Forked from jeffmccune/puppet_master_seed_prod_8140.conf
Created
January 9, 2012 16:12
Puppet Master Front End Load Balancer configuration
## Apache Load Balancer Front End ##
# Puppet Apache::Config[010_frontend_puppet_prod.conf]
# This file is managed by Puppet from a template.
# source: puppet_frontend_XXXX.conf
# Certificate (CA) requests are pinned to a dedicated pool so that a single
# worker owns the CA state at any time.
# NOTE(review): members are addressed over plain http://, so the identity
# headers set by the front end travel unencrypted; port 18140 on the workers
# should only be reachable from this load balancer.
<Proxy balancer://puppet_prod_ca>
  # Primary CA worker (the only active member)
  BalancerMember http://puppetca.puppetlabs.vm:18140
  # Hot standby (status=+H): receives traffic only while the primary is offline
  BalancerMember http://puppetca2.puppetlabs.vm:18140 status=+H
</Proxy>
# Default pool: every request that is not a CA request is balanced across
# these four workers.
# NOTE(review): as with the CA pool, the back-end hop is plain http://, so
# the workers should accept connections on 18140 from this front end only.
<Proxy balancer://puppet_prod>
  BalancerMember http://puppetmaster1.puppetlabs.vm:18140
  BalancerMember http://puppetmaster2.puppetlabs.vm:18140
  BalancerMember http://puppetmaster3.puppetlabs.vm:18140
  BalancerMember http://puppetmaster4.puppetlabs.vm:18140
</Proxy>
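Listen 8140
<VirtualHost *:8140>
  # TLS termination for Puppet agents happens here; the workers behind the
  # balancers only ever see plain HTTP plus the identity headers set below.
  SSLEngine on
  # SSLv3 is no longer safe to offer (POODLE). "all" enables every protocol
  # version this mod_ssl build supports, minus the two broken SSL versions.
  SSLProtocol all -SSLv2 -SSLv3
  # Strong suites only: no anonymous/NULL key exchange, no RC4, no MD5 MACs.
  # The server's preference order wins over the client's.
  SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4
  SSLHonorCipherOrder on

  # Server certificate, key and chain presented to agents.
  SSLCertificateFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert.pem
  SSLCertificateKeyFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert_key.pem
  SSLCertificateChainFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert_chain.pem
  # CA certificate and CRL used to verify agent (client) certificates.
  SSLCACertificateFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_ca_cert.pem
  SSLCARevocationFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_ca_crl.pem
  # Client certificates are requested but not required, so requests without
  # a verified certificate are still proxied -- presumably so that agents
  # without a signed certificate can reach the CA (confirm). Authorization
  # therefore rests on the workers honouring X-Client-Verify.
  SSLVerifyClient optional
  SSLVerifyDepth 3
  SSLOptions +StdEnvVars

  # The following client headers record authentication information for
  # downstream workers. "set" (not "add"/"append") replaces any header of the
  # same name sent by the client, so an agent cannot supply its own DN or
  # verification result. Keep it that way.
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

  # Management and status handlers. The balancer manager can change pool
  # membership and server-status exposes request details, and this vhost
  # admits clients without a verified certificate, so both are limited to
  # loopback. Add further "Allow from" lines for an admin network if needed.
  <Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </Location>
  <Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </Location>

  # Optional status
  ProxyStatus On

  # Don't load balance requests to the status pages
  ProxyPass /balancer-manager !
  ProxyPass /server-status !

  # Ordering of ProxyPass directives is important: the exclusions above and
  # the CA match below must come before the catch-all.
  # Direct all Puppet Agent CA requests to a specific set of workers.
  ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_prod_ca/
  # ProxyPassReverse takes a literal path prefix, not a regular expression,
  # so the CA pool is mapped at / in the same way as the default pool.
  ProxyPassReverse / balancer://puppet_prod_ca/

  # Direct all other Puppet Agent requests to the default set of workers.
  ProxyPass / balancer://puppet_prod/
  ProxyPassReverse / balancer://puppet_prod/
  ProxyPreserveHost On

  # Logging for this front end. The third log records the negotiated
  # protocol and cipher per request, which shows whether any agent still
  # depends on a legacy protocol or suite.
  ErrorLog /var/log/httpd/frontend_puppet_prod_error.log
  CustomLog /var/log/httpd/frontend_puppet_prod_access.log combined
  CustomLog /var/log/httpd/frontend_puppet_prod_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# EOF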