# Apache front-end for the Puppet master: terminates agent TLS, extracts the
# client-certificate identity into request headers, and proxies to the
# puppetserver backends. The original rendering collapsed this onto three
# lines; it is reflowed here one directive per line, tokens unchanged.
# NOTE(review): the enclosing <VirtualHost> and the <Proxy balancer://...>
# containers that normally wrap BalancerMember / Require lines are not
# visible in this rendering — presumably stripped on export; confirm
# against the deployed file.
ServerName puppet
SSLEngine on
# SSLv2/SSLv3 disabled; TLS 1.0 and 1.1 remain enabled. NOTE(review): if every
# agent's Ruby/OpenSSL supports TLS 1.2+, adding "-TLSv1 -TLSv1.1" here would
# close those down too — agent compatibility is not visible from this file.
SSLProtocol all -SSLv2 -SSLv3
# Preference order: TLS 1.3 suites, then ECDHE AEAD suites. The last three
# (AES128-SHA CBC/SHA-1 suites) are the weakest entries; presumably kept for
# older agents — TODO confirm they are still needed.
SSLCipherSuite -ALL:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
# Server picks the suite, so the order above is authoritative, not the client's.
SSLHonorCipherOrder On
# Custom DH group for the DHE-RSA suite; avoids OpenSSL's default parameters.
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
# Server identity: the Puppet-issued cert/key for this host.
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.pem
# Puppet CA used to validate agent client certificates (SSLVerifyClient below).
SSLCACertificateFile /var/lib/puppet/server/ssl/certs/ca.pem
# NOTE(review): SSLCertificateChainFile is deprecated since httpd 2.4.8 in
# favour of appending the chain to SSLCertificateFile; harmless as-is.
SSLCertificateChainFile /var/lib/puppet/server/ssl/certs/ca.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next two lines, but this is not recommended:
# without it, revoked agent certificates keep being accepted.
# NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is not updated. Need to reevaluate this
SSLCARevocationPath /var/lib/puppet/server/ssl/crl
SSLCARevocationCheck chain
# "optional" because not-yet-enrolled agents must reach the CA endpoints
# (certificate request routes below) without a client certificate. The
# consequence is that a request may arrive with NO verified identity, so
# the X-Client-Verify header below is the only thing distinguishing an
# authenticated agent from an anonymous client.
SSLVerifyClient optional
# Only accept certs signed directly by the CA above (no intermediates).
SSLVerifyDepth 1
# Export SSL_CLIENT_* variables so the RequestHeader lines can read them.
SSLOptions +StdEnvVars
# The connection to the backends is also TLS encrypted, but the frontend and
# backends do not authenticate each other (see SSLProxyEngine below).
# These request headers pass the client-certificate authentication result on
# to the puppet master process. "set" overwrites any same-named header the
# agent supplied, so an agent cannot inject its own DN through this frontend.
# NOTE(review): that protection only covers traffic entering here; a client
# that can reach a backend's :8141 directly could supply these headers itself.
# Backends are expected to treat X-Client-DN as trusted only when
# X-Client-Verify is SUCCESS — confirm in the puppetserver auth config.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
# NOTE(review): no SSLProxyVerify / SSLProxyCACertificateFile, so the backend
# certificate is not checked; since the headers above carry identity
# assertions, "SSLProxyVerify require" with the Puppet CA would be the
# defence against a spoofed backend on the internal network.
SSLProxyEngine on
# Tries to avoid the "error reading status line from server" error
# (mod_proxy: do not reuse a pooled backend connection for the first request).
SetEnv proxy-initial-not-pooled 1
# Certificate requests should only go to the master (the CA lives there).
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/(puppet-ca/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
# File buckets should only be in one place. Choosing the frontend by default for simplicity
ProxyPassMatch ^/([^/]+/file_bucket_file/md5/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/(puppet/v3/file_bucket_file/md5/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
# Volatile should only be in one place. Choosing the master by default for simplicity
ProxyPassMatch ^/([^/]+/file_metadata(s)?/volatile/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/(puppet/v3/file_metadata(s)?/volatile.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/([^/]+/file_content/volatile/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
ProxyPassMatch ^/(puppet/v3/file_content/volatile/.*)$ https://puppetmaster1001.eqiad.wmnet:8141
# The rest gets balanced.
# Canary routing: "-R" matches the TCP peer address (not X-Forwarded-For)
# against the listed agents; any match sends the request to the canary
# backend instead of the main pool. The list is an OR chain ending with the
# last condition, which has no [OR].
RewriteEngine On
RewriteCond expr "-R '10.64.32.20'" [OR]
RewriteCond expr "-R '2620::861:103:10:64:32:20'" [OR]
RewriteCond expr "-R '198.35.26.6'" [OR]
RewriteCond expr "-R '2620::863:1:198:35:26:6'" [OR]
RewriteCond expr "-R '10.64.0.107'" [OR]
RewriteCond expr "-R '2620::861:101:10:64:0:107'" [OR]
RewriteCond expr "-R '2620::862:1:91:198:174:114'" [OR]
RewriteCond expr "-R '91.198.174.114'" [OR]
RewriteCond expr "-R '208.80.155.108'" [OR]
RewriteCond expr "-R '2620::861:4:208:80:155:108'" [OR]
RewriteCond expr "-R '10.64.48.167'" [OR]
RewriteCond expr "-R '2620::861:107:10:64:48:167'" [OR]
RewriteCond expr "-R '10.64.48.39'" [OR]
RewriteCond expr "-R '2620:0:861:107:b283:feff:fec0:b0d2'" [OR]
RewriteCond expr "-R '10.64.53.22'" [OR]
RewriteCond expr "-R '2620::861:108:10:64:53:22'" [OR]
RewriteCond expr "-R '10.64.0.175'" [OR]
RewriteCond expr "-R '2620::861:101:10:64:0:175'"
# [P] proxies via the balancer; [QSA] keeps the query string.
RewriteRule ^ balancer://canarybackend%{REQUEST_URI} [P,QSA]
# Canary pool (single member). NOTE(review): presumably inside
# <Proxy balancer://canarybackend> ... </Proxy>, tags not visible here.
BalancerMember https://puppetmaster1003.eqiad.wmnet:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
Require all granted
# Everything not matched above goes to the main pool.
ProxyPass / balancer://backend/
# Main pool. NOTE(review): presumably inside <Proxy balancer://backend> ...
# </Proxy>, tags not visible here. puppetmaster1001 (the master, also the
# CA/bucket/volatile target above) carries half the weight of the others.
BalancerMember https://puppetmaster1001.eqiad.wmnet:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=10
BalancerMember https://puppetmaster1002.eqiad.wmnet:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
BalancerMember https://rhodium.eqiad.wmnet:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
Require all granted
# "wmf" is a LogFormat nickname defined elsewhere in the Apache config.
CustomLog /var/log/apache2/puppetmaster.puppet.log wmf