package { 'puppetmaster-passenger':
ensure => installed,
}
+
+ $listen = hiera('puppet::daemon::port', '8140')
+ $certname = hiera('puppet::master::certname', "puppet.${::domain}")
+
+ # manage puppetmaster vhost
+ file { '/etc/apache2/sites-available/puppetmaster':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ content => template("puppet/passenger.erb"),
+ notify => Service['apache'],
+ }
}
--- /dev/null
+# You probably want to tune these settings
+PassengerHighPerformance on
+PassengerMaxPoolSize 12
+PassengerPoolIdleTime 1500
+# PassengerMaxRequests 1000
+PassengerStatThrottleRate 120
+RackAutoDetect Off
+RailsAutoDetect Off
+
+Listen <%= listen %>
+
+<VirtualHost *:<%= listen %>>
+ SSLEngine on
+ SSLProtocol -ALL +SSLv3 +TLSv1
+ SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
+
+ SSLCertificateFile /var/lib/puppetmaster/ssl/certs/<%= certname %>.pem
+ SSLCertificateKeyFile /var/lib/puppetmaster/ssl/private_keys/<%= certname %>.pem
+ SSLCertificateChainFile /var/lib/puppetmaster/ssl/certs/ca.pem
+ SSLCACertificateFile /var/lib/puppetmaster/ssl/certs/ca.pem
+ # If Apache complains about invalid signatures on the CRL, you can try disabling
+ # CRL checking by commenting the next line, but this is not recommended.
+ SSLCARevocationFile /var/lib/puppetmaster/ssl/ca/ca_crl.pem
+ SSLVerifyClient optional
+ SSLVerifyDepth 1
+ SSLOptions +StdEnvVars
+
+ # This header needs to be set if using a loadbalancer or proxy
+ RequestHeader unset X-Forwarded-For
+
+ RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
+
+ DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
+ RackBaseURI /
+ <Directory /usr/share/puppet/rack/puppetmasterd/>
+ Options None
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+</VirtualHost>
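Review bot: The TLS settings at `SSLProtocol -ALL +SSLv3 +TLSv1` and the `SSLCipherSuite` line below it re-enable SSLv3 and rank the RC4 suites ahead of the HIGH group, so agent connections to this master can end up on a protocol and cipher that are no longer considered safe. Nothing else in the template depends on those values, so I would change the two lines to `SSLProtocol ALL -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4`, and add `SSLHonorCipherOrder on` so the server's preference is the one that wins. Related: the comment above `SSLCARevocationFile` implies the CRL is enforced, but on Apache 2.4 that directive does nothing unless `SSLCARevocationCheck chain` is also set, so if 2.4 is a target it is worth adding (the `Order allow,deny` block suggests 2.2 is what this was tested on). The `<%= listen %>` and `<%= certname %>` references also rely on the bare-name variable lookup that newer Puppet deprecates in favour of `<%= @listen %>` / `<%= @certname %>`.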