dblessing/5390457
Created April 15, 2013 19:01
apache
# Apache handles the SSL encryption and decryption. It replaces webrick and listens by default on 8140
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppet3.example.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet3.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    # The `ExportCertData` option is needed for agent certificate expiration warnings
    SSLOptions +StdEnvVars +ExportCertData
    # This header needs to be set if using a loadbalancer or proxy
    RequestHeader unset X-Forwarded-For
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    DocumentRoot /etc/puppet/rack/public/
    RackBaseURI /
    <Directory /etc/puppet/rack/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
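An added checker, not part of the gist: it audits the vhost's TLS directives, flagging the legacy protocols and the RC4 cipher element above, and reports nothing for a hardened variant. `HARDENED`, the function names and the keyword heuristic are assumptions made for this example.

```python
# Constructed samples: WEAK copies the gist's TLS lines; HARDENED is an assumed
# replacement for Apache 2.4 with a current OpenSSL, not the author's config.
WEAK = """\
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
"""
HARDENED = """\
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
"""
# "all" is read as including SSLv3, the conservative assumption.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
LEGACY = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
WEAK_WORDS = ("RC4", "DES", "MD5", "EXP", "LOW", "MEDIUM", "NULL", "ADH")

def enabled_protocols(args):
    """mod_ssl rule: +x adds, -x removes, a bare token replaces the set."""
    enabled = set()
    for token in args.lower().split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = ALL_PROTOCOLS if name == "all" else {name}
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled

def audit(config):
    """Return findings for the TLS directives in an Apache vhost config."""
    findings, seen = [], set()
    for raw in config.splitlines():
        directive, _, args = raw.strip().partition(" ")
        if not directive or directive.startswith("#"):
            continue
        seen.add(directive.lower())
        if directive.lower() == "sslprotocol":
            legacy = sorted(enabled_protocols(args) & LEGACY)
            findings += [f"legacy protocol enabled: {p}" for p in legacy]
        elif directive.lower() == "sslciphersuite":
            # Heuristic: only bare elements add ciphers; "!", "-", "+" do not.
            for e in args.split(":"):
                if e[:1] not in "!-+" and any(w in e.upper() for w in WEAK_WORDS):
                    findings.append(f"weak cipher element: {e}")
    if "sslcarevocationfile" not in seen:
        findings.append("SSLCARevocationFile not set: no CRL checking")
    return findings
```

The cipher check is a keyword heuristic, not an OpenSSL cipher-list evaluator; `openssl ciphers -v '<string>'` shows what a given string actually expands to.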