Split proxy config
authorSilvio Rhatto <rhatto@riseup.net>
Wed, 17 Feb 2010 21:30:17 +0000 (19:30 -0200)
committerSilvio Rhatto <rhatto@riseup.net>
Wed, 17 Feb 2010 21:30:17 +0000 (19:30 -0200)
manifests/init.pp
templates/puppetmaster.conf.erb [new file with mode: 0644]
templates/puppetmaster.erb

index 11c1166856b915a957869bb4e429394894866850..7d28fa1eeea4b3510e68914edf2b8fda5e03c14d 100644 (file)
@@ -115,6 +115,15 @@ class nginx::puppetmaster inherits nginx::base {
                $ssl_port = 8140, $non_ssl_port = 8141,
                $puppetmaster_servers = [ "127.0.0.1:18140" ]) {
 
+    file { "/etc/nginx/conf.d/puppetmaster.conf":
+      content => template("nginx/puppetmaster.conf.erb"),
+      owner   => "root",
+      group   => "root",
+      mode    => 0644,
+      ensure  => present,
+      notify  => Service["nginx"],
+    }
+
     file { "/etc/nginx/sites-available/$name":
       content => template("nginx/puppetmaster.erb"),
       owner   => "root",
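Review bot: The new `file` resource has the fixed title `/etc/nginx/conf.d/puppetmaster.conf`, while the surrounding body takes parameters and uses `$name` for the sites-available file, which suggests a define whose header is outside the hunk. If so, declaring it a second time fails catalog compilation with a duplicate resource, and the `upstream` block rendered from `$puppetmaster_servers` can only reflect one instance. Declaring the conf.d file once in the enclosing class, or adding a comment such as `# conf.d/puppetmaster.conf is shared: declare this only once per node`, would make the constraint explicit. Quoting the mode as `mode => "0644",` also avoids the value being read as a number.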
diff --git a/templates/puppetmaster.conf.erb b/templates/puppetmaster.conf.erb
new file mode 100644 (file)
index 0000000..65240e7
--- /dev/null
@@ -0,0 +1,18 @@
+# This configuration file was auto-generated by the Puppet configuration
+# management system.  Any changes you make to this file will be overwritten
+# the next time Puppet runs.  Please make configuration changes to this
+# service in Puppet.
+
+ssl                     on;
+ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem;
+ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem;
+ssl_client_certificate  /var/lib/puppet/ssl/certs/ca.pem;
+ssl_ciphers             SSLv2:-LOW:-EXPORT:RC4+RSA;
+ssl_session_cache       shared:SSL:8m;
+ssl_session_timeout     5m;
+
+upstream puppet-production {
+  <% puppetmaster_servers.each do |upstream| -%>
+    server <%= upstream %>;
+  <% end -%>
+}
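Review bot: The `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;` line carried into this new file selects SSLv2 cipher suites and RC4, and no `ssl_protocols` directive restricts the protocol versions, so the Puppet master's client-certificate traffic can be negotiated with broken primitives. Restricting both, for example `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_ciphers HIGH:!aNULL:!MD5;` where the installed nginx and OpenSSL support them, closes that. The certificate and key paths are hard-coded to `puppetmaster.example.com.pem`, which only matches a host of that name; deriving the name in the template (e.g. `<%= fqdn %>`) would make the file usable as shipped. There is also no `ssl_crl` line, so a revoked agent certificate would presumably still pass `ssl_verify_client on`.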
index addd22ae7aa9dcce227246912be15e0e29b2c393..c96472e55263ec8913227019ffb40ae580ef1160 100644 (file)
@@ -3,94 +3,49 @@
 # the next time Puppet runs.  Please make configuration changes to this
 # service in Puppet.
 
-user www-data www-data;
-worker_processes  <%= worker_processes %>;
-
-error_log       /var/log/nginx-puppet.log notice;
-pid             /var/run/nginx-puppet.pid;
-
-events {
-    worker_connections  <%= worker_connections %>;
-}
-
-http {
-    # include /etc/mime.types;
-    default_type  application/octet-stream;
-
-    # no sendfile on OSX uncomment 
-    #this if your on linux or bsd
-    sendfile        on;
-    tcp_nopush      on;
-    
-    # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
-    large_client_header_buffers     16      4k;
-    proxy_buffers                   128     4k;
-
-    # if you adjust this setting to something higher
-    # you should as well update the proxy_read_timeout 
-    # in the server config part (see below)
-    # Otherwise nginx will rerequest a manifest compile.
-    keepalive_timeout  65;
-    tcp_nodelay        on;
-
-    ssl                     on;
-    ssl_certificate         /Library/Puppet/Generated/Server/SSL/host_cert.pem;
-    ssl_certificate_key     /Library/Puppet/Generated/Server/SSL/host_key.pem;
-    ssl_client_certificate  /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
-    ssl_ciphers             SSLv2:-LOW:-EXPORT:RC4+RSA;
-    ssl_session_cache       shared:SSL:8m;
-    ssl_session_timeout     5m;
-
-    upstream puppet-production {
-      <% puppetmaster_servers.each do |upstream| -%>
-        server <%= upstream %>;
-      <% end -%>
+server {
+    listen                  <%= ssl_port %>;
+    ssl_verify_client       on;
+    root                    /var/empty;
+    access_log              /var/log/nginx/access-<%= ssl_port %>.log;
+    rewrite_log             /var/log/nginx/rewrite-<%= ssl_port %>.log;
+
+    # Variables
+    # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
+    # $ssl_client_serial returns the series number of client certificate for established SSL-connection
+    # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
+    # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
+    # $ssl_protocol returns the protocol of established SSL-connection
+
+    location / {
+        proxy_pass          http://puppet-production;
+        proxy_redirect      off;
+        proxy_set_header    Host             $host;
+        proxy_set_header    X-Real-IP        $remote_addr;
+        proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Client-Verify  SUCCESS;
+        proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
+        proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
+        proxy_read_timeout  65;
     }
+}
 
-    server {
-        listen                  <%= ssl_port %>;
-        ssl_verify_client       on;
-        root                    /var/empty;
-        access_log              /var/log/nginx/access-<%= ssl_port %>.log;
-        rewrite_log             /var/log/nginx/rewrite-<%= ssl_port %>.log;
-
-        # Variables
-        # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
-        # $ssl_client_serial returns the series number of client certificate for established SSL-connection
-        # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
-        # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
-        # $ssl_protocol returns the protocol of established SSL-connection
-
-        location / {
-            proxy_pass          http://puppet-production;
-            proxy_redirect      off;
-            proxy_set_header    Host             $host;
-            proxy_set_header    X-Real-IP        $remote_addr;
-            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
-            proxy_set_header    X-Client-Verify  SUCCESS;
-            proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
-            proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
-            proxy_read_timeout  65;
-        }
-    }
-
-    server {
-        listen                  <%= non_ssl_port %>;
-        ssl_verify_client       off;
-        root                    /var/empty;
-        access_log              /var/log/nginx/access-<%= non_ssl_port %>.log;
-        rewrite_log             /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
-
-        location / {
-            proxy_pass  http://puppet-production;
-            proxy_redirect     off;
-            proxy_set_header   Host             $host;
-            proxy_set_header   X-Real-IP        $remote_addr;
-            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
-            proxy_set_header   X-Client-Verify  FAILURE;
-            proxy_set_header   X-SSL-Subject    $ssl_client_s_dn;
-            proxy_set_header   X-SSL-Issuer     $ssl_client_i_dn;
-            proxy_read_timeout  65;
-        }
+server {
+    listen                  <%= non_ssl_port %>;
+    ssl_verify_client       off;
+    root                    /var/empty;
+    access_log              /var/log/nginx/access-<%= non_ssl_port %>.log;
+    rewrite_log             /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
+
+    location / {
+        proxy_pass  http://puppet-production;
+        proxy_redirect     off;
+        proxy_set_header   Host             $host;
+        proxy_set_header   X-Real-IP        $remote_addr;
+        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Client-Verify  FAILURE;
+        proxy_set_header   X-SSL-Subject    $ssl_client_s_dn;
+        proxy_set_header   X-SSL-Issuer     $ssl_client_i_dn;
+        proxy_read_timeout  65;
     }
 }
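Review bot: `proxy_set_header X-Client-Verify SUCCESS;` in the first server block asserts the verification result as a constant instead of passing what nginx actually determined. It is correct only while `ssl_verify_client on` stays on that listener; `proxy_set_header X-Client-Verify $ssl_client_verify;` keeps the header truthful if the setting is later changed to `optional` or the block is copied. Since the backend trusts these headers, a comment such as `# Backend trusts X-Client-Verify/X-SSL-*: keep the upstream bound to loopback` would document that the servers in `puppetmaster_servers` must only be reachable through this proxy. Separately, `rewrite_log` is documented as an `on`/`off` flag, so the path argument in both server blocks should be checked with `nginx -t`.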