==============
Apache Formula
==============

Install and configure the Apache web server.

Sample Pillars
==============

Simple Apache proxy

.. code-block:: yaml

    apache:
      server:
        enabled: true
        bind:
          address: '0.0.0.0'
          ports:
          - 80
        modules:
        - proxy
        - proxy_http
        - proxy_balancer
        site:
          apache_proxy_site:
            enabled: true
            type: proxy
            name: site_name
            proxy:
              host: 1.1.1.1
              port: 8080
              protocol: http
              retry: 30
            host:
              name: 2.2.2.2
              port: 9001
              address: 2.2.2.2

Apache plain static sites (e.g. Sphinx-generated, from git/hg sources)

.. code-block:: yaml

    apache:
      server:
        enabled: true
        bind:
          listen_default_ports: false
          address: '0.0.0.0'
          ports:
          - 80
        modules:
        - rewrite
        - status
        site:
        - enabled: true
          name: 'sphinxdoc'
          type: 'static'
          host:
            name: 'doc.domain.com'
            port: 80
          source:
            engine: local
        - enabled: true
          name: 'impressjs'
          type: 'static'
          host:
            name: 'pres.domain.com'
            port: 80
          source:
            engine: git
            address: 'git@repo1.domain.cz:impress/billometer.git'
            revision: 'master'

Tune settings of mpm_prefork

.. code-block:: yaml

    parameters:
      apache:
        mpm:
          prefork:
            max_clients: 250
            servers:
              min: 32
              max: 64
            max_requests: 4000

Apache Kerberos authentication:

.. code-block:: yaml

    parameters:
      apache:
        server:
          site:
            auth:
              engine: kerberos
              name: "Kerberos Authentication"
              require:
                - "ldap-attribute memberOf='cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com'"
              kerberos:
                realms:
                  - EXAMPLE.COM
                # Below is optional
                keytab: /etc/apache2/ipa.keytab
                service: HTTP
                method:
                  negotiate: true
                  k5passwd: true
              ldap:
                url: "ldaps://idm01.example.com/dc=example,dc=com?krbPrincipalName"
                # mech is optional
                mech: GSSAPI

Tune security settings (these are the defaults):

.. code-block:: yaml

    parameters:
      apache:
        server:
          # ServerTokens
          tokens: Prod
          # ServerSignature, can also be set per-site
          signature: false
          # TraceEnable, can also be set per-site
          trace: false
          # Deny access to .git, .svn, .hg directories
          secure_scm: true
          # Required for the settings below
          modules:
            - headers
          # Set X-Content-Type-Options
          content_type_options: nosniff
          # Set X-Frame-Options
          frame_options: sameorigin
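The following is an added example, not code from the formula itself: it renders the server-level security keys above into the httpd directives they correspond to and audits a set of response headers against the same expectations. The pillar-key to directive mapping used here is an assumption made for the example (the formula's own templates are authoritative), and the two header sets are constructed, not captured from a live server.

```python
"""Added example, not part of the formula: render the security pillar keys
above into httpd directives and audit a set of response headers against
the same expectations.  The pillar-key -> directive mapping is an assumption
made for this example; the formula's templates are authoritative."""
from __future__ import annotations

import re

SECURITY_DEFAULTS = {       # the defaults listed in the pillar above
    "tokens": "Prod",
    "signature": False,
    "trace": False,
    "secure_scm": True,
    "content_type_options": "nosniff",
    "frame_options": "sameorigin",
}
SCM_DIRS = (".git", ".svn", ".hg")


def _onoff(value: bool) -> str:
    return "On" if value else "Off"


def render_security_directives(server: dict) -> list[str]:
    """Translate the server-level keys into directives (assumed mapping)."""
    cfg = {**SECURITY_DEFAULTS, **server}
    lines = [
        f"ServerTokens {cfg['tokens']}",        # 'Prod' -> 'Server: Apache', no version
        f"ServerSignature {_onoff(cfg['signature'])}",
        f"TraceEnable {_onoff(cfg['trace'])}",
    ]
    if cfg["secure_scm"]:
        # Answer 404 for any path that enters a VCS metadata directory.
        for d in SCM_DIRS:
            lines.append(f"RedirectMatch 404 /\\{d}(/|$)")
    if "headers" in cfg.get("modules", []):    # mod_headers must be loaded
        lines.append(f"Header always set X-Content-Type-Options {cfg['content_type_options']}")
        lines.append(f"Header always set X-Frame-Options {cfg['frame_options']}")
    return lines


def audit_response_headers(headers: dict) -> list[str]:
    """Return findings for one response's headers; [] means it matches the hardened defaults."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if re.search(r"\d", h.get("server", "")):
        findings.append(f"Server header discloses a version: {h['server']!r}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is missing or not 'nosniff'")
    if h.get("x-frame-options", "").lower() not in ("sameorigin", "deny"):
        findings.append("X-Frame-Options is missing or permissive")
    return findings


# Constructed header sets, as a client would see them (not captured from a real server).
HARDENED_HEADERS = {"Server": "Apache", "X-Content-Type-Options": "nosniff",
                    "X-Frame-Options": "SAMEORIGIN"}
LEAKY_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}

if __name__ == "__main__":
    print("\n".join(render_security_directives({"modules": ["headers"]})))
    for finding in audit_response_headers(LEAKY_HEADERS):
        print("finding:", finding)
```

Note that the two header directives are only emitted when ``headers`` is in the module list, mirroring the "Required for the settings below" comment: without mod_headers the ``content_type_options`` and ``frame_options`` keys have no effect, which is exactly what the audit function would then report.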

Tuned-up log configuration.

.. code-block:: yaml

    parameters:
      apache:
        server:
          site:
            foo:
              enabled: true
              type: static
              log:
                custom:
                  enabled: true
                  file: /var/log/apache2/mylittleponysitecustom.log
                  format: >-
                    %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"
                error:
                  enabled: false
                  file: /var/log/apache2/foo.error.log
                  level: notice
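As an added example (not part of the formula), the parser below reads lines written with the custom ``format`` above and pulls out the fields an operator reviews first. The log lines it runs on are constructed for this example; the only assumption about the format is that Apache writes ``%D`` as microseconds and escapes embedded quotes with a backslash, which is its documented behaviour.

```python
"""Added example, not part of the formula: parse access-log lines written
with the custom ``format`` shown above.  Sample lines are constructed."""
from __future__ import annotations

import re
from datetime import datetime

# One quoted field; Apache escapes embedded quotes as \" so allow backslash escapes.
_QUOTED = r'(?:[^"\\]|\\.)*'

# Mirrors: %{X-Forwarded-For}i %l %u %t "%r" %>s %b %D "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\d+|-) (?P<duration_us>\d+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<user_agent>' + _QUOTED + r')"$'
)

SAMPLE_LINES = [  # constructed sample data, not real traffic
    '203.0.113.7, 10.0.0.2 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 1543 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.23 - alice [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" '
    '302 - 2100000 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "GET /api/items HTTP/1.1" '
    '503 - 87 "-" "python-requests/2.31"',
]


def parse_line(line: str) -> dict | None:
    """Return a typed record for one line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    hops = [h.strip() for h in f["xff"].split(",")] if f["xff"] != "-" else []
    return {
        # The leftmost X-Forwarded-For entry is whatever the original client
        # claimed; only the entry appended by your own proxy (the rightmost
        # one) is trustworthy.
        "claimed_client": hops[0] if hops else None,
        "last_hop": hops[-1] if hops else None,
        "user": None if f["user"] == "-" else f["user"],
        "time": datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": f["request"],
        "status": int(f["status"]),
        "bytes": 0 if f["bytes"] == "-" else int(f["bytes"]),
        "duration_us": int(f["duration_us"]),   # %D is microseconds
        "referer": f["referer"],
        "user_agent": f["user_agent"],
    }


def parse_access_log(lines) -> list[dict]:
    """Parse every line that matches the format; unparsable lines are skipped."""
    return [r for r in (parse_line(line) for line in lines) if r is not None]


def find_anomalies(records: list[dict], slow_us: int = 1_000_000) -> dict[str, list[dict]]:
    """Group records worth a look: 5xx responses and requests slower than slow_us."""
    return {
        "server_errors": [r for r in records if r["status"] >= 500],
        "slow": [r for r in records if r["duration_us"] > slow_us],
    }


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LINES)
    for name, hits in find_anomalies(recs).items():
        print(name, [(r["claimed_client"], r["request"], r["status"]) for r in hits])
```

Because the site is expected to sit behind the proxy configured earlier on this page, the parser keeps both ends of the ``X-Forwarded-For`` chain rather than collapsing it to one address; any allow-listing or rate-limiting built on these records should key on the hop your own proxy appended.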

Apache WSGI application.

.. code-block:: yaml

    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          manila:
            enabled: false
            available: true
            type: wsgi
            name: manila
            wsgi:
              daemon_process: manila-api
              threads: 2
              user: manila
              group: manila
              display_name: '%{GROUP}'
              script_alias: '/ /usr/bin/manila-wsgi'
              application_group: '%{GLOBAL}'
              authorization: 'On'
            limits:
              request_body: 114688

Apache redirect site definition.

.. code-block:: yaml

    apache:
      server:
        site:
          openstack_web_redirect:
            name: 'openstack_web_redirect'
            enabled: true
            type: 'redirect'
            root: '/var/www/httproot'
            host:
              address: ${_param:apache_horizon_api_address}
              name: ${_param:apache_horizon_api_host}
              port: 80
            redirect_mode: rewrite
            target_url: 'https://%{SERVER_NAME}'
            listen_address: '0.0.0.0'

Apache SSL cipher management

.. code-block:: yaml

    parameters:
      apache:
        server:
          enabled: true
          site:
            example:
              enabled: true
              ssl:
                enabled: true
                mode: secure
    ...

.. code-block:: yaml

    parameters:
      apache:
        server:
          enabled: true
          site:
            example:
              enabled: true
              ssl:
                enabled: true
                mode: normal
    ...

.. code-block:: yaml

    parameters:
      apache:
        server:
          enabled: true
          site:
            example:
              enabled: true
              ssl:
                enabled: true
                mode: strict
                ciphers:
                  ECDHE_RSA_AES256_GCM_SHA384:
                    name: 'ECDHE-RSA-AES256-GCM-SHA384'
                    enabled: True
                  ECDHE_ECDSA_AES256_GCM_SHA384:
                    name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                    enabled: True
                protocols:
                  TLS1:
                    name: 'TLSv1'
                    enabled: True
                  TLS1_1:
                    name: 'TLSv1.1'
                    enabled: True
                  TLS1_2:
                    name: 'TLSv1.2'
                    enabled: False
                prefer_server_ciphers: 'on'
    ...

Advanced SSL configuration; more information about the SSL options can be found
at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

Please note that if mode = 'secure' or mode = 'normal' and 'ciphers' or 'protocols' are set, they should
be of type "string"; if mode = 'manual', their type should be "dict" (as shown below).

SSL settings on SITE level:

.. code-block:: yaml

    parameters:
      apache:
        server:
          enabled: true
          site:
            example:
              enabled: true
              ssl:
                enabled: true
                engine: salt
                authority: "${_param:salt_minion_ca_authority}"
                key_file: "/etc/ssl/private/internal_proxy.key"
                cert_file: "/etc/ssl/certs/internal_proxy.crt"
                chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
                mode: 'strict'
                session_timeout: '300'
                protocols:
                  TLS1:
                    name: 'TLSv1'
                    enabled: True
                  TLS1_1:
                    name: 'TLSv1.1'
                    enabled: True
                  TLS1_2:
                    name: 'TLSv1.2'
                    enabled: False
                ciphers:
                  ECDHE_RSA_AES256_GCM_SHA384:
                    name: 'ECDHE-RSA-AES256-GCM-SHA384'
                    enabled: True
                  ECDHE_ECDSA_AES256_GCM_SHA384:
                    name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                    enabled: True
                prefer_server_ciphers: "off"
                dhparam:
                  enabled: True
                  numbits: 2048
                ecdh_curve:
                  secp384r1:
                    name: 'secp384r1'
                    enabled: False
                  secp521r1:
                    name: 'secp521r1'
                    enabled: True
                ticket_key:
                  enabled: True
                  numbytes: 48
                session_tickets: 'on'
                stapling: 'off'
                crl:
                  file: '/etc/ssl/crl/crl.pem'
                  path: '/etc/ssl/crl'
                  value: 'chain'
                  enabled: False
                verify_client: 'none'
                client_certificate:
                  file: '/etc/ssl/client_cert.pem'
                  enabled: False
                compression: 'off'
                ssl_engine: 'on'
                insecure_renegotiation: 'off'
                ocsp:
                  default_responder: 'http://responder.example.com:8888/responder'
                  ocsp_enable: 'off'
                  override_responder: 'off'
                  responder_timeout: '50'
                  max_age: '300'
                  time_skew: '300'
                  nonce: 'on'
                  enabled: True
                conf_cmd:
                  sessionticket:
                    command_name: 'Options'
                    command_value: '-SessionTicket'
                    enabled: True
                  serverpreference:
                    command_name: 'Options'
                    command_value: '-ServerPreference'
                    enabled: False
                ssl_options:
                  fakebasicauth:
                    option: '+FakeBasicAuth'
                    enabled: 'True'
                  strictrequire:
                    option: '-StrictRequire'
                    enabled: True
                proxy:
                  ca_cert_file: '/etc/ssl/client_cert.pem'
                  ca_cert_path: '/etc/ssl/client/'
                  crl:
                    file: '/etc/ssl/crl/crl.pem'
                    path: '/etc/ssl/crl'
                    value: 'chain'
                    enabled: False
                  check_peer_cn: 'off'
                  check_peer_expire: 'off'
                  check_peer_name: 'off'
                  ciphers:
                    ECDHE_RSA_AES256_GCM_SHA384:
                      name: 'ECDHE-RSA-AES256-GCM-SHA384'
                      enabled: True
                    ECDHE_ECDSA_AES256_GCM_SHA384:
                      name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                      enabled: False
                  ssl_engine: 'on'
                  proxy_chain_file: '/etc/ssl/proxy_chain.pem'
                  proxy_cert_file: '/etc/ssl/proxy.pem'
                  proxy_cert_path: '/etc/ssl/proxy'
                  verify: 'none'
                  verify_depth: '1'
                srp_unknown_seed: 'secret_string'
                srp_verifier_file: '/path/to/file.srpv'
                ssl_stapling:
                  error_cache_timeout: '600'
                  fake_try_later: 'off'
                  stapling_responder: 'http://responder.example.com:8888/responder'
                  responder_timeout: '600'
                  response_max_age: '300'
                  response_time_skew: '300'
                  responder_errors: 'off'
                  standard_cache_timeout: '600'
                sniv_host_check: 'off'
                verify_depth: '1'
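The cipher-management samples and the site-level ``ssl`` block above use the same dict shape for ``protocols`` and ``ciphers``, with an ``enabled`` flag per entry, while the note says the string form applies under mode 'secure' or 'normal'. The following added example (not the formula's own Jinja template) renders such a dict into mod_ssl directives, enforces that string-versus-dict rule, and lints the result. The directive rendering is an assumption for this example; directive names are taken from the mod_ssl documentation linked above. Treating 'strict' like 'manual' (dict form) is likewise an assumption drawn from the samples, and the two pillar fragments at the bottom are constructed.

```python
"""Added example, not the formula's own template: render the ``ssl`` pillar
dicts shown above into mod_ssl directives and lint them.  The rendering is an
assumption for this example; the formula's templates are authoritative."""
from __future__ import annotations

STRING_MODES = {"secure", "normal"}  # ciphers/protocols are strings (README note)
DICT_MODES = {"manual", "strict"}    # dicts; 'strict' assumed, as in the samples above
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _is_on(value) -> bool:
    """Accept YAML booleans and the 'on'/'off'/'True' strings used in the samples."""
    if isinstance(value, str):
        return value.strip().lower() in ("on", "true", "yes")
    return bool(value)


def _onoff(value) -> str:
    return "On" if _is_on(value) else "Off"


def _enabled_names(mode: str, value, key: str) -> list[str]:
    """Apply the string-vs-dict rule and return the enabled protocol/cipher names."""
    if isinstance(value, str):
        if mode in DICT_MODES:
            raise ValueError(f"{key}: mode {mode!r} expects a dict, got a string")
        return value.split(":") if key == "ciphers" else value.split()
    if mode in STRING_MODES:
        raise ValueError(f"{key}: mode {mode!r} expects a string, got a dict")
    return [v["name"] for v in value.values() if _is_on(v.get("enabled"))]


def validate_ssl(ssl: dict) -> list[str]:
    """Collect string-vs-dict violations without rendering anything."""
    mode, errors = ssl.get("mode", "secure"), []
    for key in ("protocols", "ciphers"):
        if key in ssl:
            try:
                _enabled_names(mode, ssl[key], key)
            except ValueError as exc:
                errors.append(str(exc))
    return errors


def render_ssl_directives(ssl: dict) -> list[str]:
    """Assumed mapping from pillar keys to mod_ssl directives."""
    mode = ssl.get("mode", "secure")
    lines = [f"SSLEngine {_onoff(ssl.get('ssl_engine', 'on'))}"]
    if "protocols" in ssl:
        lines.append("SSLProtocol " + " ".join(_enabled_names(mode, ssl["protocols"], "protocols")))
    if "ciphers" in ssl:
        lines.append("SSLCipherSuite " + ":".join(_enabled_names(mode, ssl["ciphers"], "ciphers")))
    for key, directive in (("prefer_server_ciphers", "SSLHonorCipherOrder"),
                           ("compression", "SSLCompression"),
                           ("insecure_renegotiation", "SSLInsecureRenegotiation"),
                           ("session_tickets", "SSLSessionTickets")):
        if key in ssl:
            lines.append(f"{directive} {_onoff(ssl[key])}")
    for cmd in ssl.get("conf_cmd", {}).values():
        if _is_on(cmd.get("enabled")):
            lines.append(f"SSLOpenSSLConfCmd {cmd['command_name']} {cmd['command_value']}")
    opts = [o["option"] for o in ssl.get("ssl_options", {}).values() if _is_on(o.get("enabled"))]
    if opts:
        lines.append("SSLOptions " + " ".join(opts))
    return lines


def lint_ssl(ssl: dict) -> list[str]:
    """Flag settings a reviewer would question (explicit protocol lists only)."""
    mode = ssl.get("mode", "secure")
    protocols = _enabled_names(mode, ssl["protocols"], "protocols") if "protocols" in ssl else []
    warnings = [f"legacy protocol {p} is enabled" for p in protocols if p in LEGACY_PROTOCOLS]
    if protocols and not {"TLSv1.2", "TLSv1.3"} & set(protocols):
        warnings.append("neither TLSv1.2 nor TLSv1.3 is enabled")
    if "prefer_server_ciphers" in ssl and not _is_on(ssl["prefer_server_ciphers"]):
        warnings.append("prefer_server_ciphers is off, so the client picks the cipher")
    if _is_on(ssl.get("compression", "off")):
        warnings.append("TLS compression is on")
    if _is_on(ssl.get("insecure_renegotiation", "off")):
        warnings.append("insecure renegotiation is on")
    return warnings


# Constructed pillar fragments: SITE_SSL mirrors the site-level sample above,
# HARDENED_SSL is the string form the note prescribes for mode 'secure'.
SITE_SSL = {
    "mode": "strict",
    "protocols": {"TLS1": {"name": "TLSv1", "enabled": True},
                  "TLS1_1": {"name": "TLSv1.1", "enabled": True},
                  "TLS1_2": {"name": "TLSv1.2", "enabled": False}},
    "ciphers": {"ECDHE_RSA_AES256_GCM_SHA384": {"name": "ECDHE-RSA-AES256-GCM-SHA384", "enabled": True},
                "ECDHE_ECDSA_AES256_GCM_SHA384": {"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "enabled": True}},
    "prefer_server_ciphers": "off", "compression": "off", "ssl_engine": "on",
    "insecure_renegotiation": "off", "session_tickets": "on",
    "conf_cmd": {"sessionticket": {"command_name": "Options", "command_value": "-SessionTicket", "enabled": True},
                 "serverpreference": {"command_name": "Options", "command_value": "-ServerPreference", "enabled": False}},
    "ssl_options": {"fakebasicauth": {"option": "+FakeBasicAuth", "enabled": "True"},
                    "strictrequire": {"option": "-StrictRequire", "enabled": True}},
}
HARDENED_SSL = {"mode": "secure", "protocols": "TLSv1.2 TLSv1.3",
                "ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
                "prefer_server_ciphers": "on", "compression": "off", "insecure_renegotiation": "off"}
```

Run against the site-level sample the linter reports four findings: TLSv1 and TLSv1.1 enabled, TLSv1.2 disabled, and the server cipher preference turned off. The sample documents the available keys rather than a recommended configuration, so those values are worth revisiting before copying the block into a real pillar.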

SSL settings on SERVER level:

.. code-block:: yaml

    apache:
      server:
        ssl:
          enabled: True
          crypto_device: 'rdrand'
          fips: 'off'
          passphrase: 'builtin'
          random_seed:
            seed1:
              context: 'startup'
              source: 'file:/dev/urandom 256'
              enabled: True
            seed2:
              context: 'connect'
              source: 'builtin'
              enabled: True
          session_cache: 'none'
          stapling_cache: 'default'
          ssl_user_name: 'SSL_CLIENT_S_DN_CN'

Roundcube webmail, postfixadmin and mailman

.. code-block:: yaml

    classes:
    - service.apache.server.single
    parameters:
      apache:
        server:
          enabled: true
          modules:
            - cgi
            - php
          site:
            roundcube:
              enabled: true
              type: static
              name: roundcube
              root: /usr/share/roundcube
              locations:
                - uri: /admin
                  path: /usr/share/postfixadmin
                - uri: /mailman
                  path: /usr/lib/cgi-bin/mailman
                  script: true
                - uri: /pipermail
                  path: /var/lib/mailman/archives/public
                - uri: /images/mailman
                  path: /usr/share/images/mailman
              host:
                name: mail.example.com
                aliases:
                  - mail.example.com
                  - lists.example.com
                  - mail01.example.com
                  - mail01

Logrotate settings that rotate the logs at a random time within a given
interval (times in seconds):

.. code-block:: yaml

    apache:
      server:
        logrotate:
          start_period: 600
          end_period: 1200

Apache modules management

.. code-block:: yaml

    apache:
      server:
        mods:
          status:
            enabled: True
            status: 'disabled'

Apache server-status management

.. code-block:: yaml

    apache:
      server:
        mods:
          status:
            enabled: True
            status: 'enabled'
            host:
              address: 127.0.0.1
              port: 80
            allow:
              localhost:
                enabled: True
                value: '127.0.0.0/255.0.0.0'
              localhost_ipv6:
                enabled: True
                value: '::1/128'

Apache directories and modules management

.. code-block:: yaml

    apache:
      server:
        enabled: true
        site:
          sitename:
            directories:
              dashboard_static:
                path: /usr/share/openstack-dashboard/static
                order: 'allow,deny'
                allow: 'from all'
                modules:
                  mod_expires.c:
                    ExpiresActive: 'On'
                    ExpiresDefault: '"access 6 month"'
                  mod_deflate.c:
                    SetOutputFilter: 'DEFLATE'
              dashboard_wsgi:
                path: /usr/share/openstack-dashboard/openstack_dashboard/wsgi
                order: 'allow,deny'
                allow: 'from all'

Apache2 configured to wait for one or more other services before
starting (currently only with systemd):

.. code-block:: yaml

    apache:
      server:
        wait_for_service:
          - foo-bar.mount
        enabled: true
    ...

More Information
================

* https://httpd.apache.org/docs/