Skip to content

Instantly share code, notes, and snippets.

@raphink
Last active October 19, 2019 05:21
Show Gist options
  • Save raphink/bc4f43353c20417871cb to your computer and use it in GitHub Desktop.
Save raphink/bc4f43353c20417871cb to your computer and use it in GitHub Desktop.
Puppet Proxy setup for the Puppet Server
<VirtualHost *:8140>
ServerName puppet-proxy
ServerAlias puppet-proxy.example.com
## SSL directives
SSLEngine on
SSLCertificateFile "/etc/puppet/ssl/certs/puppet-proxy.example.com.pem"
SSLCertificateKeyFile "/etc/puppet/ssl/private_keys/puppet-proxy.example.com.pem"
SSLCertificateChainFile "/etc/puppet/ssl/ca/ca_crt.pem"
SSLCACertificatePath "/etc/ssl/certs"
SSLCACertificateFile "/etc/puppet/ssl/ca/ca_crt.pem"
SSLCARevocationFile "/etc/puppet/ssl/ca/ca_crl.pem"
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# The key and certificate for puppet-proxy.example.com, concatenated as one PEM file
SSLProxyMachineCertificateFile /etc/apache2/pm_keys.pem
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
SSLProxyEngine On
ProxyPreserveHost On
# Redirect certificate requests to the local CA
ProxyPassMatch ^/.*/certificate.*/ http://localhost:8139
<Location ~ ^/.*/certificate.*/ >
ProxyPassReverse http://localhost:8139
</Location>
# Redirect stable environement requests to the stable Puppet Master
ProxyPassMatch ^/stable/ https://puppetmaster-stable.example.com:8140
<Location ~ ^/stable/ >
ProxyPassReverse https://puppetmaster-stable.example.com:8140
</Location>
# Redirect staging environement requests to the stable Puppet Master
ProxyPassMatch ^/staging/ https://puppetmaster-staging.example.com:8140
<Location ~ ^/staging/ >
ProxyPassReverse https://puppetmaster-staging.example.com:8140
</Location>
# All other requests go to the dev Puppet Master
ProxyPassMatch ^/.*/ https://puppetmaster-dev.example.com:8140
<Location ~ ^/.*/ >
ProxyPassReverse https://puppetmaster-dev.example.com:8140
</Location>
</VirtualHost>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment