tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaned up apache proxy config for puppetmaster and tightened crypto settings.

Browse source
This commit is contained in:
Timo Mkinen 2011-08-05 00:47:38 +03:00
parent 37c0a23f0f
commit f6f4ed8711
1 changed files with 34 additions and 118 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

152
puppet/templates/puppet-httpd.conf.erb
View file

@ -4,14 +4,11 @@
<IfModule !mod_ssl.c> <IfModule !mod_ssl.c>
LoadModule ssl_module modules/mod_ssl.so LoadModule ssl_module modules/mod_ssl.so
</IfModule> </IfModule>
#
# Listen to puppet port also # Listen to puppet port also
#
Listen 8140 Listen 8140
#
# Proxy balancer settings # Proxy balancer settings
#
<Proxy balancer://puppetmaster> <Proxy balancer://puppetmaster>
<% puppet_listenports.each do |port| -%> <% puppet_listenports.each do |port| -%>
BalancerMember http://127.0.0.1:<%= port %> keepalive=on max=2 retry=30 BalancerMember http://127.0.0.1:<%= port %> keepalive=on max=2 retry=30
@ -24,125 +21,44 @@ Listen 8140
<VirtualHost _default_:8140> <VirtualHost _default_:8140>
# Use separate log files for the SSL virtual host; note that LogLevel # Use default log path for puppet
# is not inherited from httpd.conf. ErrorLog /srv/www/log/https/<%= homename %>/error_log
ErrorLog /srv/www/log/https/<%= homename %>/error_log CustomLog /srv/www/log/https/<%= homename %>/access_log combined
CustomLog /srv/www/log/https/<%= homename %>/access_log combined LogLevel warn
LogLevel warn
# SSL Engine Switch: # SSL settings
# Enable/Disable SSL for this virtual host. SSLEngine on
SSLEngine on SSLProtocol TLSv1
SSLCipherSuite DHE-RSA-AES256-SHA
# SSL Cipher Suite: # Certificates and keys
# List the ciphers that the client is permitted to negotiate. SSLCertificateFile <%= puppet_ssldir %>/certs/<%= homename %>.pem
# See the mod_ssl documentation for a complete list. SSLCertificateKeyFile <%= puppet_ssldir %>/private_keys/<%= homename %>.pem
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA SSLCertificateChainFile <%= puppet_ssldir %>/certs/ca.pem
SSLCACertificateFile <%= puppet_ssldir %>/certs/ca.pem
SSLCARevocationFile <%= puppet_ssldir %>/ca/ca_crl.pem
# Server Certificate: # Client authentication
# Point SSLCertificateFile at a PEM encoded certificate. If SSLVerifyClient optional
# the certificate is encrypted, then you will be prompted for a SSLVerifyDepth 1
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile <%= puppet_ssldir %>/certs/<%= homename %>.pem
# Server Private Key: # SSL options and headers
# If the key is not combined with the certificate, use this SSLOptions +StdEnvVars
# directive to point at the key file. Keep in mind that if RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
# you've both a RSA and a DSA private key you can configure RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
# both in parallel (to also allow the use of DSA ciphers, etc.) RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
SSLCertificateKeyFile <%= puppet_ssldir %>/private_keys/<%= homename %>.pem
# Server Certificate Chain: # Proxy settings
# Point SSLCertificateChainFile at a file containing the <Location />
# concatenation of PEM encoded CA certificates which form the SetHandler balancer-manager
# certificate chain for the server certificate. Alternatively Order allow,deny
# the referenced file can be the same as SSLCertificateFile Allow from all
# when the CA certificates are directly appended to the server </Location>
# certificate for convinience. ProxyPass / balancer://puppetmaster:8140/ timeout=180
SSLCertificateChainFile <%= puppet_ssldir %>/certs/ca.pem ProxyPassReverse / balancer://puppetmaster:8140/
ProxyPreserveHost on
# Certificate Authority (CA): SetEnv force-proxy-request-1.0 1
# Set the CA certificate verification path where to find CA SetEnv proxy-nokeepalive 1
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile <%= puppet_ssldir %>/certs/ca.pem
# Certificate Revocation List:
# Point SSLCARevocation file at a file containing the
# Certificate Revocation Lists (CRL) of Certification
# Authorities (CA) whose clients you deal with. These are used
# for client authentication.
SSLCARevocationFile <%= puppet_ssldir %>/ca/ca_crl.pem
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient optional
SSLVerifyDepth 1
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
SSLOptions +StdEnvVars
# The following client headers allow the same configuration to work with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
<Location />
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location>
ProxyPass / balancer://puppetmaster:8140/ timeout=180
ProxyPassReverse / balancer://puppetmaster:8140/
ProxyPreserveHost on
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost> </VirtualHost>