Friday, November 14, 2014

Apache virtual hosts in saltstack

  I'll try to explain our environment a bit: we run a few machines that all require different virtual hosts and have different requirements. I try to keep these separated by hostname as much as I can. Separating them in SaltStack took a while to figure out, so here are my notes on it.

  The ssl_host grain is set by the grains.present states in the SLS below and then read back with grains.get in the same file. Because the Jinja is rendered before any state executes, the vhost states render nothing on the run that first sets the grain; they appear on the next run (grains.present on its own does not update the Apache config or remove files). I prefer to have test and prod listen with the same configurations and just do redirection based on IP addresses, since everything should work the same across all of them. Note what that implies: as the grains.get output below shows, the dev and test minions carry the production hostnames too, so they hold the production private keys — a compromise of a dev box exposes the prod key.

How the ssl_host grain ends up assigned on each minion (output of grains.get):

$ salt 'hostname*' grains.get "ssl_host"

hostname-dev.subdomain.example.com:
    - hostname1.example.com
    - hostname2.example.com
    - hostname1-test.example.com
    - hostname2-test.example.com
    - hostname1-dev.example.com
    - hostname2-dev.example.com

hostname-test.subdomain.example.com:
    - hostname1.example.com
    - hostname2.example.com
    - hostname1-test.example.com
    - hostname2-test.example.com
    - hostname1-dev.example.com
    - hostname2-dev.example.com

Common Configuration files


# Shared mod_ssl settings included by httpd (the file's contents live in
# the salt fileserver and are not shown in this post). Root-owned and
# unreadable by anyone else: httpd parses its configuration as root at
# startup, before dropping privileges, so 0400 is sufficient.
apache24.ssl:
  file.managed:
    - name: /usr/local/etc/apache24/Includes/ssl.conf
    - source: salt://apache24/usr/local/etc/apache24/Includes/ssl.conf
    - mode: '400'
    - user: root
    - group: wheel

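# Directory holding the private keys, certificates and the CA chain.
# Uses the file.directory state function directly instead of the older
# `file:` + `- directory` list form. Mode 0500 (no write bit) is not a
# barrier for root, which bypasses permission bits, so the file.managed
# states below can still populate it; it only keeps non-root users out.
/usr/local/etc/apache24/ssl:
  file.directory:
    - user: root
    - group: wheel
    - mode: '500'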

# InCommon intermediate chain. The chain is public material, so serving
# it from the salt fileserver is fine (the private keys fetched the same
# way further down are a different matter). The state ID doubles as the
# destination path, so no explicit `name` is needed.
/usr/local/etc/apache24/ssl/incommon.chain:
  file.managed:
    - source: salt://apache24/usr/local/etc/apache24/ssl/incommon.chain
    - mode: '400'
    - user: root
    - group: wheel

Mapping each host to its SSL settings

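# Which certificate/key pairs a minion receives is keyed off its `host`
# grain. Two caveats:
#   * Grains are set and reported by the minion itself, so a minion can
#     claim any `host` value; the key files further down are then fetched
#     from the salt fileserver, which every minion can read anyway. This
#     is a convenience mapping, not an access control. If the minions are
#     not all equally trusted, keep private keys in pillar, which is
#     targeted per minion.
#   * The `in` test is a substring match: 'hostname-dev' also matches a
#     host called hostname-dev2. An if/elif chain is used so that a host
#     matching both names cannot emit two states with the same ID (a
#     duplicate-ID render error).
# The hostnames listed here are the post's illustrative values; they do
# not match the grains.get output above one for one.
{% if 'hostname-dev' in grains.host %}
ssl_host:
  grains.present:
    - value:
        - hostname-dev.example.com
        - hostname2-test.example.com
{% elif 'hostname-test' in grains.host %}
ssl_host:
  grains.present:
    - value:
        - hostname-test.example.com
        - hostname-test2.example.com
{% endif %}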

Placing the configuration files based on what is set above

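# One key/cert pair and one set of vhost files per hostname in the
# ssl_host grain. The grain is read at Jinja render time, so on the run
# that first sets it this loop renders nothing; re-run the state.
# The per-host customisation lives in the shared template.jinja2 and
# branches on `i`, which is passed in through `context`.
#
# SECURITY NOTE: the private keys are served from the salt fileserver
# (salt://...). The fileserver has no per-minion access control -- any
# minion can `cp.get_file` any of these .key files, and a minion chooses
# its own grains. Prefer delivering keys through pillar, which is
# targeted per minion (e.g. file.managed with `contents_pillar`), if the
# minions are not all equally trusted.
{% set domainlist = salt['grains.get']('ssl_host', []) %}
{% for i in domainlist %}
/usr/local/etc/apache24/ssl/{{ i }}.key:
  file.managed:
    - source: salt://apache24/usr/local/etc/apache24/ssl/{{ i }}.key
    - user: root
    - group: wheel
    - mode: '400'
/usr/local/etc/apache24/ssl/{{ i }}.crt:
  file.managed:
    - source: salt://apache24/usr/local/etc/apache24/ssl/{{ i }}.crt
    - user: root
    - group: wheel
    - mode: '400'
# Per-host Apache directives (ServerName, DocumentRoot, rewrites), shared
# by the :80 and :443 vhosts. Rendered from the single template.jinja2
# listed under "Other config files" rather than a per-hostname .jinja2,
# which is what the comment at the top of this section and the
# template.conf.jinja2 state below already assume.
/usr/local/etc/apache24/vhost/{{ i }}:
  file.managed:
    - source: salt://apache24/usr/local/etc/apache24/vhost/template.jinja2
    - template: jinja
    - context:
        i: "{{ i }}"
    - user: root
    - group: wheel
    - mode: '400'
# SSL-only directives for this host (certificate paths).
/usr/local/etc/apache24/vhost/{{ i }}.ssl:
  file.managed:
    - source: salt://apache24/usr/local/etc/apache24/vhost/template.ssl.jinja2
    - template: jinja
    - context:
        i: "{{ i }}"
    - user: root
    - group: wheel
    - mode: '400'
# The <VirtualHost> wrappers. The destination must be per host: the
# original wrote every iteration to vhost/template.conf, so only the last
# hostname's vhosts survived. httpd.conf is assumed to Include
# vhost/*.conf (not shown here).
/usr/local/etc/apache24/vhost/{{ i }}.conf:
  file.managed:
    - source: salt://apache24/usr/local/etc/apache24/vhost/template.conf.jinja2
    - template: jinja
    - context:
        i: "{{ i }}"
    - user: root
    - group: wheel
    - mode: '400'
{% endfor %}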

Other config files

usr/local/etc/apache24/vhost/template.jinja2

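# Per-host directives, included by both the :80 and :443 <VirtualHost>
# blocks of template.conf.jinja2. `i` is the hostname handed in through the
# state's context. Inside Jinja tags the bare name `i` is used; the
# original wrapped it in a second pair of braces, which Jinja rejects, and
# used an `elif` with no condition, which is also a syntax error.
ServerName {{ i }}

{% if 'hostname2' in i %}
  DocumentRoot /usr/local/www
{% else %}
  # Both branches currently set the same root; the branch is kept so the
  # hostname2 sites can diverge later.
  DocumentRoot /usr/local/www
{% endif %}

# Per vhost configuration options
{% if 'hostname1' in i %}
  # Send everything except the Shibboleth handler to the protected entry
  # point over https. /protectedurl itself has to be excluded: this file is
  # also included in the :443 vhost, where the rule would otherwise redirect
  # /protectedurl to itself forever. The exclusions are anchored so only the
  # real handler path is exempt. The target uses the vhost's own ServerName
  # rather than %{HTTP_HOST}, so a client-supplied Host header is never
  # reflected into the Location header (it matters if this vhost ever ends
  # up as the default one).
  RewriteEngine On
  RewriteCond %{REQUEST_URI} !^/Shibboleth.sso
  RewriteCond %{REQUEST_URI} !^/protectedurl
  RewriteRule (.*) https://{{ i }}/protectedurl [R=301,L]
{% endif %}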

usr/local/etc/apache24/vhost/template.conf.jinja2

# <VirtualHost> wrapper rendered once per hostname by the
# template.conf.jinja2 state above. Include paths are relative to
# ServerRoot -- presumably /usr/local given this layout; confirm against
# httpd.conf.
<VirtualHost *:80>
# Plain-http vhost. Only the hostname1 sites carry the https redirect in
# the per-host file; every other host serves the same DocumentRoot in the
# clear here. NOTE(review): consider redirecting all of :80 to :443 and
# adding HSTS in the ssl include if cleartext service is not intended.
Include etc/apache24/vhost/{{ i }}
</VirtualHost>
<VirtualHost *:443>
# Certificate directives first, then the shared per-host directives.
Include etc/apache24/vhost/{{ i }}.ssl
Include etc/apache24/vhost/{{ i }}
</VirtualHost>

usr/local/etc/apache24/vhost/template.ssl.jinja2

# SSL-only directives for one host; included by the :443 vhost before the
# shared per-host file. defaults.ssl (presumably the protocol/cipher
# settings) is not shown in this post.
Include etc/apache24/vhost/defaults.ssl
# Key and cert are placed by the file.managed states above as root:wheel
# 0400; httpd opens them at startup before dropping privileges.
SSLCertificateFile etc/apache24/ssl/{{ i }}.crt
SSLCertificateKeyFile etc/apache24/ssl/{{ i }}.key
# NOTE(review): SSLCertificateChainFile is deprecated from Apache 2.4.8,
# where the intermediates are expected to be appended to the .crt file
# instead. Check the installed httpd version.
SSLCertificateChainFile etc/apache24/ssl/incommon.chain

