Authored By
jbond
Jul 19 2019, 11:34 AM
2019-07-19 11:34:09 (UTC+0)
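# Experimental virtualhost to test new puppetmaster backends
#
# Frontend for the puppet master: terminates TLS for agents on :8140, handles
# CA/fileserver routing itself, and forwards everything else to the :8141 backends.
<VirtualHost *:8140>
ServerName foo.example.com
SSLEngine on
# NOTE(review): "all -SSLv2 -SSLv3" still permits TLS 1.0 and 1.1. Left unchanged
# here because older puppet agents may depend on it - confirm before tightening.
SSLProtocol all -SSLv2 -SSLv3
# NOTE(review): the TLS13-* names look like pre-OpenSSL-1.1.1 spellings; verify
# that the OpenSSL build in use recognises them rather than silently dropping them.
SSLCipherSuite -ALL:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
SSLHonorCipherOrder On
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
SSLCertificateFile /var/lib/puppet/ssl/certs/foo.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/foo.example.com.pem
SSLCACertificateFile /var/lib/puppet/server/ssl/certs/ca.pem
SSLCertificateChainFile /var/lib/puppet/server/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
# NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is not updated. Need to reevaluate this
SSLCARevocationPath /crl
# SSLVerifyClient takes exactly one argument (none|optional|require|optional_no_ca);
# the bare directive in the original is a configuration error and Apache will refuse
# to start. "optional" is used here: agents that do not yet hold a signed certificate
# must still reach the CA endpoints, and the verification result is passed on to the
# backend in X-Client-Verify below. Presumably the master makes the authorization
# decision from that header - confirm against the backend configuration.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# The connection to the backends is also SSL encrypted, but the frontend and the
# backends do not authenticate each other (no SSLProxyVerify / SSLProxyCACertificateFile
# is configured here).
# These request headers pass the client certificate authentication information on
# to the puppet master process. The backends trust them as-is, so they must only be
# reachable from this frontend: anything that can reach :8141 directly could supply
# its own X-Client-Verify. Confirm the backends are restricted accordingly.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
SSLProxyEngine on
# Tries to avoid the "error reading status line from server" error
SetEnv proxy-initial-not-pooled 1
# Certificate requests should only be handled by the master.
# NOTE(review): these targets carry neither a path nor a $1 backreference; as I recall
# Puppet's reference configuration uses https://host:8141/$1. Verify that the matched
# request path is actually forwarded to the backend rather than replaced.
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet-ca/.*)$ https://puppetmaster:8141
# File buckets should only be in one place. Choosing the frontend by default for simplicity
ProxyPassMatch ^/([^/]+/file_bucket_file/md5/.*)$ https://foo.example.com:8141
ProxyPassMatch ^/(puppet/v3/file_bucket_file/md5/.*)$ https://foo.example.com:8141
# Volatile should only be in one place. Choosing the master by default for simplicity
ProxyPassMatch ^/([^/]+/file_metadata(s)?/volatile/.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet/v3/file_metadata(s)?/volatile.*)$ https://puppetmaster:8141
ProxyPassMatch ^/([^/]+/file_content/volatile/.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet/v3/file_content/volatile/.*)$ https://puppetmaster:8141
# The rest gets balanced.
# Remote_Host matches the client's resolved hostname, so canary selection depends on
# the reverse lookup succeeding; a request whose address does not resolve falls
# through to the regular backend pool.
SetEnvIf Remote_Host canary1.example.com CANARY=yes
SetEnvIf Remote_Host canary2.example.com CANARY=yes
# First matching ProxyPass wins: canary hosts go to canarybackend, everything else below.
ProxyPass / balancer://canarybackend/ env=CANARY
<Proxy balancer://canarybackend>
BalancerMember https://canary_load20.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
BalancerMember https://canary_load10.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=10
Require all granted
</Proxy>
ProxyPass / balancer://backend/
<Proxy balancer://backend>
BalancerMember https://load20.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
BalancerMember https://load10.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=10
Require all granted
</Proxy>
CustomLog /var/log/apache2/puppetmaster.foo.example.com.log wmf
</VirtualHost>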