author | drebs <drebs@riseup.net> | 2010-02-16 01:12:47 -0200 |
committer | drebs <drebs@riseup.net> | 2010-02-16 01:12:47 -0200 |
commit | 671780fbbb5fcc8f03c1f72386f31fc7c51080a9 (patch) | |
tree | 15d0b64a6371963d24e61252edca7f63a0a2f17b /templates/puppetmaster.erb | |
parent | 74ccc5f671a6ab6434a64fc22809f1ddae44ea7e (diff) | |
download | puppet-nginx-671780fbbb5fcc8f03c1f72386f31fc7c51080a9.tar.gz puppet-nginx-671780fbbb5fcc8f03c1f72386f31fc7c51080a9.tar.bz2 |
Splitting into smaller classes and adding puppetmaster proxying support.
Diffstat (limited to 'templates/puppetmaster.erb')
-rw-r--r-- | templates/puppetmaster.erb | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/templates/puppetmaster.erb b/templates/puppetmaster.erb
new file mode 100644
index 0000000..87fd996
--- /dev/null
+++ b/templates/puppetmaster.erb
@@ -0,0 +1,96 @@
+# This configuration file was auto-generated by the Puppet configuration
+# management system. Any changes you make to this file will be overwritten
+# the next time Puppet runs. Please make configuration changes to this
+# service in Puppet.
+
+user www-data www-data;
+worker_processes <%= $worker_processes %>;
+
+error_log /var/log/nginx-puppet.log notice;
+pid /var/run/nginx-puppet.pid;
+
+events {
+ worker_connections <%= $worker_connections %>;
+}
+
+http {
+ # include /etc/mime.types;
+ default_type application/octet-stream;
+
+ # no sendfile on OSX uncomment
+ #this if your on linux or bsd
+ sendfile on;
+ tcp_nopush on;
+
+ # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
+ large_client_header_buffers 16 4k;
+ proxy_buffers 128 4k;
+
+ # if you adjust this setting to something higher
+ # you should as well update the proxy_read_timeout
+ # in the server config part (see below)
+ # Otherwise nginx will rerequest a manifest compile.
+ keepalive_timeout 65;
+ tcp_nodelay on;
+
+ ssl on;
+ ssl_certificate /Library/Puppet/Generated/Server/SSL/host_cert.pem;
+ ssl_certificate_key /Library/Puppet/Generated/Server/SSL/host_key.pem;
+ ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
+ ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
+ ssl_session_cache shared:SSL:8m;
+ ssl_session_timeout 5m;
+
+ upstream puppet-production {
+ <% $puppetmaster_servers.each do |upstream| -%>
+ server <%= upstream %>;
+ <% end -%>
+ }
+
+ server {
+ listen <%= $ssl_port %>;
+ ssl_verify_client on;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= $ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= $ssl_port %>.log;
+
+ # Variables
+ # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
+ # $ssl_client_serial returns the series number of client certificate for established SSL-connection
+ # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
+ # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
+ # $ssl_protocol returns the protocol of established SSL-connection
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify SUCCESS;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
+ }
+ }
+
+ server {
+ listen <%= $nonssl_port %>;
+ ssl_verify_client off;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= $nonssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= $nonssl_port %>.log;
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify FAILURE;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
+ }
+ }
+} |
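Review bot: The `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;` line in the `http` block turns on the OpenSSL `SSLv2` cipher alias and RC4, both of which are weak; tighten it to `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;` and add an `ssl_protocols` line restricted to whichever TLS versions the installed OpenSSL and the puppet agents support. The `X-Client-Verify`, `X-SSL-Subject` and `X-SSL-Issuer` headers set in both `location /` blocks are the only client identity the puppetmaster sees, so they are only trustworthy if the plain-HTTP `puppet-production` upstreams cannot be reached except through this proxy; a comment above the `upstream` block should state that, e.g. `# upstreams must be bound to loopback or firewalled: puppetmaster trusts the X-Client-Verify / X-SSL-* headers set here without further checks`. Note also that `ssl on;` sits in the `http` context and is therefore inherited by the `listen <%= $nonssl_port %>;` server, so that listener is TLS-without-client-certificate rather than plaintext; if that is the intent (the usual CSR/CA port) the `nonssl` name is misleading and deserves a comment, otherwise the directive belongs inside the first `server` block — confirm with the author. Separately, `rewrite_log` only accepts `on` or `off`, so both `rewrite_log /var/log/nginx/rewrite-...log;` lines will be rejected at config load; use `rewrite_log on;` and let its output go to the `error_log` at `notice` level.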