Aleš Komárek3a3de6e2017-04-11 13:41:09 +02001==============
2Apache Formula
3==============
Filip Pytloun410abc42015-10-06 16:28:31 +02004
5Install and configure Apache webserver
6
Aleš Komárek3a3de6e2017-04-11 13:41:09 +02007Sample Pillars
8==============
Filip Pytloun410abc42015-10-06 16:28:31 +02009
10Simple Apache proxy
11
12.. code-block:: yaml
13
# Minimal reverse-proxy server: one listener on every interface, port 80,
# with the proxy module family loaded.
apache:
  server:
    enabled: true
    bind:
      address: "0.0.0.0"
      ports:
        - 80
    modules:
      - proxy
      - proxy_http
      - proxy_balancer
25
26
27Apache plain static sites (e.g. Sphinx-generated, from git/hg sources)
28
29.. code-block:: yaml
30
# Two static sites on one server: one served from a local directory,
# one checked out from a git repository. Note that `site` is a list here.
apache:
  server:
    enabled: true
    bind:
      listen_default_ports: false
      address: "0.0.0.0"
      ports:
        - 80
    modules:
      - rewrite
      - status
    site:
      - enabled: true
        name: "sphinxdoc"
        type: "static"
        host:
          name: "doc.domain.com"
          port: 80
        source:
          engine: local
      - enabled: true
        name: "impressjs"
        type: "static"
        host:
          name: "pres.domain.com"
          port: 80
        source:
          engine: git
          address: "git@repo1.domain.cz:impress/billometer.git"
          revision: "master"
61
Filip Pytlounc135fa52015-11-25 12:28:45 +010062Tune settings of mpm_prefork
63
64.. code-block:: yaml
65
# mpm_prefork tuning knobs.
parameters:
  apache:
    mpm:
      prefork:
        max_clients: 250
        # min/max spare server processes
        servers: {min: 32, max: 64}
        max_requests: 4000
75
Filip Pytloun590b5792016-01-27 11:24:29 +010076Apache kerberos authentication:
77
78.. code-block:: yaml
79
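# Kerberos (GSSAPI) site authentication with an LDAP group requirement.
# The top-level key was written without its colon, which makes the
# sample unparsable; fixed here.
parameters:
  apache:
    server:
      site:
        # NOTE(review): the other samples key each site by name under `site:`;
        # here `auth` sits directly under it - confirm against the site template.
        auth:
          engine: kerberos
          name: "Kerberos Authentication"
          # ldap-attribute requirement; single quotes inside, so double-quoted
          require:
            - "ldap-attribute memberOf='cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com'"

          kerberos:
            realms:
              - EXAMPLE.COM
            # Everything below is optional
            keytab: /etc/apache2/ipa.keytab
            service: HTTP
            method:
              negotiate: true
              k5passwd: true

          ldap:
            url: "ldaps://idm01.example.com/dc=example,dc=com?krbPrincipalName"
            # mech is optional
            mech: GSSAPI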
104
Filip Pytloun3179bca2016-02-22 13:39:58 +0100105Tune security settings (these are the defaults):
106
107.. code-block:: yaml
108
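# Server-wide hardening defaults (the values shown are the formula defaults).
parameters:
  apache:
    server:
      # ServerTokens
      tokens: Prod
      # ServerSignature, can also be set per-site
      signature: false
      # TraceEnable, can also be set per-site
      trace: false
      # Deny access to .git, .svn, .hg directories
      secure_scm: true
      # Required for the header settings below
      modules:
        - headers
      # Set X-Content-Type-Options
      content_type_options: nosniff
      # Set X-Frame-Options
      frame_options: sameorigin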
Filip Pytloun3179bca2016-02-22 13:39:58 +0100127
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200128Tuned up log configuration.
Simon Pasquierd9912952017-01-19 10:34:25 +0100129
130.. code-block:: yaml
131
# Per-site access and error log settings.
parameters:
  apache:
    server:
      site:
        foo:
          enabled: true
          type: static
          log:
            custom:
              enabled: true
              file: /var/log/apache2/mylittleponysitecustom.log
              # single-line LogFormat; backslashes stay literal in a block scalar
              format: |-
                %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"
            error:
              enabled: false
              file: /var/log/apache2/foo.error.log
              level: notice
149
Vasyl Saienkobaf3dde2018-01-31 00:28:29 +0200150Apache WSGI application.
151
152.. code-block:: yaml
153
# mod_wsgi daemon-mode site (shown disabled but available).
apache:
  server:
    enabled: true
    default_mpm: event
    site:
      manila:
        enabled: false
        available: true
        type: wsgi
        name: manila
        wsgi:
          daemon_process: manila-api
          threads: 2
          user: manila
          group: manila
          # values starting with % must be quoted
          display_name: "%{GROUP}"
          script_alias: "/ /usr/bin/manila-wsgi"
          application_group: "%{GLOBAL}"
          authorization: "On"
        limits:
          request_body: 114688
175
Oleh Hryhorov6b91fdf2018-11-26 12:26:42 +0000176Apache redirect site definition.
177
178.. code-block:: yaml
179
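# Redirect-only site. The ${_param:...} references are quoted like the other
# reclass references in this document so they are always read as strings.
apache:
  server:
    site:
      openstack_web_redirect:
        name: 'openstack_web_redirect'
        enabled: true
        type: 'redirect'
        root: '/var/www/httproot'
        host:
          address: '${_param:apache_horizon_api_address}'
          name: '${_param:apache_horizon_api_host}'
          port: 80
        redirect_mode: rewrite
        target_url: 'https://%{SERVER_NAME}'
        listen_address: '0.0.0.0'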
195
Dzmitry Stremkouski8d25a0e2018-05-09 18:44:18 +0200196Apache SSL cipher management
197
198.. code-block:: yaml
199
# SSL preset "secure" (no explicit cipher/protocol lists).
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: secure
...
211
212.. code-block:: yaml
213
# SSL preset "normal" (no explicit cipher/protocol lists).
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: normal
...
225
226.. code-block:: yaml
227
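# Explicit cipher and protocol selection. Booleans are written as
# true/false; the protocol list keeps only TLSv1.2 enabled, since a
# "strict" sample that enables just the deprecated TLSv1/TLSv1.1 is
# easily copied as-is.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: strict
            ciphers:
              ECDHE_RSA_AES256_GCM_SHA384:
                name: 'ECDHE-RSA-AES256-GCM-SHA384'
                enabled: true
              ECDHE_ECDSA_AES256_GCM_SHA384:
                name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                enabled: true
            # presumably only enabled entries are rendered into SSLProtocol -
            # verify against the template
            protocols:
              TLS1:
                name: 'TLSv1'
                enabled: false
              TLS1_1:
                name: 'TLSv1.1'
                enabled: false
              TLS1_2:
                name: 'TLSv1.2'
                enabled: true
            prefer_server_ciphers: 'on'
...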
257
Oleksii Grudevd0be2502018-05-25 14:19:43 +0300258Advanced SSL configuration, more information about SSL options can be found
259at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
260Please note: if mode = 'secure' or mode = 'normal' and 'ciphers' or 'protocols' are set, they should have
261type "string"; if mode = 'manual', their type should be "dict" (as shown below).
262
263SSL settings on SITE level:
264
265.. code-block:: yaml
266
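# Site-level mod_ssl settings. Changes from the original sample: booleans
# are lowercase true/false (one `enabled` was the string 'True'), and the
# protocol list keeps only TLSv1.2 enabled rather than the deprecated
# TLSv1/TLSv1.1. The proxy, stapling and SRP keys are nested as siblings of
# the other ssl keys; confirm the nesting against the site template.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            # certificate material issued through the salt minion CA
            engine: salt
            authority: "${_param:salt_minion_ca_authority}"
            key_file: "/etc/ssl/private/internal_proxy.key"
            cert_file: "/etc/ssl/certs/internal_proxy.crt"
            chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
            mode: 'strict'
            session_timeout: '300'
            # presumably only enabled entries are rendered into SSLProtocol -
            # verify against the template
            protocols:
              TLS1:
                name: 'TLSv1'
                enabled: false
              TLS1_1:
                name: 'TLSv1.1'
                enabled: false
              TLS1_2:
                name: 'TLSv1.2'
                enabled: true
            ciphers:
              ECDHE_RSA_AES256_GCM_SHA384:
                name: 'ECDHE-RSA-AES256-GCM-SHA384'
                enabled: true
              ECDHE_ECDSA_AES256_GCM_SHA384:
                name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                enabled: true
            prefer_server_ciphers: "off"
            dhparam:
              enabled: true
              numbits: 2048
            ecdh_curve:
              secp384r1:
                name: 'secp384r1'
                enabled: false
              secp521r1:
                name: 'secp521r1'
                enabled: true
            ticket_key:
              enabled: true
              numbytes: 48
            session_tickets: 'on'
            stapling: 'off'
            crl:
              file: '/etc/ssl/crl/crl.pem'
              path: '/etc/ssl/crl'
              value: 'chain'
              enabled: false
            verify_client: 'none'
            client_certificate:
              file: '/etc/ssl/client_cert.pem'
              enabled: false
            compression: 'off'
            ssl_engine: 'on'
            insecure_renegotiation: 'off'
            ocsp:
              default_responder: 'http://responder.example.com:8888/responder'
              ocsp_enable: 'off'
              override_responder: 'off'
              responder_timeout: '50'
              max_age: '300'
              time_skew: '300'
              nonce: 'on'
              enabled: true
            # raw SSLOpenSSLConfCmd entries
            conf_cmd:
              sessionticket:
                command_name: 'Options'
                command_value: '-SessionTicket'
                enabled: true
              serverpreference:
                command_name: 'Options'
                command_value: '-ServerPreference'
                enabled: false
            ssl_options:
              fakebasicauth:
                option: '+FakeBasicAuth'
                # was the string 'True' in the original sample
                enabled: true
              strictrequire:
                option: '-StrictRequire'
                enabled: true
            # SSLProxy* settings for backends reached over TLS
            proxy:
              ca_cert_file: '/etc/ssl/client_cert.pem'
              ca_cert_path: '/etc/ssl/client/'
              crl:
                file: '/etc/ssl/crl/crl.pem'
                path: '/etc/ssl/crl'
                value: 'chain'
                enabled: false
              check_peer_cn: 'off'
              check_peer_expire: 'off'
              check_peer_name: 'off'
              ciphers:
                ECDHE_RSA_AES256_GCM_SHA384:
                  name: 'ECDHE-RSA-AES256-GCM-SHA384'
                  enabled: true
                ECDHE_ECDSA_AES256_GCM_SHA384:
                  name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                  enabled: false
              ssl_engine: 'on'
              proxy_chain_file: '/etc/ssl/proxy_chain.pem'
              proxy_cert_file: '/etc/ssl/proxy.pem'
              proxy_cert_path: '/etc/ssl/proxy'
              verify: 'none'
              verify_depth: '1'
            # placeholder value - keep the real seed out of version control
            srp_unknown_seed: 'secret_string'
            srp_verifier_file: '/path/to/file.srpv'
            ssl_stapling:
              error_cache_timeout: '600'
              fake_try_later: 'off'
              stapling_responder: 'http://responder.example.com:8888/responder'
              responder_timeout: '600'
              response_max_age: '300'
              response_time_skew: '300'
              responder_errors: 'off'
              standard_cache_timeout: '600'
            sniv_host_check: 'off'
            verify_depth: '1'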
391SSL settings on SERVER level:
392
393.. code-block:: yaml
394
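# Server-wide mod_ssl settings (booleans written as true/false).
apache:
  server:
    ssl:
      enabled: true
      crypto_device: 'rdrand'
      fips: 'off'
      passphrase: 'builtin'
      # SSLRandomSeed entries, keyed by an arbitrary name
      random_seed:
        seed1:
          context: 'startup'
          source: 'file:/dev/urandom 256'
          enabled: true
        seed2:
          context: 'connect'
          source: 'builtin'
          enabled: true
      session_cache: 'none'
      stapling_cache: 'default'
      ssl_user_name: 'SSL_CLIENT_S_DN_CN'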
414
415
Filip Pytloun410abc42015-10-06 16:28:31 +0200416Roundcube webmail, postfixadmin and mailman
417
418.. code-block:: yaml
419
# Roundcube plus postfixadmin and mailman mounted as sub-locations.
classes:
  - service.apache.server.single
parameters:
  apache:
    server:
      enabled: true
      modules:
        - cgi
        - php
      site:
        roundcube:
          enabled: true
          type: "static"
          name: "roundcube"
          root: "/usr/share/roundcube"
          locations:
            - uri: "/admin"
              path: "/usr/share/postfixadmin"
            - uri: "/mailman"
              path: "/usr/lib/cgi-bin/mailman"
              script: true
            - uri: "/pipermail"
              path: "/var/lib/mailman/archives/public"
            - uri: "/images/mailman"
              path: "/usr/share/images/mailman"
          host:
            name: "mail.example.com"
            aliases:
              - "mail.example.com"
              - "lists.example.com"
              - "mail01.example.com"
              - "mail01"
452
sgarbuz950c64d2018-04-26 12:14:38 +0300453Logrotate settings that rotate the logs at a random time within a given
454time interval. Times are in seconds.
455
456.. code-block:: yaml
457
# Rotation happens at a random point inside this window (seconds).
apache:
  server:
    logrotate:
      start_period: 600
      end_period: 1200
463
Oleksandr Bryndziia9b5d3b2018-11-01 17:21:39 +0200464Apache modules management
465
466.. code-block:: yaml
467
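# Module management entry (booleans written as true/false).
apache:
  server:
    mods:
      status:
        enabled: true
        status: 'disabled'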
474
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200475
Oleh Hryhorov2e9130f2018-11-26 12:23:19 +0000476Apache directories and modules management
477
478.. code-block:: yaml
479
# Per-site <Directory> blocks with optional <IfModule> sections.
apache:
  server:
    enabled: true
    site:
      sitename:
        directories:
          dashboard_static:
            path: "/usr/share/openstack-dashboard/static"
            order: "allow,deny"
            allow: "from all"
            modules:
              mod_expires.c:
                ExpiresActive: "On"
                # inner double quotes are part of the directive value
                ExpiresDefault: '"access 6 month"'
              mod_deflate.c:
                SetOutputFilter: "DEFLATE"
          dashboard_wsgi:
            path: "/usr/share/openstack-dashboard/openstack_dashboard/wsgi"
            order: "allow,deny"
            allow: "from all"
500
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200501More Information
502================
Filip Pytloun410abc42015-10-06 16:28:31 +0200503
504* https://httpd.apache.org/docs/
Filip Pytloun87d08142017-02-02 12:52:21 +0100505
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200506
Filip Pytloun87d08142017-02-02 12:52:21 +0100507Documentation and Bugs
508======================
509
510To learn how to install and update salt-formulas, consult the documentation
511available online at:
512
513 http://salt-formulas.readthedocs.io/
514
515In the unfortunate event that bugs are discovered, they should be reported to
516the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
517formula:
518
519 https://github.com/salt-formulas/salt-formula-apache/issues
520
521For feature requests, bug reports or blueprints affecting the entire ecosystem,
522use the Launchpad salt-formulas project:
523
524 https://launchpad.net/salt-formulas
525
526You can also join the salt-formulas-users team and subscribe to its mailing list:
527
528 https://launchpad.net/~salt-formulas-users
529
530Developers wishing to work on the salt-formulas projects should always base
531their work on the master branch and submit pull requests against the specific formula.
532
533 https://github.com/salt-formulas/salt-formula-apache
534
535Any questions or feedback are always welcome, so feel free to join our IRC
536channel:
537
538 #salt-formulas @ irc.freenode.net