
Apache Formula

Install and configure Apache webserver

Sample Pillars

Simple Apache proxy

apache:
  server:
    enabled: true
    bind:
      # 0.0.0.0 binds every interface; narrow this when the proxy should only
      # be reachable from one network
      address: '0.0.0.0'
      ports:
      - 80
    # Reverse-proxy modules only; no SSL module is loaded in this sample, so
    # the proxy answers plain HTTP on port 80
    modules:
    - proxy
    - proxy_http
    - proxy_balancer

Apache plain static sites (e.g. Sphinx-generated, from git/hg sources)

apache:
  server:
    enabled: true
    bind:
      # Only the ports listed below are bound; presumably this drops the
      # formula's default Listen entries — confirm against the template
      listen_default_ports: false
      address: '0.0.0.0'
      ports:
      - 80
    modules:
    - rewrite
    # mod_status publishes server status; restrict access to its handler
    - status
    site:
    # Content already present on the minion; nothing is fetched
    - enabled: true
      name: 'sphinxdoc'
      type: 'static'
      host:
        name: 'doc.domain.com'
        port: 80
      source:
        engine: local
    # Content checked out from a git remote
    - enabled: true
      name: 'impressjs'
      type: 'static'
      host:
        name: 'pres.domain.com'
        port: 80
      source:
        engine: git
        # NOTE(review): the address below looks mangled by the page's e-mail
        # obfuscation; the real value is an SSH-style git URL (user@host:path)
        address: '[email protected]:impress/billometer.git'
        # A branch name is a moving target; a tag or commit id pins what is
        # deployed — presumably revision accepts either, verify against the state
        revision: 'master'

Tune settings of mpm_prefork

parameters:
  apache:
    mpm:
      prefork:
        # Upper bound on simultaneous worker processes (presumably
        # MaxClients / MaxRequestWorkers — confirm against the template)
        max_clients: 250
        servers:
          # Bounds of the idle spare-server pool
          min: 32
          max: 64
          # NOTE(review): presumably requests a child serves before it is
          # recycled (MaxRequestsPerChild) — confirm
          max_requests: 4000

Apache kerberos authentication:

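parameters:
  apache:
    server:
      site:
        # NOTE(review): the other samples put per-site settings under a named
        # site (site: <name>: ...); the name level appears to be elided here
        auth:
          engine: kerberos
          # Presumably the AuthName shown in the authentication challenge
          name: "Kerberos Authentication"
          # Authorization: group membership is looked up over LDAP, so a valid
          # ticket alone does not grant access
          require:
            - "ldap-attribute memberOf='cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com'"

          kerberos:
            realms:
              - EXAMPLE.COM
            # Below is optional
            # The keytab holds the service's long-term key: keep it readable
            # by the httpd user only
            keytab: /etc/apache2/ipa.keytab
            service: HTTP
            method:
              negotiate: true
              # Presumably allows a password fallback via the Basic scheme;
              # only safe over TLS
              k5passwd: true

          ldap:
            # ldaps:// keeps the directory lookups on TLS
            url: "ldaps://idm01.example.com/dc=example,dc=com?krbPrincipalName"
            # mech is optional
            mech: GSSAPI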

Tune security settings (these are default):

parameters:
  apache:
    server:
      # ServerTokens; Prod hides version details from the Server header
      tokens: Prod
      # ServerSignature, can be also set per-site
      signature: false
      # TraceEnable, can be also set per-site; false turns the TRACE method off
      trace: false
      # Deny access to .git, .svn, .hg directories
      secure_scm: true
      # Required for settings below (headers are set via mod_headers)
      modules:
        - headers
      # Set X-Content-Type-Options
      content_type_options: nosniff
      # Set X-Frame-Options
      frame_options: sameorigin

Tuned-up log configuration.

parameters:
  apache:
    server:
      site:
        foo:
          enabled: true
          type: static
          log:
            custom:
              enabled: true
              file: /var/log/apache2/mylittleponysitecustom.log
              # The first field is X-Forwarded-For, a client-supplied header
              # unless a trusted proxy in front overwrites it: log it, but do
              # not treat it as the verified client address. Backslashes are
              # literal inside a block scalar, so the \" sequences reach the
              # LogFormat as written.
              format: >-
                 %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"
            error:
              # Error logging is switched off for this site; file and level
              # presumably only take effect once enabled is true
              enabled: false
              file: /var/log/apache2/foo.error.log
              level: notice

Apache wsgi application.

apache:
  server:
    enabled: true
    default_mpm: event
    site:
      manila:
        # available but not enabled: presumably the vhost is written but not
        # activated — confirm against the template
        enabled: false
        available: true
        type: wsgi
        name: manila
        wsgi:
          daemon_process: manila-api
          threads: 2
          # The daemon runs under a dedicated account rather than the server user
          user: manila
          group: manila
          display_name: '%{GROUP}'
          script_alias: '/ /usr/bin/manila-wsgi'
          application_group: '%{GLOBAL}'
          # Kept quoted: an unquoted On would parse as boolean true
          authorization: 'On'
        limits:
          # Cap on request body size in bytes (presumably LimitRequestBody)
          request_body: 114688

Apache ssl cipher management

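# Three alternative samples, separated as YAML documents so the repeated
# top-level key is not a duplicate. 'secure' and 'normal' use the formula's
# built-in protocol/cipher sets.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: secure
            # ... other site settings elided ...
---
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: normal
            # ... other site settings elided ...
---
# 'strict' mode with explicit protocol and cipher dicts
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: strict
            ciphers:
              # AEAD suites with forward secrecy
              ECDHE_RSA_AES256_GCM_SHA384:
                name: 'ECDHE-RSA-AES256-GCM-SHA384'
                enabled: true
              ECDHE_ECDSA_AES256_GCM_SHA384:
                name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                enabled: true
            protocols:
              # Only TLSv1.2 is enabled; TLSv1 and TLSv1.1 are deprecated and
              # stay switched off
              TLS1:
                name: 'TLSv1'
                enabled: false
              TLS1_1:
                name: 'TLSv1.1'
                enabled: false
              TLS1_2:
                name: 'TLSv1.2'
                enabled: true
            # Apache on/off value, kept a string so YAML does not turn it into
            # a boolean
            prefer_server_ciphers: 'on'
            # ... other site settings elided ...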

Advanced SSL configuration. More information about the SSL options can be found at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html. Please note that if mode = 'secure' or mode = 'normal' and 'ciphers' or 'protocols' are set, they should have type "string"; if mode = 'manual', their type should be "dict" (as shown below).

SSL settings on SITE level:

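parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            # Certificate material is issued by the salt CA named in authority
            engine: salt
            authority: "${_param:salt_minion_ca_authority}"
            key_file: "/etc/ssl/private/internal_proxy.key"
            cert_file: "/etc/ssl/certs/internal_proxy.crt"
            chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
            # 'strict' mode with explicit protocol and cipher dicts
            mode: 'strict'
            session_timeout: '300'
            protocols:
              # Only TLSv1.2 is enabled; TLSv1 and TLSv1.1 are deprecated and
              # stay switched off
              TLS1:
                name: 'TLSv1'
                enabled: false
              TLS1_1:
                name: 'TLSv1.1'
                enabled: false
              TLS1_2:
                name: 'TLSv1.2'
                enabled: true
            ciphers:
              # AEAD suites with forward secrecy
              ECDHE_RSA_AES256_GCM_SHA384:
                name: 'ECDHE-RSA-AES256-GCM-SHA384'
                enabled: true
              ECDHE_ECDSA_AES256_GCM_SHA384:
                name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                enabled: true
            # Apache on/off values are kept as strings throughout so YAML does
            # not turn them into booleans
            prefer_server_ciphers: "off"
            dhparam:
              enabled: true
              numbits: 2048
            # Both curves are entries of ecdh_curve
            ecdh_curve:
              secp384r1:
                name: 'secp384r1'
                enabled: false
              secp521r1:
                name: 'secp521r1'
                enabled: true
            ticket_key:
              enabled: true
              numbytes: 48
            # NOTE(review): session_tickets is 'on' while conf_cmd.sessionticket
            # below issues 'Options -SessionTicket'; as written the sample
            # contradicts itself — keep one of the two
            session_tickets: 'on'
            stapling: 'off'
            crl:
              file: '/etc/ssl/crl/crl.pem'
              path: '/etc/ssl/crl'
              value: 'chain'
              enabled: false
            # No client certificate is requested from browsers
            verify_client: 'none'
            client_certificate:
              file: '/etc/ssl/client_cert.pem'
              enabled: false
            # TLS compression off (CRIME) and insecure renegotiation off
            compression: 'off'
            ssl_engine: 'on'
            insecure_renegotiation: 'off'
            ocsp:
              default_responder: 'http://responder.example.com:8888/responder'
              ocsp_enable: 'off'
              override_responder: 'off'
              responder_timeout: '50'
              max_age: '300'
              time_skew: '300'
              nonce: 'on'
              enabled: true
            conf_cmd:
              sessionticket:
                command_name: 'Options'
                command_value: '-SessionTicket'
                enabled: true
              serverpreference:
                command_name: 'Options'
                command_value: '-ServerPreference'
                enabled: false
            ssl_options:
              # +FakeBasicAuth maps a verified client-certificate DN onto a
              # basic-auth user; with verify_client 'none' above no
              # certificate is verified, so enable it only together with
              # client verification
              fakebasicauth:
                option: '+FakeBasicAuth'
                # boolean like every other enabled flag (a quoted 'True' is a string)
                enabled: true
              strictrequire:
                option: '-StrictRequire'
                enabled: true
            # Settings for the TLS connections the proxy makes to its backends
            proxy:
              ca_cert_file: '/etc/ssl/client_cert.pem'
              ca_cert_path: '/etc/ssl/client/'
              crl:
                file: '/etc/ssl/crl/crl.pem'
                path: '/etc/ssl/crl'
                value: 'chain'
                enabled: false
              # verify 'none' plus the three check_peer_* 'off' means backend
              # certificates are not validated at all — acceptable only on a
              # trusted network; switch them on for anything else
              check_peer_cn: 'off'
              check_peer_expire: 'off'
              check_peer_name: 'off'
              ciphers:
                ECDHE_RSA_AES256_GCM_SHA384:
                  name: 'ECDHE-RSA-AES256-GCM-SHA384'
                  enabled: true
                ECDHE_ECDSA_AES256_GCM_SHA384:
                  name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                  enabled: false
              ssl_engine: 'on'
              proxy_chain_file: '/etc/ssl/proxy_chain.pem'
              proxy_cert_file: '/etc/ssl/proxy.pem'
              proxy_cert_path: '/etc/ssl/proxy'
              verify: 'none'
              verify_depth: '1'
              # Placeholder only: a real SRP seed is a secret and belongs in a
              # secret store, not in a committed pillar
              srp_unknown_seed: 'secret_string'
              srp_verifier_file: '/path/to/file.srpv'
            ssl_stapling:
              error_cache_timeout: '600'
              fake_try_later: 'off'
              stapling_responder: 'http://responder.example.com:8888/responder'
              responder_timeout: '600'
              response_max_age: '300'
              response_time_skew: '300'
              responder_errors: 'off'
              standard_cache_timeout: '600'
            sniv_host_check: 'off'
            verify_depth: '1'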

SSL settings on SERVER level:

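apache:
  server:
    ssl:
      enabled: true
      # Presumably SSLCryptoDevice; 'rdrand' selects the CPU RNG engine — confirm
      crypto_device: 'rdrand'
      # Apache on/off values stay quoted strings so YAML keeps them as text
      fips: 'off'
      # Presumably SSLPassPhraseDialog; 'builtin' prompts on the console at start
      passphrase: 'builtin'
      # Presumably SSLRandomSeed entries, one per context
      random_seed:
        seed1:
          context: 'startup'
          source: 'file:/dev/urandom 256'
          enabled: true
        seed2:
          context: 'connect'
          source: 'builtin'
          enabled: true
      # No shared session cache between workers
      session_cache: 'none'
      stapling_cache: 'default'
      # Environment variable exported as the authenticated user name for
      # client certificates
      ssl_user_name: 'SSL_CLIENT_S_DN_CN'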

Roundcube webmail, postfixadmin and mailman

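classes:
  - service.apache.server.single
parameters:
  apache:
    server:
      enabled: true
      modules:
        - cgi
        - php
      site:
        roundcube:
          enabled: true
          type: static
          name: roundcube
          root: /usr/share/roundcube
          locations:
            - uri: /admin
              path: /usr/share/postfixadmin
            # script: true presumably enables CGI execution for this location
            # only (the cgi module is loaded above); the other locations carry
            # no script flag and are served as files
            - uri: /mailman
              path: /usr/lib/cgi-bin/mailman
              script: true
            - uri: /pipermail
              path: /var/lib/mailman/archives/public
            - uri: /images/mailman
              path: /usr/share/images/mailman
          host:
            name: mail.example.com
            aliases:
              - mail.example.com
              - lists.example.com
              - mail01.example.com
              - mail01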

Logrotate settings that rotate the logs at a random time within a given interval. Times are in seconds.

apache:
  server:
    logrotate:
      # Rotation happens at a random point between start_period and
      # end_period, both in seconds
      start_period: 600
      end_period: 1200

Apache modules management

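apache:
  server:
    mods:
      # enabled presumably means the formula manages the module; status is the
      # state to enforce and is a string, not a boolean
      status:
        enabled: true
        status: 'disabled'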

More Information

Documentation and Bugs

To learn how to install and update salt-formulas, consult the documentation available online at:

http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to the appropriate issue tracker. Use the GitHub issue tracker for the specific salt formula:

https://github.com/salt-formulas/salt-formula-apache/issues

For feature requests, bug reports or blueprints affecting entire ecosystem, use Launchpad salt-formulas project:

https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base their work on master branch and submit pull request against specific formula.

https://github.com/salt-formulas/salt-formula-apache

Questions and feedback are always welcome, so feel free to join our IRC channel:

#salt-formulas @ irc.freenode.net