-
Notifications
You must be signed in to change notification settings - Fork 1
/
puppet_apache.conf
67 lines (55 loc) · 2.57 KB
/
puppet_apache.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
ServerName __FQDN__
PassengerDisableAnonymousTelemetry on
# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 4
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600
Listen 8140
<VirtualHost *:8140>
PassengerRuby /opt/puppetlabs/puppet/bin/ruby
# Make Apache hand off HTTP requests to Puppet earlier, at the cost of
# interfering with mod_proxy, mod_rewrite, etc. See note below.
PassengerHighPerformance On
SSLEngine On
# Only allow high security cryptography. Alter if needed for compatibility.
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
SSLHonorCipherOrder on
SSLCertificateFile /etc/puppetlabs/puppet/ssl/certs/__FQDN__.pem
SSLCertificateKeyFile /etc/puppetlabs/puppet/ssl/private_keys/__FQDN__.pem
SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to
# none
# which effectively disables CRL checking. If you are using Apache 2.4+ you
# must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# These request headers are used to pass the client certificate
# authentication information on to the Puppet master process
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/server/public
<Directory /usr/share/puppet/server/>
Options None
AllowOverride None
# Apply the right behavior depending on Apache version.
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
ErrorLog /var/log/httpd/puppet_ssl_error.log
CustomLog /var/log/httpd/puppet_ssl_access.log combined
</VirtualHost>