==============
2Apache Formula
3==============
Filip Pytloun410abc42015-10-06 16:28:31 +02004
Install and configure the Apache web server
6
Sample Pillars
8==============
Filip Pytloun410abc42015-10-06 16:28:31 +02009
10Simple Apache proxy
11
12.. code-block:: yaml
13
# Minimal reverse-proxy setup: the server listens on every interface on port 80
# and loads the proxy module family.
apache:
  server:
    enabled: true
    bind:
      address: "0.0.0.0"
      ports:
        - 80
    modules:
      - proxy
      - proxy_http
      - proxy_balancer
25
26
Apache plain static sites (e.g. Sphinx-generated, from git/hg sources)
28
29.. code-block:: yaml
30
# Two static sites served from the same server: one from a local directory,
# one checked out from a git repository.
apache:
  server:
    enabled: true
    bind:
      listen_default_ports: false
      address: "0.0.0.0"
      ports:
        - 80
    modules:
      - rewrite
      - status
    # NOTE(review): sites are given as a list here but keyed by name in the
    # other samples of this README; confirm which form the formula accepts.
    site:
      - enabled: true
        name: "sphinxdoc"
        type: "static"
        host:
          name: "doc.domain.com"
          port: 80
        source:
          engine: local
      - enabled: true
        name: "impressjs"
        type: "static"
        host:
          name: "pres.domain.com"
          port: 80
        source:
          engine: git
          address: "git@repo1.domain.cz:impress/billometer.git"
          revision: "master"
61
Tune settings of mpm_prefork
63
64.. code-block:: yaml
65
# Prefork MPM tuning: client limit, server process pool bounds and the
# per-child request limit.
parameters:
  apache:
    mpm:
      prefork:
        max_clients: 250
        servers:
          min: 32
          max: 64
        max_requests: 4000
75
Apache Kerberos authentication:
77
78.. code-block:: yaml
79
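# Kerberos-backed site authentication with an LDAP group requirement.
# Fix: the top-level key was written as `parameters` without the colon,
# which makes the whole sample a single plain scalar instead of a mapping.
parameters:
  apache:
    server:
      site:
        auth:
          engine: kerberos
          name: "Kerberos Authentication"
          require:
            - "ldap-attribute memberOf='cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com'"

          kerberos:
            realms:
              - EXAMPLE.COM
            # Below is optional
            keytab: /etc/apache2/ipa.keytab
            service: HTTP
            method:
              negotiate: true
              # NOTE(review): k5passwd presumably enables password-based
              # (Basic) fallback; such a site should only be served over TLS.
              # Confirm against the formula's auth template.
              k5passwd: true

          ldap:
            url: "ldaps://idm01.example.com/dc=example,dc=com?krbPrincipalName"
            # mech is optional
            mech: GSSAPI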
104
Tune security settings (these are the defaults):
106
107.. code-block:: yaml
108
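# Server-wide hardening knobs; the values shown are the formula defaults.
parameters:
  apache:
    server:
      # ServerTokens
      tokens: Prod
      # ServerSignature, can also be set per-site
      signature: false
      # TraceEnable, can also be set per-site
      trace: false
      # Deny access to .git, .svn, .hg directories
      secure_scm: true
      # Required for the two header settings below
      modules:
        - headers
      # Set X-Content-Type-Options
      content_type_options: nosniff
      # Set X-Frame-Options
      frame_options: sameorigin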
Filip Pytloun3179bca2016-02-22 13:39:58 +0100127
Tuned-up log configuration.
Simon Pasquierd9912952017-01-19 10:34:25 +0100129
130.. code-block:: yaml
131
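# Per-site access and error log configuration.
parameters:
  apache:
    server:
      site:
        foo:
          enabled: true
          type: static
          log:
            custom:
              enabled: true
              file: /var/log/apache2/mylittleponysitecustom.log
              # Folded scalar keeps the LogFormat on one line; the backslashes
              # are passed through literally, which is what LogFormat expects.
              # %{X-Forwarded-For}i is a request header the client can set, so
              # it only identifies the client behind a trusted reverse proxy.
              format: >-
                %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"
            error:
              enabled: false
              file: /var/log/apache2/foo.error.log
              level: notice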
149
Apache WSGI application.
151
152.. code-block:: yaml
153
# WSGI site running under mod_wsgi daemon mode with the event MPM.
apache:
  server:
    enabled: true
    default_mpm: event
    site:
      manila:
        enabled: false
        available: true
        type: wsgi
        name: manila
        wsgi:
          daemon_process: manila-api
          threads: 2
          user: manila
          group: manila
          # %-prefixed values are quoted so YAML does not treat % as a directive
          display_name: "%{GROUP}"
          script_alias: "/ /usr/bin/manila-wsgi"
          application_group: "%{GLOBAL}"
          # Apache directive value; quoted to stay a string rather than a boolean
          authorization: "On"
        limits:
          request_body: 114688
175
Apache SSL cipher management
177
178.. code-block:: yaml
179
# SSL in 'secure' mode: the formula picks the cipher and protocol set.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: "secure"
...
191
192.. code-block:: yaml
193
# SSL in 'normal' mode: the formula picks the cipher and protocol set.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: "normal"
...
205
206.. code-block:: yaml
207
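# SSL in 'strict' mode: ciphers and protocols are dicts whose entries carry
# their own enabled flag.
# Fixes: booleans written canonically (true/false instead of True/False), and
# the protocol example now keeps TLSv1.2 on with the legacy protocols off
# instead of the reverse, which a "strict" sample should not be showing.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            mode: strict
            ciphers:
              ECDHE_RSA_AES256_GCM_SHA384:
                name: 'ECDHE-RSA-AES256-GCM-SHA384'
                enabled: true
              ECDHE_ECDSA_AES256_GCM_SHA384:
                name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                enabled: true
            protocols:
              TLS1:
                name: 'TLSv1'
                enabled: false
              TLS1_1:
                name: 'TLSv1.1'
                enabled: false
              TLS1_2:
                name: 'TLSv1.2'
                enabled: true
            # Apache on/off value, quoted so YAML keeps it a string
            prefer_server_ciphers: 'on'
...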
237
Advanced SSL configuration; more information about the SSL options can be found
at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
Please note that if mode = 'secure' or mode = 'normal' and 'ciphers' or 'protocols' are set, they must have
type "string"; if mode = 'manual', their type must be "dict" (as shown below).
242
243SSL settings on SITE level:
244
245.. code-block:: yaml
246
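# Full site-level SSL sample. Fixes: every flag is a canonical YAML boolean
# (the original mixed True/False and the string 'True'), and the protocol
# example keeps TLSv1.2 enabled with TLSv1/TLSv1.1 off rather than the reverse.
# Apache on/off values stay quoted so YAML does not turn them into booleans.
parameters:
  apache:
    server:
      enabled: true
      site:
        example:
          enabled: true
          ssl:
            enabled: true
            engine: salt
            authority: "${_param:salt_minion_ca_authority}"
            key_file: "/etc/ssl/private/internal_proxy.key"
            cert_file: "/etc/ssl/certs/internal_proxy.crt"
            chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
            # 'strict' takes protocols and ciphers as dicts with per-entry flags
            mode: 'strict'
            session_timeout: '300'
            protocols:
              TLS1:
                name: 'TLSv1'
                enabled: false
              TLS1_1:
                name: 'TLSv1.1'
                enabled: false
              TLS1_2:
                name: 'TLSv1.2'
                enabled: true
            ciphers:
              ECDHE_RSA_AES256_GCM_SHA384:
                name: 'ECDHE-RSA-AES256-GCM-SHA384'
                enabled: true
              ECDHE_ECDSA_AES256_GCM_SHA384:
                name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                enabled: true
            prefer_server_ciphers: "off"
            dhparam:
              enabled: true
              numbits: 2048
            ecdh_curve:
              secp384r1:
                name: 'secp384r1'
                enabled: false
              secp521r1:
                name: 'secp521r1'
                enabled: true
            ticket_key:
              enabled: true
              numbytes: 48
            session_tickets: 'on'
            stapling: 'off'
            crl:
              file: '/etc/ssl/crl/crl.pem'
              path: '/etc/ssl/crl'
              value: 'chain'
              enabled: false
            # 'none': client certificates are not requested
            verify_client: 'none'
            client_certificate:
              file: '/etc/ssl/client_cert.pem'
              enabled: false
            compression: 'off'
            ssl_engine: 'on'
            insecure_renegotiation: 'off'
            ocsp:
              default_responder: 'http://responder.example.com:8888/responder'
              ocsp_enable: 'off'
              override_responder: 'off'
              responder_timeout: '50'
              max_age: '300'
              time_skew: '300'
              nonce: 'on'
              enabled: true
            conf_cmd:
              sessionticket:
                command_name: 'Options'
                command_value: '-SessionTicket'
                enabled: true
              serverpreference:
                command_name: 'Options'
                command_value: '-ServerPreference'
                enabled: false
            ssl_options:
              fakebasicauth:
                option: '+FakeBasicAuth'
                # was the string 'True'; a real boolean like every other flag
                enabled: true
              strictrequire:
                option: '-StrictRequire'
                enabled: true
            proxy:
              ca_cert_file: '/etc/ssl/client_cert.pem'
              ca_cert_path: '/etc/ssl/client/'
              crl:
                file: '/etc/ssl/crl/crl.pem'
                path: '/etc/ssl/crl'
                value: 'chain'
                enabled: false
              # With verify 'none' and the three peer checks 'off' the backend
              # certificate is not validated; these are sample values only.
              check_peer_cn: 'off'
              check_peer_expire: 'off'
              check_peer_name: 'off'
              ciphers:
                ECDHE_RSA_AES256_GCM_SHA384:
                  name: 'ECDHE-RSA-AES256-GCM-SHA384'
                  enabled: true
                ECDHE_ECDSA_AES256_GCM_SHA384:
                  name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
                  enabled: false
              ssl_engine: 'on'
              proxy_chain_file: '/etc/ssl/proxy_chain.pem'
              proxy_cert_file: '/etc/ssl/proxy.pem'
              proxy_cert_path: '/etc/ssl/proxy'
              verify: 'none'
              verify_depth: '1'
            # NOTE(review): the keys from here on are placed at ssl level by
            # their mod_ssl meaning; the sample's original indentation was
            # lost, confirm the nesting against the formula's templates.
            # The seed is a placeholder; do not keep the real value in a
            # pillar committed to version control.
            srp_unknown_seed: 'secret_string'
            srp_verifier_file: '/path/to/file.srpv'
            ssl_stapling:
              error_cache_timeout: '600'
              fake_try_later: 'off'
              stapling_responder: 'http://responder.example.com:8888/responder'
              responder_timeout: '600'
              response_max_age: '300'
              response_time_skew: '300'
              responder_errors: 'off'
              standard_cache_timeout: '600'
            sniv_host_check: 'off'
            verify_depth: '1'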
370
371SSL settings on SERVER level:
372
373.. code-block:: yaml
374
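# Server-level SSL settings (apply to every site).
# Fix: booleans written canonically as true instead of True.
apache:
  server:
    ssl:
      enabled: true
      # NOTE(review): 'rdrand' selects the CPU RNG as OpenSSL's crypto device
      # engine; confirm this is intended rather than the default engine.
      crypto_device: 'rdrand'
      fips: 'off'
      passphrase: 'builtin'
      random_seed:
        seed1:
          context: 'startup'
          source: 'file:/dev/urandom 256'
          enabled: true
        seed2:
          context: 'connect'
          source: 'builtin'
          enabled: true
      session_cache: 'none'
      stapling_cache: 'default'
      ssl_user_name: 'SSL_CLIENT_S_DN_CN'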
394
395
Roundcube webmail, postfixadmin and mailman
397
398.. code-block:: yaml
399
# Single static site hosting Roundcube with postfixadmin and mailman mounted
# under sub-URIs; the mailman location is served as CGI.
classes:
  - service.apache.server.single
parameters:
  apache:
    server:
      enabled: true
      modules:
        - cgi
        - php
      site:
        roundcube:
          enabled: true
          type: static
          name: roundcube
          root: /usr/share/roundcube
          locations:
            - uri: /admin
              path: /usr/share/postfixadmin
            - uri: /mailman
              path: /usr/lib/cgi-bin/mailman
              script: true
            - uri: /pipermail
              path: /var/lib/mailman/archives/public
            - uri: /images/mailman
              path: /usr/share/images/mailman
          host:
            name: mail.example.com
            aliases:
              - mail.example.com
              - lists.example.com
              - mail01.example.com
              - mail01
432
Logrotate settings which rotate the logs at a random time within a given
time interval. Times are in seconds.
435
436.. code-block:: yaml
437
# Log rotation window, in seconds.
apache:
  server:
    logrotate:
      start_period: 600
      end_period: 1200
443
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200444
445More Information
446================
Filip Pytloun410abc42015-10-06 16:28:31 +0200447
448* https://httpd.apache.org/docs/
Filip Pytloun87d08142017-02-02 12:52:21 +0100449
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200450
Documentation and Bugs
452======================
453
454To learn how to install and update salt-formulas, consult the documentation
455available online at:
456
457 http://salt-formulas.readthedocs.io/
458
In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:
462
463 https://github.com/salt-formulas/salt-formula-apache/issues
464
For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:
467
468 https://launchpad.net/salt-formulas
469
You can also join the salt-formulas-users team and subscribe to the mailing list:
471
472 https://launchpad.net/~salt-formulas-users
473
Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.
476
477 https://github.com/salt-formulas/salt-formula-apache
478
Any questions or feedback are always welcome, so feel free to join our IRC
channel:
481
482 #salt-formulas @ irc.freenode.net