Created
January 21, 2011 17:17
Puppet Master Front End Load Balancer configuration
## Apache Load Balancer Front End ##
# Puppet Apache::Config[010_frontend_puppet_prod.conf]
# This file is managed by Puppet from a template.
# source: puppet_frontend_XXXX.conf
# Certificate authority pool: every CA request is sent to these workers.
# Members are addressed over plain HTTP; TLS ends at this front end.
<Proxy balancer://puppet_prod_ca>
    # Single active member
    BalancerMember http://puppetca.puppetlabs.vm:18140
    # Hot standby (status=+H): used if the primary is offline
    BalancerMember http://puppetca2.puppetlabs.vm:18140 status=+H
</Proxy>
# Default pool: every request that is not a CA request is balanced across
# these workers. Members are addressed over plain HTTP; TLS ends at this
# front end.
<Proxy balancer://puppet_prod>
    BalancerMember http://puppetmaster1.puppetlabs.vm:18140
    BalancerMember http://puppetmaster2.puppetlabs.vm:18140
    BalancerMember http://puppetmaster3.puppetlabs.vm:18140
    BalancerMember http://puppetmaster4.puppetlabs.vm:18140
</Proxy>
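# TLS front end for Puppet agents. It terminates SSL on port 8140, records
# the client-certificate result in request headers, and proxies to the
# balancer pools over plain HTTP.
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    # SSLv3 is no longer safe to offer (POODLE), so it is excluded here.
    # "ALL" expands to whatever protocol versions this build supports.
    SSLProtocol ALL -SSLv2 -SSLv3
    # NOTE(review): this cipher string still admits RC4 and MEDIUM-strength
    # suites. Tighten it once the oldest agent / OpenSSL version in the fleet
    # is known; left unchanged here because that cannot be seen from this file.
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile      /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert.pem
    SSLCertificateKeyFile   /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert_key.pem
    SSLCertificateChainFile /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_cert_chain.pem
    SSLCACertificateFile    /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_ca_cert.pem
    SSLCARevocationFile     /var/lib/puppet/spool/loadbalancer/frontend_puppet_prod/ssl_ca_crl.pem

    # Client certificates are requested but not required, so a connection
    # without a valid certificate is still proxied. The verification result
    # is only reported to the workers via the headers below.
    SSLVerifyClient optional
    SSLVerifyDepth  3
    # Exports the SSL_* environment variables that the RequestHeader lines read.
    SSLOptions +StdEnvVars

    # Record authentication information for the downstream workers.
    # "set" replaces any header of the same name sent by the client, so a
    # client cannot supply its own values through this front end.
    # NOTE(review): the workers presumably authorize requests from these
    # headers. Their port (18140) is plain HTTP, so it must accept connections
    # only from this load balancer. Confirm with a firewall or bind address.
    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # The management and status handlers are restricted to the local host.
    # balancer-manager can change pool membership and server-status exposes
    # request details, so neither should be reachable by agents. Widen the
    # "Allow from" line to a management network only if that is needed.
    <Location /balancer-manager>
        SetHandler balancer-manager
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>

    # Optional status
    ProxyStatus On

    # Don't load balance requests to the status pages
    ProxyPass /balancer-manager !
    ProxyPass /server-status !

    # Ordering of ProxyPass directives is important: the exclusions above and
    # the CA rule below must come before the catch-all.
    # Direct all Puppet Agent CA requests to a specific set of workers.
    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_prod_ca/
    # NOTE(review): ProxyPassReverse takes a path prefix, not a regular
    # expression, so this line probably never matches. Kept as in the original.
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_prod_ca/

    # Direct all other Puppet Agent requests to the default set of workers.
    ProxyPass / balancer://puppet_prod/
    ProxyPassReverse / balancer://puppet_prod/
    ProxyPreserveHost On

    # Logging for this front end. The third log records the negotiated
    # protocol and cipher per request, which shows what agents actually use.
    ErrorLog /var/log/httpd/frontend_puppet_prod_error.log
    CustomLog /var/log/httpd/frontend_puppet_prod_access.log combined
    CustomLog /var/log/httpd/frontend_puppet_prod_ssl_requests.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>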
# EOF |
Very nice.