Page MenuHomePhabricator
Paste P8775

example output
ActivePublic

Authored by jbond on Jul 19 2019, 11:25 AM.
# Experimental virtualhost to test new puppetmaster backends
<VirtualHost *:8140>
ServerName foo.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite -ALL:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
SSLHonorCipherOrder On
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
SSLCertificateFile /var/lib/puppet/ssl/certs/foo.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/foo.example.com.pem
SSLCACertificateFile /var/lib/puppet/server/ssl/certs/ca.pem
SSLCertificateChainFile /var/lib/puppet/server/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
# NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is not updated. Need to reevaluate this
SSLCARevocationPath /crl
SSLVerifyClient
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# The connection to the backends is also SSL encrypted but by frontend and backends do not authenticate connections
# These request headers are used to pass the client certificate
# authentication information on to the puppet master process
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
SSLProxyEngine on
# Tries to avoid the "error reading status line from server" error
SetEnv proxy-initial-not-pooled 1
# Certificates requests should only be in the master.
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet-ca/.*)$ https://puppetmaster:8141
# File buckets should only be in one place. Choosing the frontend by default for simplicity
ProxyPassMatch ^/([^/]+/file_bucket_file/md5/.*)$ https://foo.example.com:8141
ProxyPassMatch ^/(puppet/v3/file_bucket_file/md5/.*)$ https://foo.example.com:8141
# Volatile should only be in one place. Choosing the master by default for simplicity
ProxyPassMatch ^/([^/]+/file_metadata(s)?/volatile/.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet/v3/file_metadata(s)?/volatile.*)$ https://puppetmaster:8141
ProxyPassMatch ^/([^/]+/file_content/volatile/.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet/v3/file_content/volatile/.*)$ https://puppetmaster:8141
# The rest gets balanced
SetEnvIf Remote_Host canary1.example.com CANARY=yes
SetEnvIf Remote_Host canary2.example.com CANARY=yes
ProxyPass / balancer://canarybackend/ env=CANARY
<Proxy balancer://canarybackend>
BalancerMember https://canary_load20.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
BalancerMember https://canary_load10.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=10
Require all granted
</Proxy>
ProxyPass / balancer://backend/
<Proxy balancer://backend>
BalancerMember https://load20.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
BalancerMember https://load10.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=10
Require all granted
</Proxy>
CustomLog /var/log/apache2/puppetmaster.foo.example.com.log wmf
</VirtualHost>

Event Timeline

jbond created this paste.Jul 19 2019, 11:25 AM
jbond edited the content of this paste. (Show Details)Jul 19 2019, 11:34 AM