author | Silvio Rhatto <rhatto@riseup.net> | 2010-02-17 19:30:17 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2010-02-17 19:30:17 -0200 |
commit | 16e684ac77c95789a9903cdbeb5baf5b95cfe07c (patch) | |
tree | a67d6f0ee802fba0eaa727e44dd36798bde97e47 /templates/puppetmaster.erb | |
parent | 24dac3e185d66299519f80f990436028c3a6cf15 (diff) | |
Split proxy config
Diffstat (limited to 'templates/puppetmaster.erb')
-rw-r--r-- | templates/puppetmaster.erb | 129 |
1 files changed, 42 insertions, 87 deletions
diff --git a/templates/puppetmaster.erb b/templates/puppetmaster.erb
index addd22a..c96472e 100644
--- a/templates/puppetmaster.erb
+++ b/templates/puppetmaster.erb
@@ -3,94 +3,49 @@
 # the next time Puppet runs. Please make configuration changes to this
 # service in Puppet.

-user www-data www-data;
-worker_processes <%= worker_processes %>;
-
-error_log /var/log/nginx-puppet.log notice;
-pid /var/run/nginx-puppet.pid;
-
-events {
- worker_connections <%= worker_connections %>;
-}
-
-http {
- # include /etc/mime.types;
- default_type application/octet-stream;
-
- # no sendfile on OSX uncomment
- #this if your on linux or bsd
- sendfile on;
- tcp_nopush on;
-
- # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
- large_client_header_buffers 16 4k;
- proxy_buffers 128 4k;
-
- # if you adjust this setting to something higher
- # you should as well update the proxy_read_timeout
- # in the server config part (see below)
- # Otherwise nginx will rerequest a manifest compile.
- keepalive_timeout 65;
- tcp_nodelay on;
-
- ssl on;
- ssl_certificate /Library/Puppet/Generated/Server/SSL/host_cert.pem;
- ssl_certificate_key /Library/Puppet/Generated/Server/SSL/host_key.pem;
- ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
- ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
- ssl_session_cache shared:SSL:8m;
- ssl_session_timeout 5m;
-
- upstream puppet-production {
- <% puppetmaster_servers.each do |upstream| -%>
- server <%= upstream %>;
- <% end -%>
+server {
+ listen <%= ssl_port %>;
+ ssl_verify_client on;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;
+
+ # Variables
+ # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
+ # $ssl_client_serial returns the series number of client certificate for established SSL-connection
+ # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
+ # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
+ # $ssl_protocol returns the protocol of established SSL-connection
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify SUCCESS;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
  }
+}

- server {
- listen <%= ssl_port %>;
- ssl_verify_client on;
- root /var/empty;
- access_log /var/log/nginx/access-<%= ssl_port %>.log;
- rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;
-
- # Variables
- # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
- # $ssl_client_serial returns the series number of client certificate for established SSL-connection
- # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
- # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
- # $ssl_protocol returns the protocol of established SSL-connection
-
- location / {
- proxy_pass http://puppet-production;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify SUCCESS;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
- }
-
- server {
- listen <%= non_ssl_port %>;
- ssl_verify_client off;
- root /var/empty;
- access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
- rewrite_log /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
-
- location / {
- proxy_pass http://puppet-production;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify FAILURE;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
+server {
+ listen <%= non_ssl_port %>;
+ ssl_verify_client off;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify FAILURE;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
  }
 }
|
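Review bot: The `ssl_port` server block sends a hard-coded `proxy_set_header X-Client-Verify SUCCESS;` to the backend, so that assertion is only trustworthy if TLS and client-certificate verification are really active on that listener. This hunk removes `ssl on;`, the certificate paths and `ssl_client_certificate` from the template without re-adding them, so they presumably now live in the split-out config, which is not visible here. If this file is ever included without them, `ssl_verify_client on` has nothing to enforce and the backend is still told SUCCESS. I would bind both to this block with `listen <%= ssl_port %> ssl;` and `proxy_set_header X-Client-Verify $ssl_client_verify;`, so the header reflects the actual handshake result. Separately, `rewrite_log` accepts only `on` or `off`, so both `rewrite_log` lines with a log path should become `rewrite_log off;` or be dropped.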