From 16e684ac77c95789a9903cdbeb5baf5b95cfe07c Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Wed, 17 Feb 2010 19:30:17 -0200
Subject: Split proxy config

---
 templates/puppetmaster.conf.erb | 18 ++++++
 templates/puppetmaster.erb | 129 +++++++++++++---------------------------
 2 files changed, 60 insertions(+), 87 deletions(-)
 create mode 100644 templates/puppetmaster.conf.erb
(limited to 'templates')

diff --git a/templates/puppetmaster.conf.erb b/templates/puppetmaster.conf.erb
new file mode 100644
index 0000000..65240e7
--- /dev/null
+++ b/templates/puppetmaster.conf.erb
@@ -0,0 +1,18 @@
+# This configuration file was auto-generated by the Puppet configuration
+# management system. Any changes you make to this file will be overwritten
+# the next time Puppet runs. Please make configuration changes to this
+# service in Puppet.
+
+ssl on;
+ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem;
+ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem;
+ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
+ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
+ssl_session_cache shared:SSL:8m;
+ssl_session_timeout 5m;
+
+upstream puppet-production {
+ <% puppetmaster_servers.each do |upstream| -%>
+ server <%= upstream %>;
+ <% end -%>
+}
diff --git a/templates/puppetmaster.erb b/templates/puppetmaster.erb
index addd22a..c96472e 100644
--- a/templates/puppetmaster.erb
+++ b/templates/puppetmaster.erb
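Review bot: The `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;` line in the new puppetmaster.conf.erb carries over a cipher string that starts from the SSLv2 suite set and ends in RC4, and no `ssl_protocols` directive restricts the handshake to TLS; since the listener in puppetmaster.erb authenticates agents by client certificate, this cipher choice is the whole transport guarantee. Prefer an explicit TLS-only `ssl_protocols` list and a cipher string that excludes SSLv2, RC4 and the export/low grades, checked against the nginx version actually deployed. The certificate paths hard-code `puppetmaster.example.com` while the upstream list is rendered from `puppetmaster_servers`; rendering the host part from a template variable (the `fqdn` fact, if that is what this module exposes) would keep the generated file in step with the certificate Puppet actually issued. The file also lacks a comment saying it must be included in the `http` context before puppetmaster.erb, which references the `puppet-production` upstream defined here; a one-line header such as `# Included in the http context; defines the ssl_* defaults and the puppet-production upstream used by puppetmaster.erb.` would record that dependency.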
@@ -3,94 +3,49 @@
 # the next time Puppet runs. Please make configuration changes to this
 # service in Puppet.
-user www-data www-data;
-worker_processes <%= worker_processes %>;
-
-error_log /var/log/nginx-puppet.log notice;
-pid /var/run/nginx-puppet.pid;
-
-events {
- worker_connections <%= worker_connections %>;
-}
-
-http {
- # include /etc/mime.types;
- default_type application/octet-stream;
-
- # no sendfile on OSX uncomment
- #this if your on linux or bsd
- sendfile on;
- tcp_nopush on;
-
- # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
- large_client_header_buffers 16 4k;
- proxy_buffers 128 4k;
-
- # if you adjust this setting to something higher
- # you should as well update the proxy_read_timeout
- # in the server config part (see below)
- # Otherwise nginx will rerequest a manifest compile.
- keepalive_timeout 65;
- tcp_nodelay on;
-
- ssl on;
- ssl_certificate /Library/Puppet/Generated/Server/SSL/host_cert.pem;
- ssl_certificate_key /Library/Puppet/Generated/Server/SSL/host_key.pem;
- ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
- ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
- ssl_session_cache shared:SSL:8m;
- ssl_session_timeout 5m;
-
- upstream puppet-production {
- <% puppetmaster_servers.each do |upstream| -%>
- server <%= upstream %>;
- <% end -%>
+server {
+ listen <%= ssl_port %>;
+ ssl_verify_client on;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;
+
+ # Variables
+ # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
+ # $ssl_client_serial returns the series number of client certificate for established SSL-connection
+ # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
+ # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
+ # $ssl_protocol returns the protocol of established SSL-connection
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify SUCCESS;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
 }
+}
- server {
- listen <%= ssl_port %>;
- ssl_verify_client on;
- root /var/empty;
- access_log /var/log/nginx/access-<%= ssl_port %>.log;
- rewrite_log /var/log/nginx/rewrite-<%= ssl_port %>.log;
-
- # Variables
- # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
- # $ssl_client_serial returns the series number of client certificate for established SSL-connection
- # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
- # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
- # $ssl_protocol returns the protocol of established SSL-connection
-
- location / {
- proxy_pass http://puppet-production;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify SUCCESS;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
- }
-
- server {
- listen <%= non_ssl_port %>;
- ssl_verify_client off;
- root /var/empty;
- access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
- rewrite_log /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
-
- location / {
- proxy_pass http://puppet-production;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Client-Verify FAILURE;
- proxy_set_header X-SSL-Subject $ssl_client_s_dn;
- proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
- proxy_read_timeout 65;
- }
+server {
+ listen <%= non_ssl_port %>;
+ ssl_verify_client off;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify FAILURE;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
 }
 }
-- cgit v1.2.3
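Review bot: puppetmaster.erb now emits two bare `server {}` blocks whose `proxy_pass http://puppet-production;` depends on the upstream and the `ssl on;`/certificate directives that moved to puppetmaster.conf.erb, but nothing in this file records that it must be included in the `http` context after that file, so a stray include order fails only at nginx start. Add a header comment under the existing auto-generated banner, e.g. `# Expects puppetmaster.conf (upstream puppet-production and the ssl_* settings) to be loaded earlier in the http context.`. Both listeners forward `X-Client-Verify`, `X-SSL-Subject` and `X-SSL-Issuer` as headers the backend trusts, so the `puppetmaster_servers` hosts must be reachable only through these two listeners; that is unchanged by the commit, but with the configuration now split across two templates it belongs in the same comment. The `X-Client-Verify SUCCESS` value is hard-coded rather than taken from nginx's `$ssl_client_verify`; with `ssl_verify_client on` the handshake already rejects unverified clients, so this is carried-over style rather than a defect introduced here.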