@nanliu
Created July 25, 2012 06:18
Puppet Master F5
# Key installed on the F5; it is paired with puppet.crt in the client SSL profile below.
f5_key { 'puppet.key':
  ensure  => 'present',
  content => file("${settings::ssldir}/ca/ca_key.pem"),
  mode    => 'MANAGEMENT_MODE_DEFAULT',
}

# Client SSL profile: the F5 terminates agent TLS and requires a client
# certificate issued by the Puppet CA (peer_certification_mode => REQUIRE).
f5_profileclientssl { 'puppetmaster':
  ensure                     => present,
  certificate_file           => 'puppet.crt',
  key_file                   => 'puppet.key',
  ca_file                    => 'puppetca.crt',
  client_certificate_ca_file => 'puppetca.crt',
  peer_certification_mode    => 'REQUIRE',
}

# Pool of Puppet masters listening on 8140, balanced by least connections.
f5_pool { 'puppetmaster':
  ensure    => present,
  lb_method => 'LEAST_CONNECTION_MEMBER',
  member    => {
    '192.168.1.1:8140' => {},
    '192.168.1.2:8140' => {},
  },
}

# iRule: forward the verified client identity to the masters as headers.
# Certificate and CSR requests are skipped because the agent has no
# signed client certificate yet at that point.
f5_rule { 'puppetmaster':
  ensure     => present,
  definition => 'when HTTP_REQUEST {
  HTTP::header insert "X-Forwarded-Proto" "https"
  set cert_request 0
  # second path segment, e.g. "/certificate/" in /production/certificate/<name>
  set path2 [URI::path [HTTP::uri] 2 2 ]
  if { $path2 == "/certificate/" || $path2 == "/certificate_request/" } {
    set cert_request 1
  }
}
when HTTP_REQUEST_SEND {
  if { $cert_request == 0 } {
    clientside {
      if { [SSL::verify_result] == 0 } {
        HTTP::header insert "X-Client-Verify" "SUCCESS"
      }
      HTTP::header insert "X-Client-DN" /[X509::subject [SSL::cert 0]]
      HTTP::header insert "X-SSL-Subject" /[X509::subject [SSL::cert 0]]
    }
  }
}',
}