
Untitled

a guest
Jul 17th, 2017
  # Top file as pasted: leading indentation was lost and the "N." prefixes are
  # the paste site's line numbers, not part of the YAML.
  # In the `base` environment it matches the minion ID 'ubuntu-xenial-salt'
  # and assigns it the SLS `systems.ubuntu-xenial-salt`.
  # NOTE(review): presumably the pillar top file, since the rest of the paste
  # is pillar data - confirm.
  1. base:
  2. 'ubuntu-xenial-salt':
  3. - systems.ubuntu-xenial-salt
  4.  
  # Pillar data for one Apache virtual host, `ubuntu-salt-xenial`, pulled in
  # together with `setups.apache.prod`. Indentation was lost in the paste; the
  # nesting (apache -> sites -> ubuntu-salt-xenial -> ...) can be read from the
  # pillar.data output further down the page.
  # NOTE(review): the site is named 'ubuntu-salt-xenial' while the targeted
  # minion ID is 'ubuntu-xenial-salt' - confirm the different word order is intended.
  5. include:
  6. - setups.apache.prod
  7.  
  8. apache:
  9. sites:
  10. ubuntu-salt-xenial:
  11. enabled: True
  12. template_file: salt://apache/vhosts/standard.tmpl
  13. template_engine: jinja
  14.  
  # Listens on every interface, plain HTTP only. No TLS virtual host is defined
  # anywhere in this paste, so traffic to this site is unencrypted unless TLS
  # is terminated in front of it.
  15. interface: '*'
  16. port: '80'
  17.  
  18. exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
  19.  
  20. ServerName: ubuntu-salt-xenial
  21. ServerAlias: ubuntu-salt-xenial
  22.  
  23. ServerAdmin: minion@ubuntu-salt-xenial.com
  24.  
  # NOTE(review): `debug` is far more verbose than Apache's default of `warn`.
  # This file includes `setups.apache.prod`; on a production host debug logging
  # grows quickly and records more request detail than is usually wanted.
  25. LogLevel: debug
  # NOTE(review): the log file names still say example.com although the site is
  # ubuntu-salt-xenial - looks like a leftover from a sample; confirm, so that
  # log collection and rotation pick up the files they expect.
  26. ErrorLog: /var/log/apache2/example.com-error.log
  27. CustomLog: /var/log/apache2/example.com-access.log
  28.  
  29. DocumentRoot: /var/www/ubuntu-salt-xenial/
  30.  
  # Access policy for the document root: directory listings off (-Indexes),
  # .htaccess overrides off (AllowOverride None), open to all clients
  # (Require all granted).
  # +FollowSymLinks lets Apache serve through symlinks, so keep the docroot
  # writable only by trusted accounts.
  31. Directory:
  32. default:
  33. Options: -Indexes +FollowSymLinks
  34. Require: all granted
  35. AllowOverride: None
  36.  
  # Pillar data for the apache formula: site registration, module toggles,
  # KeepAlive, ServerTokens, mod_remoteip and mod_security settings.
  # Indentation was lost in the paste; see the pillar.data output further down
  # the page for the nesting Salt actually rendered.
  37. include:
  38. - applications.apache
  39.  
  40. # ``apache`` formula configuration:
  41. apache:
  42. register-site:
  43. # any name as an array index, and you can duplicate this section
  # NOTE(review): UNIQUE_VALUE_HERE and salt://path/to/... are still the sample
  # placeholders; the pillar.data output shows them reaching the minion as-is.
  44. UNIQUE_VALUE_HERE:
  45. name: 'PROD'
  46. path: 'salt://path/to/sites-available/conf/file'
  47. state: 'enabled'
  48. # Optional - use managed file as Jinja Template
  49. #template: true
  50. #defaults:
  51. # custom_var: "default value"
  52.  
  53. modules:
  54. enabled: # List modules to enable
  55. - rewrite
  56. - ssl
  57. disabled: # List modules to disable
  58. - ldap
  59.  
  60. # KeepAlive: Whether or not to allow persistent connections (more than
  61. # one request per connection). Set to "Off" to deactivate.
  # Quoted so YAML keeps the string 'On' instead of turning it into a boolean.
  62. keepalive: 'On'
  63.  
  64. security:
  65. # can be Full | OS | Minimal | Minor | Major | Prod
  66. # where Full conveys the most information, and Prod the least.
  67. ServerTokens: Prod
  68.  
  69. # ``apache.mod_remoteip`` formula additional configuration:
  # The client address is taken from X-Forwarded-For only for connections that
  # arrive from the proxies listed below, so every host in that list can assert
  # any client IP. Keep the list to the real reverse proxies.
  # NOTE(review): per the Apache docs, RemoteIPTrustedProxy does not accept
  # private-range addresses from the header as the client IP, while
  # RemoteIPInternalProxy does; with proxies in 10.0.8.0/24 confirm which
  # behaviour is wanted for logging and IP-based access rules.
  70. mod_remoteip:
  71. RemoteIPHeader: X-Forwarded-For
  72. RemoteIPTrustedProxy:
  73. - 10.0.8.0/24
  74. - 127.0.0.1
  75.  
  76. # ``apache.mod_security`` formula additional configuration:
  # The sec_* keys presumably render to the matching ModSecurity directives
  # (SecRuleEngine, SecRequestBodyLimit, ...) - the template is not on this page.
  77. mod_security:
  78. crs_install: True
  79. # If not set, default distro's configuration is installed as is
  80. manage_config: True
  # 'On' is blocking mode (rules are enforced, not merely logged).
  81. sec_rule_engine: 'On'
  82. sec_request_body_access: 'On'
  # Body limits are in bytes; bodies over the limit are rejected (see the
  # limit action below) rather than partially inspected.
  83. sec_request_body_limit: '14000000'
  84. sec_request_body_no_files_limit: '114002'
  85. sec_request_body_in_memory_limit: '114002'
  86. sec_request_body_limit_action: 'Reject'
  87. sec_pcre_match_limit: '15000'
  88. sec_pcre_match_limit_recursion: '15000'
  # NOTE(review): the ModSecurity reference suggests debug log level 0 in
  # production; level 3 adds errors, warnings and notices to the debug log.
  89. sec_debug_log_level: '3'
  90.  
  91. rules:
  # NOTE(review): the pillar.data output later in this paste prints
  # `enabled: None` directly under `rules`, with the two rule files listed
  # beside it. That suggests this key is empty and the rule files are its
  # siblings, not its children - confirm which layout the formula reads,
  # otherwise the per-file switches below may have no effect.
  92. enabled:
  93. modsecurity_crs_10_setup.conf:
  94. rule_set: ''
  95. enabled: True
  # NOTE(review): the protocol-violations base rules are switched off here;
  # confirm that is deliberate and not a leftover from a sample.
  96. modsecurity_crs_20_protocol_violations.conf:
  97. rule_set: 'base_rules'
  98. enabled: False
  99.  
  100. custom_rule_files:
  101. # any name as an array index, and you can duplicate this section
  # NOTE(review): placeholder name and path again - no real custom rule file
  # is referenced yet.
  102. UNIQUE_VALUE_HERE:
  103. file: 'PROD'
  104. path: 'salt://path/to/modsecurity/custom/file'
  105. enabled: True
  106.  
  # Formula lookup overrides plus global directives and the name-based virtual
  # host list. Indentation was lost in the paste.
  # NOTE(review): in the pillar.data output further down the page, `global` and
  # `name_virtual_hosts` are printed between `default_charset` and `version`,
  # i.e. inside `lookup` (the output is key-sorted). If the formula reads them
  # at the `apache` level, they are one indent too deep and are being ignored -
  # verify against the formula.
  107. apache:
  108. lookup:
  # Quoted so the version stays the string '2.4' rather than a float.
  109. version: '2.4'
  110. default_charset: 'UTF-8'
  111.  
  112. global:
  # NOTE(review): Apache's default is Off. With 'On', encoded slashes (%2F) in
  # the URL path are accepted and decoded, which can let a request slip past
  # path-based access rules or reach a backend with a different path than the
  # one that was checked. The Apache docs recommend NoDecode when encoded
  # slashes are really needed.
  113. AllowEncodedSlashes: 'On'
  114.  
  115. name_virtual_hosts:
  116. - interface: '*'
  117. port: 80
  # Port 443 is declared here, but the only site defined in this paste uses
  # port '80'; no TLS virtual host settings appear on the page.
  118. - interface: '*'
  119. port: 443
  120.  
  121. salt 'ubuntu-xenial-salt' pillar.data
  122.  
  123. ubuntu-xenial-salt:
  124. ----------
  125. apache:
  126. ----------
  127. keepalive:
  128. On
  129. lookup:
  130. ----------
  131. default_charset:
  132. UTF-8
  133. global:
  134. ----------
  135. AllowEncodedSlashes:
  136. On
  137. name_virtual_hosts:
  138. |_
  139. ----------
  140. interface:
  141. *
  142. port:
  143. 80
  144. |_
  145. ----------
  146. interface:
  147. *
  148. port:
  149. 443
  150. version:
  151. 2.4
  152. mod_remoteip:
  153. ----------
  154. RemoteIPHeader:
  155. X-Forwarded-For
  156. RemoteIPTrustedProxy:
  157. - 10.0.8.0/24
  158. - 127.0.0.1
  159. mod_security:
  160. ----------
  161. crs_install:
  162. True
  163. custom_rule_files:
  164. ----------
  165. UNIQUE_VALUE_HERE:
  166. ----------
  167. enabled:
  168. True
  169. file:
  170. PROD
  171. path:
  172. salt://path/to/modsecurity/custom/file
  173. manage_config:
  174. True
  175. rules:
  176. ----------
  177. enabled:
  178. None
  179. modsecurity_crs_10_setup.conf:
  180. ----------
  181. enabled:
  182. True
  183. rule_set:
  184. modsecurity_crs_20_protocol_violations.conf:
  185. ----------
  186. enabled:
  187. False
  188. rule_set:
  189. base_rules
  190. sec_debug_log_level:
  191. 3
  192. sec_pcre_match_limit:
  193. 15000
  194. sec_pcre_match_limit_recursion:
  195. 15000
  196. sec_request_body_access:
  197. On
  198. sec_request_body_in_memory_limit:
  199. 114002
  200. sec_request_body_limit:
  201. 14000000
  202. sec_request_body_limit_action:
  203. Reject
  204. sec_request_body_no_files_limit:
  205. 114002
  206. sec_rule_engine:
  207. On
  208. modules:
  209. ----------
  210. disabled:
  211. - ldap
  212. enabled:
  213. - ssl
  214. - rewrite
  215. register-site:
  216. ----------
  217. UNIQUE_VALUE_HERE:
  218. ----------
  219. name:
  220. PROD
  221. path:
  222. salt://path/to/sites-available/conf/file
  223. state:
  224. enabled
  225. security:
  226. ----------
  227. ServerTokens:
  228. Prod
  229. sites:
  230. ----------
  231. ubuntu-salt-xenial:
  232. ----------
  233. CustomLog:
  234. /var/log/apache2/example.com-access.log
  235. Directory:
  236. ----------
  237. default:
  238. ----------
  239. AllowOverride:
  240. None
  241. Options:
  242. -Indexes +FollowSymLinks
  243. Require:
  244. all granted
  245. DocumentRoot:
  246. /var/www/ubuntu-salt-xenial/
  247. ErrorLog:
  248. /var/log/apache2/example.com-error.log
  249. LogLevel:
  250. debug
  251. ServerAdmin:
  252. minion@ubuntu-salt-xenial.com
  253. ServerAlias:
  254. ubuntu-salt-xenial
  255. ServerName:
  256. ubuntu-salt-xenial
  257. enabled:
  258. True
  259. exclude_listen_directive:
  260. True
  261. interface:
  262. *
  263. port:
  264. 80
  265. template_engine:
  266. jinja
  267. template_file:
  268. salt://apache/vhosts/standard.tmpl