Hi,

I've created two Nginx patches (see at the end of this message) to allow 
a simpler Nginx configuration for your Mongrel puppetmasters.

The two main issues with Nginx in front of puppet were:
  * no CRL support
  * no optional certificate verification (and thus we're forced to have 
two separate configs on two different ports, and to use --ca_port).

Now, it is as simple as the following configuration:

upstream puppet-production {
   server 127.0.0.1:18140;
   server 127.0.0.1:18141;
}

server {
   listen 8140;

   ssl                     on;
   ssl_session_timeout     5m;
   ssl_certificate         /var/lib/puppet/ssl/certs/puppetmaster.pem;
   ssl_certificate_key     /var/lib/puppet/ssl/private_keys/puppetmaster.pem;
   ssl_client_certificate  /var/lib/puppet/ssl/ca/ca_crt.pem;
   ssl_ciphers             SSLv2:-LOW:-EXPORT:RC4+RSA;

   # allow authenticated and client without certs
   ssl_verify_client       optional;

   # obey to the Puppet CRL
   ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

   root                    /var/tmp;

   location / {
     proxy_pass              http://puppet-production;
     proxy_redirect         off;
     proxy_set_header    Host             $host;
     proxy_set_header    X-Real-IP        $remote_addr;
     proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
     proxy_set_header    X-Client-Verify  $ssl_client_verify;
     proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
     proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
     proxy_read_timeout  65;
   }
}

I really hope those patches could be merged into the official Nginx 
distribution; meanwhile it is easy to patch and build your own nginx (or 
a package of it).

Please see the following blog post for more information and access to 
those patches:
http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/

Thanks,
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/
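With `ssl_verify_client optional`, nodes that present no certificate (or a bad one) still reach the backend, so the decision of what they may do has to happen behind the proxy, using the `X-Client-Verify` and `X-SSL-Subject` headers the configuration above forwards. Those headers are only trustworthy because `proxy_set_header` overwrites whatever the client sent and the Mongrels listen on 127.0.0.1. The following is an added example, not code from Brice's post and not Puppet's own Mongrel handler: a small Rack-style authorization check over those headers. The `/production/...` path prefixes, the CGI-style `HTTP_*` environment keys and the "CN must match the catalog node" rule are assumptions for illustration.

```ruby
# Added example (not from the original message, not Puppet's or nginx's code):
# authorize a proxied request using the headers set by the nginx config above.
# Path prefixes and rules below are assumptions, modelled on Puppet's REST layout.

# Endpoints a node may reach before it holds a signed certificate
# (enrolment: fetch the CA cert, submit a CSR, fetch the CRL). Assumed layout.
UNAUTHENTICATED_PREFIXES = %w[
  /production/certificate/
  /production/certificate_request/
  /production/certificate_revocation_list/
].freeze

# Extract the CN from the DN nginx exposes as $ssl_client_s_dn. Older nginx
# used "/C=FR/CN=node1" (slash-separated); newer releases use "CN=node1,C=FR".
def common_name(dn)
  m = dn.to_s.match(%r{(?:\A|[/,])CN=([^/,]+)})
  m && m[1]
end

# env mirrors Rack's CGI-style environment: "X-Client-Verify" arrives as
# HTTP_X_CLIENT_VERIFY and "X-SSL-Subject" as HTTP_X_SSL_SUBJECT.
# Returns [status, reason].
def authorize(env)
  path    = env['PATH_INFO'].to_s
  verify  = env['HTTP_X_CLIENT_VERIFY'].to_s
  subject = env['HTTP_X_SSL_SUBJECT'].to_s

  # Enrolment endpoints are open to clients without a certificate; this is
  # exactly what "ssl_verify_client optional" exists for.
  if UNAUTHENTICATED_PREFIXES.any? { |p| path.start_with?(p) }
    return [200, 'enrolment endpoint, no client certificate required']
  end

  # Everything else needs a certificate nginx verified against the CA and
  # the CRL. $ssl_client_verify is SUCCESS only then; NONE means no cert,
  # FAILED (possibly with a reason) means a bad or revoked cert. A missing
  # header is treated like a failure, never like a pass.
  unless verify == 'SUCCESS'
    shown = verify.empty? ? 'missing X-Client-Verify header' : verify
    return [403, "client certificate not verified (#{shown})"]
  end

  cn = common_name(subject)
  return [403, 'no CN in client certificate subject'] if cn.nil?

  # Catalog requests are node-specific: the certname must match the path,
  # so one node cannot pull another node's catalog.
  if (m = path.match(%r{\A/production/catalog/([^/?]+)}))
    unless m[1] == cn
      return [403, "certificate CN #{cn} may not fetch the catalog for #{m[1]}"]
    end
  end

  [200, "authenticated as #{cn}"]
end

# Constructed sample requests (not captured traffic) showing each outcome.
def demo
  samples = [
    { 'PATH_INFO' => '/production/certificate_request/node1',
      'HTTP_X_CLIENT_VERIFY' => 'NONE' },
    { 'PATH_INFO' => '/production/catalog/node1',
      'HTTP_X_CLIENT_VERIFY' => 'NONE' },
    { 'PATH_INFO' => '/production/catalog/node1',
      'HTTP_X_CLIENT_VERIFY' => 'SUCCESS', 'HTTP_X_SSL_SUBJECT' => '/CN=node1' },
    { 'PATH_INFO' => '/production/catalog/node2',
      'HTTP_X_CLIENT_VERIFY' => 'SUCCESS', 'HTTP_X_SSL_SUBJECT' => '/CN=node1' },
    { 'PATH_INFO' => '/production/catalog/node1',
      'HTTP_X_CLIENT_VERIFY' => 'FAILED', 'HTTP_X_SSL_SUBJECT' => '/CN=node1' }
  ]
  samples.map { |env| [env['PATH_INFO'], authorize(env)] }
end

demo.each { |path, (status, reason)| puts "#{status} #{path}: #{reason}" } if __FILE__ == $0
```

Run it directly to see the five constructed requests classified; the only requests that pass without a certificate are the enrolment paths, and a revoked certificate is refused because nginx, having consulted `ssl_crl`, reports `FAILED` rather than `SUCCESS`.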

