Adding states for Apache2
authorFrank Brehm <frank@brehm-online.com>
Wed, 26 Oct 2016 10:15:24 +0000 (12:15 +0200)
committerFrank Brehm <frank@brehm-online.com>
Wed, 26 Oct 2016 10:15:24 +0000 (12:15 +0200)
apache2/files/000-default.conf [new file with mode: 0644]
apache2/files/custom-log.conf [new file with mode: 0644]
apache2/files/default-include.conf [new file with mode: 0644]
apache2/files/default-ssl.conf [new file with mode: 0644]
apache2/files/logrotate.conf [new file with mode: 0644]
apache2/init.sls [new file with mode: 0644]
fail2ban/files/apache-jail.conf [new file with mode: 0644]
fail2ban/init.sls
top.sls

diff --git a/apache2/files/000-default.conf b/apache2/files/000-default.conf
new file mode 100644 (file)
index 0000000..46a6e5d
--- /dev/null
@@ -0,0 +1,7 @@
+<VirtualHost *:80>
+
+       Include sites-available/default-include.conf
+
+</VirtualHost>
+
+# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
diff --git a/apache2/files/custom-log.conf b/apache2/files/custom-log.conf
new file mode 100644 (file)
index 0000000..6f0a244
--- /dev/null
@@ -0,0 +1,12 @@
+
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%T\" \"%v\" \"%f\"" full
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" \"%T\" \"%v\" \"%f\"" full_combined
+
+<IfModule logio_module>
+       # You need to enable mod_logio.c to use %I and %O
+       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"  \"%T\" \"%v\" \"%f\" %I %O" full_io
+       LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+       LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" vhostio
+</IfModule>
+
+# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
diff --git a/apache2/files/default-include.conf b/apache2/files/default-include.conf
new file mode 100644 (file)
index 0000000..677f416
--- /dev/null
@@ -0,0 +1,39 @@
+
+#ServerName www.example.com
+
+ServerAdmin frank@brehm-online.com
+DocumentRoot /var/www/html
+
+#LogLevel info ssl:warn
+
+ErrorLog ${APACHE_LOG_DIR}/error.log
+CustomLog ${APACHE_LOG_DIR}/access.log full_combined
+
+#Include conf-available/serve-cgi-bin.conf
+
+#Alias /Debian/ /home/repo/repos/Debian/
+#<Directory "/home/repo/repos/Debian">
+#      Options Indexes FollowSymLinks
+#      AllowOverride All
+#      Order allow,deny
+#      Allow from all
+#</Directory>
+
+#Alias /Ubuntu/ /home/repo/repos/Ubuntu/
+#<Directory "/home/repo/repos/Ubuntu">
+#      Options Indexes FollowSymLinks
+#      AllowOverride All
+#      Order allow,deny
+#      Allow from all
+#</Directory>
+
+#Alias /public/ /home/repo/public/
+#<Directory "/home/repo/public">
+#      Options Indexes FollowSymLinks
+#      AllowOverride All
+#      Order allow,deny
+#      Allow from all
+#</Directory>
+
+
+# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
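Review bot: The commented-out repository `<Directory>` blocks (the `Order allow,deny` / `Allow from all` lines) are Apache 2.2 access syntax; on the 2.4 releases Debian and Ubuntu shipped in 2016 they only work with mod_access_compat loaded and should become `Require all granted` if they are ever revived. They also pair `Options Indexes FollowSymLinks` with `AllowOverride All`, which would expose directory listings and let any `.htaccess` dropped into the repo tree override server config; `Options Indexes SymLinksIfOwnerMatch` with `AllowOverride None` is the safer starting point. `ServerAdmin frank@brehm-online.com` is rendered into default error pages whenever `ServerSignature On` is in effect (Debian's shipped security.conf default), so a role address or a pillar value is preferable to a personal one. This include is pulled into both the :80 and :443 vhosts, so anything set here applies to both.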
diff --git a/apache2/files/default-ssl.conf b/apache2/files/default-ssl.conf
new file mode 100644 (file)
index 0000000..4e0f5cc
--- /dev/null
@@ -0,0 +1,40 @@
+<IfModule mod_ssl.c>
+       <VirtualHost _default_:443>
+
+               Include sites-available/default-include.conf
+
+               SSLEngine on
+
+               SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
+               SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+               #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+               #SSLCACertificatePath /etc/ssl/certs/
+               #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+               #SSLCARevocationPath /etc/apache2/ssl.crl/
+               #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+               #SSLVerifyClient require
+               #SSLVerifyDepth  10
+
+               #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+               <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                       SSLOptions +StdEnvVars
+               </FilesMatch>
+               <Directory /usr/lib/cgi-bin>
+                       SSLOptions +StdEnvVars
+               </Directory>
+
+               BrowserMatch "MSIE [2-6]" \
+                       nokeepalive ssl-unclean-shutdown \
+                       downgrade-1.0 force-response-1.0
+               # MSIE 7 and newer should be able to use keepalive
+               BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+       </VirtualHost>
+</IfModule>
+
+# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
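Review bot: The `SSLCertificateFile`/`SSLCertificateKeyFile` lines are hard-coded to the Debian snakeoil self-signed pair even though the state renders this file with `template: jinja`, so every host serves a browser-untrusted certificate and deploying a real one means editing the state rather than pillar: `SSLCertificateFile {{ salt['pillar.get']('apache2:ssl_cert', '/etc/ssl/certs/ssl-cert-snakeoil.pem') }}` and `SSLCertificateKeyFile {{ salt['pillar.get']('apache2:ssl_key', '/etc/ssl/private/ssl-cert-snakeoil.key') }}`. The vhost sets no `SSLProtocol` or `SSLCipherSuite`, so it inherits whatever `mods-available/ssl.conf` carries on the minion, which this state does not manage; pin at least `SSLProtocol all -SSLv3 -TLSv1` here or manage ssl.conf explicitly. Nothing in this commit enables mod_ssl or links `default-ssl.conf` into `sites-enabled`, so as far as I can see the TLS vhost is inert unless that is done out of band. The `BrowserMatch "MSIE [17-9]"` pattern also matches `MSIE 1`; it is inherited from Debian's default and harmless, but `MSIE [7-9]` is what the comment above it describes.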
diff --git a/apache2/files/logrotate.conf b/apache2/files/logrotate.conf
new file mode 100644 (file)
index 0000000..5176131
--- /dev/null
@@ -0,0 +1,24 @@
+/var/log/apache2/*.log {
+       daily
+       missingok
+       rotate 14
+       dateext
+       compress
+       delaycompress
+       notifempty
+       size 4M
+       create 640 root adm
+       sharedscripts
+       postrotate
+               if /etc/init.d/apache2 status > /dev/null ; then \
+                       /etc/init.d/apache2 reload > /dev/null; \
+               fi;
+       endscript
+       prerotate
+               if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+                       run-parts /etc/logrotate.d/httpd-prerotate; \
+               fi; \
+       endscript
+}
+
+# vim: ts=4 filetype=conf
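Review bot: `size 4M` is mutually exclusive with `daily` in logrotate and the later directive wins, so these logs rotate only when they exceed 4M and `rotate 14` then means 14 size-triggered rotations rather than 14 days of retention. With `dateext` a second size-triggered rotation on the same day also collides on the `-YYYYMMDD` suffix and logrotate skips it with an error, so a busy server can lose the expected daily cut entirely. If the intent is daily rotation with a size cap, use `maxsize 4M`, which rotates on whichever comes first while keeping the daily schedule; otherwise drop `daily` so the retention policy reads as it actually behaves.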
diff --git a/apache2/init.sls b/apache2/init.sls
new file mode 100644 (file)
index 0000000..d27f0fd
--- /dev/null
@@ -0,0 +1,155 @@
+{%- set has_apache = salt['pillar.get']('has_apache', False) %}
+{%- if has_apache %}
+
+apache2:
+  pkg.installed:
+    - name: apache2
+  service.running:
+    - name: apache2
+    - enable: True
+    - require:
+      - pkg: apache2
+      - file: apache2_custom_log_symlink
+      - file: apache2_default_config_include
+      - file: apache2_default_config
+      - file: apache2_default_config_ssl
+    - watch:
+      - file: apache2_custom_log_conf
+      - file: apache2_default_config_include
+      - file: apache2_default_config
+      - file: apache2_default_config_include
+    - onlyif:
+      - test -x /etc/init.d/apache2
+
+apache2_conf_dir:
+  file.directory:
+    - name: /etc/apache2
+    - user: root
+    - group: root
+    - mode: 0755
+    - require:
+      - pkg: apache2
+
+apache2_avail_mod_conf_dir:
+  file.directory:
+    - name: /etc/apache2/mods-available
+    - user: root
+    - group: root
+    - mode: 0755
+    - require:
+      - file: apache2_conf_dir
+
+apache2_enabled_mod_conf_dir:
+  file.directory:
+    - name: /etc/apache2/mods-enabled
+    - user: root
+    - group: root
+    - mode: 0755
+    - require:
+      - file: apache2_conf_dir
+
+apache2_avail_conf_conf_dir:
+  file.directory:
+    - name: /etc/apache2/conf-available
+    - user: root
+    - group: root
+    - mode: 0755
+    - require:
+      - file: apache2_conf_dir
+
+apache2_enabled_conf_conf_dir:
+  file.directory:
+    - name: /etc/apache2/conf-enabled
+    - user: root
+    - group: root
+    - mode: 0755
+    - require:
+      - file: apache2_conf_dir
+
+apache2_custom_log_conf:
+  file.managed:
+    - name: /etc/apache2/conf-available/custom-log.conf
+    - source: salt://apache2/files/custom-log.conf
+    - user: root
+    - group: root
+    - mode: 0755
+    - require:
+      - file: apache2_avail_conf_conf_dir
+
+apache2_custom_log_symlink:
+  file.symlink:
+    - name: /etc/apache2/conf-enabled/custom-log.conf
+    - target: ../conf-available/custom-log.conf
+    - force: True
+    - backupname: /etc/apache2/conf-enabled/custom-log.conf.disabled
+    - user: root
+    - group: root
+    - require:
+      - file: apache2_enabled_conf_conf_dir
+      - file: apache2_custom_log_conf
+
+apache2_sites_conf_dir:
+  file.directory:
+    - name: /etc/apache2/sites-available
+    - user: root
+    - group: root
+    - mode: 0755
+    - require:
+      - file: apache2_conf_dir
+
+apache2_default_config_include:
+  file.managed:
+    - name: /etc/apache2/sites-available/default-include.conf
+    - source: salt://apache2/files/default-include.conf
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - backup: minion
+    - require:
+      - pkg: apache2
+      - file: apache2_sites_conf_dir
+      - file: apache2_custom_log_symlink
+
+apache2_default_config:
+  file.managed:
+    - name: /etc/apache2/sites-available/000-default.conf
+    - source: salt://apache2/files/000-default.conf
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - backup: minion
+    - require:
+      - pkg: apache2
+      - file: apache2_default_config_include
+
+apache2_default_config_ssl:
+  file.managed:
+    - name: /etc/apache2/sites-available/default-ssl.conf
+    - source: salt://apache2/files/default-ssl.conf
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - backup: minion
+    - require:
+      - pkg: apache2
+      - file: apache2_default_config_include
+
+apache2_logrotate:
+  file.managed:
+    - name: /etc/logrotate.d/apache2
+    - source: salt://apache2/files/logrotate.conf
+    - user: root
+    - group: root
+    - mode: 644
+    - makedirs: True
+    - template: jinja
+    - backup: minion
+    - require:
+      - pkg: apache2
+      - file: apache2_default_config_include
+
+{%- endif %}
+
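Review bot: `apache2_custom_log_conf` installs `/etc/apache2/conf-available/custom-log.conf` with `mode: 0755`, i.e. an executable config file, while every other managed config in this state uses `644`; change it to `- mode: 0644`. The `watch:` list on the `apache2` service names `apache2_default_config_include` twice and omits `apache2_default_config_ssl`, so edits to default-ssl.conf are deployed without a reload; replace the duplicate with `- file: apache2_default_config_ssl`. The state also writes `default-ssl.conf` into `sites-available` but never creates the `sites-enabled` symlink or enables mod_ssl, so the TLS vhost is inert unless enabled elsewhere — either add a `file.symlink` like `apache2_custom_log_symlink` or comment that it is intentionally left disabled. Since `watch` already implies `require` in Salt, the `require` entries for the watched files are redundant and can be dropped to keep the requisites readable.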
diff --git a/fail2ban/files/apache-jail.conf b/fail2ban/files/apache-jail.conf
new file mode 100644 (file)
index 0000000..8a663b5
--- /dev/null
@@ -0,0 +1,44 @@
+
+[apache]
+
+enabled  = true
+port     = http,https
+filter   = apache-auth
+logpath  = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-noscript]
+
+enabled  = true
+port     = http,https
+filter   = apache-noscript
+logpath  = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-overflows]
+
+enabled  = true
+port     = http,https
+filter   = apache-overflows
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-modsecurity]
+
+enabled  = true
+filter   = apache-modsecurity
+port     = http,https
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-nohome]
+
+enabled  = true
+filter   = apache-nohome
+port     = http,https
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+
+
+# vim: filetype=dosini
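Review bot: The `[apache-modsecurity]` jail is enabled, but nothing in this change installs or loads mod_security, so the filter will never match on these hosts and the jail is dead weight; gate it behind a pillar flag once ModSecurity is actually managed. None of the jails set `bantime`, `findtime` or `action`, so they inherit whatever `[DEFAULT]` in jail.conf/jail.local provides on the minion — if the ssh jail this repo already ships pins those, mirror them here so the Apache jails do not silently fall back to the package defaults. All five jails watch only `*error.log`; the access log is never scanned, so shipped filters such as `apache-badbots` are not covered. The stanza name `[apache]` differs from the `[apache-auth]` jail fail2ban ships for the same filter, so enabling both elsewhere would double-count the same events.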
index 873de301b9c78cfa3c54c8594a9a854d3c668036..75572eddc756b8a9a37980c0666b26470957f3b3 100644 (file)
@@ -1,3 +1,4 @@
+{%- set has_apache = salt['pillar.get']('has_apache', False) %}
 
 fail2ban:
   pkg.installed:
@@ -67,6 +68,23 @@ file2ban_{{ filename }}:
     - require:
       - pkg: fail2ban
 
+{%- if has_apache %}
+
+/etc/fail2ban/jail.d/apache-jail.conf:
+  file.managed:
+    - source: salt://fail2ban/files/apache-jail.conf
+    - user: root
+    - group: root
+    - mode: 644
+    - backup: minion
+    - require:
+      - pkg: fail2ban
+      - file: /etc/fail2ban/jail.d
+    - watch_in:
+      - service: fail2ban
+
+{%- endif %}
+
 /etc/fail2ban/jail.d/ssh.conf:
   file.managed:
     - source: salt://fail2ban/files/ssh-jail.conf
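Review bot: The `{%- if has_apache %}` block only ever adds `/etc/fail2ban/jail.d/apache-jail.conf`; flipping the pillar back to False leaves the file in place, and once Apache and its log directory are gone fail2ban will find no file matching the jail's `logpath` and (on 0.9.x, as far as I recall) refuse to start those jails, which breaks the next service restart. Add an else branch that removes the file and reloads fail2ban so the pillar flag is authoritative in both directions. The enclosing state file continues past the hunk on both sides.
```yaml
{%- if has_apache %}
# … unchanged: apache-jail.conf file.managed …
{%- else %}

/etc/fail2ban/jail.d/apache-jail.conf:
  file.absent:
    - watch_in:
      - service: fail2ban

{%- endif %}
```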
diff --git a/top.sls b/top.sls
index 84467f326ee897c8e2c40000dfd66a1eeaa77e9c..dc1f45369d117f914700b7b70d6d9198fc20112a 100644 (file)
--- a/top.sls
+++ b/top.sls
@@ -16,6 +16,7 @@ base:
     - basic.root
     - utils.root
     - postfix.common
+    - apache
     - fail2ban
     - bind
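Review bot: `- apache` on the added line does not match the state directory this commit creates, which is `apache2/init.sls`; unless an `apache` state already exists elsewhere in the tree (it is not in the diffstat), a highstate will fail with "No matching sls found for 'apache'" for every minion in this `base` match. Change it to `- apache2`. The `has_apache` pillar gate inside apache2/init.sls already turns the state into a no-op on hosts without Apache, so including it unconditionally here is fine.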