { - 'interfaces': site.get('interface', '*').split(), - 'port': site.get('port', '80'), - - 'ServerName': sitename, - 'ServerAlias': site.get('ServerAlias', ''), - - 'ServerAdmin': site.get('ServerAdmin', 'webmaster@{0}'.format(sitename)), - - 'LogLevel': site.get('LogLevel', 'warn'), - 'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)), - 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)), - 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %b"'), - - - 'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename)) -} -%} - - - ServerName {{ vals.ServerName }} - {% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %} - {% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %} - - {% if site.get('DocumentRoot') != False -%}DocumentRoot {{ vals.DocumentRoot }}{% endif %} - - {% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %} - {% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %} - {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %} - {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }} - CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %} - diff --git a/apache/vhosts/proxy.tmpl b/apache/vhosts/proxy.tmpl deleted file mode 100644 index 4f45ecfe..00000000 --- a/apache/vhosts/proxy.tmpl +++ /dev/null 
@@ -1,131 +0,0 @@ -# -# This file is managed by Salt! Do not edit by hand! -# -{# Define default values here so the template below can just focus on layout #} -{% from "apache/map.jinja" import apache with context %} -{% set sitename = site.get('ServerName', id) %} -{% set vals = { - 'interfaces': site.get('interface', '*').split(), - 'port': site.get('port', '80'), - - 'ServerName': sitename, - 'ServerAlias': site.get('ServerAlias', ''), - - 'ServerAdmin': site.get('ServerAdmin', 'webmaster@{0}'.format(sitename)), - - 'UseCanonicalName': site.get('UseCanonicalName'), - - 'LogLevel': site.get('LogLevel', 'warn'), - 'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)), - 'LogFormat': site.get('LogFormat', '"%a %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\""'), - 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)), - - 'ProxyRequests': site.get('ProxyRequests', 'Off'), - 'ProxyPreserveHost': site.get('ProxyPreserveHost', 'On'), - 'ProxyRoute': site.get('ProxyRoute', {}), - - 'Location': { - 'Order': 'allow,deny', - 'Allow': 'from all', - 'Require': 'all granted', - }, - 'LocationMatch': { - 'Order': 'allow,deny', - 'Allow': 'from all', - 'Require': 'all granted', - }, -} %} - - ServerName {{ vals.ServerName }} - {% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %} - {% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %} - {% if site.get('UseCanonicalName') %}UseCanonicalName {{ vals.UseCanonicalName }}{% endif %} - - {% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %} - {% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %} - {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %} - {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }} - CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %} - - {% if 
site.get('SSLCertificateFile') %}SSLEngine on - SSLCertificateFile {{ site.SSLCertificateFile }} - {% if site.get('SSLCertificateKeyFile') %}SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }}{% endif %} - {% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile}}{% endif %} - {% endif %} - {% if site.get('Rewrite') %}RewriteEngine on - {{ site.Rewrite }} - {% endif %} - {% if site.get('SSLProxyEngine') %}SSLProxyEngine {{ site.SSLProxyEngine }}{% endif %} - ProxyRequests {{ vals.ProxyRequests }} - ProxyPreserveHost {{ vals.ProxyPreserveHost }} - {% if site.get('ProxyErrorOverride') %}ProxyErrorOverride {{ site.ProxyErrorOverride }} {% endif %} - {% if site.get('ProxyErrorDir') %}ProxyPass /{{ site.ProxyErrorDir }}/ ! {% endif %} - {% for proxy, proxyargs in vals.ProxyRoute|dictsort|reverse %} - {% set proxyvals = { - 'ProxyPassSource': proxyargs.get('ProxyPassSource', '/'), - 'ProxyPassTarget': proxyargs.get('ProxyPassTarget', 'https://{0}'.format(sitename)), - 'ProxyPassTargetOptions': proxyargs.get('ProxyPassTargetOptions', ''), - 'ProxyPassReverseSource': proxyargs.get('ProxyPassReverseSource', '/'), - 'ProxyPassReverseTarget': proxyargs.get('ProxyPassReverseTarget', proxyargs.get('ProxyPassTarget', 'https://{0}'.format(sitename))), - } %} - ######### {{proxy}} ######### - ProxyPass {{ proxyvals.ProxyPassSource }} {{ proxyvals.ProxyPassTarget }} {{ proxyvals.ProxyPassTargetOptions }} - ProxyPassReverse {{ proxyvals.ProxyPassReverseSource }} {{ proxyvals.ProxyPassReverseTarget }} - {% endfor %} - - {%- for path, loc in site.get('Location', {}).items() %} - {%- set lvals = { - 'Order': loc.get('Order', vals.Location.Order), - 'Allow': loc.get('Allow', vals.Location.Allow), - 'Require': loc.get('Require', vals.Location.Require), - 'Dav': loc.get('Dav', False), - } %} - - {% if apache.version == '2.4' %} - {%- if lvals.get('Require') != False %}Require {{lvals.Require}}{% endif %} - {% else %} - {%- if 
lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %} - {%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %} - {% endif %} - {%- if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %} - - {% endfor %} - {%- for regpath, locmat in site.get('LocationMatch', {}).items() %} - {%- set lmvals = { - 'Order': locmat.get('Order', vals.LocationMatch.Order), - 'Allow': locmat.get('Allow', vals.LocationMatch.Allow), - 'Require': locmat.get('Require', vals.LocationMatch.Require), - 'Dav': locmat.get('Dav', False), - } %} - - {% if apache.version == '2.4' %} - {%- if lmvals.get('Require') != False %}Require {{lmvals.Require}}{% endif %} - {% else %} - {%- if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %} - {%- if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %} - {% endif %} - {%- if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %} - - {% endfor %} - {%- for proxypath, prox in site.get('Proxy_control', {}).items() %} - {%- set proxvals = { - 'AllowAll': prox.get('AllowAll', vals.AllowAll), - 'AllowCountry': prox.get('AllowCountry', vals.AllowCountry), - 'AllowIP': prox.get('AllowIP', vals.AllowIP), - } %} - - {%- if proxvals.get('AllowAll') != False %} - Require all granted - {%- else %} - {% if proxvals.get('AllowCountry') != False %}{% set country_list = proxvals.get('AllowCountry', {}) %}GeoIPEnable On - {% for every_country in country_list %}SetEnvIf GEOIP_COUNTRY_CODE {{ every_country }} AllowCountry - {% endfor %}Require env AllowCountry {% endif %} - {% if proxvals.get('AllowIP') is defined %} {% set ip_list = proxvals.get('AllowIP', {}) %} - Require ip {% for every_ip in ip_list %}{{ every_ip }} {% endfor %} {% endif %} - {%- endif %} - - {%- endfor %} - {% if site.get('Formula_Append') %} - {{ site.Formula_Append|indent(4) }} - {% endif %} - 
diff --git a/apache/vhosts/redirect.tmpl b/apache/vhosts/redirect.tmpl deleted file mode 100644 index 3a3759ce..00000000 --- a/apache/vhosts/redirect.tmpl +++ /dev/null 
@@ -1,51 +0,0 @@ -# -# This file is managed by Salt! Do not edit by hand! -# -{# Define default values here so the template below can just focus on layout #} -{%- from "apache/map.jinja" import apache with context %} -{%- set sitename = site.get('ServerName', id) %} - -{%- set vals = { - 'interfaces': site.get('interface', '*').split(), - 'port': site.get('port', '80'), - - 'ServerName': sitename, - 'ServerAlias': site.get('ServerAlias', ''), - - 'ServerAdmin': site.get('ServerAdmin', 'webmaster@{0}'.format(sitename)), - - 'UseCanonicalName': site.get('UseCanonicalName'), - - 'LogLevel': site.get('LogLevel', 'warn'), - 'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)), - 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %O"'), - 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)), - - 'RedirectSource': site.get('RedirectSource', '/'), - 'RedirectTarget': site.get('RedirectTarget', 'https://{0}/'.format(sitename)), -} %} - - - ServerName {{ vals.ServerName }} - {% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %} - - {% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %} - - {% if site.get('UseCanonicalName') %}UseCanonicalName {{ vals.UseCanonicalName }}{% endif %} - - {% if site.get('LogLevel') != False %}LogLevel {{ vals.LogLevel }}{% endif %} - {% if site.get('ErrorLog') != False %}ErrorLog {{ vals.ErrorLog }}{% endif %} - {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %} - {% if site.get('CustomLog') != False -%}LogFormat {{ vals.LogFormat }} {{ sitename }} - CustomLog {{ vals.CustomLog }} {{ sitename }}{% endif %} - - {% if site.get('RedirectMatch') %} - RedirectMatch {{ vals.RedirectSource }} {{ vals.RedirectTarget }} - {% else %} - Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }} - {% endif %} - - {% if site.get('Formula_Append') %} - {{ site.Formula_Append|indent(4) }} 
- {% endif %} - diff --git a/apache/vhosts/standard.sls b/apache/vhosts/standard.sls deleted file mode 100644 index 5ad967b7..00000000 --- a/apache/vhosts/standard.sls +++ /dev/null 
@@ -1,65 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{% for id, site in salt['pillar.get']('apache:sites', {}).items() %} -{% set documentroot = site.get('DocumentRoot', '{0}/{1}'.format(apache.wwwdir, site.get('ServerName', id))) %} - -apache_vhosts_{{ id }}: - file.managed: - - name: {{ apache.vhostdir }}/{{ id }}{{ apache.confext }} - - source: {{ site.get('template_file', 'salt://apache/vhosts/standard.tmpl') }} - - template: {{ site.get('template_engine', 'jinja') }} - - context: - id: {{ id|json }} - site: {{ site|json }} - map: {{ apache|json }} - - require: - - pkg: apache - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if site.get('DocumentRoot') != False %} -{{ id }}-documentroot: - file.directory: - - name: {{ documentroot }} - - makedirs: True - - user: {{ site.get('DocumentRootUser', apache.get('document_root_user'))|json }} - - group: {{ site.get('DocumentRootGroup', apache.get('document_root_group'))|json }} - - allow_symlink: True -{% endif %} - -{% if grains.os_family == 'Debian' %} -{% if site.get('enabled', True) %} -a2ensite {{ id }}{{ apache.confext }}: - cmd.run: - - unless: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }} - - require: - - file: /etc/apache2/sites-available/{{ id }}{{ apache.confext }} - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% else %} -a2dissite {{ id }}{{ apache.confext }}: - cmd.run: - - onlyif: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }} - - require: - - file: /etc/apache2/sites-available/{{ id }}{{ apache.confext }} - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} -{% endif %} - -{% endfor %} 
diff --git a/apache/vhosts/standard.tmpl b/apache/vhosts/standard.tmpl deleted file mode 100644 index ff79e1f3..00000000 --- a/apache/vhosts/standard.tmpl +++ /dev/null 
@@ -1,136 +0,0 @@ -# -# This file is managed by Salt! Do not edit by hand! -# -{# Define default values here so the template below can just focus on layout #} -{%- set sitename = site.get('ServerName', id) -%} - -{%- set vals = { - 'interfaces': site.get('interface', '*').split(), - 'port': site.get('port', '80'), - - 'ServerName': sitename, - 'ServerAlias': site.get('ServerAlias', ''), - - 'ServerAdmin': site.get('ServerAdmin', 'webmaster@{0}'.format(sitename)), - - 'DirectoryIndex': site.get('DirectoryIndex'), - 'UseCanonicalName': site.get('UseCanonicalName'), - 'AllowEncodedSlashes': site.get('AllowEncodedSlashes', 'Off'), - - 'LogLevel': site.get('LogLevel', 'warn'), - 'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)), - 'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s"'), - 'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)), - - 'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename)), - 'VirtualDocumentRoot': site.get('VirtualDocumentRoot'), - - 'Timeout': site.get('Timeout'), - 'LimitRequestFields': site.get('LimitRequestFields'), - - 'Directory_default': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename)), - 'Directory': { - 'Options': '-Indexes +FollowSymLinks', - 'Order': 'allow,deny', - 'Allow': 'from all', - 'Require': 'all granted', - 'AllowOverride': 'None', - }, - 'Location': { - 'Order': 'allow,deny', - 'Allow': 'from all', - 'Require': 'all granted', - }, -} -%} - - - ServerName {{ vals.ServerName }} - {% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %} - - {% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %} - - {% if site.get('DirectoryIndex') -%}DirectoryIndex {{ vals.DirectoryIndex }}{% endif %} - {% if site.get('UseCanonicalName') -%}UseCanonicalName {{ vals.UseCanonicalName }}{% endif %} - {% if site.get('AllowEncodedSlashes') != False 
-%}AllowEncodedSlashes {{ vals.AllowEncodedSlashes }}{% endif %} - - {% if site.get('LogLevel') != False -%}LogLevel {{ vals.LogLevel }}{% endif %} - {% if site.get('ErrorLog') != False -%}ErrorLog {{ vals.ErrorLog }}{% endif %} - {% if site.get('LogFormat') != False -%}LogFormat {{ vals.LogFormat }}{% endif %} - {% if site.get('CustomLog') != False -%}CustomLog {{ vals.CustomLog }} {{ vals.LogFormat }}{% endif %} - - {% if site.get('DocumentRoot') != False -%}DocumentRoot {{ vals.DocumentRoot }}{% endif %} - {% if site.get('VirtualDocumentRoot') -%}VirtualDocumentRoot {{ vals.VirtualDocumentRoot }}{% endif %} - - {% if site.get('Timeout') != False and site.get('Timeout') != None %}Timeout {{ vals.Timeout }}{% endif %} - {% if site.get('LimitRequestFields') %}LimitRequestFields {{ vals.LimitRequestFields }}{% endif %} - - {% if site.get('SSLCertificateFile') %}SSLEngine on - SSLCertificateFile {{ site.SSLCertificateFile }} - {% if site.get('SSLCertificateKeyFile') %}SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }}{% endif %} - {% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile}}{% endif %} - {% endif %} - - {% if site.get('Rewrite') %}RewriteEngine on - {{ site.Rewrite }} - {% endif %} - - {%- for loc, path in site.get('Alias', {}).items() %} - Alias {{ loc }} {{ path }} - {%- endfor %} - - {%- for path, dir in site.get('Directory', {}).items() -%} - {%- set dvals = { - 'Options': dir.get('Options', vals.Directory.Options), - 'Order': dir.get('Order', vals.Directory.Order), - 'Allow': dir.get('Allow', vals.Directory.Allow), - 'Require': dir.get('Require', vals.Directory.Require), - 'AllowOverride': dir.get('AllowOverride', vals.Directory.AllowOverride), - 'Dav': dir.get('Dav', False), - } %} - - {%- if path == 'default' %}{% set path = vals.Directory_default %}{% endif %} - - - {% if dvals.get('Options') != False %}Options {{ dvals.Options }}{% endif %} - {% if map.version == '2.4' %} - {% if 
dvals.get('Require') != False %}Require {{dvals.Require}}{% endif %} - {% else %} - {% if dvals.get('Order') != False %}Order {{ dvals.Order }}{% endif %} - {% if dvals.get('Allow') != False %}Allow {{ dvals.Allow }}{% endif %} - {% endif %} - {% if dvals.get('AllowOverride') != False %}AllowOverride {{ dvals.AllowOverride }}{% endif %} - {% if dvals.get('Dav') != False %}Dav On{% endif %} - - {% if dir.get('Formula_Append') %} - {{ dir.Formula_Append|indent(8) }} - {% endif %} - - {%- endfor %} - - {%- for path, loc in site.get('Location', {}).items() %} - {%- set lvals = { - 'Order': loc.get('Order', vals.Location.Order), - 'Allow': loc.get('Allow', vals.Location.Allow), - 'Require': loc.get('Require', vals.Location.Require), - 'Dav': loc.get('Dav', False), - } %} - - - {% if map.version == '2.4' %} - {%- if lvals.get('Require') != False %}Require {{lvals.Require}}{% endif %} - {% else %} - {%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %} - {%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %} - {% endif %} - {%- if lvals.get('Dav') != False %}Dav On{% endif %} - - {%- if loc.get('Formula_Append') %} - {{ loc.Formula_Append|indent(8) }} - {% endif %} - - {% endfor %} - - {%- if site.get('Formula_Append') %} - {{ site.Formula_Append|indent(4) }} - {% endif %} - diff --git a/apache/vhosts/vhost-ng.conf.jinja b/apache/vhosts/vhost.conf.jinja similarity index 97% rename from apache/vhosts/vhost-ng.conf.jinja rename to apache/vhosts/vhost.conf.jinja index 267ad719..a5898619 100644 --- a/apache/vhosts/vhost-ng.conf.jinja +++ b/apache/vhosts/vhost.conf.jinja 
@@ -1,6 +1,6 @@ -{% from "apache/lib.sls" import container_output with context %} -# -# This file is managed by Salt! Do not edit by hand! -# - -{{ container_output('VirtualHost', vhost_data, col=0, default_directives = []) }} +{% from "apache/lib.sls" import container_output with context %} +# +# This file is managed by Salt! Do not edit by hand! +# + +{{ container_output('VirtualHost', vhost_data, col=0, default_directives = []) }} diff --git a/apache/vhosts/vhost-ng.sls b/apache/vhosts/vhost.sls similarity index 92% rename from apache/vhosts/vhost-ng.sls rename to apache/vhosts/vhost.sls index 2218f0e6..21ce32fc 100644 --- a/apache/vhosts/vhost-ng.sls +++ b/apache/vhosts/vhost.sls 
@@ -1,110 +1,110 @@ -{% from "apache/map.jinja" import apache with context %} -{% import_yaml "apache/hardening-values.yaml" as hardening_values %} - -include: - - apache - -{% set vhosts = salt['pillar.get']('apache:VirtualHost', {}) %} - -{% for virtual_name, vhost in vhosts.items() %} - -{% set vhost_server_name = salt['apache_directives.get_directive_single_value']( - 'ServerName', - vhost.get('directives'), - default=virtual_name) %} -{% set vhost = salt['apache_directives.enforce_directive_value'](directive='ServerName', - enforced_directive_data={'value': vhost_server_name, - 'add_if_absent': True}, - container_name='VirtualHost', - container_data=vhost) %} -{% set default_documentroot = '{0}/{1}'.format(apache.wwwdir, vhost_server_name) %} -{% set documentroot = salt['apache_directives.get_directive_single_value']( - 'DocumentRoot', - vhost.get('directives'), - default=default_documentroot) %} -{% set vhost = salt['apache_directives.set_vhost_logging_directives'](vhost, - vhost_server_name, - apache.logdir) %} - -# enforce directives values # - -{% for directive, directive_data in hardening_values.enforced_directives.items() %} -{% if 'add_if_absent' in directive_data %} -{% do directive_data.update({'add_if_absent': False}) %} -{% endif %} -{% set vhost = salt['apache_directives.enforce_directive_value'](directive, - directive_data, - container_name='VirtualHost', - container_data=vhost) %} -{% endfor %} - -# merge vhost config with hardened sections # -{% set vhost = salt['apache_directives.enforce_security_directives_into_containers']( - vhost, - hardening_values.enforced_containers, - add_container=False ) %} - -# remove containers # -{% for container_name_to_remove, items_names in hardening_values.containers_to_remove.items() %} -{% for item_name in items_names %} -{% set vhost = salt['apache_directives.remove_container']( - vhost, - container_name_to_remove, - item_name) %} -{% endfor %} -{% endfor %} - -# add supplemental security directives in vhost 
configuration # -{% for d_directive in hardening_values.vhost_supplemental_directives %} -{% for directive, value in d_directive.items() %} -{% set vhost = salt['apache_directives.append_to_container_directives']( - directive, - value, - vhost) %} -{% endfor %} -{% endfor %} - -{% if vhost.get('absent', False) %} -{{ vhost_server_name }}: - file.absent: - - name: {{ apache.vhostdir_ng }}/{{ vhost_server_name }}{{ apache.confext }} - - require: - - pkg: apache - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% else %} - - -{{ vhost_server_name }}: - file.managed: - - name: {{ apache.vhostdir_ng }}/{{ vhost_server_name }}{{ apache.confext }} - - source: 'salt://apache/vhosts/vhost-ng.conf.jinja' - - template: 'jinja' - - user: root - - group: root - - mode: 644 - - context: - vhost_data: {{ vhost|json }} - - require: - - pkg: apache - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - -{{ documentroot }}-documentroot: - file.directory: - - name: {{ documentroot }} - - makedirs: True - - allow_symlink: True - -{% endif %} -{% endfor %} +{% from "apache/map.jinja" import apache with context %} +{% import_yaml "apache/hardening-values.yaml" as hardening_values %} + +include: + - apache + +{% set vhosts = salt['pillar.get']('apache:VirtualHost', {}) %} + +{% for virtual_name, vhost in vhosts.items() %} + +{% set vhost_server_name = salt['apache_directives.get_directive_single_value']( + 'ServerName', + vhost.get('directives'), + default=virtual_name) %} +{% set vhost = salt['apache_directives.enforce_directive_value'](directive='ServerName', + enforced_directive_data={'value': vhost_server_name, + 'add_if_absent': True}, + container_name='VirtualHost', + container_data=vhost) %} +{% set default_documentroot = '{0}/{1}'.format(apache.wwwdir, vhost_server_name) %} +{% set documentroot = 
salt['apache_directives.get_directive_single_value']( + 'DocumentRoot', + vhost.get('directives'), + default=default_documentroot) %} +{% set vhost = salt['apache_directives.set_vhost_logging_directives'](vhost, + vhost_server_name, + apache.logdir) %} + +# enforce directives values # + +{% for directive, directive_data in hardening_values.enforced_directives.items() %} +{% if 'add_if_absent' in directive_data %} +{% do directive_data.update({'add_if_absent': False}) %} +{% endif %} +{% set vhost = salt['apache_directives.enforce_directive_value'](directive, + directive_data, + container_name='VirtualHost', + container_data=vhost) %} +{% endfor %} + +# merge vhost config with hardened sections # +{% set vhost = salt['apache_directives.enforce_security_directives_into_containers']( + vhost, + hardening_values.enforced_containers, + add_container=False ) %} + +# remove containers # +{% for container_name_to_remove, items_names in hardening_values.containers_to_remove.items() %} +{% for item_name in items_names %} +{% set vhost = salt['apache_directives.remove_container']( + vhost, + container_name_to_remove, + item_name) %} +{% endfor %} +{% endfor %} + +# add supplemental security directives in vhost configuration # +{% for d_directive in hardening_values.vhost_supplemental_directives %} +{% for directive, value in d_directive.items() %} +{% set vhost = salt['apache_directives.append_to_container_directives']( + directive, + value, + vhost) %} +{% endfor %} +{% endfor %} + +{% if vhost.get('absent', False) %} +{{ vhost_server_name }}: + file.absent: + - name: {{ apache.vhostdir }}/{{ vhost_server_name }}{{ apache.confext }} + - require: + - pkg: apache + - watch_in: + - module: apache-reload + - require_in: + - module: apache-restart + - module: apache-reload + - service: apache + +{% else %} + + +{{ vhost_server_name }}: + file.managed: + - name: {{ apache.vhostdir }}/{{ vhost_server_name }}{{ apache.confext }} + - source: 'salt://apache/vhosts/vhost.conf.jinja' + 
- template: 'jinja' + - user: root + - group: root + - mode: 644 + - context: + vhost_data: {{ vhost|json }} + - require: + - pkg: apache + - watch_in: + - module: apache-reload + - require_in: + - module: apache-restart + - module: apache-reload + - service: apache + + +{{ documentroot }}-documentroot: + file.directory: + - name: {{ documentroot }} + - makedirs: True + - allow_symlink: True + +{% endif %} +{% endfor %} diff --git a/pillar.example b/pillar.example deleted file mode 100644 index dffd2e91..00000000 --- a/pillar.example +++ /dev/null 
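Review bot: Both the state ID and the on-disk filename are derived from the resolved ServerName (`{{ vhost_server_name }}:` and `- name: {{ apache.vhostdir }}/{{ vhost_server_name }}{{ apache.confext }}` in the absent and managed branches), so two pillar entries sharing one ServerName — the usual `*:80` redirect plus `*:443` TLS vhost for a site — produce duplicate state IDs, which Salt rejects at render time, even though the pillar key is documented as a virtual name distinct from ServerName. Keying on the loop key instead keeps the pair apart: `{{ virtual_name }}:` and `- name: {{ apache.vhostdir }}/{{ virtual_name }}{{ apache.confext }}`, while the ServerName written into the file stays enforced by the `enforce_directive_value` call earlier in the loop; this does rename existing conf files, so a migration note would be needed. The `{{ documentroot }}-documentroot` ID has the same collision when two vhosts point at one DocumentRoot, so an ID like `{{ virtual_name }}-documentroot` is safer there too. Minor: quote the mode as `mode: '0644'` so a later leading-zero edit is not parsed as an octal integer by YAML.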
@@ -1,372 +0,0 @@ -# see ``pillar-ng.example.yaml`` for new gen pillar - -# ``apache`` formula configuration: -apache: - - # By default apache restart/reload states run (false skips) - manage_service_states: True - - # lookup section overrides ``map.jinja`` values - lookup: - server: apache2 - service: apache2 - user: some_system_user - group: some_system_group - - vhostdir: /etc/apache2/sites-available - confdir: /etc/apache2/conf.d - confext: .conf - logdir: /var/log/apache2 - wwwdir: /srv/apache2 - - # apache version (generally '2.2' or '2.4') - version: '2.2' - - # ``apache.mod_wsgi`` formula additional configuration: - mod_wsgi: mod_wsgi - - # Default value for AddDefaultCharset in RedHat configuration - default_charset: 'UTF-8' - - # Should we enforce DocumentRoot user/group? - # Default: do not enforce - document_root_user: www-data # Force user if specified, leave it default if not - document_root_group: null # Do not enforce group - - global: - # global apache directives - AllowEncodedSlashes: 'On' - - - name_virtual_hosts: - - interface: '*' - port: 80 - - interface: '*' - port: 443 - - # ``apache.vhosts`` formula additional configuration: - sites: - example.net: - template_file: salt://apache/vhosts/minimal.tmpl - - example.com: # must be unique; used as an ID declaration in Salt. - enabled: True - template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl - - ####################### DEFAULT VALUES BELOW ############################ - # NOTE: the values below are simply default settings that *can* be - # overridden and are not required in order to use this formula to create - # vhost entries. - # - # Do not copy the values below into your Pillar unless you intend to - # modify these vaules. 
- ####################### DEFAULT VALUES BELOW ############################ - template_engine: jinja - - interface: '*' - port: '80' - - exclude_listen_directive: True # Do not add a Listen directive in httpd.conf - - ServerName: example.com # uses the unique ID above unless specified - #ServerAlias: www.example.com # Do not add ServerAlias unless defined - - ServerAdmin: webmaster@example.com - - LogLevel: warn - ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log - CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log - - DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com - DocumentRootUser: null # do not enforce user, defaults to lookup:document_root_user - DocumentRootGroup: www-data # Force group, defaults to lookup:document_root_group - - SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired - SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file - SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file - - Directory: - # "default" is a special case; uses DocumentRoot value - # E.g.: /var/www/example.com - default: - Options: -Indexes +FollowSymLinks - Order: allow,deny # For Apache < 2.4 - Allow: from all # For apache < 2.4 - Require: all granted # For apache > 2.4. 
- AllowOverride: None - Formula_Append: | - Additional config as a - multi-line string here - - redirectmatch.com: - # Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch - # Require module mod_alias - enabled: True - template_file: salt://apache/vhosts/redirect.tmpl - ServerName: www.redirectmatch.com - ServerAlias: www.redirectmatch.com - RedirectMatch: true - RedirectSource: '^/$' - RedirectTarget: '/subdirectory' - DocumentRoot: /var/www/html/ - ErrorLog: ${APACHE_LOG_DIR}/error.log - CustomLog: ${APACHE_LOG_DIR}/access.log - - 80-proxyexample.com: - template_file: salt://apache/vhosts/redirect.tmpl - ServerName: www.proxyexample.com - ServerAlias: www.proxyexample.com - RedirectSource: '/' - RedirectTarget: 'https://www.proxyexample.com/' - DocumentRoot: /var/www/proxy - - 443-proxyexample.com: - template_file: salt://apache/vhosts/proxy.tmpl - ServerName: www.proxyexample.com - ServerAlias: www.proxyexample.com - interface: '*' - port: '443' - DocumentRoot: /var/www/proxy - - Rewrite: | - RewriteRule ^/webmail$ /webmail/ [R] - RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L] - RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L] - - SSLCertificateFile: /etc/httpd/ssl/example.com.crt - SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key - SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer - - SSLCertificateFile_content: | - -----BEGIN CERTIFICATE----- - MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL - MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC - VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx - NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD - TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu - ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j - V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj - gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA - 
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE - CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS - BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE - BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju - Wm7DCfrPNGVwFWUQOmsPue9rZBgO - -----END CERTIFICATE----- - - SSLCertificateKeyFile_content: | - -----BEGIN PRIVATE KEY----- - MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL - MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC - VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx - NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD - TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu - ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j - V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj - gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA - FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE - CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS - BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE - BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju - Wm7DCfrPNGVwFWUQOmsPue9rZBgO - -----END PRIVATE KEY----- - - SSLCertificateChainFile_content: | - -----BEGIN CERTIFICATE----- - MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL - MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC - VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx - NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD - TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu - ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j - V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj - gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA - FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE - CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS - 
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE - BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju - Wm7DCfrPNGVwFWUQOmsPue9rZBgO - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL - MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC - VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx - NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD - TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu - ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j - V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj - gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA - FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE - CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS - BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE - BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju - Wm7DCfrPNGVwFWUQOmsPue9rZBgO - -----END CERTIFICATE----- - - ProxyRequests: 'Off' - ProxyPreserveHost: 'On' - - ProxyRoute: - example prod proxy route: - ProxyPassSource: '/' - ProxyPassTarget: 'http://prod.example.com:85/' - ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' - ProxyPassReverseSource: '/' - ProxyPassReverseTarget: 'http://prod.example.com:85/' - - example webmail proxy route: - ProxyPassSource: '/webmail/' - ProxyPassTarget: 'http://mail.example.com/' - ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' - ProxyPassReverseSource: '/webmail/' - ProxyPassReverseTarget: 'http://mail.example.com/' - - example service proxy route: - ProxyPassSource: '/svc/' - ProxyPassTarget: 'http://svc.example.com:92/' - ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' - ProxyPassReverseSource: '/svc/' - ProxyPassReverseTarget: 'http://svc.example.com:92/' - - Location: - /: - Require: False - Formula_Append: | - SecRuleRemoveById 981231 - 
SecRuleRemoveById 981173 - - /error: - Require: 'all granted' - - /docs: - Order: allow,deny # For Apache < 2.4 - Allow: from all # For apache < 2.4 - Require: all granted # For apache > 2.4. - Formula_Append: | - Additional config as a - multi-line string here - - LocationMatch: - '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]': - Require: False - Formula_Append: | - RequestHeader set Host mail.example.com - - '^[.\\/]+([Ss][Vv][Cc])[.\\/]': - Require: False - Formula_Append: | - Require ip 123.123.13.6 84.24.25.74 - - Proxy_control: - '*': - AllowAll: False - AllowCountry: - - DE - AllowIP: - - 12.5.25.32 - - 12.5.25.33 - - - Alias: - /docs: /usr/share/docs - - Formula_Append: | - Additional config as a - multi-line string here - - # ``apache.debian_full`` formula additional configuration: - register-site: - # any name as an array index, and you can duplicate this section - UNIQUE_VALUE_HERE: - name: 'my name' - path: 'salt://path/to/sites-available/conf/file' - state: 'enabled' - # Optional - use managed file as Jinja Template - #template: true - #defaults: - # custom_var: "default value" - - modules: - enabled: # List modules to enable - - ldap - - ssl - disabled: # List modules to disable - - rewrite - - flags: - enabled: # List server flags to enable - - SSL - disabled: # List server flags to disable - - status - - # KeepAlive: Whether or not to allow persistent connections (more than - # one request per connection). Set to "Off" to deactivate. - keepalive: 'On' - - security: - # can be Full | OS | Minimal | Minor | Major | Prod - # where Full conveys the most information, and Prod the least. 
- ServerTokens: Prod - - # [debian only] configure mod_ssl - ssl: - SSLCipherSuite: 'HIGH:!aNULL' - SSLHonorCipherOrder: 'Off' - SSLProtocol: 'all -SSLv3' - SSLUseStapling: 'Off' - SSLStaplingResponderTimeout: '5' - SSLStaplingReturnResponderErrors: 'Off' - SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)' - - # ``apache.mod_remoteip`` formula additional configuration: - mod_remoteip: - RemoteIPHeader: X-Forwarded-For - RemoteIPTrustedProxy: - - 10.0.8.0/24 - - 127.0.0.1 - - # ``apache.mod_security`` formula additional configuration: - mod_security: - crs_install: True - # If not set, default distro's configuration is installed as is - manage_config: True - sec_rule_engine: 'On' - sec_request_body_access: 'On' - sec_request_body_limit: '14000000' - sec_request_body_no_files_limit: '114002' - sec_request_body_in_memory_limit: '114002' - sec_request_body_limit_action: 'Reject' - sec_pcre_match_limit: '15000' - sec_pcre_match_limit_recursion: '15000' - sec_debug_log_level: '3' - - rules: - enabled: - modsecurity_crs_10_setup.conf: - rule_set: '' - enabled: True - modsecurity_crs_20_protocol_violations.conf: - rule_set: 'base_rules' - enabled: False - - custom_rule_files: - # any name as an array index, and you can duplicate this section - UNIQUE_VALUE_HERE: - file: 'my name' - path: 'salt://path/to/modsecurity/custom/file' - enabled: True - - mod_ssl: - # set this to True if you want to override your distributions default TLS configuration - manage_tls_defaults: False - # This stuff is deliberately not configured via map.jinja resp. apache:lookup. - # We're unable to know sane defaults for each release of every distribution. - # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion - # Have a look at bettercrypto.org for up-to-date settings. 
- # These are default values: - SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA - # Mitigate the CRIME attack - SSLCompression: Off - SSLProtocol: all -SSLv2 -SSLv3 -TLSv1 - SSLHonorCipherOrder: On - SSLOptions: "+StrictRequire" diff --git a/pillar-ng.example.yaml b/pillar.example.yaml similarity index 97% rename from pillar-ng.example.yaml rename to pillar.example.yaml index 8be4d4cc..187dc550 100644 --- a/pillar-ng.example.yaml +++ b/pillar.example.yaml 
@@ -1,122 +1,122 @@ -# server configuration and any vhost configuration have the same data structure -# This data structure is similar to below : -# -# directives: # list of top level directives/values -# - directive_1: value_1 -# - directive_2: value_2 -# - directive_3: value_3 -# containers: # any type of httpd container -# container_name_1: # Files|Directory|DirectoryMatch|Proxy|location|locationMatch ... -# - -# item: 'path/to/1' # label, path or whatever that container applies to -# directives: # list of directives into this container -# - directive_1: value_1 -# ... -# - -# item: '/path/to/2' -# direcives: -# - ... -# containers: # nested containers in /path/to/2 -# nested_c_1: -# - item: '...' -# directives: -# - ... -# container_name_2: -# - -# item: '...' -# ... - -# ``apache`` formula configuration: -apache: - - # By default apache restart/reload states run (false skips) - manage_service_states: True - - # lookup section overrides ``map.jinja`` values - lookup: - server: apache2 - service: apache2 - user: some_system_user - group: some_system_group - - vhostdir: /etc/apache2/sites-available - confdir: /etc/apache2/conf.d - confext: .conf - logdir: /var/log/apache2 - wwwdir: /srv/apache2 - - # apache version (generally '2.2' or '2.4') - version: '2.2' - - # ``apache.mod_wsgi`` formula additional configuration: - mod_wsgi: mod_wsgi - - # global (server) apache directives - server_apache_config: # this content will populate httpd.conf - directives: - - AllowEncodedSlashes: 'On' - - Timeout: 5 - containers: - IfModule: - - - item: 'mime_module' - directives: - - AddType: 'application/x-font-ttf ttc ttf' - - AddType: 'application/x-font-opentype otf' - - AddType: 'application/x-font-woff woff2' - - - # ``apache.vhosts.vhost-ng`` formula additional configuration: - VirtualHost: - example.com: # <-- site_name : can be the real ServerName or a virtual name - item: '*:8080' # simple example - directives: - - ServerName: 'example.com' # if not defined default is 
site_name - - ServerAdmin: 'webmaster@example.com' - - DocumentRoot: '/path/to/www/dir/example.com' - - LogLevel: 'warn' - containers: - Location: - - - item: '/test.html' - directives: - - Require: 'all granted' - my_reverse_proxy: # example with a virtual site_name - item: '*:80' # vhost with proxypass - directives: - - ServerName: 'rp-example.com' - - ServerAdmin: 'webmaster@example.com' - - DocumentRoot: '/path/to/www/dir/rp-example.com' - - LogLevel: 'warn' - - ProxyPass: '/ balancer://cluster_1' - - ProxyPassReverse: '/ balancer://cluster_1' - - ProxyPreserveHost: 'On' - containers: - Proxy: - - - item: 'balancer://cluster_1' - directives: - - BalancerMember: 'http://my_backend_1:8081 route=backend-1-8081 timeout=240 retry=120' - - BalancerMember: 'http://my_backend_2:8081 route=backend-2-8081 timeout=240 retry=120' - - ProxySet: 'stickysession=JSESSIONID|jsessionid nofailover=off maxattempts=1' - unused_vhost: - item: '*:80' - absent: True # Delete this vhost - directives: - - ServerName: 'to-delete-example.com' - - ServerAdmin: 'webmaster@example.com' - - DocumentRoot: '/path/to/www/dir/to-delete-example.com' - - LogLevel: 'warn' - containers: - Location: - - - item: '/test.html' - directives: - - Require: 'all granted' - - modules: - enabled: # List modules to enable - - ldap - - ssl - disabled: # List modules to disable - - rewrite +# server configuration and any vhost configuration have the same data structure +# This data structure is similar to below : +# +# directives: # list of top level directives/values +# - directive_1: value_1 +# - directive_2: value_2 +# - directive_3: value_3 +# containers: # any type of httpd container +# container_name_1: # Files|Directory|DirectoryMatch|Proxy|location|locationMatch ... +# - +# item: 'path/to/1' # label, path or whatever that container applies to +# directives: # list of directives into this container +# - directive_1: value_1 +# ... +# - +# item: '/path/to/2' +# direcives: +# - ... 
+# containers: # nested containers in /path/to/2 +# nested_c_1: +# - item: '...' +# directives: +# - ... +# container_name_2: +# - +# item: '...' +# ... + +# ``apache`` formula configuration: +apache: + + # By default apache restart/reload states run (false skips) + manage_service_states: True + + # lookup section overrides ``map.jinja`` values + lookup: + server: apache2 + service: apache2 + user: some_system_user + group: some_system_group + + vhostdir: /etc/apache2/sites-available + confdir: /etc/apache2/conf.d + confext: .conf + logdir: /var/log/apache2 + wwwdir: /srv/apache2 + + # apache version (generally '2.2' or '2.4') + version: '2.2' + + # ``apache.mod_wsgi`` formula additional configuration: + mod_wsgi: mod_wsgi + + # global (server) apache directives + server_apache_config: # this content will populate httpd.conf + directives: + - AllowEncodedSlashes: 'On' + - Timeout: 5 + containers: + IfModule: + - + item: 'mime_module' + directives: + - AddType: 'application/x-font-ttf ttc ttf' + - AddType: 'application/x-font-opentype otf' + - AddType: 'application/x-font-woff woff2' + + + # ``apache.vhosts.vhost-ng`` formula additional configuration: + VirtualHost: + example.com: # <-- site_name : can be the real ServerName or a virtual name + item: '*:8080' # simple example + directives: + - ServerName: 'example.com' # if not defined default is site_name + - ServerAdmin: 'webmaster@example.com' + - DocumentRoot: '/path/to/www/dir/example.com' + - LogLevel: 'warn' + containers: + Location: + - + item: '/test.html' + directives: + - Require: 'all granted' + my_reverse_proxy: # example with a virtual site_name + item: '*:80' # vhost with proxypass + directives: + - ServerName: 'rp-example.com' + - ServerAdmin: 'webmaster@example.com' + - DocumentRoot: '/path/to/www/dir/rp-example.com' + - LogLevel: 'warn' + - ProxyPass: '/ balancer://cluster_1' + - ProxyPassReverse: '/ balancer://cluster_1' + - ProxyPreserveHost: 'On' + containers: + Proxy: + - + item: 
'balancer://cluster_1' + directives: + - BalancerMember: 'http://my_backend_1:8081 route=backend-1-8081 timeout=240 retry=120' + - BalancerMember: 'http://my_backend_2:8081 route=backend-2-8081 timeout=240 retry=120' + - ProxySet: 'stickysession=JSESSIONID|jsessionid nofailover=off maxattempts=1' + unused_vhost: + item: '*:80' + absent: True # Delete this vhost + directives: + - ServerName: 'to-delete-example.com' + - ServerAdmin: 'webmaster@example.com' + - DocumentRoot: '/path/to/www/dir/to-delete-example.com' + - LogLevel: 'warn' + containers: + Location: + - + item: '/test.html' + directives: + - Require: 'all granted' + + modules: + enabled: # List modules to enable + - ldap + - ssl + disabled: # List modules to disable + - rewrite From 1f3712523fa27e746143de9faa0d54eeb6cbfc47 Mon Sep 17 00:00:00 2001 From: Karim Hamza Date: Tue, 26 Feb 2019 10:46:56 +0100 Subject: [PATCH 2/6] remove ng from template --- apache/files/RedHat/apache-2.4.config.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apache/files/RedHat/apache-2.4.config.jinja b/apache/files/RedHat/apache-2.4.config.jinja index 48b1d098..5cce25c6 100644 --- a/apache/files/RedHat/apache-2.4.config.jinja +++ b/apache/files/RedHat/apache-2.4.config.jinja @@ -35,6 +35,6 @@ Group {{ apache.group }} IncludeOptional {{ apache.confdir }}/*.conf -{%- if apache.vhostdir_ng != apache.confdir %} -IncludeOptional {{ apache.vhostdir_ng }}/*.conf +{%- if apache.vhostdir != apache.confdir %} +IncludeOptional {{ apache.vhostdir }}/*.conf {%- endif %} From 3bafe673a376b441a00eb63acfe158d282c5a35c Mon Sep 17 00:00:00 2001 From: Karim Hamza Date: Tue, 26 Feb 2019 11:33:36 +0100 Subject: [PATCH 3/6] remove -ng from readme --- README.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.rst b/README.rst index f08e501d..5cdae398 100644 --- a/README.rst +++ b/README.rst 
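Review bot: The new side of the example still advertises the removed state name in `# ``apache.vhosts.vhost-ng`` formula additional configuration:` although this series renames the state to `apache.vhosts.vhost`; it should read `# ``apache.vhosts.vhost`` formula additional configuration:`. The example also keeps `version: '2.2'` while every Location block uses `Require: 'all granted'`, a 2.4-only directive, so copying the file as-is yields an inconsistent pair — if `version` still selects the 2.2/2.4 config templates, `'2.4'` is the value that matches the rest of the example. The skeleton comment at the top has the typo `direcives:`, which should be `directives:` since readers tend to copy that structure verbatim.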
@@ -31,7 +31,7 @@ Available states Installs the Apache package and starts the service. -``apache.config-ng`` +``apache.config`` ----------------- Configures apache server. @@ -55,12 +55,12 @@ present in the state ``_ - AddType: 'application/x-font-woff woff2' -``apache.modules-ng`` +``apache.modules`` ------------------ Enables and disables Apache modules. -``apache.vhosts.vhost-ng`` +``apache.vhosts.vhost`` -------------------------- Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar. From 7124b8122f54f5f93ac00f881e1bf61ac3ec4852 Mon Sep 17 00:00:00 2001 From: Karim Hamza Date: Tue, 26 Feb 2019 11:50:59 +0100 Subject: [PATCH 4/6] manage listen directive with disabled vhosts --- apache/files/RedHat/apache-2.4.config.jinja | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apache/files/RedHat/apache-2.4.config.jinja b/apache/files/RedHat/apache-2.4.config.jinja index 5cce25c6..8908b6af 100644 --- a/apache/files/RedHat/apache-2.4.config.jinja +++ b/apache/files/RedHat/apache-2.4.config.jinja @@ -7,10 +7,12 @@ {%- set list_interfaces_ports = [] %} {%- for name, vhost in salt['pillar.get']('apache:VirtualHost', {}).items() %} +{%- if not vhost.get('absent', False) %} {%- set items = vhost.item.split() %} {%- for item in items if item not in list_interfaces_ports %} {%- do list_interfaces_ports.append(item) %} {%- endfor %} +{%- endif %} {%- endfor %} {%- for item in list_interfaces_ports %} From dae5409d1d2dfb463be96abc2b6961e0e869e6aa Mon Sep 17 00:00:00 2001 From: Karim Hamza Date: Tue, 26 Feb 2019 22:00:59 +0100 Subject: [PATCH 5/6] add json filter --- apache/config.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/config.sls b/apache/config.sls index 6e60c44e..af636ddc 100644 --- a/apache/config.sls +++ b/apache/config.sls 
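Review bot: The added guard skips absent vhosts, but the line right after it, `{%- set items = vhost.item.split() %}`, still dereferences `item` unconditionally, so one pillar entry without `item` aborts rendering of the whole httpd.conf rather than just that vhost; `{%- set items = vhost.get('item', '').split() %}` keeps the file renderable. Whatever is collected here is emitted by the `for item in list_interfaces_ports` loop whose body lies outside the hunk, so if it becomes a `Listen` line, an item such as `_default_:443` — valid inside `<VirtualHost>` — would presumably produce an invalid `Listen _default_:443` and should be filtered alongside absent vhosts; worth confirming against the emitting loop.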
@@ -80,7 +80,7 @@ include: - module: apache-reload - service: apache - context: - apache: {{ apache }} + apache: {{ apache | json}} server_config: {{ server_config | json }} {{ apache.vhostdir }}: From b7d8b052e460bc900611691c95e608d98ca630b0 Mon Sep 17 00:00:00 2001 From: Karim Hamza Date: Fri, 22 Mar 2019 16:33:18 +0100 Subject: [PATCH 6/6] remove hardcoded path --- apache/config.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/config.sls b/apache/config.sls index af636ddc..281aa135 100644 --- a/apache/config.sls +++ b/apache/config.sls @@ -104,7 +104,7 @@ include: - service: apache -/etc/httpd/conf.d/welcome.conf: +{{ apache.confdir }}/welcome.conf: file.managed: - source: - salt://apache/files/{{ salt['grains.get']('os_family') }}/welcome.conf