author | Silvio Rhatto <rhatto@riseup.net> | 2010-02-17 19:30:17 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2010-02-17 19:30:17 -0200 |
commit | 16e684ac77c95789a9903cdbeb5baf5b95cfe07c (patch) | |
tree | a67d6f0ee802fba0eaa727e44dd36798bde97e47 | |
parent | 24dac3e185d66299519f80f990436028c3a6cf15 (diff) | |
Split proxy config
-rw-r--r-- | manifests/init.pp | 9 | ||||
-rw-r--r-- | templates/puppetmaster.conf.erb | 18 | ||||
-rw-r--r-- | templates/puppetmaster.erb | 129 |
3 files changed, 69 insertions, 87 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 11c1166..7d28fa1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -115,6 +115,15 @@ class nginx::puppetmaster inherits nginx::base {
 $ssl_port = 8140,
 $non_ssl_port = 8141,
 $puppetmaster_servers = [ "127.0.0.1:18140" ]) {
+ file { "/etc/nginx/conf.d/puppetmaster.conf":
+ content => template("nginx/puppetmaster.conf.erb"),
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ notify => Service["nginx"],
+ }
+
 file { "/etc/nginx/sites-available/$name":
 content => template("nginx/puppetmaster.erb"),
 owner => "root",
diff --git a/templates/puppetmaster.conf.erb b/templates/puppetmaster.conf.erb
new file mode 100644
index 0000000..65240e7
--- /dev/null
+++ b/templates/puppetmaster.conf.erb
@@ -0,0 +1,18 @@
+# This configuration file was auto-generated by the Puppet configuration
+# management system. Any changes you make to this file will be overwritten
+# the next time Puppet runs. Please make configuration changes to this
+# service in Puppet.
+
+ssl on;
+ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem;
+ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem;
+ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
+ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
+ssl_session_cache shared:SSL:8m;
+ssl_session_timeout 5m;
+
+upstream puppet-production {
+ <% puppetmaster_servers.each do |upstream| -%>
+ server <%= upstream %>;
+ <% end -%>
+}
diff --git a/templates/puppetmaster.erb b/templates/puppetmaster.erb
index addd22a..c96472e 100644
--- a/templates/puppetmaster.erb
+++ b/templates/puppetmaster.erb
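Review bot: The new resource is keyed on the fixed path `/etc/nginx/conf.d/puppetmaster.conf` while the sibling resource right below it is keyed on `$name`, so if this definition can be evaluated more than once (which the `$name` reference suggests) the second evaluation fails with a duplicate resource declaration, and the `upstream puppet-production` block rendered by the template would also be declared twice in one nginx instance. If exactly one instance per host is the intent, say so in a comment above the resource so the next reader does not parameterise the wrong thing; otherwise key the file on the instance as the sites-available resource does, e.g. `file { "/etc/nginx/conf.d/puppetmaster-$name.conf":`, and give the upstream a matching name. The enclosing definition starts before this hunk.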
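Review bot: `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;` admits SSLv2-era suites and RC4 on the listener whose whole purpose is client-certificate authentication of agents; the cipher string should be replaced with something like `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;` and paired with an `ssl_protocols` line that excludes SSLv2 (the exact values accepted depend on the nginx version being deployed). The certificate, key and CA paths are hard-coded to `puppetmaster.example.com` in a template that is otherwise parameterised, so unless every deployment renames its certificate this needs the host name interpolated, e.g. `ssl_certificate /var/lib/puppet/ssl/certs/<%= fqdn %>.pem;`, or a template parameter. Nothing here points `ssl_crl` at the Puppet CA's revocation list, so an agent whose certificate has been revoked at the CA would still pass `ssl_verify_client on` at this proxy; either add it (if the nginx version in use supports the directive) or add a comment stating that revocation is not enforced here.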
@@ -3,94 +3,49 @@
 # the next time Puppet runs. Please make configuration changes to this
 # service in Puppet.
-user www-data www-data;
-worker_processes <%= worker_processes %>;
-
-error_log /var/log/nginx-puppet.log notice;
-pid /var/run/nginx-puppet.pid;
-
-events {
- worker_connections <%= worker_connections %>;
-}
-
-http {
- # include /etc/mime.types;
- default_type application/octet-stream;
-
- # no sendfile on OSX uncomment
- #this if your on linux or bsd
- sendfile on;
- tcp_nopush on;
-
- # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
- large_client_header_buffers 16 4k;
- proxy_buffers 128 4k;
-
- # if you adjust this setting to something higher
- # you should as well update the proxy_read_timeout
- # in the server config part (see below)
- # Otherwise nginx will rerequest a manifest compile.
- keepalive_timeout 65;
- tcp_nodelay on;
-
- ssl on;
- ssl_certificate /Library/Puppet/Generated/Server/SSL/host_cert.pem;
- ssl_certificate_key /Library/Puppet/Generated/Server/SSL/host_key.pem;
- ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
- ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
- ssl_session_cache shared:SSL:8m;
- ssl_session_timeout 5m;
-
- upstream puppet-production {
- <% puppetmaster_servers.each do |upstream| -%>
- server <%= upstream %>;
- <% end -%>
+server {
+ listen <%= ssl_port %>;
+ ssl_verify_client on;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;
+
+ # Variables
+ # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
+ # $ssl_client_serial returns the series number of client certificate for established SSL-connection
+ # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
+ # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
+ # $ssl_protocol returns the protocol of established SSL-connection
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify SUCCESS;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
 }
+}
- server {
- listen <%= ssl_port %>;
- ssl_verify_client on;
- root /var/empty;
- access_log /var/log/nginx/access-<%= ssl_port %>.log;
- rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;
-
- # Variables
- # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
- # $ssl_client_serial returns the series number of client certificate for established SSL-connection
- # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
- # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
- # $ssl_protocol returns the protocol of established SSL-connection
-
- location / {
- proxy_pass http://puppet-production;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify SUCCESS;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
- }
-
- server {
- listen <%= non_ssl_port %>;
- ssl_verify_client off;
- root /var/empty;
- access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
- rewrite_log /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
-
- location / {
- proxy_pass http://puppet-production;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify FAILURE;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
+server {
+ listen <%= non_ssl_port %>;
+ ssl_verify_client off;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify FAILURE;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
 }
 }
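Review bot: In the `listen <%= ssl_port %>` server, `proxy_set_header X-Client-Verify SUCCESS;` is unconditional, so the backend's trust in that header rests entirely on `ssl_verify_client on` staying in effect and on `ssl on` being picked up from the separate conf.d file this commit introduces; forwarding nginx's own verdict with `proxy_set_header X-Client-Verify $ssl_client_verify;` fails closed if either is ever lost, since that variable only reads `SUCCESS` after a verified handshake. The X-SSL-Subject and X-SSL-Issuer headers on both listeners are likewise only meaningful if the upstream (`127.0.0.1:18140` by default, per init.pp) can be reached solely through this proxy, which nothing in the template enforces and which deserves a comment above the `upstream` consumers here. Separately, `rewrite_log` is, as far as I know, an on/off flag rather than a log path, so `rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;` is likely to be rejected at config test; either drop the two lines or use `rewrite_log on;` and let the notices go to `error_log`. The first two lines of the template sit outside this hunk.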