Paste P8872

apache

Authored by jbond on Aug 6 2019, 3:19 PM.
# Frontend vhost for the Puppet master on port 8140: terminates TLS from the
# agents, forwards the client-certificate result as request headers, and
# proxies everything to the backend masters on port 8141.
<VirtualHost *:8140>
ServerName puppet
SSLEngine on
# NOTE(review): "all -SSLv2 -SSLv3" still permits TLS 1.0 and 1.1 where the
# OpenSSL build supports them; once every agent is confirmed to negotiate
# TLS 1.2 or later this could also exclude -TLSv1 -TLSv1.1.
SSLProtocol all -SSLv2 -SSLv3
# "-ALL:" clears the default list first; AEAD suites (TLS 1.3, ECDHE GCM /
# CHACHA20) come first, the trailing AES128-SHA suites are a compatibility
# fallback for older agents.
SSLCipherSuite -ALL:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
# Use the server's ordering above rather than the client's preference.
SSLHonorCipherOrder On
# Custom DH group, only relevant to the DHE-RSA-AES128-SHA fallback suite.
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
# Server certificate/key from the agent-side puppet ssl dir; agent client
# certificates are verified against the puppet server CA.
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.pem
SSLCACertificateFile /var/lib/puppet/server/ssl/certs/ca.pem
# NOTE(review): SSLCertificateChainFile is deprecated since Apache 2.4.8; the
# chain can be appended to the SSLCertificateFile instead.
SSLCertificateChainFile /var/lib/puppet/server/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
# NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is not updated. Need to reevaluate this
SSLCARevocationPath /var/lib/puppet/server/ssl/crl
SSLCARevocationCheck chain
# "optional" lets a TLS handshake without a client certificate complete
# (presumably needed for agents that do not hold a signed certificate yet —
# confirm); the verification outcome is handed to the backend in
# X-Client-Verify below, so per-endpoint authorization happens there.
SSLVerifyClient optional
SSLVerifyDepth 1
# Exports the SSL_CLIENT_* variables read by the RequestHeader lines below.
SSLOptions +StdEnvVars
# The connection to the backends is also SSL encrypted, but the frontend and backends do not authenticate each other's connections.
# These request headers are used to pass the client certificate
# authentication information on to the puppet master process.
# "set" overwrites any X-SSL-Subject / X-Client-DN / X-Client-Verify header an
# agent may have sent, so the backend only ever sees values computed here.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
# NOTE(review): no SSLProxyVerify / SSLProxyCACertificateFile is configured, so
# the backends' certificates are not checked by this frontend (consistent with
# the comment above; worth revisiting if the backend network is not trusted).
SSLProxyEngine on
# Tries to avoid the "error reading status line from server" error
SetEnv proxy-initial-not-pooled 1
# Certificate requests should only go to the master.
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/(puppet-ca/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
# File buckets should only be in one place. Choosing the frontend by default for simplicity
ProxyPassMatch ^/([^/]+/file_bucket_file/md5/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/(puppet/v3/file_bucket_file/md5/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
# Volatile should only be in one place. Choosing the master by default for simplicity
ProxyPassMatch ^/([^/]+/file_metadata(s)?/volatile/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/(puppet/v3/file_metadata(s)?/volatile.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/([^/]+/file_content/volatile/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/(puppet/v3/file_content/volatile/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
# The rest gets balanced
# Canary routing: requests whose REMOTE_ADDR (-R) matches one of the listed
# agent addresses are proxied to balancer://canarybackend instead of the main
# balancer. The conditions are OR'd; the last one deliberately has no [OR].
# NOTE(review): a RewriteRule with [P] in vhost context may be evaluated
# before the ProxyPassMatch lines above — confirm that certificate, file
# bucket and volatile requests from canary hosts still reach puppetmaster1001.
RewriteEngine On
RewriteCond expr "-R '10.64.32.20'" [OR]
RewriteCond expr "-R '2620::861:103:10:64:32:20'" [OR]
RewriteCond expr "-R '198.35.26.6'" [OR]
RewriteCond expr "-R '2620::863:1:198:35:26:6'" [OR]
RewriteCond expr "-R '10.64.0.107'" [OR]
RewriteCond expr "-R '2620::861:101:10:64:0:107'" [OR]
RewriteCond expr "-R '2620::862:1:91:198:174:114'" [OR]
RewriteCond expr "-R '91.198.174.114'" [OR]
RewriteCond expr "-R '208.80.155.108'" [OR]
RewriteCond expr "-R '2620::861:4:208:80:155:108'" [OR]
RewriteCond expr "-R '10.64.48.167'" [OR]
RewriteCond expr "-R '2620::861:107:10:64:48:167'" [OR]
RewriteCond expr "-R '10.64.48.39'" [OR]
RewriteCond expr "-R '2620:0:861:107:b283:feff:fec0:b0d2'" [OR]
RewriteCond expr "-R '10.64.53.22'" [OR]
RewriteCond expr "-R '2620::861:108:10:64:53:22'" [OR]
RewriteCond expr "-R '10.64.0.175'" [OR]
RewriteCond expr "-R '2620::861:101:10:64:0:175'"
# [P] proxies the request via mod_proxy; [QSA] keeps the original query string.
RewriteRule ^ balancer://canarybackend%{REQUEST_URI} [P,QSA]
# Single-member canary pool; ping/connectiontimeout/retry/timeout match the
# main pool below.
<Proxy balancer://canarybackend>
BalancerMember https://puppetmaster1003.eqiad.wmnet:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
Require all granted
</Proxy>
# Everything not matched above goes to the main balancer pool.
ProxyPass / balancer://backend/
# puppetmaster1001 carries half the weight (loadfactor 10) of the other two
# members, presumably because it also serves the pinned requests above — confirm.
<Proxy balancer://backend>
BalancerMember https://puppetmaster1001.eqiad.wmnet:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=10
BalancerMember https://puppetmaster1002.eqiad.wmnet:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
BalancerMember https://rhodium.eqiad.wmnet:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
Require all granted
</Proxy>
# "wmf" is a LogFormat nickname defined elsewhere in the Apache configuration.
CustomLog /var/log/apache2/puppetmaster.puppet.log wmf
</VirtualHost>
