
nginx conf (plain_text)


			
# Backend mongrel puppetmaster instances. The server blocks below hand them
# X-Client-Verify / X-SSL-Subject / X-SSL-Issuer headers that the puppetmaster
# trusts as the client's identity, so these ports must only be reachable
# through nginx (they are bound to loopback here; keep it that way).
upstream puppet {
  server 127.0.0.1:18140;
  server 127.0.0.1:18141;
}

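# day-to-day operations: agents present a CA-signed client certificate,
# nginx verifies it against the puppet CA and forwards the verified subject
# DN to the puppetmaster.
server {
  listen                  8140;
  ssl                     on;
  ssl_certificate         /var/lib/puppet/ssl/certs/puppet.pem;
  ssl_certificate_key     /var/lib/puppet/ssl/private_keys/puppet.pem;
  ssl_client_certificate  /var/lib/puppet/ssl/ca/ca_crt.pem;
  # The original string (SSLv2:-LOW:-EXPORT:RC4+RSA) selected SSLv2-era and
  # RC4 suites. Restrict to HIGH-strength, authenticated, non-RC4 suites and
  # let the server's preference order win.
  ssl_ciphers             HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXPORT:!LOW;
  ssl_prefer_server_ciphers on;
  # ssl_protocols TLSv1.2 TLSv1.3;   # pin protocols as well once the nginx/OpenSSL build supports these names
  # ssl_crl <PATH-TO-PUPPET-CA-CRL>; # placeholder: without a CRL, agent certs revoked by the puppet CA are still accepted
  ssl_session_cache       shared:SSL:8m;
  ssl_session_timeout     5m;
  ssl_verify_client       on;   # handshake fails without a valid, CA-signed client cert
  location / {
    proxy_redirect      off;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    # Hard-coded SUCCESS is only safe because ssl_verify_client is "on"
    # above: an unverified client never reaches this location. proxy_set_header
    # replaces any client-supplied value for these three headers, so a client
    # cannot inject its own X-Client-Verify or X-SSL-Subject.
    proxy_set_header    X-Client-Verify  SUCCESS;
    proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
    proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
    proxy_read_timeout 64;
    proxy_pass          http://puppet;
  }
}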

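# the CA port: no client certificate is requested (ssl_verify_client off),
# so every request here is unauthenticated at the TLS layer. $ssl_client_s_dn
# is therefore empty and X-Client-Verify is fixed to FAILURE; the puppetmaster
# must treat everything arriving on this port accordingly (CSR submission
# and certificate download only).
server {
  listen                  8141;
  ssl_verify_client       off;
  ssl                     on;
  ssl_certificate         /var/lib/puppet/ssl/certs/puppet.pem;
  ssl_certificate_key     /var/lib/puppet/ssl/private_keys/puppet.pem;
  ssl_client_certificate  /var/lib/puppet/ssl/ca/ca_crt.pem;
  # The original string (SSLv2:-LOW:-EXPORT:RC4+RSA) selected SSLv2-era and
  # RC4 suites. Restrict to HIGH-strength, authenticated, non-RC4 suites and
  # let the server's preference order win.
  ssl_ciphers             HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXPORT:!LOW;
  ssl_prefer_server_ciphers on;
  # ssl_protocols TLSv1.2 TLSv1.3;   # pin protocols as well once the nginx/OpenSSL build supports these names
  ssl_session_cache       shared:SSL:8m;
  ssl_session_timeout     5m;
  location / {
    proxy_redirect     off;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header   Host             $http_host;
    # proxy_set_header replaces any client-supplied value for these three
    # headers, so a client cannot claim a verified identity on this port.
    proxy_set_header   X-Client-Verify  FAILURE;
    proxy_set_header   X-SSL-Subject    $ssl_client_s_dn;
    proxy_set_header   X-SSL-Issuer     $ssl_client_i_dn;
    proxy_read_timeout 64;
    proxy_pass  http://puppet;
  }
}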

Relevant puppetmaster configuration (puppet.conf)


			
[puppetmasterd]
# Take the client identity from the X-SSL-Subject header that nginx sets
# (seen by the Ruby app as HTTP_X_SSL_SUBJECT). The matching "is it verified"
# flag relies on puppet's default ssl_client_verify_header, HTTP_X_CLIENT_VERIFY,
# which is what nginx's X-Client-Verify header becomes; both headers are only
# trustworthy while the mongrel backends are reachable solely through nginx.
ssl_client_header=HTTP_X_SSL_SUBJECT
servertype=mongrel