Aleš Komárek3a3de6e2017-04-11 13:41:09 +02001==============
2Apache Formula
3==============
Filip Pytloun410abc42015-10-06 16:28:31 +02004
5Install and configure Apache webserver
6
Aleš Komárek3a3de6e2017-04-11 13:41:09 +02007Sample Pillars
8==============
Filip Pytloun410abc42015-10-06 16:28:31 +02009
10Simple Apache proxy
11
12.. code-block:: yaml
13
14 apache:
15 server:
16 enabled: true
17 bind:
18 address: '0.0.0.0'
19 ports:
20 - 80
21 modules:
22 - proxy
23 - proxy_http
24 - proxy_balancer
Mykyta Karpinbe321f72018-12-19 16:14:38 +020025 site:
26 apache_proxy_site:
27 enabled: true
28 type: proxy
29 name: site_name
30 proxy:
31 host: 1.1.1.1
32 port: 8080
33 protocol: http
34 retry: 30
35 host:
36 name: 2.2.2.2
37 port: 9001
38 address: 2.2.2.2
Filip Pytloun410abc42015-10-06 16:28:31 +020039
Apache plain static sites (e.g. Sphinx-generated content deployed from git/hg sources)
41
42.. code-block:: yaml
43
    # Two static vhosts: one served from a local directory, one checked out
    # from a git repository.
    apache:
      server:
        enabled: true
        bind:
          # Presumably suppresses the distribution's default Listen entries so
          # only the explicit ports list below is opened - confirm in template.
          listen_default_ports: false
          address: '0.0.0.0'
          ports:
            - 80
        modules:
          - rewrite
          # mod_status exposes request/client details; see the server-status
          # example further down for keeping it restricted to loopback.
          - status
        site:
          - enabled: true
            name: 'sphinxdoc'
            type: 'static'
            host:
              name: 'doc.domain.com'
              port: 80
            source:
              # Content already present on the host.
              engine: local
          - enabled: true
            name: 'impressjs'
            type: 'static'
            host:
              name: 'pres.domain.com'
              port: 80
            source:
              # Content cloned over SSH; the host applying the state needs
              # read access to the repository.
              engine: git
              address: 'git@repo1.domain.cz:impress/billometer.git'
              # A branch, not a pinned commit: each run deploys whatever
              # master currently points to.
              revision: 'master'
74
Filip Pytlounc135fa52015-11-25 12:28:45 +010075Tune settings of mpm_prefork
76
77.. code-block:: yaml
78
    # mpm_prefork sizing (one process per connection). The key names suggest
    # the usual MaxClients / MinSpareServers / MaxSpareServers /
    # MaxRequestsPerChild directives - confirm against the template.
    parameters:
      apache:
        mpm:
          prefork:
            # Upper bound on concurrent requests; with prefork this also caps
            # the process count and therefore memory use.
            max_clients: 250
            servers:
              # Idle spare-process pool bounds.
              min: 32
              max: 64
            # Recycle a worker after this many requests, which bounds the
            # damage from slow memory leaks in loaded modules.
            max_requests: 4000
88
Apache Kerberos authentication (with LDAP group membership check):
90
91.. code-block:: yaml
92
93 parameters
94 apache:
95 server:
96 site:
97 auth:
98 engine: kerberos
99 name: "Kerberos Authentication"
100 require:
101 - "ldap-attribute memberOf='cn=somegroup,cn=groups,cn=accounts,dc=example,dc=com'"
102
103 kerberos:
104 realms:
105 - EXAMPLE.COM
106 # Bellow is optional
107 keytab: /etc/apache2/ipa.keytab
108 service: HTTP
109 method:
110 negotiate: true
111 k5passwd: true
112
113 ldap:
114 url: "ldaps://idm01.example.com/dc=example,dc=com?krbPrincipalName"
115 # mech is optional
116 mech: GSSAPI
117
Tune security settings (the values shown are the defaults):
119
120.. code-block:: yaml
121
    # Server-wide hardening knobs. The values shown are the formula defaults.
    parameters:
      apache:
        server:
          # ServerTokens - 'Prod' reports only "Apache", hiding version and
          # module details from the Server header.
          tokens: Prod
          # ServerSignature, can be also set per-site (off: no version footer
          # on error pages)
          signature: false
          # TraceEnable, can be also set per-site (off: rejects TRACE requests)
          trace: false
          # Deny access to .git, .svn, .hg directories, so checked-out sources
          # and their history are not served.
          secure_scm: true
          # Required for settings below
          modules:
            - headers
          # Set X-Content-Type-Options
          content_type_options: nosniff
          # Set X-Frame-Options
          frame_options: sameorigin
Filip Pytloun3179bca2016-02-22 13:39:58 +0100140
Tuned log configuration (custom access-log format and per-site error log):
Simon Pasquierd9912952017-01-19 10:34:25 +0100142
143.. code-block:: yaml
144
    parameters:
      apache:
        server:
          site:
            foo:
              enabled: true
              type: static
              log:
                custom:
                  enabled: true
                  file: /var/log/apache2/mylittleponysitecustom.log
                  # NOTE(review): this format logs the X-Forwarded-For header
                  # in the client-address position. That header is set by the
                  # client unless a trusted proxy in front overwrites it, so
                  # it is not a reliable source address (and is spoofable in
                  # forensics). Only use it behind such a proxy; otherwise
                  # log %h, or %a with mod_remoteip configured.
                  # The `>-` folded scalar keeps the `\"` sequences literal,
                  # which is what Apache's LogFormat expects.
                  format: >-
                    %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"
                error:
                  # Error log disabled for this site in the sample.
                  enabled: false
                  file: /var/log/apache2/foo.error.log
                  level: notice
162
Apache WSGI application (served by mod_wsgi in daemon mode):
164
165.. code-block:: yaml
166
    apache:
      server:
        enabled: true
        default_mpm: event
        site:
          manila:
            # enabled: false with available: true - presumably the vhost
            # config is written but not activated (not symlinked into
            # sites-enabled). Confirm against the template.
            enabled: false
            available: true
            type: wsgi
            name: manila
            wsgi:
              # Daemon-mode process group running under a dedicated,
              # unprivileged service account rather than the Apache user.
              daemon_process: manila-api
              threads: 2
              user: manila
              group: manila
              display_name: '%{GROUP}'
              # Mount point and script; `/` hands the whole vhost to the app.
              script_alias: '/ /usr/bin/manila-wsgi'
              application_group: '%{GLOBAL}'
              # Presumably WSGIPassAuthorization: the Authorization header is
              # forwarded to the application so it can authenticate callers
              # itself (Apache does not consume it).
              authorization: 'On'
              limits:
                # Presumably LimitRequestBody in bytes (112 KiB): rejects
                # oversized request bodies before they reach the app.
                request_body: 114688
188
Apache environment modules (mod_env, mod_setenvif).
190
191.. code-block:: yaml
192
    apache:
      server:
        site:
          horizon:
            env:
              # mod_env: pass a variable from Apache's own environment.
              passenv:
                - variable: LC_ALL
                  enabled: False
              # mod_env: set a fixed variable for the application.
              setenv:
                - variable: X-Forwarded-Proxy
                  value: somehost
                  enabled: False
              unsetenv:
                - variable: LC_LOCAL
              # mod_setenvif: conditional variables.
              envif:
                browsermatch:
                  - rule: ^MSIE mozilla
                setenvif:
                  # NOTE(review): this trusts a client-supplied header to mark
                  # the request as HTTPS. Only enable it when a TLS-terminating
                  # proxy in front of Apache strips/overwrites
                  # X-Forwarded-Proto; otherwise any client can claim HTTPS=1.
                  # Left disabled in the sample.
                  - rule: X-Forwarded-Proto https HTTPS=1
                    enabled: False
213
Oleh Hryhorov6b91fdf2018-11-26 12:26:42 +0000214Apache redirect site definition.
215
216.. code-block:: yaml
217
    # Plain-HTTP vhost whose only job is to redirect to the HTTPS endpoint.
    apache:
      server:
        site:
          openstack_web_redirect:
            name: 'openstack_web_redirect'
            enabled: true
            type: 'redirect'
            root: '/var/www/httproot'
            host:
              address: ${_param:apache_horizon_api_address}
              name: ${_param:apache_horizon_api_host}
              port: 80
            # mod_rewrite-based redirect (as opposed to a plain Redirect).
            redirect_mode: rewrite
            # Note that with Apache's default UseCanonicalName Off,
            # %{SERVER_NAME} is derived from the client-supplied Host header;
            # set UseCanonicalName On if the target must always be the
            # configured ServerName.
            target_url: 'https://%{SERVER_NAME}'
            listen_address: '0.0.0.0'
233
Apache SSL/TLS cipher and protocol management (three modes: ``secure``, ``normal``, ``strict``)
235
236.. code-block:: yaml
237
    parameters:
      apache:
        server:
          enabled: true
          site:
            example:
              enabled: true
              ssl:
                enabled: true
                # Formula-defined preset; presumably the most restrictive
                # cipher/protocol list the formula ships. The exact suites it
                # expands to are not shown here - check the formula's defaults
                # before relying on it.
                mode: secure
                ...
249
250.. code-block:: yaml
251
    parameters:
      apache:
        server:
          enabled: true
          site:
            example:
              enabled: true
              ssl:
                enabled: true
                # Formula-defined preset, presumably broader than 'secure' for
                # compatibility with older clients. Review what it enables
                # before using it on an internet-facing vhost.
                mode: normal
                ...
263
264.. code-block:: yaml
265
266 parameters:
267 apache:
268 server:
269 enabled: true
270 site:
271 example:
272 enabled: true
273 ssl:
274 enabled: true
275 mode: strict
276 ciphers:
277 ECDHE_RSA_AES256_GCM_SHA384:
278 name: 'ECDHE-RSA-AES256-GCM-SHA384'
279 enabled: True
280 ECDHE_ECDSA_AES256_GCM_SHA384:
281 name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
282 enabled: True
283 protocols:
284 TLS1:
285 name: 'TLSv1'
286 enabled: True
287 TLS1_1:
288 name: 'TLSv1.1'
289 enabled: True
290 TLS1_2:
291 name: 'TLSv1.2'
292 enabled: False
293 prefer_server_ciphers: 'on'
294 ...
295
Advanced SSL configuration. More information about the underlying SSL options can be found
at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

Please note: if ``mode`` is ``'secure'`` or ``'normal'`` and ``ciphers`` or ``protocols`` are set, they must be
of type string; if ``mode`` is ``'manual'``, they must be dicts, as shown below. (The examples below use
``mode: 'strict'`` with dict values - confirm which mode name the formula actually expects for dict input.)
300
301SSL settings on SITE level:
302
303.. code-block:: yaml
304
305 parameters:
306 apache:
307 server:
308 enabled: true
309 site:
310 example:
311 enabled: true
312 ssl:
313 enabled: true
314 engine: salt
315 authority: "${_param:salt_minion_ca_authority}"
316 key_file: "/etc/ssl/private/internal_proxy.key"
317 cert_file: "/etc/ssl/certs/internal_proxy.crt"
318 chain_file: "/etc/ssl/certs/internal_proxy-with-chain.crt"
319 mode: 'strict'
320 session_timeout: '300'
321 protocols:
322 TLS1:
323 name: 'TLSv1'
324 enabled: True
325 TLS1_1:
326 name: 'TLSv1.1'
327 enabled: True
328 TLS1_2:
329 name: 'TLSv1.2'
330 enabled: False
331 ciphers:
332 ECDHE_RSA_AES256_GCM_SHA384:
333 name: 'ECDHE-RSA-AES256-GCM-SHA384'
334 enabled: True
335 ECDHE_ECDSA_AES256_GCM_SHA384:
336 name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
337 enabled: True
338 prefer_server_ciphers: "off"
339 dhparam:
340 enabled: True
341 numbits: 2048
342 ecdh_curve:
343 secp384r1:
344 name: 'secp384r1'
345 enabled: False
346 secp521r1:
347 name: 'secp521r1'
348 enabled: True
349 ticket_key:
350 enabled: True
351 numbytes: 48
352 session_tickets: 'on'
353 stapling: 'off'
354 crl:
355 file: '/etc/ssl/crl/crl.pem'
356 path: '/etc/ssl/crl'
357 value: 'chain'
358 enabled: False
359 verify_client: 'none'
360 client_certificate:
361 file: '/etc/ssl/client_cert.pem'
362 enabled: False
363 compression: 'off'
364 ssl_engine: 'on'
365 insecure_renegotiation: 'off'
366 ocsp:
367 default_responder: 'http://responder.example.com:8888/responder'
368 ocsp_enable: 'off'
369 override_responder: 'off'
370 responder_timeout: '50'
371 max_age: '300'
372 time_skew: '300'
373 nonce: 'on'
374 enabled: True
375 conf_cmd:
376 sessionticket:
377 command_name: 'Options'
378 command_value: '-SessionTicket'
379 enabled: True
380 serverpreference:
381 command_name: 'Options'
382 command_value: '-ServerPreference'
383 enabled: False
384 ssl_options:
385 fakebasicauth:
386 option: '+FakeBasicAuth'
387 enabled: 'True'
388 strictrequire:
389 option: '-StrictRequire'
390 enabled: True
391 proxy:
392 ca_cert_file: '/etc/ssl/client_cert.pem'
393 ca_cert_path: '/etc/ssl/client/'
394 crl:
395 file: '/etc/ssl/crl/crl.pem'
396 path: '/etc/ssl/crl'
397 value: 'chain'
398 enabled: False
399 check_peer_cn: 'off'
400 check_peer_expire: 'off'
401 check_peer_name: 'off'
402 ciphers:
403 ECDHE_RSA_AES256_GCM_SHA384:
404 name: 'ECDHE-RSA-AES256-GCM-SHA384'
405 enabled: True
406 ECDHE_ECDSA_AES256_GCM_SHA384:
407 name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
408 enabled: False
409 ssl_engine: 'on'
410 proxy_chain_file: '/etc/ssl/proxy_chain.pem'
411 proxy_cert_file: '/etc/ssl/proxy.pem'
412 proxy_cert_path: '/etc/ssl/proxy'
413 verify: 'none'
414 verify_depth: '1'
415 srp_unknown_seed: 'secret_string'
416 srp_verifier_file: '/path/to/file.srpv'
417 ssl_stapling:
418 error_cache_timeout: '600'
419 fake_try_later: 'off'
420 stapling_responder: 'http://responder.example.com:8888/responder'
421 responder_timeout: '600'
422 response_max_age: '300'
423 response_time_skew: '300'
424 responder_errors: 'off'
425 standard_cache_timeout: '600'
426 sniv_host_check: 'off'
427 verify_depth: '1'
428
429SSL settings on SERVER level:
430
431.. code-block:: yaml
432
    # Server-wide mod_ssl settings (apply to every TLS vhost).
    apache:
      server:
        ssl:
          enabled: True
          # Presumably SSLCryptoDevice: 'rdrand' routes OpenSSL's RNG through
          # the CPU's RDRAND engine, i.e. trusts a single hardware source.
          # 'builtin' is the conservative choice unless RDRAND is required.
          crypto_device: 'rdrand'
          fips: 'off'
          # How the private-key passphrase is obtained; 'builtin' prompts on
          # the console at startup.
          passphrase: 'builtin'
          # Extra PRNG seeding at startup (256 bytes from /dev/urandom) and
          # per connection (builtin source).
          random_seed:
            seed1:
              context: 'startup'
              source: 'file:/dev/urandom 256'
              enabled: True
            seed2:
              context: 'connect'
              source: 'builtin'
              enabled: True
          # No server-side session cache: resumption then relies on session
          # tickets (if enabled per site), otherwise every connection does a
          # full handshake.
          session_cache: 'none'
          stapling_cache: 'default'
          # Presumably SSLUserName: REMOTE_USER is taken from the client
          # certificate's CN. Only meaningful on vhosts that actually verify
          # client certificates.
          ssl_user_name: 'SSL_CLIENT_S_DN_CN'
452
453
Filip Pytloun410abc42015-10-06 16:28:31 +0200454Roundcube webmail, postfixadmin and mailman
455
456.. code-block:: yaml
457
    classes:
      - service.apache.server.single
    parameters:
      apache:
        server:
          enabled: true
          modules:
            # CGI is needed for the mailman scripts mounted below.
            - cgi
            - php
          site:
            roundcube:
              enabled: true
              type: static
              name: roundcube
              root: /usr/share/roundcube
              locations:
                # NOTE(review): no access control is shown for the
                # postfixadmin /admin location; the application's own login
                # is the only gate unless restrictions are added elsewhere.
                - uri: /admin
                  path: /usr/share/postfixadmin
                # script: true presumably marks the path as executable CGI
                # (ScriptAlias) rather than static content.
                - uri: /mailman
                  path: /usr/lib/cgi-bin/mailman
                  script: true
                # Public list archives.
                - uri: /pipermail
                  path: /var/lib/mailman/archives/public
                - uri: /images/mailman
                  path: /usr/share/images/mailman
              host:
                name: mail.example.com
                # ServerAlias entries; mail.example.com repeats the primary
                # name and 'mail01' is an unqualified short name.
                aliases:
                  - mail.example.com
                  - lists.example.com
                  - mail01.example.com
                  - mail01
490
Logrotate settings that rotate the logs at a random moment within the given interval
(``start_period`` .. ``end_period``, in seconds), so that many hosts do not rotate at the
same instant. A rotate count (number of rotated files to keep) is also supported.
sgarbuz950c64d2018-04-26 12:14:38 +0300494
495.. code-block:: yaml
496
    apache:
      server:
        logrotate:
          # Rotation happens at a random time between 600 and 1200 seconds
          # into the interval, per the description above.
          start_period: 600
          end_period: 1200
          # Keep five rotated log files before discarding the oldest.
          rotate: 5
sgarbuz950c64d2018-04-26 12:14:38 +0300503
Oleksandr Bryndziia9b5d3b2018-11-01 17:21:39 +0200504Apache modules management
505
506.. code-block:: yaml
507
    # Explicitly disable mod_status. `enabled: True` presumably means "manage
    # this module entry", while `status` is the desired module state.
    apache:
      server:
        mods:
          status:
            enabled: True
            status: 'disabled'
514
Oleksandr Bryndzii4c1a02b2018-12-18 11:23:15 +0000515Apache server-status management
516
517.. code-block:: yaml
518
    # mod_status enabled but reachable only from the host itself: the
    # server-status page reveals in-flight request URLs and client addresses,
    # so it should never be exposed beyond loopback/monitoring hosts.
    apache:
      server:
        mods:
          status:
            enabled: True
            status: 'enabled'
            host:
              # Bind the status vhost to the IPv4 loopback address only.
              address: 127.0.0.1
              port: 80
            allow:
              # Whole IPv4 loopback /8 (127.0.0.0/255.0.0.0).
              localhost:
                enabled: True
                value: '127.0.0.0/255.0.0.0'
              # IPv6 loopback.
              localhost_ipv6:
                enabled: True
                value: '::1/128'
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200535
Oleh Hryhorov2e9130f2018-11-26 12:23:19 +0000536Apache directories and modules management
537
538.. code-block:: yaml
539
    # Per-directory blocks with module-conditional directives.
    apache:
      server:
        enabled: true
        site:
          sitename:
            directories:
              dashboard_static:
                path: /usr/share/openstack-dashboard/static
                # Order/Allow are Apache 2.2-style access control; on 2.4 they
                # presumably require mod_access_compat (Require all granted is
                # the native form). Both entries grant access to everyone.
                order: 'allow,deny'
                allow: 'from all'
                # Directives emitted inside <IfModule ...> guards.
                modules:
                  mod_expires.c:
                    ExpiresActive: 'On'
                    # Inner double quotes are part of the directive value.
                    ExpiresDefault: '"access 6 month"'
                  mod_deflate.c:
                    SetOutputFilter: 'DEFLATE'
              dashboard_wsgi:
                path: /usr/share/openstack-dashboard/openstack_dashboard/wsgi
                order: 'allow,deny'
                allow: 'from all'
560
Apache2 configured to wait for one or more other services before
starting (currently implemented for systemd only):
563
564.. code-block:: yaml
565
    apache:
      server:
        # systemd unit names apache2 must wait for before starting
        # (presumably rendered as After=/Requires= dependencies).
        wait_for_service:
          - foo-bar.mount
        # Indentation in the rendered sample is ambiguous; `enabled` is
        # presumably the usual apache.server.enabled flag.
        enabled: true
        ...
572
Aleš Komárek3a3de6e2017-04-11 13:41:09 +0200573More Information
574================
Filip Pytloun410abc42015-10-06 16:28:31 +0200575
576* https://httpd.apache.org/docs/