@jeffmccune
Created January 21, 2011 17:17
Puppet Master Front End Load Balancer configuration
## Apache Load Balancer Front End ##
# Puppet Apache::Config[010_frontend_puppet_prod.conf]
# This file managed by Puppet from a template.
# source: puppet_frontend_XXXX.conf
# Pool for certificate authority traffic. CA requests are pinned to a
# dedicated set of workers rather than spread across the general pool.
#
# NOTE(review): members are reached over plain HTTP. The workers see only the
# X-Client-* headers set by the front-end virtual host, so port 18140 on these
# hosts should accept connections from the load balancer only.
<Proxy balancer://puppet_prod_ca>
    # Single active member.
    BalancerMember http://puppetca.puppetlabs.vm:18140
    # status=+H marks this member as a hot standby: it receives traffic only
    # when the primary is offline.
    BalancerMember http://puppetca2.puppetlabs.vm:18140 status=+H
</Proxy>
# Default worker pool: every request that is not a CA request lands here.
#
# NOTE(review): as with the CA pool, these members speak plain HTTP and rely on
# the front end for client authentication; restrict port 18140 on the workers
# to the load balancer's address.
<Proxy balancer://puppet_prod>
    BalancerMember http://puppetmaster1.puppetlabs.vm:18140
    BalancerMember http://puppetmaster2.puppetlabs.vm:18140
    BalancerMember http://puppetmaster3.puppetlabs.vm:18140
    BalancerMember http://puppetmaster4.puppetlabs.vm:18140
</Proxy>
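Listen 8140
<VirtualHost *:8140>
    # TLS terminates here; the workers behind the balancers are reached over HTTP.
    SSLEngine on

    # SSLv3 is no longer enabled (it is broken by POODLE); SSLv2 stays off.
    # "all" lets the server offer every newer TLS version the build supports
    # instead of pinning clients to TLSv1 only.
    SSLProtocol all -SSLv2 -SSLv3
    # Strong ciphers only: no anonymous key exchange, no MD5 MACs, no RC4.
    # The previous string began with ALL and explicitly kept RC4 and MEDIUM.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    SSLCertificateFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert.pem
    SSLCertificateKeyFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert_key.pem
    SSLCertificateChainFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert_chain.pem
    SSLCACertificateFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_ca_cert.pem
    SSLCARevocationFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_ca_crl.pem

    # Client certificates are requested but not required, so unauthenticated
    # requests are still proxied. The workers must check X-Client-Verify
    # before trusting X-Client-DN.
    # NOTE(review): presumably "optional" exists so agents without a signed
    # certificate can still reach the CA; confirm before tightening.
    SSLVerifyClient optional
    SSLVerifyDepth 3
    # Export the SSL_* variables that the RequestHeader lines below read.
    SSLOptions +StdEnvVars

    # Record the TLS authentication result for the downstream workers.
    # "set" replaces any header of the same name sent by the client, so a
    # client cannot inject its own X-Client-* values through this front end.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # The management and status handlers were previously open to everyone
    # ("left wide open for testing"). balancer-manager can change pool
    # membership and server-status exposes request details, so both are now
    # limited to loopback. Add further "Allow from" entries for an admin
    # network if remote access is needed.
    <Location /balancer-manager>
        SetHandler balancer-manager
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
    </Location>
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
    </Location>

    # Optional status
    ProxyStatus On

    # Serve the status pages locally instead of forwarding them to a worker.
    ProxyPass /balancer-manager !
    ProxyPass /server-status !

    # Ordering of ProxyPass directives is important: exclusions first, then
    # the CA match, then the catch-all.
    # Direct all Puppet Agent CA requests to a specific set of workers.
    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_prod_ca/
    # NOTE(review): ProxyPassReverse takes a literal path, not a regular
    # expression, so this line probably never matches a response header.
    # Confirm, and replace the pattern with a plain path if rewriting is needed.
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_prod_ca/

    # Direct all other Puppet Agent requests to the default set of workers.
    ProxyPass / balancer://puppet_prod/
    ProxyPassReverse / balancer://puppet_prod/
    ProxyPreserveHost On

    # Logging for this front end. The third log records the negotiated
    # protocol and cipher per request, which helps find legacy clients after
    # the protocol and cipher restrictions above.
    ErrorLog /var/log/httpd/frontend_puppet_prod_error.log
    CustomLog /var/log/httpd/frontend_puppet_prod_access.log combined
    CustomLog /var/log/httpd/frontend_puppet_prod_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>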
# EOF
@udaivizury

Very nice.
