authorSilvio Rhatto <rhatto@riseup.net>2010-02-17 19:30:17 -0200
committerSilvio Rhatto <rhatto@riseup.net>2010-02-17 19:30:17 -0200
commit16e684ac77c95789a9903cdbeb5baf5b95cfe07c (patch)
treea67d6f0ee802fba0eaa727e44dd36798bde97e47
parent24dac3e185d66299519f80f990436028c3a6cf15 (diff)
downloadpuppet-nginx-16e684ac77c95789a9903cdbeb5baf5b95cfe07c.tar.gz
puppet-nginx-16e684ac77c95789a9903cdbeb5baf5b95cfe07c.tar.bz2
Split proxy config
-rw-r--r--manifests/init.pp9
-rw-r--r--templates/puppetmaster.conf.erb18
-rw-r--r--templates/puppetmaster.erb129
3 files changed, 69 insertions, 87 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 11c1166..7d28fa1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -115,6 +115,15 @@ class nginx::puppetmaster inherits nginx::base {
$ssl_port = 8140, $non_ssl_port = 8141,
$puppetmaster_servers = [ "127.0.0.1:18140" ]) {
+ file { "/etc/nginx/conf.d/puppetmaster.conf":
+ content => template("nginx/puppetmaster.conf.erb"),
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => present,
+ notify => Service["nginx"],
+ }
+
file { "/etc/nginx/sites-available/$name":
content => template("nginx/puppetmaster.erb"),
owner => "root",
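Review bot: The new file resource uses the fixed path `/etc/nginx/conf.d/puppetmaster.conf` inside a definition whose other file resource is keyed on `$name` (the sites-available path in the context lines below), so a second instance of this definition would fail with a duplicate resource declaration, and both instances would also write the same `upstream puppet-production` name into one conf.d file. The hunk header names a class, but the `$name`-based path suggests this is a define; if it is meant to be instantiated more than once, key the conf.d file on the instance as well, e.g. `file { "/etc/nginx/conf.d/puppetmaster-$name.conf":`, and give the upstream a matching name, and if it is single-instance by design a one-line comment above the resource saying so would settle it. The enclosing definition's signature starts above the hunk.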
diff --git a/templates/puppetmaster.conf.erb b/templates/puppetmaster.conf.erb
new file mode 100644
index 0000000..65240e7
--- /dev/null
+++ b/templates/puppetmaster.conf.erb
@@ -0,0 +1,18 @@
+# This configuration file was auto-generated by the Puppet configuration
+# management system. Any changes you make to this file will be overwritten
+# the next time Puppet runs. Please make configuration changes to this
+# service in Puppet.
+
+ssl on;
+ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem;
+ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem;
+ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
+ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
+ssl_session_cache shared:SSL:8m;
+ssl_session_timeout 5m;
+
+upstream puppet-production {
+ <% puppetmaster_servers.each do |upstream| -%>
+ server <%= upstream %>;
+ <% end -%>
+}
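Review bot: The `ssl_certificate` and `ssl_certificate_key` lines hard-code `puppetmaster.example.com`, so on any real master the file points at a certificate that does not exist and nginx will refuse to start; Puppet names these files after the node's FQDN, so `ssl_certificate /var/lib/puppet/ssl/certs/<%= fqdn %>.pem;` and the matching `private_keys` line would follow the host (or take the name as a parameter, as `puppetmaster_servers` already is). Because this file lands in conf.d, which the stock nginx.conf includes at `http` level, `ssl on;` and these certificate directives now apply to every server block on the host rather than only the two puppetmaster vhosts — assuming nginx::base keeps the default include — so moving them into the two `server` blocks of puppetmaster.erb would keep the split from changing unrelated sites. The cipher list `SSLv2:-LOW:-EXPORT:RC4+RSA` is carried over unchanged and still admits SSLv2-era suites and RC4; since the only clients here are puppet agents, a restrictive `ssl_protocols` plus a modern `ssl_ciphers` string would cost nothing.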
diff --git a/templates/puppetmaster.erb b/templates/puppetmaster.erb
index addd22a..c96472e 100644
--- a/templates/puppetmaster.erb
+++ b/templates/puppetmaster.erb
@@ -3,94 +3,49 @@
# the next time Puppet runs. Please make configuration changes to this
# service in Puppet.
-user www-data www-data;
-worker_processes <%= worker_processes %>;
-
-error_log /var/log/nginx-puppet.log notice;
-pid /var/run/nginx-puppet.pid;
-
-events {
- worker_connections <%= worker_connections %>;
-}
-
-http {
- # include /etc/mime.types;
- default_type application/octet-stream;
-
- # no sendfile on OSX uncomment
- #this if your on linux or bsd
- sendfile on;
- tcp_nopush on;
-
- # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
- large_client_header_buffers 16 4k;
- proxy_buffers 128 4k;
-
- # if you adjust this setting to something higher
- # you should as well update the proxy_read_timeout
- # in the server config part (see below)
- # Otherwise nginx will rerequest a manifest compile.
- keepalive_timeout 65;
- tcp_nodelay on;
-
- ssl on;
- ssl_certificate /Library/Puppet/Generated/Server/SSL/host_cert.pem;
- ssl_certificate_key /Library/Puppet/Generated/Server/SSL/host_key.pem;
- ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
- ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
- ssl_session_cache shared:SSL:8m;
- ssl_session_timeout 5m;
-
- upstream puppet-production {
- <% puppetmaster_servers.each do |upstream| -%>
- server <%= upstream %>;
- <% end -%>
+server {
+ listen <%= ssl_port %>;
+ ssl_verify_client on;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;
+
+ # Variables
+ # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
+ # $ssl_client_serial returns the series number of client certificate for established SSL-connection
+ # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
+ # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
+ # $ssl_protocol returns the protocol of established SSL-connection
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify SUCCESS;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
}
+}
- server {
- listen <%= ssl_port %>;
- ssl_verify_client on;
- root /var/empty;
- access_log /var/log/nginx/access-<%= ssl_port %>.log;
- rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;
-
- # Variables
- # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
- # $ssl_client_serial returns the series number of client certificate for established SSL-connection
- # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
- # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
- # $ssl_protocol returns the protocol of established SSL-connection
-
- location / {
- proxy_pass http://puppet-production;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify SUCCESS;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
- }
-
- server {
- listen <%= non_ssl_port %>;
- ssl_verify_client off;
- root /var/empty;
- access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
- rewrite_log /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
-
- location / {
- proxy_pass http://puppet-production;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify FAILURE;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
+server {
+ listen <%= non_ssl_port %>;
+ ssl_verify_client off;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify FAILURE;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
}
}
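Review bot: The split drops the http-level tuning that the removed comment tied to the retained `proxy_read_timeout 65;` in both new `location /` blocks — `keepalive_timeout 65`, `large_client_header_buffers 16 4k` and `proxy_buffers 128 4k` are deleted here and do not reappear in puppetmaster.conf.erb — so unless nginx::base's nginx.conf sets equivalents, the master now runs on nginx defaults and the "rerequest a manifest compile" case that comment warned about comes back. Either carry those three directives into the conf.d template, or add a comment next to `proxy_read_timeout` stating that the base config owns the matching keepalive setting. Separately, `proxy_set_header X-Client-Verify SUCCESS;` / `FAILURE;` is a constant per vhost rather than the actual verification result; `proxy_set_header X-Client-Verify $ssl_client_verify;` in both blocks would make the header reflect what nginx verified, which matters the moment `ssl_verify_client` is changed to `optional` on either port.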