Have you tried with passenger 2.2.2?
2009/10/20 nothings_absolute <soren.mor...@gmail.com>:
>
> 1st off sorry this is so long... I didn't see any way to attach files
> when creating the discussion.
>
> I am trying to get my puppetmaster (0.25.0) working with passenger
> (2.2.5) on Solaris (It works fine using webrick). At this point I
> think it "should" work, but get a 400 error (Located below) when
> running puppetd on the client.
>
> The server doesn't have anything in the error log indicating a
> problem, but the access log shows the server returning a 400 error.
> Any ideas about what the problem could be or how to enable additional
> logging on the server side (I tried uncommenting << "--debug" in my
> config.ru, but don't get anything additional).
>
> I have also included my config.ru, puppet.conf, and ssl.conf below the
> errors. Note: The install paths are bit odd, but I am trying to do
> this so that I can share a main "opt" puppet package with all zones
> and then have a puppetmd package that uses the same install as puppet
> itself.
>
>
> *** client error output ***
> bash-3.00# /opt/dhw/sbin/puppetd --server
> dhwsol105prod1z3.dhw.state.id.us --test --debug --environment=prod
> debug: Failed to load library 'shadow' for feature 'libshadow'
> debug: Puppet::Type::User::ProviderPw: file pw does not exist
> debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/
> dscl does not exist
> debug: Failed to load library 'ldap' for feature 'ldap'
> debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
> debug: /File[/etc/puppet/ssl/crl.pem]: Autorequiring File[/etc/puppet/
> ssl]
> debug: /File[/etc/puppet/ssl/certs/
> dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/
> ssl/certs]
> debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/
> ssl]
> debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/
> ssl]
> debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
> debug: /File[/etc/puppet/ssl/private_keys/
> dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/
> ssl/private_keys]
> debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/
> puppet/state]
> debug: /File[/etc/puppet/ssl/public_keys/
> dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/
> ssl/public_keys]
> debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File
> [/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
> debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/
> state]
> debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/
> puppet/state]
> debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
> debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/
> puppet/ssl]
> debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/
> puppet]
> debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/
> puppet/ssl/certs]
> debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/
> puppet/ssl]
> debug: Finishing transaction 9414216 with 0 changes
> debug: Using cached certificate for ca
> debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us
> debug: Loaded state in 0.03 seconds
> debug: Using cached certificate for ca
> debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us
> debug: Using cached certificate_revocation_list for ca
> debug: Puppet::Network::Format[json]: false value when expecting true
> debug: Format s not supported for Puppet::Resource::Catalog; has not
> implemented method 'from_s'
> err: Could not retrieve catalog from remote server: Error 400 on
> SERVER: Bad Request
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
>
> *** Server error output ***
> 10.10.1.51 - - [20/Oct/2009:13:44:30 -0600] "GET /prod/catalog/
> dhwsol105prod1.dhw.state.id.us?facts_format=yaml&facts=---%2B%2521ruby
> %252Fobject%253APuppet%253A%253ANode%253A%253AFacts%2B%250Aexpiration
> %253A%2B2009-10-20%2B14%253A14%253A29.927609%2B-06%253A00%250Aname%253A
> %2Bdhwsol105prod1.dhw.state.id.us%250Avalues%253A%2B%250A%2B%2Bkernel
> %253A%2BSunOS%250A%2B%2Bipaddress_vnet0_3%253A%2B10.10.1.57%250A%2B
> %2Bnetwork_vnet0_2%253A%2B10.10.1.0%250A%2B%2Bnetmask%253A
> %2B255.255.255.0%250A%2B%2Bnetmask_lo0%253A%2B255.0.0.0%250A%2B
> %2Buniqueid%253A%2B84f9e03a%250A%2B%2Bfqdn%253A
> %2Bdhwsol105prod1.dhw.state.id.us%250A%2B%2Bnetwork_vnet0_3%253A
> %2B10.10.1.0%250A%2B%2Boperatingsystemrelease%253A%2B
> %25225.10%2522%250A%2B%2Bclientversion%253A%2B0.25.0%250A%2B
> %2Bipaddress%253A%2B10.10.1.51%250A%2B%2Bvirtual%253A%2Bphysical%250A
> %2B%2Bnetmask_lo0_1%253A%2B255.0.0.0%250A%2B%2Bis_virtual%253A%2B
> %2522false%2522%250A%2B%2Bps%253A%2Bps%2B-ef%250A%2B
> %2Bipaddress_vnet0%253A%2B10.10.1.51%250A%2B%2Brubysitedir%253A%2B
> %252Fopt%252Fdhw%252Flib%252Fruby%252Fsite_ruby%252F1.8%250A%2B
> %2Bnetmask_lo0_2%253A%2B255.0.0.0%250A%2B%2Bhardwaremodel%253A%2Bsun4v
> %250A%2B%2Bkernelrelease%253A%2B%25225.10%2522%250A%2B
> %2Bnetwork_vnet0%253A%2B10.10.1.0%250A%2B%2Bnetmask_lo0_3%253A
> %2B255.0.0.0%250A%2B%2Bdomain%253A%2Bdhw.state.id.us%250A%2B%2Btimezone
> %253A%2BMDT%250A%2B%2Bid%253A%2Broot%250A%2B%2Bnetwork_lo0%253A
> %2B127.0.0.0%250A%2B%2Bipaddress_lo0_1%253A%2B127.0.0.1%250A%2B
> %2Bhardwareisa%253A%2Bsparc%250A%2B%2Bmacaddress_vnet0%253A
> %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Binterfaces%253A
> %2Blo0%252Clo0_1%252Clo0_2%252Clo0_3%252Cvnet0%252Cvnet0_1%252Cvnet0_2%252Cvnet0_3%250A
> %2B%2Bipaddress_lo0_2%253A%2B127.0.0.1%250A%2B%2Bpath%253A%2B%252Fusr
> %252Fsbin%253A%252Fusr%252Fbin%253A%252Fusr%252Fccs%252Fbin%253A
> %252Fopt%252FSUNWldm%252Fbin%253A%252Fopt%252Fsmuser%252Fwebagent
> %252Fbin%253A%252Fsbin%250A%2B%2Bnetwork_lo0_1%253A%2B127.0.0.0%250A%2B
> %2Bnetmask_vnet0_1%253A%2B255.255.255.0%250A%2B%2Bkernelversion%253A
> %2BGeneric_141414-07%250A%2B%2Bipaddress_lo0%253A%2B127.0.0.1%250A%2B
> %2Benvironment%253A%2Bprod%250A%2B%2B%253F%2B%2521ruby%252Fsym
> %2B_timestamp%250A%2B%2B%253A%2BTue%2BOct
> %2B20%2B13%253A44%253A29%2B-0600%2B2009%250A%250A%2B
> %2Bnetmask_vnet0_2%253A%2B255.255.255.0%250A%2B%2Bpuppetversion%253A
> %2B0.25.0%250A%2B%2Buptime%253A%2B8%2Bday%250A%2B%2Bnetwork_lo0_2%253A
> %2B127.0.0.0%250A%2B%2Bipaddress_lo0_3%253A%2B127.0.0.1%250A%2B
> %2Bhostname%253A%2Bdhwsol105prod1%250A%2B%2Boperatingsystem%253A
> %2BSolaris%250A%2B%2Bipaddress_vnet0_1%253A%2B10.10.1.52%250A%2B
> %2Bfacterversion%253A%2B1.5.7%250A%2B%2Bmacaddress%253A
> %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Bnetmask_vnet0_3%253A
> %2B255.255.255.0%250A%2B%2Bnetwork_lo0_3%253A%2B127.0.0.0%250A%2B
> %2Bsshrsakey%253A
> %2BAAAAB3NzaC1yc2EAAAABIwAAAIEAxKVNsY3Tk78LgNboqdrTr9omRW7%252BTjD7PvyaD37NDW
> %252FQiaWHOxIjgQ257gO765AaekFmP%252FlI9IWA8ss2feEVOYhwms0JrOln
> %252BZzixI6NiUnEkW00DLR75NH5bIMmNsKDsxbwDGQuJkD2jav8WIgfMG
> %252BO9RYQxNNZOMu5rUDsimc%253D%250A%2B%2Bkernelmajversion%253A
> %2BGeneric_141414-07%250A%2B%2Bnetwork_vnet0_1%253A%2B10.10.1.0%250A%2B
> %2Bipaddress_vnet0_2%253A%2B10.10.1.53%250A%2B%2Brubyversion%253A
> %2B1.8.7%250A%2B%2Bsshdsakey%253A
> %2BAAAAB3NzaC1kc3MAAACBAK0sGCS6m349DPJ0ENTNBnRlrJuF9wzBqv6v91%252BYUyiTCug54DG38LhXsB5a8wzP7vFDHm91w8H6X8lHSjZAkAZj0CXuoy
> %252BKMypouxa4aPSIq79DHDM%252FEKUk4uoLoD1SfK9CUq%252FRpy1tJiXvp%252BHA
> %252B5upqd4GzJUlxyQ5XoDw81u5AAAAFQDAzYUpzs%252FGN9T9sXSgdscaw%252B
> %252BoRQAAAIBIjPBFixi6vEaQmRBXE1wGI7vYQ1vSD%252FY8kjPTiH1JV
> %252BiX4ba80qBAN4ZfOi0aItt6dil6naY%252BoagfQkETMp58dSd
> %252BqkwyfDtJfT6LigLJ9cA6trMEHvjDJP5nAykUWcFBiviOtvLioWJgCDzSKqsQs816imAgvEu3%252Bspub6A6iQAAAIBknje4ZSbAlB
> %252Bn9evhpdwYFHMq7biResm9m6SZvpOoHzgAu6qZPer91qrGvVERFNi20%252F8SgLr6%252FOlddfyr
> %252BfHxu7%252FesYuh
> %252BuKpVq9T5jhNi3cIwgTkkeAszP1MJnX32moRJ211F6oWlKW6S8tjfD1VGU5In8WzZ2s2xdM86I5e4w
> %253D%253D%250A%2B%2Bnetmask_vnet0%253A%2B255.255.255.0%250A HTTP/1.1"
> 400 38
>
>
> *** config.ru file ***
> # a config.ru, for use with every rack-compatible webserver.
> # SSL needs to be handled outside this, though.
>
> # if puppet is not in your RUBYLIB:
> # $:.unshift('/opt/dhw/lib')
>
> $0 = "puppetmasterd"
> require 'puppet'
>
> # if you want debugging:
> ARGV << "--debug"
>
> # Add configuration directory as argument
> ARGV << "--confdir=/etc/opt/dhw/puppetmd"
>
> ARGV << "--rack"
> require 'puppet/application/puppetmasterd'
> # we're usually running inside a Rack::Builder.new {} block,
> # therefore we need to call run *here*.
> run Puppet::Application[:puppetmasterd].run
>
>
> *** puppet.conf ***
> [main]
> # Set the environments available to puppet
> environments = trng,prod,qual,intg,dev,qualf
>
> # Set to sync custom facts to the clients
> pluginsync = true
>
>
> [puppetmasterd]
> # Added for support with Apache and passenger
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> # User and group to start puppetmasterd as
> user = puppetmd
> group = puppetmd
>
> # The port to run the puppet master on
> masterport = 8140
>
> # Where SSL certificates are kept.
> # The default value is '$confdir/ssl'.
> ssldir = $confdir/ssl
>
> # Single global manifest directory
> manifest = $confdir/manifests/site.pp
>
> # The location of the configuration for the fileserver
> fsconfig = $confdir/fileserver.conf
>
> # Where Puppet stores dynamic and growing data.
> # The default value is '/var/puppet'.
> vardir = /var/opt/dhw/puppetmd
>
> # Set factpath so facter can load custom facts from the server
> # factpath = $vardir/lib/facter
>
>
> [prod]
> # The module paths to check
> modulepath = /etc/opt/dhw/puppetmd/prod/modules
>
>
> [trng]
> # The module paths to check
> modulepath = /etc/opt/dhw/puppetmd/trng/modules
>
>
> [qual]
> # The module paths to check
> modulepath = /etc/opt/dhw/puppetmd/qual/modules
>
>
> [intg]
> # The module paths to check
> modulepath = /etc/opt/dhw/puppetmd/intg/modules
>
>
> [dev]
> # The module paths to check
> modulepath = /etc/opt/dhw/puppetmd/dev/modules
>
>
> [qualf]
> # The module paths to check
> modulepath = /etc/opt/dhw/puppetmd/qualf/modules
>
>
> *** ssl.conf ***
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> #SSLRandomSeed startup file:/dev/random 512
> #SSLRandomSeed startup file:/dev/urandom 512
> #SSLRandomSeed connect file:/dev/random 512
> #SSLRandomSeed connect file:/dev/urandom 512
>
> #<IfDefine SSL>
>
> #
> # When we also provide SSL we have to listen to the
> # standard HTTP port (see above) and to the HTTPS port
> #
> # Note: Configurations that use IPv6 but not IPv4-mapped addresses
> need two
> # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
> #
> #Listen 443
> Listen 8140
>
> ##
> ## SSL Global Context
> ##
> ## All SSL configuration in this context applies both to
> ## the main server and all SSL-enabled virtual hosts.
> ##
>
> #
> # Some MIME-types for downloading Certificates and CRLs
> #
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
>
> # Pass Phrase Dialog:
> # Configure the pass phrase gathering process.
> # The filtering dialog program (`builtin' is a internal
> # terminal dialog) has to provide the pass phrase on stdout.
> SSLPassPhraseDialog builtin
>
> # Inter-Process Session Cache:
> # Configure the SSL Session Cache: First the mechanism
> # to use and second the expiring timeout (in seconds).
> #SSLSessionCache none
> #SSLSessionCache shmht:/opt/apache/logs/ssl_scache(512000)
> #SSLSessionCache shmcb:/opt/apache/logs/ssl_scache(512000)
> SSLSessionCache dbm:/opt/apache/logs/ssl_scache
> SSLSessionCacheTimeout 300
>
> # Semaphore:
> # Configure the path to the mutual exclusion semaphore the
> # SSL engine uses internally for inter-process synchronization.
> SSLMutex file:/opt/apache/logs/ssl_mutex
>
>
> # Required Passenger settings
> LoadModule passenger_module /etc/opt/dhw/puppetmd/lib/passenger-2.2.5/
> ext/apache2/mod_passenger.so
> PassengerRoot /etc/opt/dhw/puppetmd/lib/passenger-2.2.5
> PassengerRuby /opt/dhw/bin/ruby
>
> # you probably want to tune these settings
> PassengerHighPerformance on
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1500
> # PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
>
> ##
> ## SSL Virtual Host Context
> ##
>
> #<VirtualHost _default_:443>
>
> <VirtualHost dhwsol105prod1z3.dhw.state.id.us:8140>
> ServerAdmin r...@dhwsol105prod1z3
>
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLOptions +StdEnvVars
>
> # General setup for the virtual host
> #DocumentRoot "/opt/apache/htdocs"
> DocumentRoot /etc/opt/dhw/puppetmd/rack/puppetmasterd/public
>
> RackBaseURI /
>
> <Directory /etc/opt/dhw/puppetmd/rack/puppetmasterd/>
> Options None
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>
>
> ErrorLog /opt/apache/logs/error_log
> TransferLog /opt/apache/logs/access_log
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> # SSL Cipher Suite:
> # List the ciphers that the client is permitted to negotiate.
> # See the mod_ssl documentation for a complete list.
> #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:
> +SSLv2:+EXP:+eNULL
> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
> # Server Certificate:
> # Point SSLCertificateFile at a PEM encoded certificate. If
> # the certificate is encrypted, then you will be prompted for a
> # pass phrase. Note that a kill -HUP will prompt again. Keep
> # in mind that if you have both an RSA and a DSA certificate you
> # can configure both in parallel (to also allow the use of DSA
> # ciphers, etc.)
> #SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt
> #SSLCertificateFile /opt/apache/conf/ssl.crt/server-dsa.crt
> SSLCertificateFile /etc/opt/dhw/puppetmd/ssl/certs/
> dhwsol105prod1z3.dhw.state.id.us.pem
>
> # Server Private Key:
> # If the key is not combined with the certificate, use this
> # directive to point at the key file. Keep in mind that if
> # you've both a RSA and a DSA private key you can configure
> # both in parallel (to also allow the use of DSA ciphers, etc.)
> #SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key
> #SSLCertificateKeyFile /opt/apache/conf/ssl.key/server-dsa.key
> SSLCertificateKeyFile /etc/opt/dhw/puppetmd/ssl/private_keys/
> dhwsol105prod1z3.dhw.state.id.us.pem
>
> # Server Certificate Chain:
> # Point SSLCertificateChainFile at a file containing the
> # concatenation of PEM encoded CA certificates which form the
> # certificate chain for the server certificate. Alternatively
> # the referenced file can be the same as SSLCertificateFile
> # when the CA certificates are directly appended to the server
> # certificate for convinience.
> #SSLCertificateChainFile /opt/apache/conf/ssl.crt/ca.crt
> SSLCertificateChainFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem
>
> # Certificate Authority (CA):
> # Set the CA certificate verification path where to find CA
> # certificates for client authentication or alternatively one
> # huge file containing all of them (file must be PEM encoded)
> # Note: Inside SSLCACertificatePath you need hash symlinks
> # to point to the certificate files. Use the provided
> # Makefile to update the hash symlinks after changes.
> #SSLCACertificatePath /opt/apache/conf/ssl.crt
> #SSLCACertificateFile /opt/apache/conf/ssl.crt/ca-bundle.crt
> SSLCACertificateFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem
>
> # Certificate Revocation Lists (CRL):
> # Set the CA revocation path where to find CA CRLs for client
> # authentication or alternatively one huge file containing all
> # of them (file must be PEM encoded)
> # Note: Inside SSLCARevocationPath you need hash symlinks
> # to point to the certificate files. Use the provided
> # Makefile to update the hash symlinks after changes.
> #SSLCARevocationPath /opt/apache/conf/ssl.crl
> #SSLCARevocationFile /opt/apache/conf/ssl.crl/ca-bundle.crl
> # If Apache complains about invalid signatures on CRL, you can try
> disabling
> # CRL checking by commenting the next line, but this is not
> recommended.
> SSLCARevocationFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crl.pem
>
> # Client Authentication (Type):
> # Client certificate verification type and depth. Types are
> # none, optional, require and optional_no_ca. Depth is a
> # number which specifies how deeply to verify the certificate
> # issuer chain before deciding the certificate is not valid.
> #SSLVerifyClient require
> #SSLVerifyDepth 10
> SSLVerifyClient optional
> SSLVerifyDepth 1
>
> # Access Control:
> # With SSLRequire you can do per-directory access control based
> # on arbitrary complex boolean expressions containing server
> # variable checks and other lookup directives. The syntax is a
> # mixture between C and Perl. See the mod_ssl documentation
> # for more details.
> #<Location />
> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
> # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> #</Location>
>
> # SSL Engine Options:
> # Set various options for the SSL engine.
> # o FakeBasicAuth:
> # Translate the client X.509 into a Basic Authorisation. This
> means that
> # the standard Auth/DBMAuth methods can be used for access
> control. The
> # user name is the `one line' version of the client's X.509
> certificate.
> # Note that no password is obtained from the user. Every entry in
> the user
> # file needs this password: `xxj31ZMTZzkVA'.
> # o ExportCertData:
> # This exports two additional environment variables:
> SSL_CLIENT_CERT and
> # SSL_SERVER_CERT. These contain the PEM-encoded certificates of
> the
> # server (always existing) and the client (only existing when
> client
> # authentication is used). This can be used to import the
> certificates
> # into CGI scripts.
> # o StdEnvVars:
> # This exports the standard SSL/TLS related `SSL_*' environment
> variables.
> # Per default this exportation is switched off for performance
> reasons,
> # because the extraction step is an expensive operation and is
> usually
> # useless for serving static content. So one usually enables the
> # exportation for CGI and SSI requests only.
> # o CompatEnvVars:
> # This exports obsolete environment variables for backward
> compatibility
> # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x.
> Use this
> # to provide compatibility to existing CGI scripts.
> # o StrictRequire:
> # This denies access when "SSLRequireSSL" or "SSLRequire" applied
> even
> # under a "Satisfy any" situation, i.e. when it applies access is
> denied
> # and no other module can change it.
> # o OptRenegotiate:
> # This enables optimized SSL connection renegotiation handling
> when SSL
> # directives are used in per-directory context.
> #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
> +StrictRequire
> <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
> SSLOptions +StdEnvVars
> </FilesMatch>
> <Directory "/opt/apache/cgi-bin">
> SSLOptions +StdEnvVars
> </Directory>
>
> # SSL Protocol Adjustments:
> # The safe and default but still SSL/TLS standard compliant shutdown
> # approach is that mod_ssl sends the close notify alert but doesn't
> wait for
> # the close notify alert from client. When you need a different
> shutdown
> # approach you can use one of the following variables:
> # o ssl-unclean-shutdown:
> # This forces an unclean shutdown when the connection is closed,
> i.e. no
> # SSL close notify alert is send or allowed to received. This
> violates
> # the SSL/TLS standard but is needed for some brain-dead browsers.
> Use
> # this when you receive I/O errors because of the standard
> approach where
> # mod_ssl sends the close notify alert.
> # o ssl-accurate-shutdown:
> # This forces an accurate shutdown when the connection is closed,
> i.e. a
> # SSL close notify alert is send and mod_ssl waits for the close
> notify
> # alert of the client. This is 100% SSL/TLS standard compliant,
> but in
> # practice often causes hanging connections with brain-dead
> browsers. Use
> # this only for browsers where you know that their SSL
> implementation
> # works correctly.
> # Notice: Most problems of broken clients are also related to the
> HTTP
> # keep-alive facility, so you usually additionally want to disable
> # keep-alive for those clients, too. Use variable "nokeepalive" for
> this.
> # Similarly, one has to force some clients to use HTTP/1.0 to
> workaround
> # their broken HTTP/1.1 implementation. Use variables
> "downgrade-1.0" and
> # "force-response-1.0" for this.
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> # Per-Server Logging:
> # The home of a custom SSL log file. Use this when you want a
> # compact non-error SSL logfile on a virtual host basis.
> CustomLog /opt/apache/logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
