Aleš Komárek3a3de6e2017-04-11 13:41:09 +02001==============
2Apache Formula
3==============
Filip Pytloun410abc42015-10-06 16:28:31 +02004
Install and configure the Apache web server
6
Aleš Komárek3a3de6e2017-04-11 13:41:09 +02007Sample Pillars
8==============
Filip Pytloun410abc42015-10-06 16:28:31 +02009
10Simple Apache proxy
11
12.. code-block:: yaml
13
14 apache:
15 server:
16 enabled: true
17 bind:
18 address: '0.0.0.0'
19 ports:
20 - 80
21 modules:
22 - proxy
23 - proxy_http
24 - proxy_balancer
25
26
Apache plain static sites (e.g. Sphinx-generated, from git/hg sources)
28
29.. code-block:: yaml
30
31 apache:
32 server:
33 enabled: true
34 bind:
35 address: '0.0.0.0'
36 ports:
37 - 80
38 modules:
39 - rewrite
40 - status
41 site:
42 - enabled: true
43 name: 'sphinxdoc'
44 type: 'static'
45 host:
46 name: 'doc.domain.com'
47 port: 80
48 source:
49 engine: local
50 - enabled: true
51 name: 'impressjs'
52 type: 'static'
53 host:
54 name: 'pres.domain.com'
55 port: 80
56 source:
57 engine: git
58 address: 'git@repo1.domain.cz:impress/billometer.git'
59 revision: 'master'
60
Filip Pytlounc135fa52015-11-25 12:28:45 +010061Tune settings of mpm_prefork
62
63.. code-block:: yaml
64
65 parameters:
66 apache:
67 mpm:
68 prefork:
69 max_clients: 250
70 servers:
71 min: 32
72 max: 64
73 max_requests: 4000
74
Apache Kerberos authentication:
76
77.. code-block:: yaml
78
79 parameters
80 apache:
81 server:
82 site:
83 auth:
84 engine: kerberos
85 name: "Kerberos Authentication"
86 require:
87 - "ldap-attribute memberOf='cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com'"
88
89 kerberos:
90 realms:
91 - EXAMPLE.COM
92 # Bellow is optional
93 keytab: /etc/apache2/ipa.keytab
94 service: HTTP
95 method:
96 negotiate: true
97 k5passwd: true
98
99 ldap:
100 url: "ldaps://idm01.example.com/dc=example,dc=com?krbPrincipalName"
101 # mech is optional
102 mech: GSSAPI
103
Tune security settings (these are the defaults):
105
106.. code-block:: yaml
107
108 parameters:
109 apache:
110 server:
111 # ServerTokens
112 tokens: Prod
Filip Pytlounaffb18d2016-02-22 13:58:27 +0100113 # ServerSignature, can be also set per-site
114 signature: false
115 # TraceEnable, can be also set per-site
116 trace: false
117 # Deny access to .git, .svn, .hg directories
118 secure_scm: true
119 # Required for settings bellow
120 modules:
121 - headers
122 # Set X-Content-Type-Options
123 content_type_options: nosniff
124 # Set X-Frame-Options
125 frame_options: sameorigin
Filip Pytloun3179bca2016-02-22 13:39:58 +0100126
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200127Tuned up log configuration.
Simon Pasquierd9912952017-01-19 10:34:25 +0100128
129.. code-block:: yaml
130
131 parameters:
132 apache:
133 server:
134 site:
135 foo:
136 enabled: true
137 type: static
138 log:
139 custom:
140 enabled: true
141 file: /var/log/apache2/mylittleponysitecustom.log
142 format: >-
143 %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"
144 error:
145 enabled: false
146 file: /var/log/apache2/foo.error.log
147 level: notice
148
Vasyl Saienkobaf3dde2018-01-31 00:28:29 +0200149Apache wsgi application.
150
151.. code-block:: yaml
152
153 apache:
154 server:
155 enabled: true
156 default_mpm: event
157 site:
158 manila:
159 enabled: false
160 available: true
161 type: wsgi
162 name: manila
163 wsgi:
164 daemon_process: manila-api
165 threads: 2
166 user: manila
167 group: manila
168 display_name: '%{GROUP}'
169 script_alias: '/ /usr/bin/manila-wsgi'
170 application_group: '%{GLOBAL}'
171 authorization: 'On'
172 limits:
173 request_body: 114688
174
Dzmitry Stremkouski8d25a0e2018-05-09 18:44:18 +0200175Apache ssl cipher management
176
177.. code-block:: yaml
178
179 parameters:
180 apache:
181 server:
182 enabled: true
183 site:
184 example:
185 enabled: true
186 ssl:
187 enabled: true
188 mode: secure
189 ...
190
191.. code-block:: yaml
192
193 parameters:
194 apache:
195 server:
196 enabled: true
197 site:
198 example:
199 enabled: true
200 ssl:
201 enabled: true
202 mode: normal
203 ...
204
205.. code-block:: yaml
206
207 parameters:
208 apache:
209 server:
210 enabled: true
211 site:
212 example:
213 enabled: true
214 ssl:
215 enabled: true
216 mode: strict
217 ciphers:
218 ECDHE_RSA_AES256_GCM_SHA384:
219 name: 'ECDHE-RSA-AES256-GCM-SHA384'
220 enabled: True
221 ECDHE_ECDSA_AES256_GCM_SHA384:
222 name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
223 enabled: True
224 protocols:
225 TLS1:
226 name: 'TLSv1'
227 enabled: True
228 TLS1_1:
229 name: 'TLSv1.1'
230 enabled: True
231 TLS1_2:
232 name: 'TLSv1.2'
233 enabled: False
234 prefer_server_ciphers: 'on'
235 ...
236
Advanced SSL configuration; more information about the SSL options can be found
at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
Please note that if mode is 'secure' or 'normal' and 'ciphers' or 'protocols' are set, they should have
type "string"; if mode is 'manual', their type should be "dict" (as shown below).
241
242SSL settings on SITE level:
243
244.. code-block:: yaml
245
246 parameters:
247 apache:
248 server:
249 enabled: true
250 site:
251 example:
252 enabled: true
253 ssl:
254 enabled: true
255 engine: salt
256 authority: "${_param:salt_minion_ca_authority}"
257 key_file: "/etc/ssl/private/internal_proxy.key"
258 cert_file: "/etc/ssl/certs/internal_proxy.crt"
259 chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
260 mode: 'strict'
261 session_timeout: '300'
262 protocols:
263 TLS1:
264 name: 'TLSv1'
265 enabled: True
266 TLS1_1:
267 name: 'TLSv1.1'
268 enabled: True
269 TLS1_2:
270 name: 'TLSv1.2'
271 enabled: False
272 ciphers:
273 ECDHE_RSA_AES256_GCM_SHA384:
274 name: 'ECDHE-RSA-AES256-GCM-SHA384'
275 enabled: True
276 ECDHE_ECDSA_AES256_GCM_SHA384:
277 name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
278 enabled: True
279 prefer_server_ciphers: "off"
280 dhparam:
281 enabled: True
282 numbits: 2048
283 ecdh_curve:
284 secp384r1:
285 name: 'secp384r1'
286 enabled: False
287 secp521r1:
288 name: 'secp521r1'
289 enabled: True
290 ticket_key:
291 enabled: True
292 numbytes: 48
293 session_tickets: 'on'
294 stapling: 'off'
295 crl:
296 file: '/etc/ssl/crl/crl.pem'
297 path: '/etc/ssl/crl'
298 value: 'chain'
299 enabled: False
300 verify_client: 'none'
301 client_certificate:
302 file: '/etc/ssl/client_cert.pem'
303 enabled: False
304 compression: 'off'
305 ssl_engine: 'on'
306 insecure_renegotiation: 'off'
307 ocsp:
308 default_responder: 'http://responder.example.com:8888/responder'
309 ocsp_enable: 'off'
310 override_responder: 'off'
311 responder_timeout: '50'
312 max_age: '300'
313 time_skew: '300'
314 nonce: 'on'
315 enabled: True
316 conf_cmd:
317 sessionticket:
318 command_name: 'Options'
319 command_value: '-SessionTicket'
320 enabled: True
321 serverpreference:
322 command_name: 'Options'
323 command_value: '-ServerPreference'
324 enabled: False
325 ssl_options:
326 fakebasicauth:
327 option: '+FakeBasicAuth'
328 enabled: 'True'
329 strictrequire:
330 option: '-StrictRequire'
331 enabled: True
332 proxy:
333 ca_cert_file: '/etc/ssl/client_cert.pem'
334 ca_cert_path: '/etc/ssl/client/'
335 crl:
336 file: '/etc/ssl/crl/crl.pem'
337 path: '/etc/ssl/crl'
338 value: 'chain'
339 enabled: False
340 check_peer_cn: 'off'
341 check_peer_expire: 'off'
342 check_peer_name: 'off'
343 ciphers:
344 ECDHE_RSA_AES256_GCM_SHA384:
345 name: 'ECDHE-RSA-AES256-GCM-SHA384'
346 enabled: True
347 ECDHE_ECDSA_AES256_GCM_SHA384:
348 name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
349 enabled: False
350 ssl_engine: 'on'
351 proxy_chain_file: '/etc/ssl/proxy_chain.pem'
352 proxy_cert_file: '/etc/ssl/proxy.pem'
353 proxy_cert_path: '/etc/ssl/proxy'
354 verify: 'none'
355 verify_depth: '1'
356 srp_unknown_seed: 'secret_string'
357 srp_verifier_file: '/path/to/file.srpv'
358 ssl_stapling:
359 error_cache_timeout: '600'
360 fake_try_later: 'off'
361 stapling_responder: 'http://responder.example.com:8888/responder'
362 responder_timeout: '600'
363 response_max_age: '300'
364 response_time_skew: '300'
365 responder_errors: 'off'
366 standard_cache_timeout: '600'
367 sniv_host_check: 'off'
368 verify_depth: '1'
369
370SSL settings on SERVER level:
371
372.. code-block:: yaml
373
374 apache:
375 server:
376 ssl:
377 enabled: True
378 crypto_device: 'rdrand'
379 fips: 'off'
380 passphrase: 'builtin'
381 random_seed:
382 seed1:
383 context: 'startup'
384 source: 'file:/dev/urandom 256'
385 enabled: True
386 seed2:
387 context: 'connect'
388 source: 'builtin'
389 enabled: True
390 session_cache: 'none'
391 stapling_cache: 'default'
392 ssl_user_name: 'SSL_CLIENT_S_DN_CN'
393
394
Filip Pytloun410abc42015-10-06 16:28:31 +0200395Roundcube webmail, postfixadmin and mailman
396
397.. code-block:: yaml
398
399 classes:
400 - service.apache.server.single
401 parameters:
402 apache:
403 server:
jan kaufman75aae5c2016-01-26 14:49:12 +0100404 enabled: true
Filip Pytloun410abc42015-10-06 16:28:31 +0200405 modules:
406 - cgi
407 - php
408 site:
409 roundcube:
410 enabled: true
411 type: static
412 name: roundcube
413 root: /usr/share/roundcube
414 locations:
415 - uri: /admin
416 path: /usr/share/postfixadmin
417 - uri: /mailman
418 path: /usr/lib/cgi-bin/mailman
419 script: true
420 - uri: /pipermail
421 path: /var/lib/mailman/archives/public
422 - uri: /images/mailman
423 path: /usr/share/images/mailman
424 host:
425 name: mail.example.com
426 aliases:
427 - mail.example.com
428 - lists.example.com
429 - mail01.example.com
430 - mail01
431
Logrotate settings that rotate the logs at a random time within a given
interval. Times are in seconds.
434
435.. code-block:: yaml
436
437 apache:
438 server:
439 logrotate:
440 start_period: 600
441 end_period: 1200
442
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200443
444More Information
445================
Filip Pytloun410abc42015-10-06 16:28:31 +0200446
447* https://httpd.apache.org/docs/
Filip Pytloun87d08142017-02-02 12:52:21 +0100448
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200449
Filip Pytloun87d08142017-02-02 12:52:21 +0100450Documentation and Bugs
451======================
452
453To learn how to install and update salt-formulas, consult the documentation
454available online at:
455
456 http://salt-formulas.readthedocs.io/
457
In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:
461
462 https://github.com/salt-formulas/salt-formula-apache/issues
463
464For feature requests, bug reports or blueprints affecting entire ecosystem,
465use Launchpad salt-formulas project:
466
467 https://launchpad.net/salt-formulas
468
469You can also join salt-formulas-users team and subscribe to mailing list:
470
471 https://launchpad.net/~salt-formulas-users
472
473Developers wishing to work on the salt-formulas projects should always base
474their work on master branch and submit pull request against specific formula.
475
476 https://github.com/salt-formulas/salt-formula-apache
477
Questions and feedback are always welcome, so feel free to join our IRC
channel:
480
481 #salt-formulas @ irc.freenode.net