author | Silvio Rhatto <rhatto@riseup.net> | 2014-03-07 22:12:58 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2014-03-07 22:12:58 -0300 |
commit | 8118ad3c0c39c65a97530ca6c5dda4da590d5aa1 (patch) | |
tree | 8deca7ce1c664131d6dc03d59e6726573765e63d | |
parent | b649e95885719b4f39ba17a1a9bdbc1f35d02c72 (diff) | |
Manage passenger vhost
-rw-r--r-- | manifests/master/passenger.pp | 13 | ||||
-rw-r--r-- | templates/passenger.erb | 43 |
2 files changed, 56 insertions, 0 deletions
diff --git a/manifests/master/passenger.pp b/manifests/master/passenger.pp
index bbb0cb8..f0df446 100644
--- a/manifests/master/passenger.pp
+++ b/manifests/master/passenger.pp
@@ -20,4 +20,17 @@ class puppet::master::passenger {
 package { 'puppetmaster-passenger':
 ensure => installed,
 }
+
+ $listen = hiera('puppet::daemon::port', '8140')
+ $certname = hiera('puppet::master::certname', "puppet.${::domain}")
+
+ # manage puppetmaster vhost
+ file { '/etc/apache2/sites-available/puppetmaster':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ content => template("puppet/passenger.erb"),
+ notify => Service['apache'],
+ }
 }
diff --git a/templates/passenger.erb b/templates/passenger.erb
new file mode 100644
index 0000000..b58b4c8
--- /dev/null
+++ b/templates/passenger.erb
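Review bot: The new `file` resource in manifests/master/passenger.pp has no ordering against `Package['puppetmaster-passenger']` declared just above it, so on a first run the vhost may be written before the package is installed; presumably the package also lays down its own files under /etc/apache2, which makes the outcome order-dependent. Adding `require => Package['puppetmaster-passenger'],` makes the order explicit. `mode => 0644,` is safer written as `mode => '0644',` because later Puppet parsers read the bare literal as a number rather than a mode string. `$listen` and `$certname` flow from hiera straight into an Apache `Listen` directive and a private-key path, so a format check on both (digits only for the port, a hostname pattern for the certname) would stop bad data from producing a broken or misleading vhost. The class body starts outside the hunk, and `Service['apache']` is assumed to be declared elsewhere.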
@@ -0,0 +1,43 @@
+# You probably want to tune these settings
+PassengerHighPerformance on
+PassengerMaxPoolSize 12
+PassengerPoolIdleTime 1500
+# PassengerMaxRequests 1000
+PassengerStatThrottleRate 120
+RackAutoDetect Off
+RailsAutoDetect Off
+
+Listen <%= listen %>
+
+<VirtualHost *:<%= listen %>>
+ SSLEngine on
+ SSLProtocol -ALL +SSLv3 +TLSv1
+ SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
+
+ SSLCertificateFile /var/lib/puppetmaster/ssl/certs/<%= certname %>.pem
+ SSLCertificateKeyFile /var/lib/puppetmaster/ssl/private_keys/<%= certname %>.pem
+ SSLCertificateChainFile /var/lib/puppetmaster/ssl/certs/ca.pem
+ SSLCACertificateFile /var/lib/puppetmaster/ssl/certs/ca.pem
+ # If Apache complains about invalid signatures on the CRL, you can try disabling
+ # CRL checking by commenting the next line, but this is not recommended.
+ SSLCARevocationFile /var/lib/puppetmaster/ssl/ca/ca_crl.pem
+ SSLVerifyClient optional
+ SSLVerifyDepth 1
+ SSLOptions +StdEnvVars
+
+ # This header needs to be set if using a loadbalancer or proxy
+ RequestHeader unset X-Forwarded-For
+
+ RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
+
+ DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
+ RackBaseURI /
+ <Directory /usr/share/puppet/rack/puppetmasterd/>
+ Options None
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+</VirtualHost> |
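Review bot: The `SSLProtocol -ALL +SSLv3 +TLSv1` line in templates/passenger.erb enables SSLv3 and caps the master at TLS 1.0, and the `SSLCipherSuite` string after it explicitly admits `RC4+RSA` and `MEDIUM` ciphers, which is weak for the channel that authenticates agents by client certificate. Prefer `SSLProtocol ALL -SSLv2 -SSLv3`, a suite such as `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4`, and `SSLHonorCipherOrder on`, after confirming that the oldest agents' OpenSSL can still negotiate. The template also reads `listen` and `certname` as bare names; `<%= @listen %>` and `<%= @certname %>` are the form newer Puppet versions expect.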