Aleš Komárek3a3de6e2017-04-11 13:41:09 +02001==============
2Apache Formula
3==============
Filip Pytloun410abc42015-10-06 16:28:31 +02004
5Install and configure Apache webserver
6
Aleš Komárek3a3de6e2017-04-11 13:41:09 +02007Sample Pillars
8==============
Filip Pytloun410abc42015-10-06 16:28:31 +02009
10Simple Apache proxy
11
12.. code-block:: yaml
13
# Minimal reverse-proxy pillar: one listener on port 80, proxy modules
# loaded, one site forwarding to a single upstream.
apache:
  server:
    enabled: true
    bind:
      address: '0.0.0.0'
      ports:
        - 80
    # proxy_http/proxy_balancer are needed for an HTTP upstream
    modules:
      - proxy
      - proxy_http
      - proxy_balancer
    site:
      apache_proxy_site:
        enabled: true
        type: proxy
        name: site_name
        # Upstream the site forwards to; plain HTTP, so traffic to the
        # backend is unencrypted — keep it on a trusted network segment.
        # 1.1.1.1 / 2.2.2.2 are placeholders, replace with real addresses.
        proxy:
          host: 1.1.1.1
          port: 8080
          protocol: http
          retry: 30
        # Virtual host this site answers for
        host:
          name: 2.2.2.2
          port: 9001
          address: 2.2.2.2
Filip Pytloun410abc42015-10-06 16:28:31 +020039
Apache plain static sites (e.g. Sphinx-generated, from git/hg sources)
41
42.. code-block:: yaml
43
# Two static sites: one served from a local directory, one checked out
# from a git repository.
apache:
  server:
    enabled: true
    bind:
      # do not also listen on the package-default ports
      listen_default_ports: false
      address: '0.0.0.0'
      ports:
        - 80
    # NOTE: the status module exposes /server-status; restrict who may
    # reach it (see the server-status example further down).
    modules:
      - rewrite
      - status
    site:
      - enabled: true
        name: 'sphinxdoc'
        type: 'static'
        host:
          name: 'doc.domain.com'
          port: 80
        source:
          engine: local
      - enabled: true
        name: 'impressjs'
        type: 'static'
        host:
          name: 'pres.domain.com'
          port: 80
        # Content is pulled over SSH; 'master' is a moving target, a
        # tag or commit id gives reproducible deployments.
        source:
          engine: git
          address: 'git@repo1.domain.cz:impress/billometer.git'
          revision: 'master'
74
Filip Pytlounc135fa52015-11-25 12:28:45 +010075Tune settings of mpm_prefork
76
77.. code-block:: yaml
78
# Prefork MPM tuning: client limit, spare-server bounds and the
# per-child request limit.
parameters:
  apache:
    mpm:
      prefork:
        max_clients: 250
        servers:
          min: 32
          max: 64
        max_requests: 4000
88
Filip Pytloun590b5792016-01-27 11:24:29 +010089Apache kerberos authentication:
90
91.. code-block:: yaml
92
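# Site authentication via Kerberos (GSSAPI negotiate) with an LDAP
# group requirement.
# Fix: the top-level key was written as `parameters` without a colon,
# which is not valid YAML.
parameters:
  apache:
    server:
      site:
        auth:
          engine: kerberos
          name: "Kerberos Authentication"
          # Access is granted only to members of the listed group
          require:
            - "ldap-attribute memberOf='cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com'"

          kerberos:
            realms:
              - EXAMPLE.COM
            # Below is optional
            # The keytab is a credential: it should be readable only by
            # the web server user.
            keytab: /etc/apache2/ipa.keytab
            service: HTTP
            method:
              negotiate: true
              k5passwd: true

          ldap:
            # ldaps:// keeps the directory lookup on a TLS connection
            url: "ldaps://idm01.example.com/dc=example,dc=com?krbPrincipalName"
            # mech is optional
            mech: GSSAPI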
117
Tune security settings (the values shown are the defaults):
119
120.. code-block:: yaml
121
# Server-wide hardening knobs (the values shown are the defaults).
parameters:
  apache:
    server:
      # ServerTokens: only report "Apache", not version/OS
      tokens: Prod
      # ServerSignature, can also be set per site
      signature: false
      # TraceEnable, can also be set per site
      trace: false
      # Deny access to .git, .svn, .hg directories
      secure_scm: true
      # Required for the header settings below
      modules:
        - headers
      # Set X-Content-Type-Options
      content_type_options: nosniff
      # Set X-Frame-Options
      frame_options: sameorigin
Filip Pytloun3179bca2016-02-22 13:39:58 +0100140
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200141Tuned up log configuration.
Simon Pasquierd9912952017-01-19 10:34:25 +0100142
143.. code-block:: yaml
144
# Per-site access and error log configuration.
parameters:
  apache:
    server:
      site:
        foo:
          enabled: true
          type: static
          log:
            custom:
              enabled: true
              file: /var/log/apache2/mylittleponysitecustom.log
              # Folded scalar: the whole LogFormat on one line.
              # X-Forwarded-For is a client-supplied header; it is only
              # trustworthy when set by a proxy you control.
              format: >-
                %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"
            error:
              enabled: false
              file: /var/log/apache2/foo.error.log
              level: notice
162
Vasyl Saienkobaf3dde2018-01-31 00:28:29 +0200163Apache wsgi application.
164
165.. code-block:: yaml
166
# mod_wsgi application served under the event MPM, with its own
# daemon process running as a dedicated user.
apache:
  server:
    enabled: true
    default_mpm: event
    site:
      manila:
        # defined (available) but not enabled
        enabled: false
        available: true
        type: wsgi
        name: manila
        wsgi:
          daemon_process: manila-api
          threads: 2
          # unprivileged identity for the daemon process
          user: manila
          group: manila
          display_name: '%{GROUP}'
          script_alias: '/ /usr/bin/manila-wsgi'
          application_group: '%{GLOBAL}'
          authorization: 'On'
        # caps the request body accepted by this site
        limits:
          request_body: 114688
188
Oleh Hryhorov6b91fdf2018-11-26 12:26:42 +0000189Apache redirect site definition.
190
191.. code-block:: yaml
192
# Plain-HTTP site that rewrites every request to its HTTPS counterpart.
apache:
  server:
    site:
      openstack_web_redirect:
        name: 'openstack_web_redirect'
        enabled: true
        type: 'redirect'
        root: '/var/www/httproot'
        host:
          # reclass/pillar interpolation; quoted so YAML leaves it alone
          address: '${_param:apache_horizon_api_address}'
          name: '${_param:apache_horizon_api_host}'
          port: 80
        redirect_mode: rewrite
        target_url: 'https://%{SERVER_NAME}'
        listen_address: '0.0.0.0'
208
Dzmitry Stremkouski8d25a0e2018-05-09 18:44:18 +0200209Apache ssl cipher management
210
211.. code-block:: yaml
212
# Site TLS using the formula's built-in 'secure' cipher/protocol profile.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: secure
...
224
225.. code-block:: yaml
226
# Site TLS using the formula's built-in 'normal' profile.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: normal
...
238
239.. code-block:: yaml
240
# Site TLS with an explicit cipher and protocol list. Each entry is a
# map of a pillar id to the OpenSSL/Apache name plus an enabled flag.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: strict
            ciphers:
              ECDHE_RSA_AES256_GCM_SHA384:
                name: 'ECDHE-RSA-AES256-GCM-SHA384'
                enabled: true
              ECDHE_ECDSA_AES256_GCM_SHA384:
                name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                enabled: true
            # NOTE(review): as written this enables TLSv1/TLSv1.1 and
            # disables TLSv1.2. Both older versions are deprecated
            # (RFC 8996); a production pillar should invert these flags.
            protocols:
              TLS1:
                name: 'TLSv1'
                enabled: true
              TLS1_1:
                name: 'TLSv1.1'
                enabled: true
              TLS1_2:
                name: 'TLSv1.2'
                enabled: false
            prefer_server_ciphers: 'on'
...
270
Advanced SSL configuration; more information about the SSL options can be found
at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
Please note that if mode = 'secure' or mode = 'normal' and 'ciphers' or 'protocols' are set, they must have
type "string"; if mode = 'manual', their type must be "dict" (as shown below).
275
276SSL settings on SITE level:
277
278.. code-block:: yaml
279
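# Full site-level mod_ssl pillar. Every directive group of mod_ssl is
# shown once; on/off style values are strings, feature switches are
# booleans.
# Fix: ssl_options.fakebasicauth.enabled was the *string* 'True' while
# every sibling uses a boolean; a string 'False' there would still be
# truthy in the template, so the type is made consistent.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            # certificate issued by the salt minion CA
            engine: salt
            authority: "${_param:salt_minion_ca_authority}"
            key_file: "/etc/ssl/private/internal_proxy.key"
            cert_file: "/etc/ssl/certs/internal_proxy.crt"
            chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
            mode: 'strict'
            session_timeout: '300'
            # NOTE(review): this sample enables TLSv1/TLSv1.1 and disables
            # TLSv1.2; both older versions are deprecated (RFC 8996), so
            # invert these flags before using the pillar in production.
            protocols:
              TLS1:
                name: 'TLSv1'
                enabled: true
              TLS1_1:
                name: 'TLSv1.1'
                enabled: true
              TLS1_2:
                name: 'TLSv1.2'
                enabled: false
            ciphers:
              ECDHE_RSA_AES256_GCM_SHA384:
                name: 'ECDHE-RSA-AES256-GCM-SHA384'
                enabled: true
              ECDHE_ECDSA_AES256_GCM_SHA384:
                name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                enabled: true
            prefer_server_ciphers: "off"
            # generated DH parameters for DHE key exchange
            dhparam:
              enabled: true
              numbits: 2048
            ecdh_curve:
              secp384r1:
                name: 'secp384r1'
                enabled: false
              secp521r1:
                name: 'secp521r1'
                enabled: true
            ticket_key:
              enabled: true
              numbytes: 48
            session_tickets: 'on'
            stapling: 'off'
            # certificate revocation list for client certificates
            crl:
              file: '/etc/ssl/crl/crl.pem'
              path: '/etc/ssl/crl'
              value: 'chain'
              enabled: false
            # 'none': clients are not asked for a certificate
            verify_client: 'none'
            client_certificate:
              file: '/etc/ssl/client_cert.pem'
              enabled: false
            # compression off avoids CRIME-style attacks on TLS
            compression: 'off'
            ssl_engine: 'on'
            insecure_renegotiation: 'off'
            ocsp:
              default_responder: 'http://responder.example.com:8888/responder'
              ocsp_enable: 'off'
              override_responder: 'off'
              responder_timeout: '50'
              max_age: '300'
              time_skew: '300'
              nonce: 'on'
              enabled: true
            # raw SSLOpenSSLConfCmd entries
            conf_cmd:
              sessionticket:
                command_name: 'Options'
                command_value: '-SessionTicket'
                enabled: true
              serverpreference:
                command_name: 'Options'
                command_value: '-ServerPreference'
                enabled: false
            ssl_options:
              fakebasicauth:
                option: '+FakeBasicAuth'
                enabled: true
              strictrequire:
                option: '-StrictRequire'
                enabled: true
            # TLS towards the backend when this site proxies
            proxy:
              ca_cert_file: '/etc/ssl/client_cert.pem'
              ca_cert_path: '/etc/ssl/client/'
              crl:
                file: '/etc/ssl/crl/crl.pem'
                path: '/etc/ssl/crl'
                value: 'chain'
                enabled: false
              # NOTE(review): with these three 'off' and verify 'none'
              # the backend certificate is not validated at all; use
              # 'on'/'require' when the backend is not on a trusted link.
              check_peer_cn: 'off'
              check_peer_expire: 'off'
              check_peer_name: 'off'
              ciphers:
                ECDHE_RSA_AES256_GCM_SHA384:
                  name: 'ECDHE-RSA-AES256-GCM-SHA384'
                  enabled: true
                ECDHE_ECDSA_AES256_GCM_SHA384:
                  name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                  enabled: false
              ssl_engine: 'on'
              proxy_chain_file: '/etc/ssl/proxy_chain.pem'
              proxy_cert_file: '/etc/ssl/proxy.pem'
              proxy_cert_path: '/etc/ssl/proxy'
              verify: 'none'
              verify_depth: '1'
            # Placeholder only: the real SRP seed is a secret and belongs
            # in a secret store / encrypted pillar, not in committed YAML.
            srp_unknown_seed: 'secret_string'
            srp_verifier_file: '/path/to/file.srpv'
            ssl_stapling:
              error_cache_timeout: '600'
              fake_try_later: 'off'
              stapling_responder: 'http://responder.example.com:8888/responder'
              responder_timeout: '600'
              response_max_age: '300'
              response_time_skew: '300'
              responder_errors: 'off'
              standard_cache_timeout: '600'
            sniv_host_check: 'off'
            verify_depth: '1'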
403
404SSL settings on SERVER level:
405
406.. code-block:: yaml
407
# Server-level mod_ssl settings shared by all sites: crypto engine,
# FIPS mode, key passphrase source, PRNG seeding and caches.
apache:
  server:
    ssl:
      enabled: true
      crypto_device: 'rdrand'
      fips: 'off'
      # 'builtin' prompts on the console; no passphrase is stored here
      passphrase: 'builtin'
      random_seed:
        seed1:
          context: 'startup'
          source: 'file:/dev/urandom 256'
          enabled: true
        seed2:
          context: 'connect'
          source: 'builtin'
          enabled: true
      session_cache: 'none'
      stapling_cache: 'default'
      # request variable exposed as the authenticated user name
      ssl_user_name: 'SSL_CLIENT_S_DN_CN'
427
428
Filip Pytloun410abc42015-10-06 16:28:31 +0200429Roundcube webmail, postfixadmin and mailman
430
431.. code-block:: yaml
432
# Single static site hosting Roundcube, with postfixadmin and mailman
# mounted under sub-paths. Only the /mailman location runs CGI scripts.
classes:
  - service.apache.server.single
parameters:
  apache:
    server:
      enabled: true
      modules:
        - cgi
        - php
      site:
        roundcube:
          enabled: true
          type: static
          name: roundcube
          root: /usr/share/roundcube
          locations:
            - uri: /admin
              path: /usr/share/postfixadmin
            - uri: /mailman
              path: /usr/lib/cgi-bin/mailman
              # executable CGI location
              script: true
            - uri: /pipermail
              path: /var/lib/mailman/archives/public
            - uri: /images/mailman
              path: /usr/share/images/mailman
          host:
            name: mail.example.com
            aliases:
              - mail.example.com
              - lists.example.com
              - mail01.example.com
              - mail01
465
Logrotate settings which rotate the logs at a random time within the given
interval. Both values are in seconds.
468
469.. code-block:: yaml
470
# Log rotation is triggered at a random point between start_period and
# end_period (seconds), spreading load across hosts.
apache:
  server:
    logrotate:
      start_period: 600
      end_period: 1200
476
Oleksandr Bryndziia9b5d3b2018-11-01 17:21:39 +0200477Apache modules management
478
479.. code-block:: yaml
480
# Module management: the status module is managed by the formula but
# kept disabled.
apache:
  server:
    mods:
      status:
        enabled: true
        status: 'disabled'
487
Oleksandr Bryndzii4c1a02b2018-12-18 11:23:15 +0000488Apache server-status management
489
490.. code-block:: yaml
491
# mod_status enabled, bound to loopback, with the /server-status page
# restricted to loopback sources only (v4 and v6).
apache:
  server:
    mods:
      status:
        enabled: true
        status: 'enabled'
        host:
          address: 127.0.0.1
          port: 80
        allow:
          localhost:
            enabled: true
            value: '127.0.0.0/255.0.0.0'
          localhost_ipv6:
            enabled: true
            value: '::1/128'
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200508
Oleh Hryhorov2e9130f2018-11-26 12:23:19 +0000509Apache directories and modules management
510
511.. code-block:: yaml
512
# Per-site <Directory> blocks with access order and module-conditional
# directives (<IfModule>).
apache:
  server:
    enabled: true
    site:
      sitename:
        directories:
          dashboard_static:
            path: /usr/share/openstack-dashboard/static
            # legacy (2.2-style) Order/Allow access control
            order: 'allow,deny'
            allow: 'from all'
            modules:
              mod_expires.c:
                ExpiresActive: 'On'
                # inner double quotes are part of the directive value
                ExpiresDefault: '"access 6 month"'
              mod_deflate.c:
                SetOutputFilter: 'DEFLATE'
          dashboard_wsgi:
            path: /usr/share/openstack-dashboard/openstack_dashboard/wsgi
            order: 'allow,deny'
            allow: 'from all'
533
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200534More Information
535================
Filip Pytloun410abc42015-10-06 16:28:31 +0200536
537* https://httpd.apache.org/docs/