--- /dev/null
+<VirtualHost *:80>
+
+ Include sites-available/default-include.conf
+
+</VirtualHost>
+
+# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
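Review bot: The port-80 vhost at line 2 serves the full DocumentRoot from default-include.conf over plaintext, and nothing redirects to the TLS vhost that default-ssl.conf in the same change defines. If plain HTTP is deliberate (the commented apt-repository aliases in the include suggest it may be, since apt clients are often configured for http), a one-line comment such as `# Plain HTTP kept intentionally for package-repository clients; no HTTPS redirect` would stop a later hardening pass from breaking them. If HTTPS is meant to be the primary endpoint, replace the Include here with `RewriteEngine on`, `RewriteCond %{HTTPS} !=on` and `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]` so the plain vhost only redirects.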
--- /dev/null
+
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%T\" \"%v\" \"%f\"" full
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" \"%T\" \"%v\" \"%f\"" full_combined
+
+<IfModule logio_module>
+ # You need to enable mod_logio.c to use %I and %O
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%T\" \"%v\" \"%f\" %I %O" full_io
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+ LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" vhostio
+</IfModule>
+
+# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
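Review bot: `full_combined` on line 12 uses `%O` but sits outside the `<IfModule logio_module>` guard that line 15 itself says is required for `%I`/`%O`; since default-include.conf's `CustomLog` references `full_combined`, a build without mod_logio fails the configuration parse on an unrecognised format directive instead of degrading. On Debian/Ubuntu apache2 builds mod_logio is, as far as I recall, compiled in statically, so this is probably latent, but the guard is contradictory as written: either move the `full_combined` line inside the `<IfModule>` block or use `%b` there. Also `%v` appears twice in `full_combined` (in the `%v:%p` prefix and again as `\"%v\"`); dropping the second keeps the line parseable by standard log tools that expect the documented combined layout.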
--- /dev/null
+
+#ServerName www.example.com
+
+ServerAdmin frank@brehm-online.com
+DocumentRoot /var/www/html
+
+#LogLevel info ssl:warn
+
+ErrorLog ${APACHE_LOG_DIR}/error.log
+CustomLog ${APACHE_LOG_DIR}/access.log full_combined
+
+#Include conf-available/serve-cgi-bin.conf
+
+#Alias /Debian/ /home/repo/repos/Debian/
+#<Directory "/home/repo/repos/Debian">
+# Options Indexes FollowSymLinks
+# AllowOverride All
+# Order allow,deny
+# Allow from all
+#</Directory>
+
+#Alias /Ubuntu/ /home/repo/repos/Ubuntu/
+#<Directory "/home/repo/repos/Ubuntu">
+# Options Indexes FollowSymLinks
+# AllowOverride All
+# Order allow,deny
+# Allow from all
+#</Directory>
+
+#Alias /public/ /home/repo/public/
+#<Directory "/home/repo/public">
+# Options Indexes FollowSymLinks
+# AllowOverride All
+# Order allow,deny
+# Allow from all
+#</Directory>
+
+
+# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
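Review bot: `ServerAdmin frank@brehm-online.com` on line 26 hardcodes a personal address into a file the apache2 state deploys with `template: jinja`, so every minion that picks up this state carries it and exposes it in error pages wherever `ServerSignature EMail` is active. Take it from pillar with a neutral fallback, e.g. `ServerAdmin {{ salt['pillar.get']('apache:server_admin', 'webmaster@localhost') }}`. The commented `<Directory>` blocks at lines 37-58 use the 2.2-style `Order allow,deny` / `Allow from all`, which on Apache 2.4 only works with mod_access_compat loaded; if they are intended to be re-enabled, `Require all granted` is the 2.4 form, and `AllowOverride None` rather than `All` avoids honouring arbitrary `.htaccess` files under a package-repository tree.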
--- /dev/null
+<IfModule mod_ssl.c>
+ <VirtualHost _default_:443>
+
+ Include sites-available/default-include.conf
+
+ SSLEngine on
+
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+ #SSLCACertificatePath /etc/ssl/certs/
+ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+ #SSLCARevocationPath /etc/apache2/ssl.crl/
+ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+ <Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+ </Directory>
+
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ </VirtualHost>
+</IfModule>
+
+# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
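Review bot: The TLS vhost at lines 70-71 is pinned to the `ssl-cert-snakeoil` self-signed pair, so every host receiving this state presents the same untrusted placeholder certificate. Because the deploying state renders this file as Jinja, the paths would be better sourced from pillar with the snakeoil pair only as an explicit development fallback, e.g. `SSLCertificateFile {{ salt['pillar.get']('apache:ssl_cert', '/etc/ssl/certs/ssl-cert-snakeoil.pem') }}` and the matching `SSLCertificateKeyFile`. The vhost also sets neither `SSLProtocol` nor `SSLCipherSuite`, so it inherits whatever the minion's mod_ssl defaults are; if that reliance is intended, a comment saying so would help the next reader. Note that nothing in the accompanying apache2 state creates the sites-enabled symlink or enables mod_ssl, so as committed this vhost is written but never served.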
--- /dev/null
+/var/log/apache2/*.log {
+ daily
+ missingok
+ rotate 14
+ dateext
+ compress
+ delaycompress
+ notifempty
+ size 4M
+ create 640 root adm
+ sharedscripts
+ postrotate
+ if /etc/init.d/apache2 status > /dev/null ; then \
+ /etc/init.d/apache2 reload > /dev/null; \
+ fi;
+ endscript
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+ run-parts /etc/logrotate.d/httpd-prerotate; \
+ fi; \
+ endscript
+}
+
+# vim: ts=4 filetype=conf
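Review bot: `size 4M` on line 112 comes after `daily` on line 105, and in logrotate the later of the two takes precedence, so the daily schedule is ignored and a file rotates only once it exceeds 4M; combined with `rotate 14` that turns retention into 14 x 4 MB of history rather than 14 days, which on a quiet host can leave months of entries in a single file and on a busy one far less than two weeks for incident reconstruction. If the intent is "daily, or sooner when the file grows large", `maxsize 4M` (logrotate 3.8.1 and later) combines with `daily`; otherwise drop the `size` line. The trailing `fi; \` before `endscript` in the prerotate block is harmless, but the backslash on the last line is unnecessary and easy to misread as a missing continuation.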
--- /dev/null
+{%- set has_apache = salt['pillar.get']('has_apache', False) %}
+{%- if has_apache %}
+
+apache2:
+ pkg.installed:
+ - name: apache2
+ service.running:
+ - name: apache2
+ - enable: True
+ - require:
+ - pkg: apache2
+ - file: apache2_custom_log_symlink
+ - file: apache2_default_config_include
+ - file: apache2_default_config
+ - file: apache2_default_config_ssl
+ - watch:
+ - file: apache2_custom_log_conf
+ - file: apache2_default_config_include
+ - file: apache2_default_config
+ - file: apache2_default_config_include
+ - onlyif:
+ - test -x /etc/init.d/apache2
+
+apache2_conf_dir:
+ file.directory:
+ - name: /etc/apache2
+ - user: root
+ - group: root
+ - mode: 0755
+ - require:
+ - pkg: apache2
+
+apache2_avail_mod_conf_dir:
+ file.directory:
+ - name: /etc/apache2/mods-available
+ - user: root
+ - group: root
+ - mode: 0755
+ - require:
+ - file: apache2_conf_dir
+
+apache2_enabled_mod_conf_dir:
+ file.directory:
+ - name: /etc/apache2/mods-enabled
+ - user: root
+ - group: root
+ - mode: 0755
+ - require:
+ - file: apache2_conf_dir
+
+apache2_avail_conf_conf_dir:
+ file.directory:
+ - name: /etc/apache2/conf-available
+ - user: root
+ - group: root
+ - mode: 0755
+ - require:
+ - file: apache2_conf_dir
+
+apache2_enabled_conf_conf_dir:
+ file.directory:
+ - name: /etc/apache2/conf-enabled
+ - user: root
+ - group: root
+ - mode: 0755
+ - require:
+ - file: apache2_conf_dir
+
+apache2_custom_log_conf:
+ file.managed:
+ - name: /etc/apache2/conf-available/custom-log.conf
+ - source: salt://apache2/files/custom-log.conf
+ - user: root
+ - group: root
+ - mode: 0755
+ - require:
+ - file: apache2_avail_conf_conf_dir
+
+apache2_custom_log_symlink:
+ file.symlink:
+ - name: /etc/apache2/conf-enabled/custom-log.conf
+ - target: ../conf-available/custom-log.conf
+ - force: True
+ - backupname: /etc/apache2/conf-enabled/custom-log.conf.disabled
+ - user: root
+ - group: root
+ - require:
+ - file: apache2_enabled_conf_conf_dir
+ - file: apache2_custom_log_conf
+
+apache2_sites_conf_dir:
+ file.directory:
+ - name: /etc/apache2/sites-available
+ - user: root
+ - group: root
+ - mode: 0755
+ - require:
+ - file: apache2_conf_dir
+
+apache2_default_config_include:
+ file.managed:
+ - name: /etc/apache2/sites-available/default-include.conf
+ - source: salt://apache2/files/default-include.conf
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+ - backup: minion
+ - require:
+ - pkg: apache2
+ - file: apache2_sites_conf_dir
+ - file: apache2_custom_log_symlink
+
+apache2_default_config:
+ file.managed:
+ - name: /etc/apache2/sites-available/000-default.conf
+ - source: salt://apache2/files/000-default.conf
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+ - backup: minion
+ - require:
+ - pkg: apache2
+ - file: apache2_default_config_include
+
+apache2_default_config_ssl:
+ file.managed:
+ - name: /etc/apache2/sites-available/default-ssl.conf
+ - source: salt://apache2/files/default-ssl.conf
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+ - backup: minion
+ - require:
+ - pkg: apache2
+ - file: apache2_default_config_include
+
+apache2_logrotate:
+ file.managed:
+ - name: /etc/logrotate.d/apache2
+ - source: salt://apache2/files/logrotate.conf
+ - user: root
+ - group: root
+ - mode: 644
+ - makedirs: True
+ - template: jinja
+ - backup: minion
+ - require:
+ - pkg: apache2
+ - file: apache2_default_config_include
+
+{%- endif %}
+
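Review bot: `apache2_custom_log_conf` at line 203 installs a plain Apache config file with `mode: 0755`, making it executable for no reason while every other managed config file in this state uses 644; change it to `mode: 644`. The `watch` list of the `apache2` service (lines 144-148) names `apache2_default_config_include` twice and omits `apache2_default_config_ssl`, so edits to default-ssl.conf never trigger a reload; replace the duplicate entry with `- file: apache2_default_config_ssl`. Note also that default-ssl.conf is written to sites-available but nothing here manages a sites-enabled symlink for it or enables mod_ssl, so the TLS vhost is deployed inactive; if that is intended, a comment on the `apache2_default_config_ssl` state saying so would save the next reader from assuming TLS is live.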
--- /dev/null
+
+[apache]
+
+enabled = true
+port = http,https
+filter = apache-auth
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-noscript]
+
+enabled = true
+port = http,https
+filter = apache-noscript
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-overflows]
+
+enabled = true
+port = http,https
+filter = apache-overflows
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-modsecurity]
+
+enabled = true
+filter = apache-modsecurity
+port = http,https
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-nohome]
+
+enabled = true
+filter = apache-nohome
+port = http,https
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+
+
+# vim: filetype=dosini
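Review bot: The `[apache-modsecurity]` jail at line 310 is enabled although nothing in this change installs or loads mod_security, so it tails error.log for patterns that cannot appear; either drop it or gate it on a pillar flag next to a state that actually installs the module. None of the jails set `bantime` or `findtime`, so they inherit whatever jail.conf or jail.local defines on the minion, and the `[apache]` jail name is not one of fail2ban's stock jail sections (the stock one is `apache-auth`), which is fine because `filter` is explicit but worth a comment so nobody looks for matching defaults. A short header such as `# Jails tail the error log only; access-log based jails (e.g. apache-badbots) are not enabled here` would document the coverage boundary.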
+{%- set has_apache = salt['pillar.get']('has_apache', False) %}
fail2ban:
pkg.installed:
- require:
- pkg: fail2ban
+{%- if has_apache %}
+
+/etc/fail2ban/jail.d/apache-jail.conf:
+ file.managed:
+ - source: salt://fail2ban/files/apache-jail.conf
+ - user: root
+ - group: root
+ - mode: 644
+ - backup: minion
+ - require:
+ - pkg: fail2ban
+ - file: /etc/fail2ban/jail.d
+ - watch_in:
+ - service: fail2ban
+
+{%- endif %}
+
/etc/fail2ban/jail.d/ssh.conf:
file.managed:
- source: salt://fail2ban/files/ssh-jail.conf
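Review bot: The new `/etc/fail2ban/jail.d/apache-jail.conf` state (lines 336-347) exists only while `has_apache` is true, so flipping the pillar back to false on a minion leaves the jail file in place and fail2ban keeps trying to tail `/var/log/apache*/*error.log` for a service that may no longer be there; an `{%- else %}` branch with `file.absent` on the same path, also watched by the service, makes the state reversible. The `require` on `file: /etc/fail2ban/jail.d` refers to a state ID outside this hunk, which I assume is declared elsewhere in the same init.sls. The enclosing file continues past the end of the hunk.
```yaml
{%- else %}

/etc/fail2ban/jail.d/apache-jail.conf:
  file.absent:
    - watch_in:
      - service: fail2ban

{%- endif %}
```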
- basic.root
- utils.root
- postfix.common
+ - apache
- fail2ban
- bind