Dzahn has uploaded a new change for review.
https://gerrit.wikimedia.org/r/153987
Change subject: puppetmaster Apache template - retab
......................................................................
puppetmaster Apache template - retab
Change-Id: I14b339c969a28a461a61072d5ec4a5737b4330be
---
M modules/puppetmaster/templates/puppetmaster.erb
1 file changed, 85 insertions(+), 85 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/87/153987/1
diff --git a/modules/puppetmaster/templates/puppetmaster.erb
b/modules/puppetmaster/templates/puppetmaster.erb
index e8cbc5a..f6ee749 100644
--- a/modules/puppetmaster/templates/puppetmaster.erb
+++ b/modules/puppetmaster/templates/puppetmaster.erb
@@ -12,105 +12,105 @@
<%- if @server_type == 'frontend' or @server_type == 'standalone' -%>
<VirtualHost <%= scope.lookupvar('puppetmaster::passenger::bind_address')
%>:8140>
- SSLEngine on
+ SSLEngine on
- SSLCertificateFile /var/lib/puppet/server/ssl/certs/<%=
scope.lookupvar('puppetmaster::server_name') %>.pem
- SSLCertificateKeyFile /var/lib/puppet/server/ssl/private_keys/<%=
scope.lookupvar('puppetmaster::server_name') %>.pem
- SSLCACertificateFile /var/lib/puppet/server/ssl/ca/ca_crt.pem
- SSLCertificateChainFile /var/lib/puppet/server/ssl/ca/ca_crt.pem
- # If Apache complains about invalid signatures on the CRL, you can try
disabling
- # CRL checking by commenting the next line, but this is not recommended.
- SSLCARevocationPath /var/lib/puppet/server/ssl/crl
- SSLVerifyClient <%=
scope.lookupvar('puppetmaster::passenger::verify_client') %>
- SSLVerifyDepth 1
- SSLOptions +StdEnvVars
- <%= @ssl_settings.join("\n") %>
+ SSLCertificateFile /var/lib/puppet/server/ssl/certs/<%=
scope.lookupvar('puppetmaster::server_name') %>.pem
+ SSLCertificateKeyFile /var/lib/puppet/server/ssl/private_keys/<%=
scope.lookupvar('puppetmaster::server_name') %>.pem
+ SSLCACertificateFile /var/lib/puppet/server/ssl/ca/ca_crt.pem
+ SSLCertificateChainFile /var/lib/puppet/server/ssl/ca/ca_crt.pem
+ # If Apache complains about invalid signatures on the CRL, you can try
disabling
+ # CRL checking by commenting the next line, but this is not recommended.
+ SSLCARevocationPath /var/lib/puppet/server/ssl/crl
+ SSLVerifyClient <%=
scope.lookupvar('puppetmaster::passenger::verify_client') %>
+ SSLVerifyDepth 1
+ SSLOptions +StdEnvVars
+ <%= @ssl_settings.join("\n") %>
- <%- if @server_type == 'frontend' -%>
- # These request headers are used to pass the client certificate
- # authentication information on to the puppet master process
- RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
- RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
- RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
+ <%- if @server_type == 'frontend' -%>
+ # These request headers are used to pass the client certificate
+ # authentication information on to the puppet master process
+ RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
- SSLProxyEngine on
- # Certificates should only be in the frontend. It is terminating SSL
connections from clients and authenticating them
- # The connection to the backends is also SSL encrypted but by frontend
and backends do not authenticate connections
- ProxyPassMatch ^/([^/]+/certificate.*)$ https://<%= @fqdn %>:8141
- # Reports should only be in one place. Choosing the frontend by default
for simplicity
- ProxyPassMatch ^/([^/]+/report/.*)$ https://<%= @fqdn %>:8141
- # File buckets should only be in one place. Choosing the frontend by
default for simplicity
- ProxyPassMatch ^/([^/]+/file_bucket_file/md5/.*)$ https://<%= @fqdn
%>:8141
- # Volatile should only be in one place. Choosing the frontend by
default for simplicity
- ProxyPassMatch ^/([^/]+/file_metadata(s)?/volatile/.*)$ https://<%=
@fqdn %>:8141
- ProxyPassMatch ^/([^/]+/file_content/volatile/.*)$ https://<%= @fqdn
%>:8141
- # The rest gets balanced
- ProxyPass / balancer://mycluster/
- <Proxy balancer://mycluster>
- <%- @workers.each do |workerhash| -%>
- BalancerMember https://<%= workerhash['worker'] %>:8141
connectiontimeout=1 retry=500 timeout=900 <%- if workerhash['loadfactor']
-%>loadfactor=<%= workerhash['loadfactor'] %><%- end %>
- <%- end -%>
- Order allow,deny
- Allow from all
- </Proxy>
- <%- else -%>
- RackBaseURI /
+ SSLProxyEngine on
+ # Certificates should only be in the frontend. It is terminating SSL
connections from clients and authenticating them
+ # The connection to the backends is also SSL encrypted but by frontend and
backends do not authenticate connections
+ ProxyPassMatch ^/([^/]+/certificate.*)$ https://<%= @fqdn %>:8141
+ # Reports should only be in one place. Choosing the frontend by default
for simplicity
+ ProxyPassMatch ^/([^/]+/report/.*)$ https://<%= @fqdn %>:8141
+ # File buckets should only be in one place. Choosing the frontend by
default for simplicity
+ ProxyPassMatch ^/([^/]+/file_bucket_file/md5/.*)$ https://<%= @fqdn %>:8141
+ # Volatile should only be in one place. Choosing the frontend by default
for simplicity
+ ProxyPassMatch ^/([^/]+/file_metadata(s)?/volatile/.*)$ https://<%= @fqdn
%>:8141
+ ProxyPassMatch ^/([^/]+/file_content/volatile/.*)$ https://<%= @fqdn
%>:8141
+ # The rest gets balanced
+ ProxyPass / balancer://mycluster/
+ <Proxy balancer://mycluster>
+ <%- @workers.each do |workerhash| -%>
+ BalancerMember https://<%= workerhash['worker'] %>:8141
connectiontimeout=1 retry=500 timeout=900 <%- if workerhash['loadfactor']
-%>loadfactor=<%= workerhash['loadfactor'] %><%- end %>
+ <%- end -%>
+ Order allow,deny
+ Allow from all
+ </Proxy>
+ <%- else -%>
+ RackBaseURI /
- <Location />
- Order Allow,Deny
- <%- scope.lookupvar('puppetmaster::passenger::allow_from').each
do |entry| -%>
- Allow from <%= entry.gsub(/^\*/, "") %>
- <%- end -%>
- <%- scope.lookupvar('puppetmaster::passenger::deny_from').each
do |entry| -%>
- Deny from <%= entry.gsub(/^\*/, "") %>
- <%- end -%>
- </Location>
+ <Location />
+ Order Allow,Deny
+ <%- scope.lookupvar('puppetmaster::passenger::allow_from').each do
|entry| -%>
+ Allow from <%= entry.gsub(/^\*/, "") %>
+ <%- end -%>
+ <%- scope.lookupvar('puppetmaster::passenger::deny_from').each do
|entry| -%>
+ Deny from <%= entry.gsub(/^\*/, "") %>
+ <%- end -%>
+ </Location>
- DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
- <Directory /usr/share/puppet/rack/puppetmasterd/>
- Options None
- AllowOverride None
- Order allow,deny
- allow from all
- </Directory>
- <%- end -%>
+ DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
+ <Directory /usr/share/puppet/rack/puppetmasterd/>
+ Options None
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+ <%- end -%>
- LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %O %D
\"%{Referer}i\" \"%{User-Agent}i\"" puppetmaster
- CustomLog /var/log/apache2/puppetmaster.log puppetmaster
+ LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %O %D \"%{Referer}i\"
\"%{User-Agent}i\"" puppetmaster
+ CustomLog /var/log/apache2/puppetmaster.log puppetmaster
</VirtualHost>
<%- end -%>
<%- if @server_type == 'frontend' or @server_type == 'backend' -%>
<VirtualHost <%= scope.lookupvar('puppetmaster::passenger::bind_address')
%>:8141>
- SSLEngine on
- SSLProtocol -ALL +SSLv3 +TLSv1
- SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
+ SSLEngine on
+ SSLProtocol -ALL +SSLv3 +TLSv1
+ SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
- SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
- SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn
%>.pem
- SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
- SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
- RackBaseURI /
+ SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
+ SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
+ SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
+ SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
+ RackBaseURI /
- <Location />
- Order Allow,Deny
- <%- scope.lookupvar('puppetmaster::passenger::allow_from').each
do |entry| -%>
- Allow from <%= entry.gsub(/^\*/, "") %>
- <%- end -%>
- <%- scope.lookupvar('puppetmaster::passenger::deny_from').each
do |entry| -%>
- Deny from <%= entry.gsub(/^\*/, "") %>
- <%- end -%>
- </Location>
+ <Location />
+ Order Allow,Deny
+ <%- scope.lookupvar('puppetmaster::passenger::allow_from').each do
|entry| -%>
+ Allow from <%= entry.gsub(/^\*/, "") %>
+ <%- end -%>
+ <%- scope.lookupvar('puppetmaster::passenger::deny_from').each do
|entry| -%>
+ Deny from <%= entry.gsub(/^\*/, "") %>
+ <%- end -%>
+ </Location>
- DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
- <Directory /usr/share/puppet/rack/puppetmasterd/>
- Options None
- AllowOverride None
- Order allow,deny
- allow from all
- </Directory>
+ DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
+ <Directory /usr/share/puppet/rack/puppetmasterd/>
+ Options None
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
- LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %O %D
\"%{Referer}i\" \"%{User-Agent}i\"" puppetmaster
- CustomLog /var/log/apache2/puppetmaster-backend.log puppetmaster
+ LogFormat "%h %l %u %{%Y-%m-%d %H:%M:%S}t \"%r\" %>s %O %D \"%{Referer}i\"
\"%{User-Agent}i\"" puppetmaster
+ CustomLog /var/log/apache2/puppetmaster-backend.log puppetmaster
</VirtualHost>
<%- end -%>
Gerrit-MessageType: newchange
Gerrit-Change-Id: I14b339c969a28a461a61072d5ec4a5737b4330be
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>