awreece · November 18, 2014 21:09
diff --git a/gistfile1.txt b/gistfile1.txt
 # This Apache 2 virtual host config shows how to use Puppet as a Rack
 # application via Passenger. See
 # http://docs.puppetlabs.com/guides/passenger.html for more information.

 # You can also use the included config.ru file to run Puppet with other Rack
 # servers instead of Passenger.

 # you probably want to tune these settings
 PassengerHighPerformance on
 PassengerMaxPoolSize 12
 PassengerPoolIdleTime 1500
 # PassengerMaxRequests 1000
 PassengerStatThrottleRate 120

 Listen 8140

 <VirtualHost *:8140>
        SSLEngine on
        SSLProtocol             ALL -SSLv2 -SSLv3
        SSLCipherSuite          EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        SSLHonorCipherOrder     on

        SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.XXX.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.XXX.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
        SSLCARevocationCheck chain
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
 </VirtualHost>
	# This Apache 2 virtual host config shows how to use Puppet as a Rack
	# application via Passenger. See
	# http://docs.puppetlabs.com/guides/passenger.html for more information.

	# You can also use the included config.ru file to run Puppet with other Rack
	# servers instead of Passenger.

	# you probably want to tune these settings
	PassengerHighPerformance on
	PassengerMaxPoolSize 12
	PassengerPoolIdleTime 1500
	# PassengerMaxRequests 1000
	PassengerStatThrottleRate 120

	Listen 8140

	<VirtualHost *:8140>
	SSLEngine on
	SSLProtocol ALL -SSLv2 -SSLv3
	SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
	SSLHonorCipherOrder on

	SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.XXX.com.pem
	SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.XXX.com.pem
	SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
	SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
	# If Apache complains about invalid signatures on the CRL, you can try disabling
	# CRL checking by commenting the next line, but this is not recommended.
	SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
	# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
	# which effectively disables CRL checking; if you are using Apache 2.4+ you must
	# specify 'SSLCARevocationCheck chain' to actually use the CRL.
	SSLCARevocationCheck chain
	SSLVerifyClient optional
	SSLVerifyDepth 1
	# The `ExportCertData` option is needed for agent certificate expiration warnings
	SSLOptions +StdEnvVars +ExportCertData

	# This header needs to be set if using a loadbalancer or proxy
	RequestHeader unset X-Forwarded-For

	RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
	RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
	RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

	DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
	RackBaseURI /
	<Directory /usr/share/puppet/rack/puppetmasterd/>
	Options None
	AllowOverride None
	Order allow,deny
	allow from all
	</Directory>
	</VirtualHost>